Cyble threat intelligence researchers have identified a sophisticated Linux botnet built for cryptocurrency mining, remote command execution, and dozens of DDoS attack types.
Cyble Research and Intelligence Labs (CRIL) researchers have dubbed the campaign “Luno.” The malware also includes strong obfuscation and evasion features, “indicating active professional threat actor involvement,” the researchers wrote in a blog post.
“Unlike conventional cryptominers or DDoS botnets, LunoC2 exhibits process masquerading, binary replacement, and a self-update system, suggesting the malware is designed as a long-term criminal infrastructure tool,” they said.
Linux Botnet Actor Selling DDoS Services
Cyble said that while the threat actors behind the malware are unknown, the Luno actor is actively selling DDoS services on a Telegram channel that was created in late July.
LunoC2’s architecture and pricing model “suggest intent for long-term monetization and operational flexibility,” Cyble said.
DDoS features include tunable parameters such as target, method, time, and threads, with explicit target routines for Roblox, Minecraft, and Valve servers, suggesting a botnet-for-hire model, they said.
The malware downloads the xmrig miner from main[.]botnet[.]world and saves it as /bin/ash. The replacement of the legitimate ash shell (Almquist Shell) commonly found in embedded Linux distributions “suggests that the malware is specifically targeting resource-constrained systems for cryptocurrency mining, where ash is the default shell,” Cyble said.
Anti-analysis features include debugger/tracer detection, tool detection, network Interface detection that checks NIC interfaces for anomalies, and timing checks to detect execution delay. “It does this by inspecting the execution environment,” the researchers said. “If an anomaly is detected, it attempts to self-delete itself from disk.”
Luno’s Sophisticated DDoS Capabilities
DDoS_attack_launcher contains the core DDoS capabilities, enabling both thread-based floods and external binary execution. Cyble identified more than 20 different DDoS attack modules and types.
Attacks like udp-bypass and tcp-bypass are more advanced than standard volumetric floods, allowing the attacker to randomize the packet size and destination port to evade basic signature-based detection rules.
An HTTP GET flood attack function simulates real browser traffic with randomized headers, using a hardcoded list of random user-agents with 102 legitimate referrers “that mimic human browsing diversity and evade basic detections.”
The malware targets game servers with Minecraft-specific DDoS attack functions, Valorant-specific QUIC packets, and RakNet engine components used by many gaming engines for multiplayer functionality, the researchers said.
The malware’s RakNet command uses the RakNet protocol handshake to bypass any simple firewall rules or rate-limiting that block untrusted, non-protocol UDP traffic. “By completing the handshake, the attacker makes the traffic look legitimate to the server, causing the server to waste resources processing the flood of incoming packets,” Cyble said.
The more advanced raknet-mix command “floods the target using a variety of randomized packets to make its traffic look more diverse and difficult to block with a single rule.”
Cyble said the malware is built to be a long-term threat, and defenders should take note.
“Given its resilience, modularity, monetization potential, resource theft, and service disruption capabilities, all of which possess operational and financial risks for organizations, defenders should treat LunoC2 as a long-term threat to Linux environments, particularly internet-facing servers and game-hosting platforms,” the researchers concluded.
The full Cyble blog takes an in-depth look at the malware and also includes indicators of compromise (IoCs) and recommendations for defenders.
