{
	"id": "1495b435-ac64-441d-93b6-15d0dd4f3fd4",
	"created_at": "2026-04-06T00:22:22.219809Z",
	"updated_at": "2026-04-10T13:11:28.616723Z",
	"deleted_at": null,
	"sha1_hash": "3af6bc0abe7c95ac58f4a66651875f53240daba6",
	"title": "New Multi-Platform Xbash Packs Obfuscation, Ransomware, Coinminer, Worm and Botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67339,
	"plain_text": "New Multi-Platform Xbash Packs Obfuscation, Ransomware, Coinminer, Worm and Botnet\r\nArchived: 2026-04-05 19:55:04 UTC\r\nResearchers discovered a new malware family, named Xbash, targeting servers of various platforms, with four different versions seen in the wild actively seeking unprotected services, exploiting vulnerabilities, and deleting databases on Linux and Microsoft systems. Xbash evades detection, scans targets by IP address and domain name, brute-forces credentials, and combines ransomware, cryptocurrency coinmining, worm, and scanner capabilities. Reverse analysis found an estimated $6,000 worth of Bitcoin wired from approximately 48 victims to the C\u0026C IP address, though evidence of data recovery has yet to be seen.\r\n[Read: The evolution of ransomware]\r\nXbash specifically targets Linux servers with ransomware and botnet installations, and Windows servers for coinminer installs and propagation. Developed using Python, attackers used the legitimate tool PyInstaller to distribute the Linux ELF executables, with Redis services enabling Xbash to determine whether the system is running Windows. Once it confirms that it is running on a Windows server, a hijacked JavaScript or VBScript payload will download and execute a coinminer. It also has obfuscation capabilities that try to bypass static analysis to avoid detection.\r\n[Read: Cryptocurrency-mining malware targets Kodi users on Windows, Linux]\r\nUnlike recent variants of Mirai and Gafgyt that target vulnerable Linux systems via randomly generated IP addresses, Xbash also scans and trawls through domain names. The C\u0026C scans for specific destinations’ known vulnerabilities in Hadoop, Redis and ActiveMQ (CVE-2016-3088) for self-propagation. Hadoop’s unauthenticated command execution flaw discovered in October 2016, as well as the Redis arbitrary and remote command execution vulnerability disclosed in October 2015, have yet to be assigned CVE numbers. Based on the active C\u0026C traffic, it scans and probes for open TCP or UDP ports such as HTTP, VNC, MySQL/MariaDB, Telnet, FTP, MongoDB, RDP, ElasticSearch, Oracle Database, CouchDB, Rlogin and PostgreSQL. While the malware uses a weak username and password dictionary to brute-force its way into the service, it is also able to update its dictionary from the C\u0026C server, delete all the databases, and display the ransom message.\r\nSecurity researchers note this to be the first malware family to pack ransomware, coinmining, and worm capabilities that target services on both Linux and Windows. Further, the samples of Xbash indicate that new scanning capabilities are being developed for eventual implementation of intranet infection in enterprises, much like WannaCry and Petya.\r\n[Read: WannaCry/Wcry Ransomware: How to defend against it]\r\nThreats such as Xbash will continue to evolve as cybercriminals find more ways to profit from legitimate businesses and enterprises. Here are some best practices to protect enterprise systems from these kinds of threats:\r\nFrequently change your passwords and make them complicated, from the gateway to the endpoint. Practice good password hygiene, and avoid reusing credentials on multiple user accounts.\r\nRegularly install system updates and patches for your systems once released by legitimate vendors.\r\nRegularly back up your files. Practice the 3-2-1 system to minimize or mitigate data loss.\r\nMalware related to this threat is detected as:\r\nRansom.Linux.XBASH.A\r\nRansom.Linux.XBASH.AB\r\nRansom.Linux.XBASH.AC\r\nRansom.Linux.XBASH.AD\r\nRansom.Linux.XBASH.AE\r\nRansom.Linux.XBASH.AF\r\nTrojan.JS.POWLOAD.AA\r\nTrojan.VBS.POWLOAD.AB\r\nTrojan.Win32.INFOSTEAL.TIDAOCN\r\nCoinminer.Win32.MALXMR.AX\r\nCoinminer_TOOLXMR.SMB-WIN64\r\nCoinminer.Unix.MALXMR.AA\r\nTrend Micro™ Endpoint Security products offer the broadest range of defense against the changing, advanced threat landscape. Trend Micro™ OfficeScan™ infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across any user activity and any endpoint. It constantly learns, adapts, and automatically shares threat intelligence across your environment. All of this modern threat security technology is made simple for your organization with central visibility, management, and reporting.\r\nTrend Micro™ Deep Discovery™ protects customers from this threat via these Deep Discovery Inspector (DDI) rules:\r\n1536 - HTTP Request to a malware Command and Control Site\r\n2573 - MINER - TCP (Request)\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/new-multi-platform-xbash-packs-obfuscation-ransomware-coinminer-worm-and-botnet",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/new-multi-platform-xbash-packs-obfuscation-ransomware-coinminer-worm-and-botnet"
	],
	"report_names": [
		"new-multi-platform-xbash-packs-obfuscation-ransomware-coinminer-worm-and-botnet"
	],
	"threat_actors": [],
	"ts_created_at": 1775434942,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3af6bc0abe7c95ac58f4a66651875f53240daba6.pdf",
		"text": "https://archive.orkl.eu/3af6bc0abe7c95ac58f4a66651875f53240daba6.txt",
		"img": "https://archive.orkl.eu/3af6bc0abe7c95ac58f4a66651875f53240daba6.jpg"
	}
}