{
	"id": "f4e8ad8a-9238-461b-bbdc-de74e5245683",
	"created_at": "2026-04-06T00:11:06.003306Z",
	"updated_at": "2026-04-10T03:28:24.291767Z",
	"deleted_at": null,
	"sha1_hash": "5e2c424fd6c9e3d3a32795f4f9b8972bc32958a0",
	"title": "Eleethub: A Cryptocurrency Mining Botnet with Rootkit for Self-Hiding",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1190763,
	"plain_text": "Eleethub: A Cryptocurrency Mining Botnet with Rootkit for Self-Hiding\r\nBy Asher Davila, Yang Ji\r\nPublished: 2020-05-18 · Archived: 2026-04-05 16:04:19 UTC\r\nExecutive Summary\r\nUnit 42 researchers uncovered a new botnet campaign using Perl Shellbot, intended to mine Bitcoin, while avoiding detection using a specially crafted rootkit.\r\nThe bot is propagated by sending a malicious shell script to a compromised device that then downloads other scripts. After the victim device executes the downloaded scripts, it starts waiting for commands from its Command and Control (C2) server. While the Perl programming language is popular in malware for its wide compatibility, this botnet can potentially affect not only Unix-based systems but also Windows 10 systems that use a Linux subsystem.\r\nThis new campaign uses a shared library called libprocesshider.so to hide the mining processes on the infected device and a specially crafted rootkit to avoid detection. The malicious actors use the name “Los Zetas”, which is an allusion to a Mexican criminal organization regarded as one of the most dangerous drug cartels in the country. Despite that, it is unlikely that the attackers are actually part of this criminal organization. Additionally, this botnet has links to UnderNet, one of the largest IRC (Internet Relay Chat) networks, where different topics are discussed, including malware and cybercrime.\r\nMoreover, the botnet was still under development when it was uncovered. As a result, it doesn’t have many recruiters. However, it was important to stop it before the attackers compromised more devices. We observed that the botnet performs Bitcoin mining on its victim devices on a growing scale using known mining tools such as xmrig and emech. These tools have been seen in recent coin mining campaigns, such as VictoryGate and Monero mining over $6000 for profit. We estimate the Eleethub botnet can also grow to make thousands of dollars if it expands over a period of one to two years.\r\nShell Script Dropper\r\nA compromised device will download a malicious shell script containing commands to download pieces of the botnet and create directories to copy the downloaded files into. Next, the device executes the downloaded files (procps.h, ps, setup, m) to start communicating with an IRC server. Additionally, it downloads and installs a library called libprocesshider.so (Figure 1), which will be explained later.\r\nFigure 1. Downloaded files\r\nHiding Processes with a Rootkit\r\nThis botnet takes the concealment of mining tasks to the next level. First, it reuses the well-known open-source process-hiding library libprocesshider to hide the mining process with LD_PRELOAD (Figure 2). This technique has been used in several past coin mining campaigns, such as the one perpetrated by the Rocke group, which Unit 42 found in 2019.\r\nhttps://unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet/\r\nPage 1 of 6\n\nFigure 2. x.sh\r\nIn addition, the attackers use a specially crafted rootkit to hide the mining operation from detection in the ps (process status) command. Specifically, the malware replaces the original ps tool with a crafted one. The crafted tool calls the real ps (Figure 3) but filters out the mining processes xmrig and emech, as well as sensitive keywords such as proc, netstats, and tops, from the ps results (Figure 4). These keywords are usually assumed to be indicators of existing coin miners. By removing these keywords, the miner hides itself from antivirus monitoring and avoids being killed by other competing coin miners (Outlaw, for example), which usually scan the running processes to discover if any other miners are present.\r\nFigure 3. Installing rootkit\r\nFigure 4. Process hiding\r\nConnecting to the Botnet\r\nOnce the infected device has downloaded all the files in the rootkit (Figure 5) and has started running the malicious scripts, it will connect to an IRC server by sending an assigned nickname that starts with dark followed by a random integer between 0 and 8999 (Figure 6).\r\nFigure 5. Installation of the rootkit\r\nFigure 6. Assigning a nickname to the compromised device (zombie)\r\nThe initial PING is followed by the word LAG + the current epoch time (Figure 8).\r\nFigure 7. Sending the first PING to the IRC server\r\nAdditionally, it contains scripts to communicate with the UnderNet IRC server as well (Figure 8).\r\nFigure 8. Sending a PING command to the IRC Undernet server\r\nBecause the botnet was not yet ready by the time we discovered it, we were unable to receive any commands from the IRC server. However, we were able to connect manually to the IRC server and explore the channels available. We discovered that, fortunately, the Miners channel had just a few recruiters or zombies (Figures 10 and 11).\r\nFigure 9. Channels found manually\r\nFigure 10. Zombies in the botnet\r\nLater, the compromised device could start receiving commands to send attacks such as UDP floods, TCP floods, port scans, and HTTP attacks (Figure 7).\r\nFigure 11. Available attacks\r\nLos Zetas from Eleethub\r\nThe domain associated with the C2 server is eleethub[.]com. We visited the website and found a message announcing that something was coming, which probably was the botnet they were preparing (Figure 12).\r\nFigure 12. Visiting eleethub[.]com\r\nIn addition, the IRC server prints a banner (MOTD) with the name of that domain (Figure 13).\r\nFigure 13. Message Of The Day - Eleet Hub\r\nThe phrase “Los Zetas” is mentioned multiple times in the malicious scripts that compose the botnet. The most notable ones are in the main rootkit directory, in the setup file (Figure 14), and in the information from the botnet operators undead[@]los[.]zetas[.]mx (Figure 15). “Los Zetas” is a reference to a Mexican criminal organization, regarded as one of the most dangerous drug cartels in the country. However, it is unlikely that the attackers are actually part of this criminal organization.\r\nFigure 14. Reference to “Los Zetas” in setup file\r\nFigure 15. User related to los[.]zetas[.]mx\r\nConclusion\r\nThe new Perl shell-based botnet uses libraries such as libprocesshider.so to hide mining activities. In addition, the attackers use a specially crafted rootkit to hide the mining operation from discovery.\r\nThe Perl programming language is popular in malware for its wide compatibility across many Unix-based systems, such as Linux servers, PCs, and even IoT devices. Perl is a scripting language and does not need to be compiled for every different CPU architecture or firmware version. Another advantage of using Perl scripts is the wide range of libraries that can easily be implemented. This type of botnet takes advantage of the computing power of compromised devices to do various tasks such as coin mining and launching DDoS attacks.\r\nPalo Alto Networks customers are protected from the Perl shell botnet by the following platforms:\r\n1. Threat Prevention signature 85843, which identifies IRC C2 communication.\r\n2. PAN-DB and DNS Security block the attackers’ C2 server URL and domain.\r\n3. WildFire identifies and blocks Perl shell botnets.\r\n4. Palo Alto Networks IoT Security detects attacks such as IRC botnets targeting IoT devices.\r\nIndicators of Compromise\r\nSamples\r\n7ed8fc4ad8014da327278b6afc26a2b4d4c8326a681be2d2b33fb2386eade3c6\r\ndbef55cc0e62e690f9afedfdbcfebd04c31c1dcc456f89a44acd516e187e8ef6\r\nd9001aa2d7456db3e77b676f5d265b4300aaef2d34c47399975a4f1a8f0412e4\r\n14c351d76c4e1866bca30d65e0538d94df19b0b3927437bda653b7a73bd36358\r\n6d1fe6ab3cd04ca5d1ab790339ee2b6577553bc042af3b7587ece0c195267c9b\r\nC2 servers\r\neleethub[.]com\r\nirc.eleethub[.]com\r\nghost.eleethub[.]com\r\n62.210.119[.]142\r\n82.76.255[.]62\r\nPublic keys found on the server\r\nssh-rsa\r\nAAAAB3NzaC1yc2EAAAABJQAAAQEAiF+LxAh219ufrvy9Pe1ujDZrIfLBtNlRVojyol/e/G\r\nPUNn+S/k78WaEgqsAXSdpLagCly2FxxZ6JWQx4f4js7DngLm3HWAyX3orlmMljmj60OmMDXPeWDfm3EMul/aVMUUfzXdriAWmHCIKdFrn\r\nfRm4coFgGaIi938ehd1IMdNdeEgyFfRZoEkd7PNVGtTLNtIcwkMF4XHZuS4WQvC95M5yga\r\nrrqB5PNTOS2oTOU36m3rXWFOhQ7N/NX4W+uLMExOWecHr4XIV3qzkeSu5wBoD0Vqi3wUvm\r\n9a+lJFFqnQ8w0ZX4J1mQ==\r\nssh-rsa\r\nAAAAB3NzaC1yc2EAAAABJQAAAQEAiF+LxAh219ufrvy9Pe1ujDZrIfLBtNlRVojyol/e/G\r\nPUNn+S/k78WaEgqsAXSdpLagCly2FxxZ6JWQx4f4js7DngLm3HWAyX3orlmMljmj60OmMD\r\nXPeWDfm3EMul/aVMUUfzXdriAWmHCIKdFrnal/MZhzgQ1evEPLFraKcvqkQrrcQTmsyKdE\r\nfRm4coFgGaIi938ehd1IMdNdeEgyFfRZoEkd7PNVGtTLNtIcwkMF4XHZuS4WQvC95M5yga\r\nrrqB5PNTOS2oTOU36m3rXWFOhQ7N/NX4W+uLMExOWecHr4XIV3qzkeSu5wBoD0Vqi3wUvm\r\n9a+lJFFqnQ8w0ZX4J1mQ==\r\nSource: https://unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet/"
	],
	"report_names": [
		"los-zetas-from-eleethub-botnet"
	],
	"threat_actors": [
		{
			"id": "7c053836-8f50-4d40-bc5c-7088967e1b57",
			"created_at": "2022-10-25T16:07:24.549525Z",
			"updated_at": "2026-04-10T02:00:05.03048Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra",
				"G0106",
				"Iron Group",
				"Rocke"
			],
			"source_name": "ETDA:Rocke",
			"tools": [
				"Godlua",
				"Kerberods",
				"LSD",
				"Pro-Ocean",
				"Xbash"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "905eabd9-2b7f-483d-86bd-0c72f96b4162",
			"created_at": "2023-01-06T13:46:39.02749Z",
			"updated_at": "2026-04-10T02:00:03.185957Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra"
			],
			"source_name": "MISPGALAXY:Rocke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f",
			"created_at": "2022-10-25T15:50:23.360509Z",
			"updated_at": "2026-04-10T02:00:05.337702Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Rocke"
			],
			"source_name": "MITRE:Rocke",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434266,
	"ts_updated_at": 1775791704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5e2c424fd6c9e3d3a32795f4f9b8972bc32958a0.pdf",
		"text": "https://archive.orkl.eu/5e2c424fd6c9e3d3a32795f4f9b8972bc32958a0.txt",
		"img": "https://archive.orkl.eu/5e2c424fd6c9e3d3a32795f4f9b8972bc32958a0.jpg"
	}
}