{
	"id": "3994c0e0-28ff-47e0-977c-ac34e845a2fc",
	"created_at": "2026-04-06T01:32:34.667023Z",
	"updated_at": "2026-04-10T13:11:57.231672Z",
	"deleted_at": null,
	"sha1_hash": "6af32834732ed56cb31b546dfeb90956e5f4d6d1",
	"title": "Uncovering the Sysrv-Hello Crypto-Jacking Bonet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3117610,
	"plain_text": "Uncovering the Sysrv-Hello Crypto-Jacking Bonet\r\nBy Shuh Chin Goh\r\nPublished: 2022-05-25 · Archived: 2026-04-06 01:15:46 UTC\r\nIn recent years, the prevalence of crypto-jacking botnets has risen in tandem with the popularity and value of\r\ncryptocurrencies. Increasingly crypto-mining malware programs are distributed by botnets as they allow threat actors to\r\nharness the cumulative processing power of a large number of machines (discussed in our other Darktrace blogs.1 2 One of\r\nthese botnets is Sysrv-hello, which in addition to crypto-mining, propagates aggressively across the Internet in a worm-like\r\nmanner by trolling for Remote Code Execution (RCE) vulnerabilities and SSH worming from the compromised victim\r\ndevices. This all has the purpose of expanding the botnet.\r\nFirst identified in December 2020, Sysrv-hello’s operators constantly update and change the bots’ behavior to evolve and\r\nstay ahead of security researchers and law enforcement. As such, infected systems can easily go unnoticed by both users and\r\norganizations. This blog examines the cyber kill chain sequence of a Sysrv-hello botnet infection detected at the network\r\nlevel by Darktrace DETECT/Network, as well as the botnet’s tactics, techniques, and procedures (TTPs) in March and April\r\n2022.\r\nFigure 1: Timeline of the attack\r\nDelivery and exploitation\r\nThe organization, which was trialing Darktrace, had deployed the technology on March 2, 2022. On the very same day, the\r\ninitial host infection was seen through the download of a first-stage PowerShell loader script from a rare external endpoint\r\nby a device in the internal network. 
Although initial exploitation of the device happened prior to the installation and was not\r\nobserved, this botnet is known to target RCE vulnerabilities in various applications such as MySQL, Tomcat, PHPUnit,\r\nApache Solr, Confluence, Laravel, JBoss, Jira, Sonatype, Oracle WebLogic and Apache Struts to gain initial access to\r\ninternal systems.3\r\nhttps://darktrace.com/blog/worm-like-propagation-of-sysrv-hello-crypto-jacking-botnet\r\nPage 1 of 10\n\nRecent iterations have also been reported to be deployed via drive-by downloads: an empty\r\nHTML iframe on a compromised website points to a malicious executable that is downloaded when a user visits the site.4\r\nInitial intrusion\r\nThe Sysrv-hello botnet is distributed for both Linux and Windows environments, with the corresponding compatible script\r\npulled based on the architecture of the system. In this incident, the Windows version was observed.\r\nOn March 2, 2022 at 15:15:28 UTC, the device made a successful HTTP GET request to a malicious IP address5 that had a\r\nrarity score of 100% in the network. It subsequently downloaded a malicious PowerShell script named ‘ldr.ps1’6 onto the\r\nsystem. The associated IP address ‘194.145.227[.]21’ belongs to ‘ASN AS48693 Rices Privately owned enterprise’ and had\r\nbeen identified as a Sysrv-hello botnet command and control (C2) server in April of the previous year.3\r\nLooking at the URI ‘/ldr.ps1?b0f895_admin:admin_81.255.222.82:8443_https’, it appears the loader was requested with a\r\nquery string rather than a bare path. The question mark ‘?’ in a URI delimits the boundary between the path of the\r\nqueryable object and the set of strings used to express a query onto that object. Conventionally, that set of strings\r\ncontains a list of key/value pairs joined with equal signs ‘=’ and separated by the ampersand symbol ‘\u0026’ (e.g.\r\nwww.youtube[.]com/watch?v=RdcCjDS0s6s\u0026ab_channel=SANSCyberDefense), though the exact\r\nstructure of the query string is not standardized and different servers may parse it differently. Instead, this query\r\nconsisted of four underscore-separated fields: a six-character hexadecimal token ‘b0f895’ (most likely an identifier, although\r\nit also happens to be a valid colour code for a light shade of green), the credential pair ‘admin:admin’, the IP address and\r\nport ‘81.255.222[.]82:8443’, and the scheme ‘https’. In recent months this French IP has also been reported for abuse by the\r\nOSINT community.7\r\nOn March 2, 2022 at 15:15:33 UTC, the PowerShell loader script further downloaded second-stage executables named\r\n‘sys.exe’ and ‘xmrig.exe’.8 9 These have been identified as the worm and cryptocurrency miner payloads respectively.\r\nEstablish foothold\r\nOn March 2, 2022 at 17:46:55 UTC, after the downloads of the worm and cryptocurrency miner payloads, the device\r\ninitiated multiple SSL connections in a regular, automated manner to Pastebin – a text storage website. This channel was\r\nused to download/upload data and drop further malicious scripts onto the host. OSINT sources suggest the JA3\r\nclient SSL fingerprint (05af1f5ca1b87cc9cc9b25185115607d) is associated with PowerShell usage (a JA3 hash identifies the\r\nTLS client implementation rather than a particular script), corroborating the observation that further tooling was\r\ninitiated by the PowerShell script ‘ldr.ps1’.\r\nContinual Pastebin C2 connections were still being made by the device almost two months after they began. These Pastebin\r\nC2 connections point to new tactics and techniques employed by Sysrv-hello: reports earlier than May do not appear to\r\nmention any usage of the text storage site. These new TTPs serve two purposes: defense evasion using a legitimate web\r\nservice and persistence. 
Persistence was likely achieved through scheduled tasks that periodically re-download scripts from this web service and\r\nexecute them, including routines that kill competing malware processes, as seen in other botnets.10 Recent reports have\r\nseen other malware families also switch to Pastebin C2 tunnels to deliver subsequent payloads, removing the need for\r\ntraditional C2 servers and evading detection.11\r\nFigure 2: A section of the constant SSL connections that the device was still making to ‘pastebin[.]com’ even in the month of\r\nApril, which resembles scheduled beaconing activity\r\nThroughout the months of March and April, suspicious SSL connections were made from a second potentially compromised\r\ndevice in the internal network to the infected breach device. The suspicious French IP address ‘81.255.222[.]82’ previously\r\nseen in the loader query string appeared as the value of the Server Name Indication (SNI) extension in these SSL\r\nconnections, where a hostname or domain name is normally indicated rather than an IP literal.\r\nAfter an initial compromise, attackers usually aim to gain long-term remote shell access to continue the attack. As the breach\r\ndevice does not have a public IP address and is almost certainly behind a firewall, for it to be directly accessible from the\r\nInternet a reverse shell would need to be established. Outgoing connections often succeed because firewalls generally filter\r\nonly incoming traffic. Darktrace observed the device making continuous outgoing connections to an external host listening\r\non an unusual port, 8443, consistent with a reverse shell used for pivoting and remote administration.\r\nFigure 3: SSL connections to server name ‘81.255.222[.]82’ at end of March and start of April\r\nAccomplish mission\r\nOn March 4, 2022 at 15:07:04 UTC, the device made a total of 16,029 failed connections to a large volume of external\r\nendpoints on the same port (8080). This behavior is consistent with address scanning. From the country codes, it appears\r\nthat public IP addresses in various countries around the world were contacted (at least 99 unique addresses), with the US\r\nbeing the most targeted.\r\nFrom 19:44:36 UTC onwards, the device performed cryptocurrency mining using the Minergate mining pool protocol to\r\ngenerate profits for the attacker. A login value of ‘x’ was observed in the Minergate connections to\r\n‘194.145.227[.]21’ on port 5443. The JSON-RPC methods ‘login’ and ‘submit’ were seen from the connection originator (the\r\ninfected breach device) and ‘job’ was seen from the connection responder (the C2 server). A high volume of connections\r\nusing the same JSON-RPC application protocol to ‘pool-fr.supportxmr[.]com’ were also made on port 80. Neither 5443 nor 80\r\nis a conventional miner port, so detecting this traffic depends on recognising the mining protocol content rather than the\r\ndestination port.\r\nWhen the botnet was first discovered in December 2020, the MineXMR and F2Pool mining pools were used. In February 2021,\r\nMineXMR was removed and in March 2021 the Nanopool mining pool was added,12 before the switch to the present\r\nSupportXMR and Minergate pools. Threat actors use such pools and proxies to hide the wallet address that ultimately\r\nreceives the proceeds of the mining activity. 
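The login/submit/job exchange described above can be recognised from message content alone. The Python below is an added example, not code from the original post or from Darktrace: it builds a constructed Stratum-style JSON-RPC exchange (field names such as ‘login’, ‘pass’, ‘agent’, ‘job_id’ and ‘blob’ are assumed from the common XMRig-compatible pool dialect; the originator/responder roles follow the text), parses each newline-delimited message, and flags the flow as mining when the originator logs in and the responder hands out jobs, regardless of destination port.

```python
import json
from collections import Counter


def _line(obj):
    # Serialise one JSON-RPC message the way Stratum-style miners put it on the wire:
    # a single JSON object terminated by a newline.
    return json.dumps(obj) + '\n'


# Constructed sample exchange (not captured traffic). 'orig' is the infected host,
# 'resp' is the pool / C2 server. Field names are assumed from the XMRig dialect.
SAMPLE_STREAM = [
    ('orig', _line({'id': 1, 'jsonrpc': '2.0', 'method': 'login',
                    'params': {'login': 'x', 'pass': 'x', 'agent': 'XMRig/6.12.2'}})),
    ('resp', _line({'id': 1, 'jsonrpc': '2.0', 'error': None,
                    'result': {'id': 'sess-1', 'status': 'OK',
                               'job': {'blob': '0707ff', 'job_id': '1', 'target': 'b88d0600'}}})),
    ('resp', _line({'jsonrpc': '2.0', 'method': 'job',
                    'params': {'blob': '0707aa', 'job_id': '2', 'target': 'b88d0600'}})),
    ('orig', _line({'id': 2, 'jsonrpc': '2.0', 'method': 'submit',
                    'params': {'id': 'sess-1', 'job_id': '2', 'nonce': '1a2b3c4d', 'result': 'ff' * 32}})),
    ('resp', _line({'id': 2, 'jsonrpc': '2.0', 'error': None, 'result': {'status': 'OK'}})),
]

# A JSON-RPC flow that is not mining: same framing, different methods, no jobs handed out.
BENIGN_STREAM = [
    ('orig', _line({'id': 1, 'jsonrpc': '2.0', 'method': 'getStatus', 'params': {}})),
    ('resp', _line({'id': 1, 'jsonrpc': '2.0', 'result': {'status': 'ok'}})),
]


def parse_stream(stream):
    # Yield (direction, method, params, result) for every well-formed message;
    # anything that is not a JSON object is skipped rather than crashing the detector.
    for direction, raw in stream:
        for line in raw.splitlines():
            if not line.strip():
                continue
            try:
                msg = json.loads(line)
            except ValueError:
                continue
            if not isinstance(msg, dict):
                continue
            yield direction, msg.get('method'), msg.get('params') or {}, msg.get('result')


def classify_connection(stream):
    # A flow is treated as mining when the originator authenticates with 'login'
    # and the responder delivers at least one job (inline in the login reply or as
    # a 'job' notification). Port numbers play no role, matching the 5443/80 case above.
    orig_methods = Counter()
    login_name = None
    jobs_seen = 0
    for direction, method, params, result in parse_stream(stream):
        if direction == 'orig' and method:
            orig_methods[method] += 1
            if method == 'login' and isinstance(params, dict):
                login_name = params.get('login')
        elif direction == 'resp':
            if method == 'job':
                jobs_seen += 1
            if isinstance(result, dict) and 'job' in result:
                jobs_seen += 1
    return {
        'mining': 'login' in orig_methods and jobs_seen > 0,
        'login': login_name,
        'submits': orig_methods.get('submit', 0),
        'resp_jobs': jobs_seen,
    }


if __name__ == '__main__':
    print(classify_connection(SAMPLE_STREAM))
    print(classify_connection(BENIGN_STREAM))
```

Running this against a real capture means reassembling each direction of the TCP stream into lines first; the classifier is deliberately indifferent to ports and hostnames, which is what catches mining on 5443 and 80 as in this incident.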
From April onwards, the device appears to\r\ndownload the ‘xmrig.exe’ executable from a rare IP address ‘61.103.177[.]229’ in Korea every few days – likely in an\r\nattempt to establish persistence and ensure the cryptocurrency mining payload remains on the compromised\r\nsystem for continued mining.\r\nOn March 9, 2022 from 18:16:20 UTC onwards, scanning for various RCE vulnerabilities (including but not limited to these\r\nfour) was observed over HTTP connections to public IP addresses:\r\n1. Through March, the device made around 5,417 HTTP POSTs with the URI\r\n‘/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php’ to at least 99 unique public IPs. This appears to be related to\r\nCVE-2017-9841, which allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a\r\nparticular substring.13 PHPUnit is a common testing framework for PHP, used for performing unit tests during\r\napplication development. It is used by a variety of popular Content Management Systems (CMS) such as WordPress,\r\nDrupal and Prestashop. This CVE has been called “one of the most exploitable CVEs of 2019,” with around seven\r\nmillion attack attempts being observed that year.14 This framework is not designed to be exposed on the critical paths\r\nserving web pages and should not be reachable by external HTTP requests. Looking at the status messages of the\r\nHTTP POSTs in this incident, some ‘Found’ and ‘OK’ messages were seen, suggesting the vulnerable path could be\r\naccessible on some of those endpoints (a 200 or 302 shows only that the path is served, not that the code executed).\r\nFigure 4: PCAP of CVE-2017-9841 vulnerability scanning\r\nFigure 5: The CVE-2017-9841 vulnerable path appears to be reachable on some endpoints\r\n2. Through March, the device also made around 5,500 HTTP POSTs with the URI ‘/_ignition/execute-solution’ to at\r\nleast 99 unique public IPs. This appears related to CVE-2021-3129, which allows unauthenticated remote attackers to\r\nexecute arbitrary code when debug mode is enabled in Laravel, a PHP web application framework, in versions prior to\r\n8.4.2 (see footnote 15). The POST request in Figure 6 marks the ‘username’ variable as optional and leaves the ‘viewFile’\r\nparameter empty, a probe to test whether the endpoint is vulnerable.16\r\nFigure 6: PCAP of CVE-2021-3129 vulnerability scanning\r\n3. The device made approximately a further 252 HTTP GETs with URIs containing ‘invokefunction\u0026function’ to\r\nat least another 99 unique public IPs. This appears related to an RCE vulnerability in ThinkPHP, an open-source PHP\r\nweb framework.17\r\nFigure 7: Some of the URIs associated with the ThinkPHP RCE vulnerability\r\n4. An HTTP header associated with the RCE vulnerability in the Jakarta Multipart parser used by Apache Struts 2\r\n(CVE-2017-5638)18 was also seen during the connection attempts. In this case the payload was carried in a crafted\r\nContent-Type header.\r\nFigure 8: PCAP of CVE-2017-5638 vulnerability scanning\r\nTwo widely used methods of SSH authentication are public key authentication and password authentication. After gaining a\r\nfoothold in the network, previous reports3 19 have noted that Sysrv-hello harvests private SSH keys from the\r\ncompromised device, along with the hosts it has previously connected to (for example from its known_hosts file). A\r\nharvested key that is authorised on one of those hosts grants a login without any password prompt, so this technique was\r\nlikely performed in conjunction with password brute-force attacks against those hosts. Starting from March 9, 2022 at\r\n20:31:25 UTC, Darktrace observed the device making a large number of SSH connections and login failures to public IP\r\nranges. 
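Returning to the four HTTP probes listed above, and to the underscore-delimited loader query discussed under Initial intrusion: both can be picked out of proxy or sensor logs by content alone. The Python below is an added example, not code from the original post or from Darktrace. It runs a small classifier over constructed log lines (timestamp|src|dst:port|method|uri|status|content-type, using TEST-NET addresses, not the incident data), counts requests and distinct targets per probe the way the text does, and separately splits the loader URI into its fields. Two things are assumed rather than taken from the page: the ‘%{’ opener used to spot a Struts 2 OGNL Content-Type, and the exact shape of the ThinkPHP URI in the sample.

```python
from collections import defaultdict

# URI-based signatures for the probes described above: (label, method, substring).
URI_PROBES = [
    ('CVE-2017-9841 PHPUnit eval-stdin', 'POST', '/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php'),
    ('CVE-2021-3129 Laravel Ignition', 'POST', '/_ignition/execute-solution'),
    ('ThinkPHP invokefunction RCE', 'GET', 'invokefunction&function'),
]
# CVE-2017-5638 is triggered by an OGNL expression in the Content-Type header rather
# than by the URI; the '%{' opener is assumed here as the tell-tale (not quoted from the page).
STRUTS_LABEL = 'CVE-2017-5638 Struts2 Content-Type OGNL'
STRUTS_MARKER = '%{'

# Constructed log lines (not the incident data): ts|src|dst:port|method|uri|status|content-type
SAMPLE_LOG = [
    '2022-03-09T18:16:20Z|10.0.0.5|203.0.113.10:80|POST|/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php|404|application/x-www-form-urlencoded',
    '2022-03-09T18:16:21Z|10.0.0.5|203.0.113.12:80|POST|/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php|200|application/x-www-form-urlencoded',
    '2022-03-09T18:16:22Z|10.0.0.5|198.51.100.7:8080|POST|/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php|302|application/x-www-form-urlencoded',
    '2022-03-09T18:16:23Z|10.0.0.5|203.0.113.10:80|POST|/_ignition/execute-solution|404|application/json',
    '2022-03-09T18:16:24Z|10.0.0.5|198.51.100.9:80|POST|/_ignition/execute-solution|500|application/json',
    '2022-03-09T18:16:25Z|10.0.0.5|203.0.113.44:80|GET|/index.php?s=index/think/app/invokefunction&function=phpinfo|200|-',
    '2022-03-09T18:16:26Z|10.0.0.5|198.51.100.20:80|GET|/|200|%{(#_=multipart/form-data).(#probe)}',
    '2022-03-09T18:16:27Z|10.0.0.5|203.0.113.99:80|GET|/index.html|200|-',
]


def parse_log_line(line):
    # Split one pipe-delimited record into its fields; the URI may itself contain
    # '?', '&' and '=' so only the fixed number of separators is honoured.
    ts, src, dst, method, uri, status, ctype = line.split('|', 6)
    return {'ts': ts, 'src': src, 'dst_ip': dst.rsplit(':', 1)[0], 'method': method,
            'uri': uri, 'status': int(status), 'content_type': ctype}


def classify_request(req):
    # Return the probe label for one request, or None for ordinary traffic.
    for label, method, needle in URI_PROBES:
        if req['method'] == method and needle in req['uri']:
            return label
    if STRUTS_MARKER in req['content_type']:
        return STRUTS_LABEL
    return None


def summarise_probes(lines):
    # Per probe: request count, distinct destination IPs, and the destinations that
    # answered 200/302. A 2xx/3xx only shows the path is served, not that code ran;
    # it is the cue the text uses to say the vulnerable path may be reachable.
    out = defaultdict(lambda: {'requests': 0, 'targets': set(), 'reachable': set()})
    for line in lines:
        req = parse_log_line(line)
        label = classify_request(req)
        if label is None:
            continue
        stats = out[label]
        stats['requests'] += 1
        stats['targets'].add(req['dst_ip'])
        if req['status'] in (200, 302):
            stats['reachable'].add(req['dst_ip'])
    return {label: {'requests': s['requests'], 'targets': len(s['targets']),
                    'reachable': sorted(s['reachable'])} for label, s in out.items()}


def parse_loader_uri(uri):
    # Split the non-standard query of the ldr.ps1 download into its underscore-delimited
    # fields. The meaning of each field (tag, credentials, target host:port, scheme) is
    # the reading given in the text above, not a documented format.
    path, sep, query = uri.partition('?')
    if not sep:
        return {'path': path}
    parts = query.split('_')
    if len(parts) != 4:
        return {'path': path, 'raw_query': query}
    tag, creds, target, scheme = parts
    user, _, password = creds.partition(':')
    host, _, port = target.rpartition(':')
    return {'path': path, 'tag': tag, 'user': user, 'password': password,
            'host': host, 'port': int(port) if port.isdigit() else None, 'scheme': scheme}


if __name__ == '__main__':
    for label, stats in summarise_probes(SAMPLE_LOG).items():
        print(label, stats)
    print(parse_loader_uri('/ldr.ps1?b0f895_admin:admin_81.255.222.82:8443_https'))
```

The per-probe target count is what separates a worm from a single targeted attempt: one internal host posting the same PHPUnit path to dozens of unrelated public IPs, as here, is scanning whatever the individual responses say.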
For example, between 00:05:41 UTC on March 26 and 05:00:02 UTC on April 14, around 83,389 SSH connection\r\nattempts were made to 31 unique public IPs.\r\nFigure 9: Darktrace’s Threat Visualizer shows large spikes in SSH connections by the breach device\r\nFigure 10: Beaconing SSH connections to a single external endpoint, indicating a potential brute-force attack\r\nDarktrace coverage\r\nCyber AI Analyst was able to connect the events and present them in a digestible, chronological order for the organization.\r\nIn the aftermath of any security incident, this is a convenient way for security teams to conduct assisted investigations and\r\nreduce the workload on human analysts. It is worth noting that this activity was also easily observed in real time\r\nfrom the model section of the Threat Visualizer due to the large number of escalating model breaches.\r\nFigure 11: Cyber AI Analyst consolidating the events in the month of March into a summary\r\nFigure 12: Cyber AI Analyst shows the progression of the attack through the month of March\r\nAs this incident occurred during a trial, Darktrace RESPOND was enabled in passive mode – with a valid license to display\r\nthe actions that it would have taken, but with no active control performed. In this instance, no Antigena models breached for\r\nthe initial compromised device as it was not tagged to be eligible for Antigena actions. Nonetheless, Darktrace was able to\r\nprovide visibility into these anomalous connections.\r\nHad Antigena been deployed in active mode, and the breach device appropriately tagged with Antigena All or Antigena\r\nExternal Threat, Darktrace would have been able to respond to and neutralize different stages of the attack through the\r\nnetwork inhibitors Block Matching Connections and Enforce Group Pattern of Life, and relevant Antigena models such as\r\nAntigena Suspicious File Block, Antigena Suspicious File Pattern of Life Block, Antigena Pastebin Block and Antigena Crypto\r\nCurrency Mining Block. The first of these inhibitors, Block Matching Connections, blocks the specific connection and all\r\nfuture connections that match the same criteria (e.g. all future outbound HTTP connections from the breach device to\r\ndestination port 80) for a set period of time. Enforce Group Pattern of Life allows a device to make only the connections and\r\ndata transfers that it or any of its peer group typically makes.\r\nConclusion\r\nResource hijacking results in unauthorized consumption of system resources and monetary loss for affected organizations.\r\nCompromised devices can potentially be rented out to other threat actors, and botnet operators could switch from\r\ncrypto-mining to other, more destructive illicit activities (e.g. DDoS or dropping ransomware) while changing their TTPs\r\nin the future. Defenders are constantly playing catch-up with this continual evolution, and retrospective rule- and\r\nsignature-based solutions, or threat intelligence that relies on humans to spot future threats, will not be able to keep up.\r\nIn this case, it appears the botnet operator has added a query string to the URL of the initial PowerShell loader script\r\ndownload, added Pastebin C2 for evasion and persistence, and utilized new cryptocurrency mining pools. 
Despite this,\r\nDarktrace’s Self-Learning AI was able to identify the threats the moment attackers changed their approach, detecting every\r\nstep of the attack in the network without relying on known indicators of threat.\r\nAppendix\r\nDarktrace model detections\r\nAnomalous File / Script from Rare Location\r\nAnomalous File / EXE from Rare External Location\r\nCompromise / Agent Beacon (Medium Period)\r\nCompromise / Slow Beaconing Activity To External Rare\r\nCompromise / Beaconing Activity To External Rare\r\nDevice / External Address Scan\r\nCompromise / Crypto Currency Mining Activity\r\nCompromise / High Priority Crypto Currency Mining\r\nCompromise / High Volume of Connections with Beacon Score\r\nCompromise / SSL Beaconing to Rare Destination\r\nAnomalous Connection / Multiple HTTP POSTs to Rare Hostname\r\nDevice / Large Number of Model Breaches\r\nAnomalous Connection / Multiple Failed Connections to Rare Endpoint\r\nAnomalous Connection / SSH Brute Force\r\nCompromise / SSH Beacon\r\nCompliance / SSH to Rare External AWS\r\nCompromise / High Frequency SSH Beacon\r\nCompliance / SSH to Rare External Destination\r\nDevice / Multiple C2 Model Breaches\r\nAnomalous Connection / POST to PHP on New External Host\r\nMITRE ATT\u0026CK techniques observed:\r\nIoCs\r\nThanks to Victoria Baldie and Yung Ju Chua for their contributions.\r\nFootnotes\r\n1. https://www.darktrace.com/en/blog/crypto-botnets-moving-laterally\r\n2. https://www.darktrace.com/en/blog/how-ai-uncovered-outlaws-secret-crypto-mining-operation\r\n3. https://www.lacework.com/blog/sysrv-hello-expands-infrastructure\r\n4. https://www.riskiq.com/blog/external-threat-management/sysrv-hello-cryptojacking-botnet\r\n5. https://www.virustotal.com/gui/ip-address/194.145.227.21\r\n6. https://www.virustotal.com/gui/url/c586845daa2aec275453659f287dcb302921321e04cb476b0d98d731d57c4e83?nocache=1\r\n7. https://www.abuseipdb.com/check/81.255.222.82\r\n8. https://www.virustotal.com/gui/file/586e271b5095068484446ee222a4bb0f885987a0b77e59eb24511f6d4a774c30\r\n9. https://www.virustotal.com/gui/file/f5bef6ace91110289a2977cfc9f4dbec1e32fecdbe77326e8efe7b353c58e639\r\n10. https://www.ironnet.com/blog/continued-exploitation-of-cve-2021-26084\r\n11. https://www.zdnet.com/article/njrat-trojan-operators-are-now-using-pastebin-as-alternative-to-central-command-server\r\n12. https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence\r\n13. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9841\r\n14. https://www.imperva.com/blog/the-resurrection-of-phpunit-rce-vulnerability\r\n15. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3129\r\n16. https://isc.sans.edu/forums/diary/Laravel+v842+exploit+attempts+for+CVE20213129+debug+mode+Remote+code+execution/277\r\n17. https://securitynews.sonicwall.com/xmlpost/thinkphp-remote-code-execution-rce-bug-is-actively-being-exploited\r\n18. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638\r\n19. https://sysdig.com/blog/crypto-sysrv-hello-wordpress\r\nSource: https://darktrace.com/blog/worm-like-propagation-of-sysrv-hello-crypto-jacking-botnet",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://darktrace.com/blog/worm-like-propagation-of-sysrv-hello-crypto-jacking-botnet"
	],
	"report_names": [
		"worm-like-propagation-of-sysrv-hello-crypto-jacking-botnet"
	],
	"threat_actors": [],
	"ts_created_at": 1775439154,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6af32834732ed56cb31b546dfeb90956e5f4d6d1.pdf",
		"text": "https://archive.orkl.eu/6af32834732ed56cb31b546dfeb90956e5f4d6d1.txt",
		"img": "https://archive.orkl.eu/6af32834732ed56cb31b546dfeb90956e5f4d6d1.jpg"
	}
}