New Malware Combines Ransomware, Coin Mining and Botnet Features in One

Eduardo Rocha Senior Sales Engineer and Security Analyst
2 Min read

Windows and Linux users need to beware, as an all-in-one, destructive malware strain has been discovered in the wild that features multiple malware capabilities including ransomware, cryptocurrency miner, botnet, and self-propagating worm targeting Linux and Windows systems.

Dubbed XBash, the new malware, believed to be tied to the Iron Group, a.k.a. Rocke—the Chinese speaking APT threat actors group known for previous cyber attacks involving ransomware and cryptocurrency miners.

Book a demo today to see GlobalDots is action.

Optimize cloud costs, control spend, and automate for deeper insights and efficiency.

Book a demo today to see GlobalDots is action.

According to the researchers from security vendor Palo Alto Networks, who uncovered the malware, XBash is an all-in-one malware that features ransomware and cryptocurrency mining capabilities, as well as worm-like ability similar to WannaCry or Petya/NotPetya.

In addition to self-propagating capabilities, XBash also contains a functionality, which is not yet implemented, that could allow the malware to spread quickly within an organization’s network.

Developed in Python, XBash hunts for vulnerable or unprotected web services and deletes databases such as MySQL, PostgreSQL, and MongoDB running on Linux servers, as part of its ransomware capabilities.

Once find an open port, the malware uses a weak username and password dictionary attack to brute force itself into the vulnerable service, and once in, deletes all the databases and then displays the ransom note.

What’s worrisome is that the malware itself does not contain any functionality that would allow the recovery of the deleted databases once a ransom amount has been paid by the victims.

To date, XBash has infected at least 48 victims, who have already paid the ransom, making about $6,000 to date for cybercriminals behind the threat. However, researchers see no evidence that the paid payments have resulted in the recovery of data for the victims.

The malware also has capabilities to add targeted Linux-based systems in a botnet.

Text graphic representing 'Cyber Security' with shattered glass effect.
Image Source

Read more: The Hacker News

Latest Articles

Vulnerability Assessments vs. Penetration Testing: Key Differences, Use Cases & Best Practices

They’re not interchangeable. A vulnerability assessment identifies known flaws at scale. A penetration test mimics an actual attacker probing for impact. Yet many teams treat them the same. They substitute one for the other, check a compliance box, and move on as if they’re covered. They’re not. And that gap shows up later in real-world […]

Ganesh The Awesome
7th July, 2025
Web Application Firewalls (WAFs): The Evolving First Line of Defense in Cloud Security

Modern applications are built for speed, not simplicity. Containers, microservices, and cloud-native deployments have blown up the security perimeter. Traditional tools can’t keep up with this complexity. That’s why Web Application Firewalls (WAFs) matter. But the WAF of 2025 isn’t just an appliance sitting in front of a static website. It’s a flexible, cloud-aware security […]

Ganesh The Awesome
7th July, 2025
What is an API Security Audit?

 In January 2024, a misconfigured API exposed 650,000 private messages. These included passwords and internal communications. No exploit chain. No zero-day. Just a public-facing endpoint with no authentication. This wasn’t an isolated incident. From T-Mobile and Twitter (now X) to Kronos Research and the US Treasury, attackers have consistently used APIs as entry points. They […]

Ganesh The Awesome
26th June, 2025
The Ultimate API Security Checklist for 2025

APIs are now the top attack vector in enterprise apps. In 2024 alone, breaches tied to APIs cost an average of $4.88 million, and that number is rising fast. Attackers exploit gaps in API authentication, input validation, and outdated endpoints to compromise systems. Legacy controls no longer suffice, and the OWASP API Top 10 outlines […]

Ganesh The Awesome
26th June, 2025

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

    GlobalDots' industry expertise proactively addressed structural inefficiencies that would have otherwise hindered our success. Their laser focus is why I would recommend them as a partner to other companies

    Marco Kaiser
    Marco Kaiser

    CTO

    Legal Services

    GlobalDots has helped us to scale up our innovative capabilities, and in significantly improving our service provided to our clients

    Antonio Ostuni
    Antonio Ostuni

    CIO

    IT Services

    It's common for 3rd parties to work with a limited number of vendors - GlobalDots and its multi-vendor approach is different. Thanks to GlobalDots vendors umbrella, the hybrid-cloud migration was exceedingly smooth

    Motti Shpirer
    Motti Shpirer

    VP of Infrastructure & Technology

    Advertising Services