Cryptojacking Malware on Linux Servers

Cybersecurity researchers have shed light on an "auto-propagating" cryptocurrency mining botnet called Outlaw (aka Dota) that's known for targeting SSH servers with weak credentials.

"Outlaw is a Linux malware that relies on SSH brute-force attacks, cryptocurrency mining, and worm-like propagation to infect and maintain control over systems," Elastic Security Labs said in a new analysis published Tuesday.

Outlaw is also the name given to the threat actors behind the malware. It's believed to be of Romanian origin. Other hacking groups dominating the cryptojacking landscape include 8220, Keksec (aka Kek Security), Kinsing, and TeamTNT.

Active since at least late 2018, the hacking crew has brute-forced SSH servers, abusing the foothold to conduct reconnaissance and maintain persistence on the compromised hosts by adding their own SSH keys to the "authorized_keys" file.


The attackers are also known to incorporate a multi-stage infection process that involves using a dropper shell script ("tddwrt7s.sh") to download an archive file ("dota3.tar.gz"), which is then unpacked to launch the miner while also taking steps to remove traces of past compromises and kill both the competition and their own previous miners.

A notable feature of the malware is an initial access component (aka BLITZ) that allows for self-propagation of the malware in a botnet-like fashion by scanning for vulnerable systems running an SSH service. The brute-force module is configured to fetch a target list from an SSH command-and-control (C2) server to further perpetuate the cycle.


Some iterations of the attacks have also resorted to exploiting Linux- and Unix-based operating systems susceptible to CVE-2016-8655 and CVE-2016-5195 (aka Dirty COW), as well as attacking systems with weak Telnet credentials. Upon gaining initial access, the malware deploys SHELLBOT for remote control via a C2 server using an IRC channel.

SHELLBOT, for its part, enables the execution of arbitrary shell commands, downloads and runs additional payloads, launches DDoS attacks, steals credentials, and exfiltrates sensitive information.

As part of its mining process, it determines the CPU of the infected system and enables hugepages for all CPU cores to increase memory access efficiency. The malware also makes use of a binary called kswap01 to ensure persistent communications with the threat actor's infrastructure.

"Outlaw remains active despite using basic techniques like SSH brute-forcing, SSH key manipulation, and cron-based persistence," Elastic said. "The malware deploys modified XMRig miners, leverages IRC for C2, and includes publicly available scripts for persistence and defense evasion."

Outlaw Resurfaces After a 3-Month Hiatus

In a new analysis published on April 29, 2025, Kaspersky said it observed the Outlaw Perl-based crypto mining botnet being used in a cyber attack targeting an unnamed entity's Linux environment in Brazil.

The activity involves brute-forcing an SSH server to download a shell script, which is then used to retrieve an archive file from the attacker's server. Once decompressed, the payload is responsible for checking if other known miners are present on the machine and terminating them, and then killing off running processes that use 40% or more CPU.


The malware then runs another file from the archive to set up persistence and ultimately executes a Perl script containing strings in Portuguese. Also deployed from the archive is an XMRig miner.

"This Perl script is an IRC-based botnet client that acts as a backdoor on a compromised system," Kaspersky said. "Upon execution, it disguises itself as an rsync process, creates a copy of itself in the background, and ignores termination signals."

Outlaw supports a wide range of features to execute commands, conduct DDoS attacks, perform port scans, and upload/download files, granting the attackers the ability to remotely commandeer the botnet.
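As an added example (not part of the article or of Elastic's or Kaspersky's research), here is a small Python audit for two of the persistence tricks described above: SSH keys in authorized_keys that are not on an administrator's allowlist, and a process calling itself rsync whose executable is not the real rsync binary. The key blobs, paths and process entries are constructed sample data.

```python
"""Audit two Outlaw-style persistence artefacts on a Linux host:
unknown entries in ~/.ssh/authorized_keys, and processes whose
command name is 'rsync' but whose executable is not rsync itself."""
import re
from typing import Iterable, List, Tuple

# An authorized_keys line is: [options] <type> <base64-blob> [comment]
KEY_RE = re.compile(r"(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)")


def unknown_authorized_keys(contents: str, allowed_blobs: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_no, blob) for every key whose base64 blob is not allowlisted.
    Lines that do not parse as keys are reported too, since attackers may smuggle
    options or garbage into the file."""
    allowed = set(allowed_blobs)
    findings = []
    for n, raw in enumerate(contents.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            findings.append((n, "unparseable: " + line[:40]))
        elif m.group(3) not in allowed:
            findings.append((n, m.group(3)))
    return findings


def rsync_masquerades(procs, real_rsync=("/usr/bin/rsync",)):
    """Flag processes named rsync whose resolved binary is not a known rsync path.
    procs: iterable of (pid, comm, exe) as read from /proc/<pid>/comm and
    the /proc/<pid>/exe symlink (empty exe for kernel threads)."""
    return [(pid, exe) for pid, comm, exe in procs
            if comm == "rsync" and exe not in real_rsync]


# Constructed sample data (hypothetical, not taken from the reporting above).
SAMPLE_AUTHORIZED_KEYS = """# admin key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAdminKeyBlob admin@host
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleUnknownBlob unknown@nowhere
"""
ALLOWED_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIExampleAdminKeyBlob"}
SAMPLE_PROCS = [
    (1201, "rsync", "/usr/bin/rsync"),   # legitimate rsync
    (3307, "rsync", "/usr/bin/perl"),    # a Perl script that renamed itself
    (3310, "kswapd0", ""),               # kernel thread, no exe link
]

if __name__ == "__main__":
    print("unknown keys:", unknown_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_BLOBS))
    print("rsync masquerades:", rsync_masquerades(SAMPLE_PROCS))
```

On a live host, feed the functions the contents of each user's authorized_keys and the (pid, comm, exe) triples read from /proc; any finding warrants checking the cron entries and miner binaries the article describes alongside it.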

Telemetry data from the Russian cybersecurity vendor shows that the United States, Germany, Italy, Thailand, Singapore, Taiwan, Canada, and Brazil are some of the countries where victims have been identified.

"The group was idle from December 2024 through February 2025, then a spike in the number of victims was observed in March 2025," Kaspersky researchers noted, urging system administrators to adopt appropriate measures to harden their SSH servers.

(The story was updated after publication on May 1, 2025, to include additional details of the Outlaw Campaign.)
