Years Long Linux Cryptominer Spotted Using Legit Sites to Spread Malware – Source:hackread.com

Source: hackread.com – Author: Waqas.

A recent investigation by VulnCheck has exposed a cryptomining campaign that has been running unnoticed for years. The threat actor behind this operation, using the Linuxsys miner, has been targeting vulnerable systems since at least 2021, maintaining a consistent strategy that relies heavily on compromised legitimate websites to distribute malware.

What makes this campaign more difficult to detect is the attacker’s use of real websites as malware delivery channels. Instead of hosting payloads on suspicious domains, they compromise third-party sites with valid SSL certificates and plant their download links there. This not only helps them bypass many security filters but also keeps their core infrastructure (like the downloader site repositorylinux.org) at a distance from the actual malware files.

Between July 1 and July 16 this year, VulnCheck analysts spotted repeated exploit attempts from the IP address 103.193.177.152 against a canary Apache 2.4.49 instance. These attempts were tied to the CVE-2021-41773 vulnerability. While this particular vulnerability isn’t new and continues to be a popular target, the entity exploiting it stood out.

The attackers used a simple script called linux.sh, which pulls down both the configuration file and the Linuxsys binary from a list of five compromised websites. These include domains like prepstarcenter.com, wisecode.it, and dodoma.shop, all of which are otherwise ordinary-looking sites.

According to VulnCheck’s blog post shared with Hackread.com ahead of publishing on Wednesday, the list wasn’t random. This gave the attacker backup options if one site got taken down or stopped working, so the malware could still be delivered without interruption.

The miner configuration file retrieved from these sites points to hashvault.pro as the mining pool and identifies the wallet associated with the operation. That wallet has been receiving small payouts since January 2025, averaging around 0.024 XMR per day, about $8.

While $8 sounds insignificant, the operation isn’t necessarily about high revenue. The consistency and duration suggest other goals, or possibly more mining activity elsewhere that hasn’t been observed yet.

Tracing Linuxsys back in time, it first appeared in 2021 in a blog post by Hal Pomeranz, a highly respected expert in Linux and Unix digital forensics, analysing the exploitation of the same CVE. Since then, it has been tied to multiple vulnerabilities through reports by several cybersecurity firms. These include recent CVEs like 2023-22527, 2023-34960, and 2024-36401.

All of these vulnerabilities were exploited using the same playbook: n-day vulnerability exploitation, content staging on compromised web infrastructure, and persistent mining operations. An n-day vulnerability is a security bug that’s already known and usually has a fix available. The name just means the flaw has been public for a certain number of days, with ‘n’ being how many days it’s been since the issue was first made public or patched.

There’s also some evidence that the operation isn’t limited to Linux. Two Windows executables, nssm.exe and winsys.exe, were found on the same compromised hosts. While VulnCheck didn’t observe these in action, their presence suggests a broader scope than just Linux systems.

What’s kept this campaign so low-profile is likely a combination of careful targeting and deliberate avoidance of honeypots. VulnCheck notes that the attacker appears to favour high-interaction environments, meaning typical bait servers often miss this activity entirely. This cautious approach has likely helped the campaign avoid attracting too much attention despite being active for years.

VulnCheck has released Suricata and Snort rules that detect exploit attempts for all known associated CVEs. Meanwhile, indicators of compromise include IPs, URLs, and file hashes related to the attack. They also provided detection rules that security teams can use to identify DNS queries and HTTP traffic associated with the downloader and initial payload scripts.
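As an added illustration of the kind of DNS and HTTP matching described above (this is not VulnCheck's rule set or the article's own code), the script below scans a constructed, simplified log format for the indicators the article names: the downloader site repositorylinux.org, the three named compromised staging sites, the hashvault.pro pool, the scanning IP 103.193.177.152, and the payload file names linux.sh, nssm.exe and winsys.exe. The log line format, the client IPs and timestamps in the sample, and the severity levels are all assumptions made for the example. Because the staging domains are otherwise legitimate websites, a hit on one of them alone is rated lower than a hit on the downloader, the pool or a payload file name.

```python
import re
from dataclasses import dataclass

# Indicators reported in the article: downloader site, the three named
# compromised staging sites, the mining pool and the exploit source IP.
DOWNLOADER_DOMAINS = {"repositorylinux.org"}
STAGING_DOMAINS = {"prepstarcenter.com", "wisecode.it", "dodoma.shop"}
POOL_DOMAINS = {"hashvault.pro"}
SOURCE_IPS = {"103.193.177.152"}
# File names the article associates with the campaign.
PAYLOAD_NAMES = {"linux.sh", "nssm.exe", "winsys.exe"}

# Constructed log format (an assumption for this example, not a real rule format):
#   <timestamp> dns  <client_ip> <query_name>
#   <timestamp> http <client_ip> <host> <method> <path>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<kind>dns|http)\s+(?P<src>\S+)\s+(?P<host>\S+)"
    r"(?:\s+(?P<method>[A-Z]+)\s+(?P<path>\S+))?$"
)


@dataclass(frozen=True)
class Hit:
    line_no: int
    severity: str  # "high" or "medium"
    reason: str
    indicator: str


def domain_matches(name, domains):
    """True if `name` equals or is a subdomain of any entry in `domains`."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def classify(rec):
    """Return (severity, reason, indicator) for one parsed record, or None."""
    host = rec["host"]
    if rec["src"] in SOURCE_IPS:
        return ("high", "traffic from known exploit source IP", rec["src"])
    if domain_matches(host, DOWNLOADER_DOMAINS):
        return ("high", "contact with downloader site", host)
    if domain_matches(host, POOL_DOMAINS):
        return ("high", "contact with mining pool", host)
    path = rec.get("path") or ""
    basename = path.rsplit("/", 1)[-1].lower()
    if basename in PAYLOAD_NAMES:
        return ("high", "request for campaign payload file", basename)
    if domain_matches(host, STAGING_DOMAINS):
        # Compromised sites are otherwise legitimate: flag with lower confidence.
        return ("medium", "contact with compromised staging site", host)
    return None


def scan_log(lines):
    """Parse each line and return a Hit for every record matching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than fail the whole scan
        verdict = classify(m.groupdict())
        if verdict:
            hits.append(Hit(n, *verdict))
    return hits


# Constructed sample lines; client IPs, timestamps and paths are invented.
SAMPLE_LOG = [
    "2025-07-10T12:00:01Z dns 10.0.0.5 repositorylinux.org",
    "2025-07-10T12:00:02Z http 10.0.0.5 prepstarcenter.com GET /linux.sh",
    "2025-07-10T12:00:03Z http 10.0.0.5 www.wisecode.it GET /index.html",
    "2025-07-10T12:00:04Z dns 10.0.0.5 hashvault.pro",
    "2025-07-10T12:00:05Z http 103.193.177.152 10.0.0.5 GET /",
    "2025-07-10T12:00:06Z http 10.0.0.7 example.org GET /about",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: [{h.severity}] {h.reason}: {h.indicator}")
```

Running the block as a script prints five hits for the six sample lines; the request to example.org produces none. The subdomain check in `domain_matches` is what catches `www.wisecode.it`, while refusing to match look-alike names such as `nothashvault.pro`.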

Original Post url: https://hackread.com/linux-cryptominer-using-legit-sites-to-spread-malware/

Category & Tags: Security, Malware, Cryptominer, Cybersecurity, Linuxsys, Monero, VulnCheck, Vulnerability, Windows, XMR
