Years Long Linux Cryptominer Spotted Using Legit Sites to Spread Malware
hackread.com

A recent investigation by VulnCheck has exposed a cryptomining campaign that has been running unnoticed for years. The threat actor behind this operation, using the Linuxsys miner, has been targeting vulnerable systems since at least 2021, maintaining a consistent strategy that relies heavily on compromised legitimate websites to distribute malware.

What makes this campaign more difficult to detect is the attacker's use of real websites as malware delivery channels. Instead of hosting payloads on suspicious domains, they compromise third-party sites with valid SSL certificates and plant their download links there. This not only helps them bypass many security filters but also keeps their core infrastructure (like the downloader site repositorylinux.org) at a distance from the actual malware files.

Between July 1 and July 16 this year, VulnCheck analysts spotted repeated exploit attempts from the IP address 103.193.177.152 against a canary Apache 2.4.49 instance ...

Copyright of this story solely belongs to hackread.com.