V3G4 botnet evolves: from DDoS to covert cryptomining

Intel Name: V3G4 botnet evolves: from DDoS to covert cryptomining

Date of Scan: December 4, 2025

Impact: High

Summary:
An active Linux-targeting campaign is deploying a Mirai-derived botnet called V3G4, now enhanced with a stealthy, fileless-configured XMRig Monero cryptominer. The attack uses a multi-stage chain delivering architecture-specific binaries across x86_64, ARM, and MIPS devices, where the bot disguises itself as systemd-logind, conducts reconnaissance, and performs large-scale SSH scanning. It maintains persistent C2 communication and dynamically activates a concealed miner at runtime, blending traditional Mirai DDoS capabilities with covert cryptomining.
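One way to check a Linux host for the process-name disguise described above (an added example, not code from the original report): it flags any process that presents itself as systemd-logind through its comm or argv[0] while running from a different or deleted binary. The expected install paths, the function names and the sample records are assumptions made for this example.

```python
import os

NAME = "systemd-logind"
# Assumption: install paths of the genuine binary on common distributions.
EXPECTED_EXE = {"/usr/lib/systemd/systemd-logind", "/lib/systemd/systemd-logind"}

def find_masquerades(procs):
    """Return (pid, reason) for processes using the name but not the real binary."""
    hits = []
    for p in procs:
        argv0 = p["cmdline"][0] if p["cmdline"] else ""
        if p["comm"] != NAME and os.path.basename(argv0) != NAME:
            continue  # does not present itself as systemd-logind
        exe = p["exe"]
        if exe is None:
            hits.append((p["pid"], "exe unreadable (rerun as root)"))
        elif exe.endswith(" (deleted)"):
            hits.append((p["pid"], "binary deleted from disk"))
        elif exe not in EXPECTED_EXE:
            hits.append((p["pid"], "unexpected binary: " + exe))
    return hits

def read_procs(root="/proc"):
    """Collect pid, comm, exe and cmdline for each readable process (Linux only)."""
    procs = []
    for entry in filter(str.isdigit, os.listdir(root)):
        base = os.path.join(root, entry)
        try:
            with open(os.path.join(base, "comm"), errors="replace") as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue  # process exited while we were reading
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = None  # kernel thread or insufficient privilege
        procs.append({"pid": int(entry), "comm": comm, "exe": exe, "cmdline": cmdline})
    return procs

# Constructed sample records for illustration; not data from the campaign.
SAMPLE = [
    {"pid": 612, "comm": NAME, "exe": "/usr/lib/systemd/systemd-logind",
     "cmdline": ["/usr/lib/systemd/systemd-logind"]},
    {"pid": 4821, "comm": NAME, "exe": "/tmp/sample-a (deleted)", "cmdline": [NAME]},
    {"pid": 4907, "comm": "sample-b", "exe": "/var/tmp/sample-b", "cmdline": [NAME]},
    {"pid": 900, "comm": "sshd", "exe": "/usr/sbin/sshd", "cmdline": ["/usr/sbin/sshd", "-D"]},
]

if __name__ == "__main__":
    for pid, reason in find_masquerades(read_procs() if os.path.isdir("/proc/1") else SAMPLE):
        print(pid, reason)
```

Run it as root so `/proc/<pid>/exe` is readable for every process. A genuine systemd-logind that has not been restarted since a package upgrade can also show a deleted binary, so confirm a hit before acting on it.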
