Outlaw

Outlaw is a long-running Linux-focused cryptomining botnet and intrusion set, also referred to in the provided reporting as Dota and Shellbot. The content describes it as a Perl-based crypto-mining botnet that typically compromises systems through weak or default SSH credentials, with additional reporting tying it to brute-force activity against SSH and Telnet, PHP web shells, and exploitation of CVE-2016-8655 and Dirty COW (CVE-2016-5195). Trend Micro is cited as first identifying the group in 2018. Across the reporting, Outlaw targets Linux and Unix systems, including servers and IoT devices. Victim telemetry cited in the content places activity mainly in the United States, with additional victims in Germany, Italy, Thailand, Singapore, Taiwan, Canada, Brazil, and broader targeting in the United States and Europe. One report states researchers assessed the kits were designed to steal information from the automotive and finance industries, but the dominant activity directly described is illicit monetization through Monero mining and botnet operations. The intrusion playbook consistently includes post-compromise SSH persistence by deleting and recreating the victim’s .ssh directory and writing an attacker-controlled public key into authorized_keys. The inserted key is repeatedly associated with the comment string "mdrfckr," which multiple sources in the content link to the Outlaw/Dota family. The same authorized_keys artifact is associated with SHA-256 a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2. Reporting also notes defensive-disarm commands such as chattr -ia .ssh and lockr -ia .ssh before overwriting SSH files, password changes on compromised hosts, and recurring reconnaissance commands such as uname and resource checks. The malware/tooling described includes shell-script downloaders, hidden working directories such as .configrc5 and /tmp/.X19-unix, persistence via cron and looping init scripts, and a Perl IRC backdoor disguised as rsync. The IRC bot connects to hardcoded IRC infrastructure over port 443, uses randomized nicknames, and supports command execution, DDoS, port scanning, file download, and HTTP upload. Mining functionality includes a UPX-packed modified XMRig 6.19.0 configured for CPU-only Monero mining, with Tor-related components and multiple mining pools. The toolkit also removes competing miners and prior infections, resets cron, kills suspicious or rival high-CPU processes, and in some reporting changes the root password to a random string. The content documents continued operational evolution. Kaspersky reported renewed activity after apparent inactivity from December 2024 through February 2025, followed by a spike in March 2025. Separate April 2026 observations tie the same Outlaw/Shellbot authorized_keys persistence playbook to a new SSH client fingerprint lineage using banner SSH-2.0-libssh_0.11.1 and hassh 03a80b21afa810682a776a7d42e5e6fb, while retaining the stable "mdrfckr" key, command sequence, credential dictionary, and cleanup behavior. Earlier reporting cited prior libssh-based fingerprints for the same campaign. Known aliases directly mentioned in the content are Dota and Shellbot. The content also references related naming such as the Outlaw Hacking Group and notes overlap with broader Linux cryptomining ecosystems, but only the aliases explicitly tied to this actor in the reporting are included here.