How does a Romanian cybercrime group evolve from basic cryptojacking into a sophisticated multi-faceted threat? Diicot, formerly known as Mexals, has been quietly building its arsenal since 2020. Romanian-language strings littered throughout their code give away their origins. They named themselves after DIICOT, Romania’s own directorate for investigating organized crime and terrorism. Ironic, really.
Their technical evolution is something to behold. Gone are the simple shc-compiled shell scripts, replaced with slick Go-based tools. They’ve mastered the art of UPX packing, deliberately corrupting the header checksums so that upx -d and automated unpackers refuse to touch the sample, while the binary’s own decompression stub, which never verifies them, still runs. Smart. Their malware now recognizes its environment – cloud or traditional – and adapts accordingly. The group has added the Zephyr protocol to its Monero mining operations, which makes the mining harder to detect. It’s like watching a digital predator evolve in real-time.
Diicot isn’t just mining crypto anymore. They’ve branched out. Their toolkit now includes a Mirai-based botnet agent called Cayosin. OpenWrt routers are prime targets, perfect for building DDoS capabilities. Their self-propagating tools move laterally through networks with alarming efficiency. They’re scanning the internet constantly, hunting for vulnerable systems. The group’s recent earnings have exceeded $16,000 from Monero mining operations alone.
Cryptocurrency mining was just the gateway. Now, Diicot builds router botnets and hunts vulnerable systems with predatory precision.
Their command and control has leveled up too. Discord channels? That’s so 2020. Now it’s HTTP communication with API-based controls and heavy traffic obfuscation. Multiple cryptocurrency wallets, different mining pools. They’re diversifying their portfolio, as any good criminal enterprise should. Zero Trust principles – no implicit trust between hosts, strong authentication on every service, segmentation that keeps one compromised box from reaching the rest of the network – would take away the lateral movement these attacks depend on.
Linux machines running OpenSSH with weak passwords don’t stand a chance. Their custom brute-forcing tool (“aliases”) makes quick work of poor security. The defense is unglamorous: turn off password authentication in sshd_config, use keys, don’t expose root, and alert on bursts of failed logins from a single source. Once inside, they deploy different approaches for cloud versus traditional environments. Clever.
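To show the defender’s side of that password-guessing phase, here is an added example (written for this page, not Diicot’s tooling or any vendor’s code). It flags brute-force bursts in syslog-style OpenSSH auth.log lines, notes whether a password login from the same source was accepted afterwards, and audits sshd_config for the two settings that make such bursts pay off. The log lines, the config, the threshold and the time window are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (synthetic; not captured Diicot traffic).
SAMPLE_AUTH_LOG = """\
Jun 12 03:14:01 web01 sshd[1423]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jun 12 03:14:03 web01 sshd[1425]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Jun 12 03:14:04 web01 sshd[1427]: Failed password for invalid user oracle from 203.0.113.45 port 51041 ssh2
Jun 12 03:14:06 web01 sshd[1429]: Failed password for root from 203.0.113.45 port 51050 ssh2
Jun 12 03:14:07 web01 sshd[1431]: Failed password for invalid user test from 203.0.113.45 port 51062 ssh2
Jun 12 03:14:09 web01 sshd[1433]: Accepted password for root from 203.0.113.45 port 51070 ssh2
Jun 12 03:20:11 web01 sshd[1500]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jun 12 03:20:19 web01 sshd[1502]: Accepted publickey for alice from 198.51.100.7 port 40023 ssh2
"""

# Constructed sshd_config with the weak settings. Note the trap on the third
# and fourth lines: sshd keeps the FIRST value it sees for a keyword, so the
# later 'no' does nothing, and the Match block only applies to one user.
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_events(log_text):
    """Turn auth.log lines into dicts; lines that are not auth results are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; fine for measuring gaps within one log
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: finding} for sources with `threshold` failed logins
    inside any `window_seconds` span (threshold/window are assumed tuning)."""
    by_ip = defaultdict(list)
    for e in parse_events(log_text):
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        burst_start = None
        for i in range(len(fails) - threshold + 1):
            span = (fails[i + threshold - 1]["ts"] - fails[i]["ts"]).total_seconds()
            if span <= window_seconds:
                burst_start = fails[i]["ts"]
                break
        if burst_start is None:
            continue
        # An accepted *password* login from the same source after the burst is
        # the signal that the guessing worked; key logins are not counted.
        compromised = any(e["result"] == "Accepted" and e["method"] == "password"
                          and e["ts"] >= burst_start for e in evs)
        findings[ip] = {"failures": len(fails),
                        "users": sorted({e["user"] for e in fails}),
                        "accepted_password_after_burst": compromised}
    return findings


def audit_sshd_config(config_text):
    """Report the effective global values that invite password guessing."""
    effective = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break  # everything after the first Match is conditional, not global
        effective.setdefault(key, value)  # first value wins, as sshd does it
    findings = []
    if effective.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication is effectively yes (sshd default); set no and use keys")
    if effective.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes lets the guesser go straight for root")
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, f)
    for problem in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("sshd_config:", problem)
```

On a real host, compare the audit against sshd -T, which prints the effective configuration after sshd has resolved first-value-wins and Match blocks; the script above deliberately stops at the first Match because what follows it is not a global default.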
They’re learning, adapting. Reading the same threat intelligence reports as the defenders. Deleting attack artifacts, clearing histories, generating dynamic payloads. Security sandboxes don’t fool them – their malware knows when it’s being analyzed.
What started as simple cryptojacking has morphed into something more sinister. Data exfiltration. Custom attack tools. Persistence mechanisms that survive reboots. The sophistication grows with each campaign. And they’re just getting started.