June 3, 2023

Researchers have discovered that the Abcbot botnet is connected to cryptocurrency-mining botnet attacks carried out by the Xanthe malware group.

A report has been released highlighting that the same threat group is working behind Xanthe malware and Abcbot botnet.


There is an overlap between the two malware when it comes to similar coding styles, an identical pattern of giving names to routines, with some functions with similar names and implementation and a word ‘go’ added to the end of the function names.

Abcbot botnet creates four malicious users of its own by using generic names such as sysall, logger, system. Users with the same usernames were observed in Xanthe samples too.

Experts added that cybercriminals could be doing away with cryptomining attempts and moving toward traditional botnet functionality of pursuing DDoS attacks.

First discovered the Abcbot attacks in November 2021. The attacks had used shell scripts targeting insecure cloud instances managed by various cloud service providers. Since then, the Abcbot version of the function has been updated multiple times, with a new function being added in every phase of the update.


Multiple code and feature-level similarities imply that the same group is operating both Abcbot and Xanthe. Moreover, gradual updates in the botnet’s capabilities are attempts by its creators to mature it further for bigger campaigns.

Leave a Reply

%d bloggers like this: