October 2, 2023

Researchers have detailed, and warned about, a new campaign by an emerging Romanian threat actor named Diicot, formerly known as Mexals, that involves previously unreported brute-forcing malware payloads.

Diicot, previously known for conducting cryptojacking campaigns and offering malware-as-a-service, has been active since at least 2020 and is connected with Romanian organized crime and an anti-terrorism policing unit also named Diicot.


Researchers identified that Diicot is deploying a Mirai-based botnet agent named Cayosin, which targets routers running OpenWRT, the Linux-based operating system for embedded devices. The deployment of Cayosin is said to indicate Diicot's versatility, showing the group engaged in various types of attacks beyond cryptojacking.

Researchers also found that one of Diicot's servers hosts a Romanian-language doxing video featuring a feud between the group and other online personas. The finding is said to suggest that Diicot is actively involved in exposing PII, in addition to its other malicious activities.

Diicot has demonstrated its intention to target SSH servers with password authentication enabled. The ongoing campaign involves a limited list of username/password pairs, including default and easily guessed credentials.


The researchers note that analysing Diicot's campaign was a laborious task because of the convoluted execution chain and basic obfuscation techniques used by the hacking gang. However, the group's payloads often exhibit noisy behavior, making them detectable with proper network monitoring.

It’s crucial for organizations to implement effective countermeasures.

  • Apply basic SSH hardening measures, such as mandating key-based authentication for SSH instances.
  • Organizations should also implement firewall rules to restrict SSH access to specific IP addresses, which can significantly bolster security defenses against this malware family.
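
To check the first recommendation on a host, the following added example (not taken from the researchers' report or from this post) audits the text of an sshd_config for settings that still leave a password-style login path open. It assumes OpenSSH's documented defaults for absent keywords and does not follow Include files; the sample configuration is constructed for illustration.

```python
# Added example (not from the original post): check sshd_config text for
# settings that still allow password-style SSH logins.
# Assumed defaults are OpenSSH's documented values when a keyword is absent.
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
# Deprecated spelling still found in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
WANTED = {"passwordauthentication": "no",
          "kbdinteractiveauthentication": "no",
          "pubkeyauthentication": "yes"}

def audit(config_text):
    """Return findings; an empty list means key-only authentication."""
    seen, findings, match = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        arg = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":          # later lines apply only to this Match block
            match = arg
        elif key in WANTED:
            value = arg.strip('"').lower()
            if match is not None:   # a Match block can re-enable passwords
                if value != WANTED[key]:
                    findings.append(f"Match {match}: {key} {value}")
            elif key not in seen:   # sshd keeps the first value it reads
                seen[key] = value
    for key, wanted in WANTED.items():
        value = seen.get(key, DEFAULTS[key])
        if value != wanted:
            origin = "set" if key in seen else "default"
            findings.append(f"global: {key} {value} ({origin})")
    return findings

# Constructed sample: password logins "disabled" too late, plus a Match override.
SAMPLE = """\
# constructed sshd_config for illustration
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a live host, the output of `sshd -T` shows the effective settings the daemon itself resolves and should be treated as authoritative.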

This was analysed and documented by researchers from Cado Security.
