Exposed BYOB C2 Infrastructure Reveals a Multi-Stage Malware Deployment
An exposed open directory on a command and control server revealed a complete deployment of the BYOB (Build Your Own Botnet) framework. The multi-stage infection chain targets Windows, Linux, and macOS platforms, implementing seven persistence mechanisms. The malware includes extensive post-exploitation capabilities such as keylogging, packet capture, and email harvesting. Analysis uncovered a modular design with encrypted C2 communications and infrastructure reuse across multiple regions. Two nodes also hosted XMRig cryptocurrency miners, indicating additional monetization efforts. The campaign has been operational for approximately 10 months, demonstrating geographic and provider diversification in its infrastructure.
AI Analysis
Technical Summary
This threat involves the BYOB (Build Your Own Botnet) framework, a sophisticated multi-stage malware campaign uncovered through an exposed open directory on a command and control server. The malware targets multiple operating systems—Windows, Linux, and macOS—making it highly versatile and capable of infecting a wide range of endpoints. The infection chain employs seven distinct persistence mechanisms, which include scheduled tasks, registry modifications, and launch agents, ensuring the malware remains active even after system reboots or user logouts. Post-exploitation capabilities are extensive, featuring keylogging to capture user input, packet capture to intercept network traffic, and email harvesting to steal sensitive communications. The malware’s modular architecture allows operators to load and update components dynamically, enhancing adaptability and evasion. Communications with the C2 servers are encrypted, complicating network detection and analysis. The infrastructure shows reuse of nodes across different geographic regions and hosting providers, indicating an operational strategy to maintain resilience and avoid disruption. Additionally, two C2 nodes were found hosting XMRig cryptocurrency miners, suggesting that the attackers monetize compromised systems beyond traditional botnet activities. The campaign has been active for about 10 months, reflecting a persistent and ongoing threat. Indicators such as file hashes and URLs to payloads and stagers have been identified, enabling defenders to detect and block infection attempts. Although no public CVEs or exploits are linked to this malware, its cross-platform reach and multi-stage persistence make it a significant threat vector.
Potential Impact
European organizations face considerable risks from this malware due to its cross-platform targeting and advanced persistence mechanisms. The ability to infect Windows, Linux, and macOS systems means that diverse IT environments common in Europe are vulnerable. The post-exploitation capabilities threaten confidentiality by capturing keystrokes, emails, and network packets, potentially exposing sensitive corporate data, intellectual property, and personal information. The presence of cryptomining components can degrade system performance and increase operational costs through higher energy consumption. The modular and encrypted nature of the malware complicates detection and response, increasing dwell time and potential damage. Infrastructure reuse and geographic diversification of C2 servers make takedown efforts challenging, allowing sustained campaigns against European targets. Organizations in critical sectors such as finance, healthcare, and government could experience data breaches, espionage, and resource depletion. The medium severity rating reflects the balance between the malware’s capabilities and the absence of known exploits in the wild, but the threat remains significant due to its persistence and stealth.
Mitigation Recommendations
1. Implement advanced endpoint detection and response (EDR) solutions capable of identifying the seven known persistence mechanisms used by BYOB, including scheduled tasks, registry run keys, and launch agents.
2. Monitor network traffic for encrypted C2 communications, focusing on anomalous outbound connections to known malicious IPs and URLs such as those identified (e.g., http://38.255.43.60:8081).
3. Deploy network segmentation to limit lateral movement and isolate critical systems from general user environments.
4. Use threat intelligence feeds to block identified file hashes and URLs at the gateway and endpoint levels.
5. Conduct regular audits of system and user accounts to detect unauthorized persistence artifacts and unusual activity.
6. Harden email systems and implement anti-phishing controls to reduce the risk of initial infection vectors.
7. Employ behavioral analytics to detect cryptomining activity and unusual resource consumption indicative of XMRig miners.
8. Maintain up-to-date backups and incident response plans tailored to multi-platform environments.
9. Collaborate with hosting providers and law enforcement to report and disrupt C2 infrastructure.
10. Educate users on the risks of executing unknown scripts or payloads, especially from untrusted sources.
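As an added example (not code from the hunt.io analysis or the AlienVault pulse), the script below applies recommendations 2 and 4 to proxy logs: it normalizes the two C2 URLs listed on this page (collapsing the repeated slashes and the stray trailing quote) and checks constructed log lines for an exact indicator match, any contact with the C2 host, or the BYOB-style /clients/stagers/ and /clients/payloads/ path layout on another host. The log format, the client addresses, and the path-layout heuristic are assumptions.

```python
"""Match proxy-log URLs against the BYOB C2 indicators quoted on this page (constructed data)."""
import re
from urllib.parse import urlsplit

# IoC URLs exactly as listed on the page (the trailing quote is an artifact)
IOC_URLS = [
    "http://38.255.43.60:8081////clients/payloads/kxe.py'",
    "http://38.255.43.60:8081////clients/stagers/kxe.py'",
]
# Assumption: BYOB serves stagers/payloads under these directories (as the
# two listed URLs do), so the same layout on another host is worth a look.
SUSPECT_PREFIXES = ("/clients/stagers/", "/clients/payloads/")
# Assumed log layout: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

def normalize(url):
    """Return (host:port, path) with repeated slashes collapsed and stray
    quotes stripped, so IoC entries and log fields compare equally."""
    parts = urlsplit(url.strip().strip("'\""))
    path = re.sub(r"/{2,}", "/", parts.path) or "/"
    return parts.netloc.lower(), path

IOC_ENDPOINTS = {normalize(u) for u in IOC_URLS}
IOC_HOSTS = {host for host, _ in IOC_ENDPOINTS}

def classify(url):
    """Return a verdict label for one URL, or None if nothing matches."""
    host, path = normalize(url)
    if (host, path) in IOC_ENDPOINTS:
        return "exact-ioc"
    if host in IOC_HOSTS:
        return "known-c2-host"
    if path.startswith(SUSPECT_PREFIXES) and path.endswith(".py"):
        return "byob-like-path"
    return None

def scan(lines):
    """Return (client-ip, url, verdict) for every log line that matches."""
    hits = []
    for m in filter(None, map(LOG_RE.match, lines)):
        verdict = classify(m.group(4))
        if verdict:
            hits.append((m.group(2), m.group(4), verdict))
    return hits

# Constructed proxy log lines for demonstration
SAMPLE_LOG = [
    "2026-01-29T16:27:48Z 10.0.0.12 GET http://38.255.43.60:8081//clients/stagers/kxe.py 200",
    "2026-01-29T16:28:01Z 10.0.0.12 GET http://38.255.43.60:8081/ 200",
    "2026-01-29T16:30:10Z 10.0.0.15 GET http://198.51.100.7/clients/payloads/x.py 200",
    "2026-01-29T16:31:00Z 10.0.0.20 GET https://example.org/index.html 200",
]
```

Running scan(SAMPLE_LOG) flags the first three lines with the verdicts exact-ioc, known-c2-host and byob-like-path; a host-only hit is the one to escalate even when the path differs, since the page notes the C2 nodes are reused across regions.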
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- url: http://38.255.43.60:8081////clients/payloads/kxe.py'
- url: http://38.255.43.60:8081////clients/stagers/kxe.py'
Technical Details
- Author: AlienVault
- TLP: white
- References: https://hunt.io/blog/exposed-byob-c2-infrastructure-multi-stage-malware-deployment
- Adversary: null
- Pulse Id: 697b5776280717e17bf1db93
- Threat Score: null
Threat ID: 697b8a84ac063202229c76ef
Added to database: 1/29/2026, 4:27:48 PM
Last enriched: 1/29/2026, 4:42:36 PM
Last updated: 2/7/2026, 3:20:19 PM