Security News > 2024 > April > RUBYCARP hackers linked to 10-year-old cryptomining botnet
A Romanian botnet group named 'RUBYCARP' is leveraging known vulnerabilities and performing brute force attacks to breach corporate networks and compromise servers for financial gain.
According to a new report by Sysdig, RUBYCARP currently operates a botnet managed via private IRC channels comprising over 600 compromised servers.
Sysdig has found 39 variants of the RUBYCARP botnet's Perl-based payload, with only eight appearing on VirusTotal, illustrating low detection rates for the activity.
"The Sysdig Threat Research Team recently discovered a long-running botnet operated by a Romanian threat actor group, which we are calling RUBYCARP," explains the researchers.
Once the shellbot payload is installed on a compromised server, it connects to the IRC-based command and control server and becomes part of the botnet.
Though RUBYCARP is not among the largest botnet operators out there, the fact that they have managed to operate largely undetected for over a decade shows a degree of stealth and operational security.