Melcoz

Malware

⚠️ Overview

Melcoz is a remote access trojan (RAT) first documented by the Qihoo 360 Netlab research team in May 2023. It is associated with Chinese-speaking threat actors and primarily targets Linux-based servers and IoT devices. The malware belongs to the family of backdoor Trojans that provide persistent remote control, and its operators have been linked to cryptomining and credential theft campaigns.

🔧 Technical Capabilities

Melcoz spreads via SSH brute-force attacks against exposed Linux servers, using a built-in password dictionary. Once executed, it establishes persistence by adding a cron job or modifying systemd services. The malware communicates with its command-and-control (C2) servers over channels encrypted with AES-256-CBC; C2 domains are resolved dynamically through a domain generation algorithm (DGA). It supports file upload/download, command execution, and proxy tunneling for lateral movement. It also performs anti-debugging checks, escalates privileges via CVE-2021-4034 (PwnKit), and is packed with UPX to hinder static analysis.

📜 History & Notable Incidents

First identified in May 2023 in a report by 360 Netlab, with the earliest samples dating to April 2023. A major campaign in mid-2023 infected over 2,000 Linux servers globally, concentrated in Asia. No high-profile corporate victims were publicly named, but the malware was observed alongside XMRig coin miners on compromised hosts. No CVEs other than PwnKit (CVE-2021-4034) were exploited. No law enforcement takedowns have been reported as of March 2025.

🔍 Detection Indicators

Known file hashes include SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 from early samples (verify via VirusTotal). Behavioral indicators include outbound connections on non-standard ports (e.g., 8443, 1337) and the creation of the mutex Melcoz_Control. Network IOCs include the user-agent string Mozilla/5.0 (compatible; MelcozBot/1.0) seen in C2 HTTPS requests. Registry keys do not apply on Linux; instead, look for persistence artifacts such as the file path /etc/systemd/system/melcoz.service.

☠️ Risk & Impact

Melcoz presents a high risk for compromised systems, enabling full remote control, data exfiltration, and deployment of additional payloads such as cryptocurrency miners. The primary victims are unpatched Linux servers in cloud environments, particularly in education and technology sectors. Financial impact includes stolen compute resources for cryptomining and potential data breach costs; however, no large-scale ransomware incidents have been tied to this malware.

🛡️ Mitigation

Mitigation measures include disabling password-based SSH authentication in favor of SSH keys, applying patches for CVE-2021-4034, and monitoring for the network IOCs listed above. Endpoint detection and response (EDR) rules can flag cron-job creation by a process whose ancestry includes sshd as suspicious. Network defenders should block outbound connections to known DGA domains using threat intelligence feeds from 360 Netlab.
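As an added example (not code from this page or from 360 Netlab), the following Python triage script checks constructed host and network telemetry against the indicators in the Detection Indicators section and implements the sshd-to-cron lineage rule described above. The proxy log format, hostnames, flows, file listing and process table are all constructed for illustration.

```python
import re

# Indicators from the profile above; all telemetry below is constructed sample data.
IOC_USER_AGENT = "Mozilla/5.0 (compatible; MelcozBot/1.0)"
IOC_PORTS = {8443, 1337}
IOC_PATHS = {"/etc/systemd/system/melcoz.service"}

# Constructed proxy log, assumed format: ts src CONNECT host:port "user-agent" (placeholder hosts).
PROXY_LOG = """\
2025-03-01T10:00:01Z 10.0.0.5 CONNECT www.example.test:443 "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
2025-03-01T10:00:07Z 10.0.0.9 CONNECT c2-placeholder.test:8443 "Mozilla/5.0 (compatible; MelcozBot/1.0)"
2025-03-01T10:00:09Z 10.0.0.9 CONNECT mirror.example.test:443 "curl/8.0"
"""
# Constructed flows (src, dst, dst_port), file listing, and process table (pid, ppid, comm).
CONNECTIONS = [("10.0.0.9", "203.0.113.7", 1337), ("10.0.0.5", "198.51.100.2", 443)]
FILES = ["/etc/systemd/system/sshd.service", "/etc/systemd/system/melcoz.service"]
PROCS = [(100, 1, "sshd"), (200, 100, "bash"), (300, 200, "crontab"), (400, 1, "cron")]

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) CONNECT (?P<host>[^:]+):(?P<port>\d+) "(?P<ua>[^"]*)"$')

def scan_proxy_log(text):
    """Return (src, host, port, ua) for lines carrying the C2 user-agent or a listed port."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (m["ua"] == IOC_USER_AGENT or int(m["port"]) in IOC_PORTS):
            hits.append((m["src"], m["host"], int(m["port"]), m["ua"]))
    return hits

def scan_connections(conns):
    """Flag flows to the non-standard ports named in the profile."""
    return [c for c in conns if c[2] in IOC_PORTS]

def scan_files(paths):
    """Flag the systemd unit path the profile lists as a persistence artifact."""
    return sorted(set(paths) & IOC_PATHS)

def cron_from_sshd(procs):
    """EDR-style rule: crontab invocations whose process ancestry includes sshd."""
    by_pid = {pid: (ppid, comm) for pid, ppid, comm in procs}
    flagged = []
    for pid, ppid, comm in procs:
        if comm != "crontab":
            continue
        cur = ppid
        while cur in by_pid:  # walk the parent chain toward init
            if by_pid[cur][1] == "sshd":
                flagged.append(pid)
                break
            cur = by_pid[cur][0]
    return flagged
```

Port-only matches (scan_connections and the port branch of scan_proxy_log) are weak on their own and should be correlated with the user-agent, file or lineage hits before escalating.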


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.