👤 KERNELWATCHER
🗓️ 17 Mar 2026  

Botnets and Crypto Miners Invade the Backbone: How CondiBot and Monaco Are Turning Network Devices Into Criminal Goldmines

New malware campaigns target routers and IoT devices for DDoS and cryptojacking, signaling a dangerous shift in cybercrime strategy.

In a dimly lit server room, humming routers and blinking switches have long been the silent workhorses of the internet. But in 2026, these once-overlooked devices have become prime real estate for cybercriminals. Two new malware strains - CondiBot and Monaco - are leading a wave of attacks that transform everyday network hardware into engines of digital chaos and illicit profit.

Network Devices: The Newest Criminal Playground

For years, routers, switches, and IoT devices were the quiet backbone of enterprise and home networks - rarely patched, rarely monitored, and rarely considered the frontline of cyberattacks. That complacency has ended. Recent research reveals that financially motivated cybercriminals, not just nation-state actors, are systematically exploiting these devices at scale.

On March 6, 2026, security analysts captured samples of two sophisticated malware threats. The first, CondiBot, is an evolved descendant of the notorious Mirai botnet. Written in C and engineered for multiple processor types, CondiBot infects Linux-based systems, disables reboots, and ruthlessly eliminates rival malware. It connects to a hardcoded command-and-control server and can unleash 32 different types of network-flooding attacks - turning infected devices into unwitting soldiers in massive Distributed Denial of Service (DDoS) campaigns.

Monaco, the second threat, takes a different but equally insidious approach. Written in Go, Monaco hunts the internet for exposed SSH servers, routers, and IoT gadgets. Using a list of hardcoded credentials like “root” and “admin,” it brute-forces its way into vulnerable devices, then quietly installs Monero cryptocurrency miners. The result: attackers siphon off computing power globally, raking in digital coins while victims remain largely unaware.

This shift is no anomaly. Industry reports paint a stark picture: vulnerability exploitation in network hardware has skyrocketed, and nearly one in four zero-day attacks now strike network appliances. The days when endpoint security alone could protect an organization are gone. Today, the threat is embedded in the very infrastructure that connects the digital world.

Blind Spots and Next Steps

As cybercriminals weaponize network infrastructure, traditional defenses fall short. Experts urge organizations to invest in device-level visibility - monitoring firmware, detecting anomalous behavior, and patching network hardware as rigorously as PCs or servers. The frontlines of cybercrime have shifted, and so too must our defenses.
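One way to act on the "detecting anomalous behavior" advice for Monaco-style SSH credential guessing is the following added example, which is not code from the original article or from the researchers it cites. It assumes standard OpenSSH `sshd` log messages; the function name, threshold and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Account names the article says Monaco tries; extend for your own device fleet.
DEFAULT_USERS = {"root", "admin"}

# Standard OpenSSH sshd password-authentication messages.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def triage(lines, threshold=3):
    """Return {source_ip: verdict} for sources guessing default accounts.

    'bruteforce': at least `threshold` failed logins on default accounts.
    'compromised': the same, followed by a successful password login.
    """
    failures = defaultdict(int)
    verdicts = {}
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            if user in DEFAULT_USERS:
                failures[src] += 1
                if failures[src] >= threshold:
                    verdicts.setdefault(src, "bruteforce")
        elif failures[src] >= threshold:
            # Password login after a guessing run: treat the device as compromised
            # and inspect it for unexpected processes such as a miner.
            verdicts[src] = "compromised"
    return verdicts

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    "Mar  6 02:11:01 gw sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2",
    "Mar  6 02:11:03 gw sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 40118 ssh2",
    "Mar  6 02:11:05 gw sshd[815]: Failed password for root from 203.0.113.7 port 40124 ssh2",
    "Mar  6 02:11:08 gw sshd[817]: Accepted password for root from 203.0.113.7 port 40131 ssh2",
    "Mar  6 02:15:40 gw sshd[902]: Failed password for admin from 198.51.100.23 port 51877 ssh2",
    "Mar  6 02:15:42 gw sshd[904]: Failed password for root from 198.51.100.23 port 51880 ssh2",
    "Mar  6 02:15:44 gw sshd[906]: Failed password for invalid user admin from 198.51.100.23 port 51884 ssh2",
    "Mar  6 09:30:20 gw sshd[1440]: Accepted password for alice from 192.0.2.10 port 52001 ssh2",
]
```

On the sample, the source that logs in after three failed guesses is marked `compromised`, the one that only fails is marked `bruteforce`, and the ordinary user login is not flagged.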

The blinking lights in the server room are no longer just signs of connectivity. They are now beacons - potentially signaling the presence of criminal code, hidden in plain sight.

WIKICROOK

  • Botnet: A botnet is a network of infected devices remotely controlled by cybercriminals, often used to launch large-scale attacks or steal sensitive data.
  • DDoS (Distributed Denial of Service): A DDoS attack overwhelms a website or service with excessive traffic, disrupting normal operations and making it unavailable to real users.
  • Cryptojacking: Cryptojacking is when hackers secretly use your device to mine cryptocurrency, slowing it down and increasing electricity costs without your knowledge.
  • Zero-day: A zero-day vulnerability is a hidden security flaw unknown to the software maker, with no fix available, making it dangerous and highly valuable to attackers.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.

KERNELWATCHER
Linux Kernel Security Analyst