Hadooken carries a cryptominer and links to ransomware
One of the payloads stored inside Hadooken is a cryptocurrency mining program that is deployed in three different locations on the system: /usr/bin/crondr, /usr/bin/bprofr and /mnt/-java. Cryptominers are a common method of monetizing compromised servers.
Hadooken’s second payload is a DDoS bot client known as Tsunami, Amnesia, or Muhstik. This malware has been around since at least 2020 in different variants, but the Aqua researchers haven’t seen attackers actually making use of it in this campaign after it was deployed. They speculate it could be part of a later stage of the attack.
One of the IP addresses from where Hadooken was downloaded has been associated in the past with campaigns by TeamTNT and Gang8220, but this link is not strong enough to support any attribution for this new campaign. Different groups of cybercriminals can use the same virtual server hosting companies at different times.