Outlaw Linux Malware: Persistent, Unsophisticated, and Surprisingly Effective

ID: 775299ab-4e93-5a15-988b-e7228d6d1bad

STIX ID: report--775299ab-4e93-5a15-988b-e7228d6d1bad

Feed Name: Elastic Security Labs

Threat Score: 70/100

Date Published: 2025-04-01

Date Updated: 2026-04-27

This report analyzes OUTLAW, an actively observed, unsophisticated but persistent Linux coinminer/worm that spreads through SSH brute-force (BLITZ), maintains persistence via cron and SSH key manipulation, runs a modified XMRig miner, and provides IRC-based command-and-control (STEALTH SHELLBOT). The authors deploy a honeypot to capture operator behavior and provide a full attack-chain mapping to MITRE ATT&CK, YARA and detection rules, hunting queries, and IOCs to help defenders detect and mitigate infections.