The Ghost in the Machine: The Complete Dossier on TA-NATALSTATUS and the Cryptojacking Turf War
ID: 02d5563a-597a-5a93-b656-5797ef1abd7d
STIX ID: report--02d5563a-597a-5a93-b656-5797ef1abd7d
Feed Name: CloudSEK Blog
TA-NATALSTATUS is a globally active cryptojacking threat actor that abuses unauthenticated Redis servers to obtain root by writing malicious cron entries. It then installs a multi-stage toolkit (ndt.sh, is.sh, rs.sh, nnt.sh) that hides itself through process and binary hijacking, compiles or installs scanning tools, propagates via distributed masscan scanning, and enforces persistence with chattr +i and an SSH backdoor. The report includes IoCs (domains, C2 and mining IPs, SHA256 hashes, a Monero wallet, and an SSH key comment), hunting checks, and remediation steps including isolation and re-imaging.