Linux Malware Evolves to Mine Cryptocurrencies

Cyrptocurrency mining malware has previously targeted Windows PCs. Now Linux owners are getting a taste of malware misery too.

AccessTimeIconMar 24, 2014 at 2:22 p.m. UTC
Updated Sep 11, 2021 at 10:34 a.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global event for everything crypto, blockchain and Web3.Register Now

While cryptocurrency mining malware has generally been targeted at PCs running the Windows OS, owners of Linux-based machines are now experiencing a taste of malware misery too.

Computer security company Symantec has identified a new version of an old worm that has been going after Linux-based routers and set-top boxes for some time.

The Darlloz worm, as it is called, has evolved to attack Linux desktops and to press them into service as unwilling cryptocurrency miners, IDG News Service reports.

Darlloz is a rather unusual piece of malware, as it was originally developed to wreak havoc on embedded device architectures – computer systems within mechanical devices, such as printers.

In its latest incarnation, however, the coin-mining worm seeks out Intel-based computers running Linux, installs the 'cpuminer' program and sets the PC to mining for either dogecoins or mincoins.

Attractive altcoins

Since bitcoin can no longer be effectively mined by personal computers, the developers of the Darlloz worm sensibly opted for scrypt mining instead. Scrypt is the 'proof of work' algorithm used by many altcoins, such as litecoin and dogecoin, whereas bitcoin uses SHA-256.

Symantec researcher Kaoru Hayashi said scrypt-based altcoins can still be successfully mined on standard PCs, hence malicious developers now find them a more attractive proposition than bitcoin.

Fortunately, the worm appears to be propagating slowly and it is not doing much damage. Hayashi cited one attacker who used Darlloz to mine 42,438 dogecoins and 282 mincoins, with a combined value of less than $200.

However, Hayashi cautioned that the situation could get worse:

"These amounts are relatively low for the average cybercrime activity, so we expect the attacker to continue to evolve their threat for increased monetization."

Internet of Things

Staying true to its roots, Darlloz is still targeting plenty of devices that cannot be used for mining. Symantec identified over 30,000 devices infected with the worm last month, with half of the infections being in the US, China, India, South Korea and Taiwan.

More than a third of all infections had nothing to do with PCs, Symantec said, as they involved Internet of Things (IoT) gear, including printers, routers, set-top boxes and IP cameras.

These devices tend to be vulnerable to attack as they are not patched as regularly as PCs. Hayashi said that updating firmware and changing default passwords can go a long way towards protecting such devices. Blocking connections to port 23 and port 80 helps too.

Other dangers

Although this is a curious case of mining malware for Linux, it should be pointed out that the vast majority of cryptocurrency related malware is designed to target Microsoft Windows.

Dell SecureWorks recently published a report on cryptocurrency stealing malware (CCSM), which found that 147 strains of CCSM in the wild. Less than 1% of all cryptocurrency malware, however, is designed to attack Mac OS X or Linux.

Another danger for owners of cryptocurrency is ransomware that demands on bitcoin for payment. The latter also comes in a hybrid form, which blackmails the user into paying a bitcoin ransom, while at the same time mining for bitcoins.

The heyday of bitcoin-mining malware has long gone, but coin-stealing malware and bitcoin ransomware is on the rise.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.