V3G4 Mirai Botnet Evolves

This analysis details the V3G4 botnet's operations: reconnaissance through system-information gathering, resource development using specific C2 infrastructure IPs (103.149.93[.]224, 159.75.47[.]123), and initial access via SSH brute-force. The botnet executes through shell scripting and native APIs, employs defense-evasion tactics such as masquerading and obfuscation, and performs discovery of system configurations. It achieves lateral movement via SSH, uses Command & Control over DNS and non-standard ports, and its impact includes DDoS capabilities and resource hijacking for Monero mining.

Edward Kiledjian @ekiledjian