Hoze shell script dropped along with XMRig miners on misconfigured SSH Servers by Brute Forcing

CloudSEK’s Threat Intelligence Team uncovered a campaign, actively running from the past 1.8 years, that attacks and brute forces the SSH. 
Updated on
September 8, 2023
Published on
September 8, 2023
Subscribe to the latest industry news, threats and resources.

Category: Adversary Intelligence

Industry:  Multiple

Motivation: Monetary

Country: Global


A: Reliable

1: Confirmed by independent Sources

Executive Summary

  • CloudSEK’s Threat Intelligence Team uncovered a campaign, actively running from the past 1.8 years, that attacks and brute forces the SSH. 
  • The newest sample for this campaign was created on 29 March 2023, with the IP hXXp://141[.]98[.]6[.]76[:]6972/HOZE. 
  • We also uncovered multiple connections of this malicious script with multiple coin miners and an email address for further attribution. 

Analysis and Attribution

The IP: 141[.]98[.]6[.]76 

The IP was already marked malicious since it attempted to conduct SSH attacks using bruteforce method. While investigating this IP, it was found to be communicating with ‘Hoze’ which is a malicious attacking shell script. Hoze requests the following URL: 

The TAR file is a downloadable archive that contains one or more Linux executables. They are popularly known as follow-up mining scripts to uninstall security software and enable executable permissions. 









Analysis of the File Contents

The config.json, which is essentially a miner configuration file, exposes sensitive information containing data fields such as URL, coin, user, password, etc, with different websites that are marked as malicious for coin mining tags. 

Figure- Config.json file found for the IP communicating with Hoze script

The username (4BDcc1fBZ26HAzPpYHKczqe95AKoURDM6EmnwbPfWBqJHgLEXaZSpQYM8pym2Jt8JJRNT5vjKHAU1B1mmCCJT9vJHaG2QRL) is a Monero address which reveals the payment history dating back to 676 days, closely around 1.8 years. 

Figure- Monero (XMR) address statistics

There were multiple mining pools discovered associated with the same wallet:



The Public SSH Key

There was a public SSH key in the archive hosted on the above URL. This key was also observed in AhnLabs report for CoinMiner which targets misconfigured Linux SSH Servers, tracing this campaign back to 2022.

SSH Key:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCh047MLLA8ul64R+zVcEezUGtPUhnB+6mSzXoikFgju2orDUBX4K1ve/SW2pMQeQf9ErQojugX43N0iJYtuZUCgtH3A3oLV7zlhbkMuxjfgoUEovBXlAe9sXtLPnbYE999hT0M+OVv2l5/dDgiXs3eG9/BtcuPBEQ4lnH2YdFkckUJmrQQctA1ItFGTNB9fiFu44bH7JjRxSPt97PJPjeEcbEMdJyx4y827NpogeL2QSCfj7II9XdfgaarEOeEF9abY6+1RqDhElhz4ZSQTfoSkl8/8LyBXun7ybdVYxxJdxGznDpNBHyYEcKZFRy9q4mTHBeXMlWiGimSpE7dyhuT rsa-key 

Following the information obtained from AhnLabs due to the same SSH key being used in the latest campaign, we observed an email address present in the threat actor’s XMRig mining information.

Mining Pool: xmr.doi-2020[.]net:14444

Wallet: 85myxAJXqM1i9RLd1b7xq4JddqUTt1fD9ikYNNfwgtZPh42Cm5PSRMQW9R7Sue28TS86bWRkiw3MV8K4ZRGaMw6ZVLLLbMQ.worker01/[email protected]

Based on the information obtained from a data breach where the above email was compromised, it belongs to Marian Andrei. However, the authenticity of the data is yet to be confirmed.

Email/ Paypal

[email protected]


Bol Eu

Account ID



Marian Andrei


Bulevard 1, Decembrie 1918, nr. 13-15, București, Romania, 032452




HM Revenue

File xrx/xrx

Certain files present in the compressed archive were found to be encrypted to evade detection. Based on our investigation, a typical stratum mining protocol was observed, which essentially defines how pooled minings should communicate, making data transfers more efficient.  



  • Implementing a strong SSH password policy and avoiding misconfiguration or defaulted settings. 
  • Keeping a close eye on the anomalies indicating attempts for brute forcing through security logs, system logs, error logs, etc. 
  • Installing strong anti-virus software to detect any downloads, or executables present in the system. 

Indicators of Compromise (IoCs)






Wallet Address


Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations