Sysrv-Hello Botnet Rounding up WordPress Pods in Crypto-Miner Attack

Threat actors attack Kubernetes clusters for cryptomining; this time, the victims are WordPress users.


Sysdig Security researchers, on August 26, 2021, released a report underlying malicious activity involving Kubernetes clusters. The attackers were reported to have been deploying Sysrv-Hello Botnet in WordPress pods.

Mining cryptocurrency individually is a very unproductive task.
Mining cryptocurrency individually is a very unproductive task.
Key Facts
  1. 1

    The most recent case of botnet malware has been the Sysrv-Hello botnet.

  2. 2

    Attackers earned initial access through misconfigured WordPress pods.

  3. 3

    They (hackers) have been very elusive.

  4. 4

    Their ultimate goal is to invade the system and mine cryptocurrency at scale.

  5. 5

    The Sysrv-hello operators are actively updating configurations to match new developments.


The Botnet cryptojacking attacks have been ravaging the internet since the beginning of last year. The word, Botnet, has enjoyed quality time on many headlines, with its different variants been paired with words like crypto-mining or cryptojacking. In this equally increasingly popular exercise, Kubernetes clusters have been targeted due to misconfigured Argo workflows or misconfiguration in CI/CD pipelines. These actors are always on the lookout for the slightest of weakness in a bid to strike, compromise systems, perform the mining exercise, and replicate the compromised systems. Their obfuscation tactics are not always topnotch but enough to buy ample time to complete a stretched and scaled cryptojacking activity. Mining cryptocurrency individually is a very unproductive task. Hence, they tend to compromise systems, take control of user profiles, and mine crypto at scale with the help of a crypto miner. In this case, it is a Botnet - the Sysrv-Hello Botnet.

Though the attackers have not been identified, their operation is in the air and has been brought to WordPress's attention, thanks to the research wing of the SaaS platform founded in 2013, Sysdig. The attackers have been planting the Sysrv-hello Botnet cryptominer in Kubernetes pods running WordPress. As said earlier, the goal is to control the pod, mine cryptocurrency at scale, and replicate themselves from compromised systems to keep their activities on a low profile.

Another borderline fact about this attack is using an attack script unfamiliar with malware databases, making it very elusive for security software. Only a few people have detected irregularities relating to these attacks. The Sysrv-hello botnet, initially discovered in late December 2020, is a Windows and Linux virus that leverages numerous vulnerabilities and is spread using shell scripts.

To match recent developments, Sysrv-operators are continually updating and altering the botnet. Since the first discovery, attackers have made many changes to the shell scripts that install Sysrv-hello implant on host systems, which is how the executable malware is distributed.

Get similar news in your inbox weekly, for free

Share this news:

Latest stories

How ManageEngine Applications Manager Can Help Overcome Challenges In Kubernetes Monitoring

We tested ManageEngine Applications Manager to monitor different Kubernetes clusters. This post shares our review …

AIOps with Site24x7: Maximizing Efficiency at an Affordable Cost

In this post we'll dive deep into integrating AIOps in your business suing Site24x7 to …

A Review of Zoho ManageEngine

Zoho Corp., formerly known as AdventNet Inc., has established itself as a major player in …

Should I learn Java in 2023? A Practical Guide

Java is one of the most widely used programming languages in the world. It has …

The fastest way to ramp up on DevOps

You probably have been thinking of moving to DevOps or learning DevOps as a beginner. …

Why You Need a Blockchain Node Provider

In this article, we briefly cover the concept of blockchain nodes provider and explain why …

Top 5 Virtual desktop Provides in 2022

Here are the top 5 virtual desktop providers who offer a range of benefits such …

Why Your Business Should Connect Directly To Your Cloud

Today, companies make the most use of cloud technology regardless of their size and sector. …

7 Must-Watch DevSecOps Videos

Security is a crucial part of application development and DevSecOps makes it easy and continuous.The …