RUBYCARP Hackers: A quick look at what we know about the issue.

In the realm of cybersecurity, a new threat has emerged. A Romanian botnet group named ‘RUBYCARP’ has been linked to a 10-year-old cryptomining botnet. This article will delve into the details of this group, their tactics, and the implications of their activities.

The RUBYCARP Hackers

RUBYCARP is a Romanian botnet group that has been active for at least a decade. They leverage known vulnerabilities and perform brute force attacks to breach corporate networks and compromise servers for financial gain.

The Botnet

RUBYCARP operates a botnet managed via private IRC channels, comprising over 600 compromised servers. Sysdig, a cybersecurity firm, has found 39 variants of the RUBYCARP botnet’s Perl-based payload (shellbot), with only eight appearing on VirusTotal, illustrating low detection rates for the activity.

The Tactics

RUBYCARP has been detected probing honeypots for several months, targeting Laravel applications via CVE-2021-3129, a remote code execution vulnerability. More recently, the group has been observed brute-forcing SSH servers and targeting WordPress sites using credential dumps.

Once the shellbot payload is installed on a compromised server, it connects to the IRC-based command and control (C2) server and becomes part of the botnet. The researchers have discovered three distinct botnet clusters, namely ‘Juice,’ ‘Cartier,’ and ‘Aridan,’ which are likely used for different purposes.

The Implications

The compromised servers can be used to launch distributed denial of service (DDoS) attacks, phishing and financial fraud, and to mine cryptocurrencies like Monero, Ethereum, and Ravencoin, using the victim’s computational resources. The group also uses phishing to steal financial information such as credit card numbers.

Mitigation Measures

Given the sophistication of these attacks, it’s crucial for organizations to stay vigilant. Regularly updating and patching systems, monitoring for high volumes of access activity, and educating employees about phishing attacks can help mitigate the risks posed by groups like RUBYCARP.


The emergence of RUBYCARP serves as a stark reminder of the evolving threats in the digital landscape. As we continue to rely on digital platforms, it’s more important than ever to prioritize cybersecurity and stay one step ahead of potential threats.
