Intezer - Pacha Group, A New Threat Actor Deploying Undetected Cryptojacking Campaigns on Linux Servers


Written by Intezer

Key Takeaways:

• Intezer has evidence of a new threat actor, which it calls Pacha Group, that has been deploying undetected cryptojacking campaigns operating from compromised servers.

• The cryptominer employed by Pacha Group, labeled Linux.GreedyAntd by Intezer, was completely undetected by all leading engines, demonstrating the sophistication of this malware.

• The malware was found on the Linux platform and employs sophisticated evasion techniques not commonly seen in today’s Linux threat landscape.

• The cryptominer compromises third-party servers and makes them part of its infrastructure to attack additional servers. It takes a very aggressive approach to eradicating other miners, actively scanning the system to eliminate them.


Cryptomining malware, also known as cryptojacking or cryptocurrency mining malware, is a relatively new cyber threat. It refers to software designed to stealthily take over a computer’s resources and use them to mine bitcoin without the user’s permission.

Intezer has evidence dating back to September 2018 which shows Pacha Group has been using a cryptomining malware that has gone undetected on other engines.

The new miner employed by Pacha Group, named Linux.GreedyAntd, has proven to be more sophisticated than the average Linux threat, using evasion techniques rarely seen in Linux malware. For example, when a payload is downloaded its timestamp is replaced so that it does not stand out in the file system. This technique is widely used in Windows malware but not in Linux threats. The miner also demonstrates remarkably aggressive behavior, implementing techniques to disable or eliminate competing miners to a degree not observed previously. Once on the system, Linux.GreedyAntd will kill any other miners it finds on the server, reserving the infected system for Pacha Group’s profit.
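The timestamp replacement described above leaves a trace a defender can look for: on Linux, `utime()`/`touch -r` can rewrite a file's mtime, but the kernel sets ctime to the current time on that same call, so a stomped payload shows an mtime far older than its ctime. The script below is an added example (not Intezer's code or part of the original post) that scans a directory tree for that gap; the one-week threshold and the constructed sample files are assumptions.

```python
import os
import stat
import tempfile
import time

# Heuristic: a regular file whose ctime is far ahead of its mtime has had its
# modification time rewritten after the fact. The one-week gap is an assumed
# threshold, not a value from the original report.
GAP_SECONDS = 7 * 24 * 3600

def is_timestomp_suspect(path, gap=GAP_SECONDS):
    """Return True when ctime exceeds mtime by more than `gap` seconds."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    return (st.st_ctime - st.st_mtime) > gap

def scan(root, gap=GAP_SECONDS):
    """Walk `root` and return sorted paths of timestomp suspects."""
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                if is_timestomp_suspect(p, gap):
                    suspects.append(p)
            except OSError:
                continue  # file vanished or unreadable; skip it
    return sorted(suspects)

def demo():
    """Constructed sample: one untouched file and one whose mtime is pushed a
    year into the past the way a dropper's utime() call would. Returns the
    basenames the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        normal = os.path.join(tmp, "normal.bin")
        stomped = os.path.join(tmp, "stomped.bin")
        for p in (normal, stomped):
            with open(p, "wb") as f:
                f.write(b"\x7fELF")  # constructed placeholder content
        year_ago = time.time() - 365 * 24 * 3600
        os.utime(stomped, (year_ago, year_ago))  # mtime rewritten; ctime stays "now"
        return [os.path.basename(p) for p in scan(tmp)]

if __name__ == "__main__":
    print(demo())  # ['stomped.bin']
```

Files unpacked by a package manager show the same pattern (archive mtime preserved, ctime set at install time), so hits under system paths should be checked against the package manifest before being treated as suspicious.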

Pacha Group is believed to be of Chinese origin and is actively delivering new campaigns, deploying a large number of components, many of which are undetected and operate within compromised third-party servers.

Technical Analysis:

Please visit to view the full technical analysis and IOCs.


Revealing the “genetic” origins of software, Intezer introduces a new way to detect and respond to cyber threats. Intezer offers enterprises advanced solutions to detect modern cyber attacks, while providing deep context for effective response.

© 2020 All rights reserved