VERY IMPORTANT

Lacework Labs recently came across an interesting shell script that’s part of an opportunistic Cryptojacking (T1496) campaign. This campaign operated through the remote code execution of public facing Nagios XI applications. Lacework Labs has dubbed the loader script “Carbine Loader” during the clustering process.