Pacha Group, A New Threat Actor Deploying Undetected Cryptojacking Campaigns on Linux Servers

Written by Intezer

    Share article
    FacebookTwitterLinkedInRedditCopy Link

    Top Blogs

    Key Takeaways:

    Intezer has evidence of a new threat actor, calling it Pacha Group, which has been deploying undetected cryptojacking campaigns operating from compromised servers.

    The cryptominer employed by Pacha Group, labeled Linux.GreedyAntd by Intezer, was completely undetected by all leading engines, demonstrating the sophistication of this malware.

    The malware was found on the Linux platform and is employing sophisticated evasion techniques not commonly seen in today’s Linux threat landscape.

    • The cryptominer is compromising third party servers and making them part of its infrastructure to attack additional servers. It is taking a very aggressive approach to eradicate other miners by actively scanning the system to eliminate them.


    Cryptomining malware, also known as cryptojacking or cryptocurrency mining malware, is a relatively new cyber threat. It refers to the development of software which is designed to stealthily take over a computer’s resources and use the resources to mine bitcoin without the user’s permission.

    Intezer has evidence dating back to September 2018 which shows Pacha Group has been using a cryptomining malware that has gone undetected on other engines.

    The new miner employed by Pacha Group, named Linux.GreedyAntd, has shown to be more sophisticated than the average Linux threat, using evasion techniques rarely seen in Linux malware. For example, when a payload is downloaded its timestamp is replaced to remain unnoticed in the file system. This technique is widely used in Windows systems but not in Linux threats. The miner also demonstrates a remarkably aggressive behavior, implementing techniques to disable or eliminate other miners to a high degree that have not been observed previously. Once in the system, Linux.GreedyAntd will kill all other miners in the server if it finds any, using the infected system for Pacha Group’s profit.

    Pacha Group is believed to be of Chinese origin, and is actively delivering new campaigns, deploying a broad number of components, many of which are undetected and operating within compromised third party servers.

    Technical Analysis:

    Please visit to view the full technical analysis and IOCs.


    Count on Intezer’s Autonomous SOC solution to handle the security operations grunt work.

    Generic filters
    Exact matches only
    Search in title
    Search in content
    Search in excerpt