Panchan: A New Golang-based Peer-To-Peer Botnet Targeting Linux Servers



Since its inception in March 2022, a new Golang-based peer-to-peer (P2P) botnet has been actively targeting Linux computers in the education sector.


The malware, dubbed Panchan by Akamai Security Research, “harvests SSH keys to perform lateral movement” and “utilizes its built-in concurrency capabilities to increase spreadability and execute malware modules.”

The feature-rich botnet, which uses a simple list of default SSH passwords to launch a dictionary attack and spread its reach, is essentially a cryptojacker that uses a computer’s resources to mine cryptocurrency.

Panchan’s activity was first noticed on March 19, 2022, by the cybersecurity and cloud service provider, which attributed the malware to a probable Japanese threat actor based on the language used in the administration panel baked into the binary to alter the mining setup.


Panchan is known to deploy and run two miners, XMRig and nbhash, on the host at runtime. Notably, the miners are not extracted to disk, which avoids leaving a forensic trail.

The malware dumps its cryptominers as memory-mapped files, with no disk presence, to escape detection and limit traceability, according to the researchers. “If it detects any process monitoring, it also terminates the cryptominer processes.”

So far, 40 out of the 209 infected peers have been identified as active. Asia (64), Europe (52), North America (45), South America (11), Africa (1), and Oceania (1) are the regions with the most infected devices.
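The miners described above run from memory-mapped files rather than from disk, which is something a defender can look for in `/proc`. The Python sketch below is an added example, not code from Akamai's report or the original article: it lists processes whose `/proc/<pid>/exe` link points at a memfd or a deleted file. It assumes the in-memory miners appear that way on Linux; the function names and the sample process tree are constructed for illustration.

```python
import os
import tempfile

def find_fileless_processes(proc_root="/proc"):
    """Return (pid, name, exe_target) for processes whose executable has no file on disk."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            # Kernel threads have no exe link; other users' processes need root.
            continue
        # memfd_create()-backed binaries resolve to "/memfd:<name> (deleted)";
        # binaries unlinked after launch resolve to "<path> (deleted)".
        if target.startswith("/memfd:") or target.endswith(" (deleted)"):
            try:
                with open(os.path.join(pid_dir, "comm")) as fh:
                    name = fh.read().strip()
            except OSError:
                name = "?"
            hits.append((int(entry), name, target))
    return sorted(hits)

def build_sample_proc(root):
    """Constructed sample: a fake /proc tree with one normal and two fileless processes."""
    sample = {
        "101": ("sshd", "/usr/sbin/sshd"),
        "202": ("worker", "/memfd:worker (deleted)"),
        "303": ("updater", "/tmp/updater (deleted)"),
    }
    for pid, (comm, exe) in sample.items():
        os.makedirs(os.path.join(root, pid))
        os.symlink(exe, os.path.join(root, pid, "exe"))  # dangling link is fine
        with open(os.path.join(root, pid, "comm"), "w") as fh:
            fh.write(comm + "\n")
    os.makedirs(os.path.join(root, "self"))  # non-numeric entries are skipped

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_sample_proc(demo)
        for pid, name, target in find_fileless_processes(demo):
            print(f"pid={pid} comm={name} exe={target}")
```

Run as root against the real `/proc` to see every process. A `(deleted)` target also appears for legitimate services whose binary was replaced by a package update, so treat hits as leads to triage rather than verdicts.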


An OPSEC failure by the threat actor exposed a link to a Discord server, shown in the “godmode” admin panel, which offers an intriguing clue to the malware’s origins.

“With the exception of a welcome from another user in March,” the researchers noted, “the main conversation was empty.” “It’s possible that some conversations are only accessible to server members with greater privileges.”
