In the second installment of the Codex Red series, the Huntress SOC uncovered a complex Linux breach that involved three distinct threat actors, a malicious cryptominer, a multi‑revenue botnet, and a credential‑harvesting campaign. The incident was further complicated by the victim’s use of OpenAI Codex to diagnose and remediate the problem, which unintentionally amplified noise in the environment and obscured attacker activity.
Key Observations
- At least two separate adversaries operated concurrently on the same host.
- Eight persistence techniques (cron, systemd, UDEV, etc.) were deployed.
- 15 categories of sensitive data were exfiltrated.
- The compromise was initiated via exploitation of CVE‑2025‑55182 (React2Shell) in a vulnerable Next.js/React stack.
- AI‑driven remediation failed to remove all malicious code and introduced additional noise.
Threat Actors and Capabilities
- Actor A – Crypto Miner
- Binary /var/tmp/systemd-logind, scheduled with a @reboot crontab.
- Monero mining to 62.60.246[.]210:443.
- Persistence through a simple scheduled job.
- Actor B – Multi‑Revenue Botnet
- Infrastructure: 162.55.234[.]175:4082.
- Revenue streams: XMR mining (fkkkf) to pool.supportxmr[.]com, residential proxy (Repocket), bandwidth selling (EarnFM).
- Persistence: cron jobs, systemd user services, UDEV rules, root‑level cron, and watchdog scripts.
- Anti‑competitor measures: periodic killing of rival miners.
- Actor C – Credential Harvester
- Staging IPs: 147.45.41[.]25 and 172.245.159[.]216.
- Exfiltration server: 172.86.127[.]128:8080.
- Root‑level cron pulling from 0x1x2x3[.]top.
- Payload: /tmp/.e2933fc3b.sh collecting 15 data categories.
Incident Timeline
- March 19: User reports loud fan noise; Codex masks symptoms but does not stop the miner.
- March 20: Huntress agent installed; Detections trigger from legitimate Codex commands and malicious drops.
- Late March: Actor B introduces cron jobs and systemd services; Actor C drops a base64‑encoded harvester.
- April 6: Repeated wget downloads, attempt to stop Huntress agent, mass log wiping.
- April 16: Host reinfected via CVE‑2025‑55182; same Actor B infrastructure re‑engaged.
Limitations of AI‑Assisted Remediation
- Codex lacked root privileges, unable to inspect /etc/cron.d/ or UDEV rules.
- Timing gaps left credential exfiltration outside Codex’s observation window.
- Race conditions allowed a second attacker to establish persistence while Codex was cleaning up.

