Referred to as VictoryGate and active since at least May 2019, the botnet has hit devices in Latin America the hardest, especially in Peru, where more than 90% of the compromised devices are located. After sinkholing the C&Cs, ESET’s security researchers were able to estimate the botnet’s size at over 35,000 devices.
VictoryGate focused mainly on Monero mining, but the malware also allowed the botmaster to issue commands to the nodes to download and execute additional payloads. ESET therefore believes that the botnet’s purpose could have changed at some point.