Crackonosh: Coordinated Cryptojacking Malware
- Crackonosh is a cryptojacking malware that spreads via pirated torrents, mines Monero, and employs synchronized daily UDP scans for botnet coordination.
- It uses a pseudo-random daily port rotation mechanism, making individual hosts nearly invisible while creating aggregate network signatures.
- Detection relies on lightweight metrics such as unique source IP counts and high packet-size entropy, enhancing early-stage threat discoverability.
Searching arXiv for the specified paper and closely related Crackonosh/threat-hunting work to ground the article. Crackonosh is a cryptojacking malware package whose operational significance in network security derives less from volumetric prominence than from a distinctive, coordinated Internet-visible behavior in unsolicited UDP darkspace traffic. In the measurement framework developed in “Hunting in the Dark: Metrics for Early Stage Traffic Discovery” (Gao et al., 7 Jul 2025), Crackonosh serves as a concrete case for understanding early-stage discovery of stealthy threats in unlabeled traffic, particularly when defenders must rely on lightweight exploratory metrics rather than prior signatures. The malware spreads through torrents containing pirated games, mines Monero via XMRig, and exhibits a synchronized daily-port mechanism in which infected hosts compute a pseudo-random “daily port,” switch to it at roughly midnight UTC, and participate in a slow, distributed IPv4 UDP scan. This behavior makes individual hosts nearly invisible at small collection scales, while simultaneously creating aggregate signatures that become detectable when traffic is partitioned by destination port and ranked using metrics such as source-address counts, source-block counts, source/destination spread, and packet-size entropy (Gao et al., 7 Jul 2025).
1. Malware function and network-visible coordination
Crackonosh is described as a cryptojacking malware package that spreads through torrents containing pirated games and mines Monero via XMRig (Gao et al., 7 Jul 2025). Avast had also reported that it hides control messages in encrypted DNS TXT records, disables antivirus, and clears system logs. Within the network-centric treatment of the malware, however, the decisive behavior is not the mining component itself but a coordinated update or botnet-member contact mechanism implemented through daily UDP scanning on a single shared destination port.
Every infected host computes a pseudo-random “daily port” from the date and a shared secret, then at roughly midnight UTC switches to that port and begins a slow, distributed IPv4 scan (Gao et al., 7 Jul 2025). Each host both listens on and sends UDP probes to that daily port at about 10 packets per second, choosing random IPv4 targets. Infection is through pirated software rather than worm-like self-propagation via scanning; the scan behavior appears to support update discovery, botnet member contact, and command-and-control-like coordination on the daily port.
This structure produces an unusual combination of stealth and coordination. A single host would take roughly 14 years to scan all of IPv4, and on a /22 telescope a given host would send at most about one packet per week. This suggests that endpoint-local observability and small-collector observability are intrinsically weak for any one infected machine. At the same time, because all infected hosts converge on the same destination port each day and rotate at 0000Z, the aggregate phenomenon becomes visible when traffic is analyzed by destination port rather than by connection semantics or payload signature (Gao et al., 7 Jul 2025).
2. Measurement setting and retrospective ground truth
The study uses seven datasets from two darkspaces: a single /22 operated by Group 1 and 41,636 /24s operated by Group 2, effectively on the order of a /16 in aggregate visibility (Gao et al., 7 Jul 2025). The main observation windows are October 13–31, 2022; January 1–15, 2024; and February 15–28, 2025, with an additional preliminary dataset from September 13–26, 2022 for initial behavioral analysis.
The traffic examined is unsolicited UDP traffic to darkspace, partitioned by destination port. To obtain ground truth for evaluation, UDP traffic matching the predicted daily port is labeled as Crackonosh, using a port-prediction script based on reverse engineering by Avast’s Daniel Benes (Gao et al., 7 Jul 2025). The paper notes a small risk of false positives if a daily port collides with a legitimate service, but considers that unlikely because the relevant port range is high, approximately 49108/UDP to 65535/UDP.
The methodology is intentionally structured as threat hunting over unlabeled data. For each day, the traffic is partitioned by destination port, several metrics are computed per port, ports are ranked by each metric, and the position of the true Crackonosh daily port is examined retrospectively (Gao et al., 7 Jul 2025). The labels are therefore used only after the fact to assess whether a metric would have caused an analyst to notice and prioritize the phenomenon. This retrospective design is central to the paper’s notion of discoverability: the problem is not supervised classification in the usual sense, but whether a metric pushes an otherwise unknown threat into a manageable top- set for human review.
Several assumptions delimit the scope of the findings. The analysis is largely restricted to UDP and to the daily-port scanning behavior; ground truth depends on the correctness of the daily-port prediction script; the large darkspace is treated as sufficiently large that daily unique-IP counts approximate the extant Crackonosh population; the observability model assumes uniform random scanning across IPv4; and the authors explicitly note that observability may not generalize if attackers alter packet construction or scan logic (Gao et al., 7 Jul 2025).
3. Behavioral signatures in darkspace traffic
The paper characterizes Crackonosh as a distributed daily IPv4 scan on one UDP destination port, with all infected nodes synchronized to the same port on a given day (Gao et al., 7 Jul 2025). Two signatures are especially important.
First, there is coordinated daily port concentration. Traffic to one otherwise unexplained high UDP port surges during its active day and disappears when the malware rotates to the next day’s port at 0000Z. Figure 1 in the paper, covering September 13–26, 2022, shows this day-specific activation and absence pattern.
Second, there is a distinctive packet-size distribution. Crackonosh encrypts and pads its probe payload, and the amount of padding is uniformly distributed. The resulting packet-size histogram is unusually flat, yielding high entropy relative to ordinary UDP scanning, which tends to be more modal (Gao et al., 7 Jul 2025). The authors explicitly interpret this as an attacker mistake: padding intended to frustrate simple signature checks instead creates a highly distinctive entropy signature.
The malware’s operational visibility depends on aggregation. In the September 17–23, 2022 top-port comparison, Crackonosh was usually the top port by unique source IPs, though not always; on September 19 it ranked second behind WS-Discovery (Gao et al., 7 Jul 2025). This establishes a recurring theme of the case study: Crackonosh is not necessarily the loudest phenomenon by packet volume, but it often stands out because many infected hosts each contribute a small number of probes to the same destination port. A plausible implication is that metrics emphasizing distributed source participation can reveal globally coordinated low-rate activity even when packet-volume rankings obscure it.
4. Discoverability and the threat-hunting metrics
The paper’s central analytical construct is discoverability, defined as the probability that a metric applied to suspicious unlabeled data will rank the true phenomenon high enough for an analyst to notice it (Gao et al., 7 Jul 2025). In verbal form, for a metric , discoverability at threshold is the probability that the Crackonosh daily port is ranked within the top ports on a day. The paper evaluates metrics up to a daily top 100, using a heuristic that an analyst can process about 12 alerts per hour for 8 hours.
Four lightweight metrics are evaluated.
Source Address Count () counts unique source IP addresses contacting port . The paper defines as the number of unique source-address prefixes of bits that contact port , with as address count and 0 as block count (Gao et al., 7 Jul 2025). For Crackonosh, this metric captures the fact that many infected hosts independently probe the same daily port.
Source Block Count (1) counts unique source /24 prefixes contacting the port. The rationale is that other scanners may originate from dense neighborhoods, whereas Crackonosh “tends to scan from at most two addresses in a /24 network,” making /24 aggregation a better proxy for globally distributed prevalence (Gao et al., 7 Jul 2025).
Source/Destination Address Spread is the ratio of source addresses to destination darkspace addresses targeted on a given port. The paper’s notation is partially corrupted, but the concept is explicit: typical scanners hitting many destinations from few sources exhibit low spread, whereas Crackonosh’s many-source, low-rate behavior yields high spread (Gao et al., 7 Jul 2025).
Packet-size Entropy (2) is Shannon entropy of packet sizes for traffic to a port. Because Crackonosh’s padded encrypted probes create a near-uniform size distribution, the corresponding entropy is unusually high, reported as roughly 6.8 to 7 bits (Gao et al., 7 Jul 2025).
The empirical comparison reported in the paper can be summarized as follows:
| Metric | Primary signal | Reported behavior |
|---|---|---|
| Address count (3) | Many infected hosts on one daily port | Works when population is high; by 2025 ranks regularly exceed twenty |
| Source spread | Many-source, low-rate scanning | Highly correlated with address count; weak as population falls |
| Block count (4) | Distributed source /24 prevalence | Best of the address-based metrics; still viable in 2025 |
| Packet-size entropy (5) | Near-uniform padded packet sizes | Strongest and most consistent across all periods |
The paper reports strong Pearson correlations among the address-based metrics: 0.944 for address count versus block count, 1 for address count versus source spread, and 0.944 for block count versus source spread (Gao et al., 7 Jul 2025). These values indicate that the metrics move together, although their ranking utility diverges as prevalence declines and competition from unrelated scan traffic increases.
5. Observability, remediation, and population decline
A major theme of the study is that the discoverability of Crackonosh is conditional on malware prevalence. Using the large Group 2 darkspace, the authors report a decline in observed daily Crackonosh source populations over 3.5 years: about 90k unique IPs per day in 2022, about 40k per day in 2024, and about 26k per day in 2025 (Gao et al., 7 Jul 2025). They argue that because the darkspace is large, these counts are a reasonable estimate of the remaining botnet population.
As the population shrinks, address-based metrics weaken. Fewer infected hosts means lower source-IP and source-/24 counts on the daily port, increasing the chance that unrelated background radiation or common Internet-wide scans will outrank Crackonosh (Gao et al., 7 Jul 2025). This is directly reflected in the rank behavior of 6, which becomes effectively “invisible” by 2025 in the sense that ranks regularly exceed twenty.
The paper adapts Moore’s network telescope model for observability. Let 7 be the size of the collecting darkspace in IP addresses, 8 the size of IPv4, 9 the scan rate in packets per second, and 0 the observation duration in seconds. Then the probability that a single packet hits the darkspace is
1
and the probability of observing at least one packet from a single Crackonosh host during duration 2 is
3
The expected number of packets from one host in a 24-hour period is
4
Using 5 pps and 6 seconds, the paper gives the following values (Gao et al., 7 Jul 2025):
| Darkspace size | 7 | 8 | 9 |
|---|---|---|---|
| /32 | 0 | 1 | 2 |
| /24 | 3 | 4 | 5 |
| /22 | 6 | 7 | 8 |
| /16 | 9 | 0 | 1 |
These values establish why darkspace size is decisive. A /16 can expect to see at least one packet from essentially every Crackonosh host daily, whereas a /22 has only about 0.19 daily observation probability per host and would need roughly 13 days to reach 95% observation probability for a given host (Gao et al., 7 Jul 2025). Because the active port changes every day, delayed per-host observability does not translate into easy same-epoch detection. This suggests that early-stage discovery depends not only on the existence of a discriminative metric but also on whether the collector is large enough to supply useful samples before port rotation.
6. Scan-rate estimation, darkspace scale, and emergent behaviors
The large darkspace enables inference beyond simple detection. The paper defines “always-on IPs” as public IPs from which the telescope captures at least one probe in all 144 five-minute intervals of a day (Gao et al., 7 Jul 2025). Counts of always-on IPs also decline over time: about 6k in 2022, about 3k in 2024, and about 1.6k in 2025. Using these addresses, the study estimates scan rates with a telescope-adapted form of Moore’s formula,
2
where 3 is the number of probe packets captured, 4 the observation interval, and 5 the number of IP addresses in the telescope.
From 65,833 unique IPs that were always-on for at least one day, the kernel density of observed daily packet counts is bimodal, with peaks at 1370.31 packets per day and 2508.14 packets per day, corresponding to 12.4 pps and 22.7 pps respectively (Gao et al., 7 Jul 2025). The lower mode is close to Avast’s reported 10 pps; the higher mode is interpreted as likely due to two infected hosts behind the same home router or public IP. The paper emphasizes that this probing behavior remained stable over 3.5 years.
Darkspace size also controls how quickly the daily port can be identified. In the /16-scale setting, both teams could find potential Crackonosh daily ports within three hours, and the larger darkspace often produces top-ranked values within 15 minutes (Gao et al., 7 Jul 2025). In the /22 setting, detection often requires several hours; in January 2024, more than 3 hours were needed to collect the 128 packets the authors regard as a minimum threshold for reasoning about a 7-bit entropy estimate.
This yields a practical hierarchy among metrics. Entropy is strong but sample-hungry, whereas block count is faster at small sample sizes (Gao et al., 7 Jul 2025). A plausible implication is that early-stage operational workflows should use block-count-like metrics for initial triage and entropy for confirmation when enough packets have accumulated.
7. Attacker mistakes, operational implications, and limits of generalization
A central conclusion of the study is that Crackonosh became discoverable because of attacker mistakes (Gao et al., 7 Jul 2025). The clearest is uniform random packet padding, which creates a highly distinctive high-entropy packet-size distribution. If the malware had used no padding, fixed-size packets, or more modal lengths, entropy would have been much less useful. A second mistake is strong daily coordination: all bots share one daily destination port, all switch at midnight, and all scan that same port globally. A third is behavioral stability over 3.5 years, which gave defenders a prolonged opportunity to characterize and exploit the mechanism.
For defenders, the paper suggests several operational lessons: use darkspace or unsolicited inbound telemetry where possible; aggregate by destination port and time; prefer /24 block count over simple source-IP count as prevalence declines; use packet-size entropy as a high-confidence discriminator when sufficient packets are available; act quickly after midnight UTC; and exploit coordination rather than raw packet volume (Gao et al., 7 Jul 2025). The study also notes that Group 2’s security team validated the anomaly by identifying hosts mining Monero, helping confirm that the traffic was indeed Crackonosh.
The limits of the results are stated explicitly. Generalization to other malware is uncertain; entropy depends on an attacker implementation mistake; large darkspaces are rare because of IPv4 exhaustion; ground truth depends on reverse engineering and port prediction; the observability model assumes uniform random IPv4 scanning; and the work is principally about early-stage discovery rather than full classification or remediation workflows (Gao et al., 7 Jul 2025). Accordingly, Crackonosh is best understood not as a universal template for malware hunting, but as a case in which coordinated low-and-slow behavior, coupled with implementation artifacts, made a stealthy cryptojacking botnet component measurable in darkspace. The broader significance lies in the paper’s demonstration that discoverability is conditional: simple source-based metrics can suffice when prevalence is high, but as remediation shrinks the population, packet-size entropy and collection scale become decisive (Gao et al., 7 Jul 2025).