According to Bitdefender security researchers who discovered the cryptojacking attacks, it has been active since at least 2020 and the attackers are believed to be a threat group likely based in Romania. The attackers exploited Linux Systems with previously undocumented SSH brute-forcer written in Golang, with their toolset dubbed "Diicot brute" which is a password cracking tool supposed to be available via a software-as-a-service model.
The stealthy part isn't necessarily the brute-forcing of those credentials, but that the hackers does it in a way that lets them go completely undetected.
How the Linux Cryptojacking Attackers target Linux Systems?
While exploitation of weak SSH credentials isn't quite uncommon to Linux Systems, the method employed by the threat group involves obfuscating Bash scripts by compiling them with a shell script compiler (shc) and using Discord to report back the information.
The toolkit used by the threat actors includes traditional tools such as masscan and zmap, and as distributed on an as-a-service model, each threat actor supplies their own API key in their scripts. And like most tools in this kit, the brute force tool has a mix of Romanian and English languages in its interface.
Once the attackers finds a Linux device with inadequate SSH credentials, they'll deploy and execute the loader, as in the current campaign, they employed .93joshua, though they have a couple of others such as .purrple and .black. However, all the loaders are obfuscated via shc and the loader gathers system information and relays to the attacker using an HTTP POST through a Discord webhook.
Albeit, there's no shortage of Linux machines with weak SSH credentials, and the only way to find out is through scanning.
As a mitigation strategy, it is recommended that Linux users should resort to runtime cloud security as an important last line of defense if they detect malicious code injections and other threats that took place after a vulnerability has been exploited by an attacker.