After gaining initial server access via weak passwords, threat actors launched a pair of scripts to retrieve the Hadooken malware, which includes not only a cryptocurrency miner but also the Tsunami distributed denial-of-service botnet, according to a report from Aqua Security. Although there is no evidence that Tsunami has been executed, Hadooken has already been used to facilitate persistence and the theft of credentials and secrets.
Source: SC Magazine