While conducting a routine log check, we noticed an interesting script from one of our honeypots downloading a binary connected to a domain. Upon further analysis, we found the script capable of deleting a number of known Linux malware, coin miners, and connections to other miner services and ports, and we observed some parts of the script to be reminiscent of Xbash features and KORKERDS. It installs a cryptocurrency-mining malware as well as implant itself into the system and crontabs to survive reboots and deletions.

https://blog.trendmicro.com/trendlabs-security-intelligence/linux-coin-miner-copied-scripts-from-korkerds-removes-all-other-malware-and-miners/