A new Linux malware campaign has been uncovered, targeting Oracle Weblogic servers to mine cryptocurrency and deliver botnet malware. The malware, called Hadooken, deploys the Tsunami (Kaiten) botnet and a crypto miner. The attack exploits known vulnerabilities and weak credentials, using Python and shell script payloads to retrieve the malware from remote servers. Hadooken establishes persistence through cron jobs and evades detection by disguising its processes as legitimate ones. The malware is linked to the Aeza International hosting company, known for supporting cybercriminal activities.