It also watches for resource monitoring tools such as htop, nmon, or iostat; when one is running, it kills the resource-heavy XMRig process to avoid being caught. To maintain access, the sample adds the attackers’ public key to the “.ssh/authorized_keys” file, allowing them to re-enter the compromised machine without a password.
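A defender-side check for the persistence step described above, as an added example that is not part of the original article: it parses authorized_keys content and reports every key whose SHA256 fingerprint is not on an approved list. The sample file content, the key blobs and the approved set are constructed for illustration.

```python
import base64
import hashlib
import re

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
# A field is a run of non-space characters; double-quoted option values may contain spaces.
FIELD = re.compile(r'(?:"(?:\\.|[^"\\])*"|\S)+')

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(text, approved):
    """Return (line number, fingerprint or 'unparsable', comment) for each suspect line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = FIELD.findall(line)
        # The key type is the first field, or the second when options precede it.
        idx = next((i for i, f in enumerate(fields[:2]) if f.startswith(KEY_PREFIXES)), None)
        try:
            fp = fingerprint(fields[idx + 1])
        except (TypeError, IndexError, ValueError):
            findings.append((lineno, "unparsable", line.strip()))
            continue
        if fp not in approved:
            findings.append((lineno, fp, " ".join(fields[idx + 2:])))
    return findings

def sample_blob(fill):
    """Constructed ed25519-shaped blob for the demo, not a real key."""
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([fill]) * 32
    return base64.b64encode(raw).decode()

ADMIN, UNKNOWN = sample_blob(1), sample_blob(2)
SAMPLE = (  # constructed authorized_keys content
    f"# managed keys\nssh-ed25519 {ADMIN} admin@workstation\n"
    f'command="/usr/bin/true a b",no-pty ssh-ed25519 {UNKNOWN} unlabeled\n'
    "ssh-ed25519 not*base64 broken\n"
)

if __name__ == "__main__":
    for finding in audit(SAMPLE, {fingerprint(ADMIN)}):
        print(finding)
```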
Note that the official httpd configuration script from Apache is NOT backdoored; this is a custom modification by threat actors, likely to distribute their own backdoored httpd source code to their victims.