Recently, the Tencent Security Guardian Threat Intelligence Center monitored and found that the "Agwl" gang increased the attack on the Linux system. After the successful hack, it added the bash script code s667 based on the Linux system. After the script runs, it will add itself to the timing task, and further download the CPU mining trojan bashf and GPU mining trojan bashg under the Linux platform. The "Agwl" gang continues to embed the DDoS virus lst on the Linux platform (known as "Mayday" by foreign researchers) and Xbash. Xbash ransomware will read the attack IP address segment from the C2 server, scan the VNC, Rsync, MySQL, MariaDB, Memcached, PostgreSQL, MongoDB and phpMyAdmin servers in these networks for blasting attacks. After the blast login is successful, it does not go like other ransomware. Encrypted data and then extort money, but directly delete the database file to defraud the rewards, the enterprise will suffer serious losses once the move.