According to an AhnLab Security Emergency Response Center report, threat actors have been conducting a wide-scale reconnaissance for publicly-accessible MySQL instances using port 3306, and subsequently attempting intrusion via common misconfigurations - i.e. weak credentials - or poor maintenance - i.e. exploitation of known vulnerabilities. Then the attackers deployed the Ddostf DDoS bot malware turning the impacted system into a "zombie" for DDoS attacks.
Clipeus