Good guy vigilante, or error in coding? A strange botnet has appeared on the scene which instead of infecting devices in order to enslave them, appears to be actually wiping them clean of cryptocurrency mining malware.

On Monday, researchers from Qihoo’s 360Netlab said that Fbot, a botnet based on Satori botnet coding, is demonstrating some extremely odd behavior for such a system.

Satori is a botnet variant based on Mirai, the infamous botnet which was able to take down online services across an entire country.

Satori’s code was released to the public in January. Since then, we have seen variants which target mining rigs for cryptojacking purposes; those which come equipped with exploits for router compromise, and others which focus on deploying Trojan payloads.

Botnets are generally bad news. They enslave vulnerable devices, such as mobile devices, Internet of Things (IoT) products, and routers, and then these devices are enslaved in their droves to drive everything from automatic spam campaigns to distributed denial-of-service (DDoS) attacks.

See also: IoT hacker builds Huawei-based botnet, enslaves 18,000 devices in one day

However, Fbot is not characteristic of your typical botnet.

The researchers say that Fbot appeared on the radar last week and it appears the only job this botnet has is to chase down systems infected by another botnet, com.ufo.miner, a variant of ADB.Miner.

ADB.Miner has been active of late. The botnet targets Android devices — including smartphones, the Amazon Fire TV, and…