
Are there any scripts or steps to 100% detect perfctl yet?


The article mentions a couple of constant paths that are used, like /root/.config/cron/perfcc.

Also, it mentions that ~/.profile is modified (EDIT: and many others, actually), so an IDS like AIDE, if operated correctly, should alert you on that. I don't see any mention of attempts to circumvent a locally run IDS. I wonder if/why the malware author did not attempt any evasive actions here, given how much they try otherwise. Maybe the cost/benefit ratio is too low?


From the text, tons! This rootkit does not seem very stealthy at all.

IMHO, the simplest one is to check $PATH. If there are suspicious entries, like /bin/.local/bin, it's a sign of infection.

You can also check for the presence of the specific files mentioned close to the end of the article.
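The three checks the two comments above describe (a hidden directory injected into $PATH under a system prefix, the constant on-disk paths, and a modified ~/.profile that an IDS would catch) as one added POSIX shell script. This is an added example, not code from the article, the thread, or any published detection tool. The only indicators it knows are the ones named in this thread, /bin/.local/bin and /root/.config/cron/perfcc; the baseline-hash approach for ~/.profile is a stand-in for a real AIDE database, and sha256sum (GNU coreutils) is assumed to be present.

```shell
#!/bin/sh
# Added example: quick local checks for the perfctl indicators named in the
# thread. Indicator list is deliberately limited to what the thread mentions.

# Print PATH entries that contain a hidden (dot) directory component outside a
# home directory, e.g. /bin/.local/bin. ~/.local/bin under /home or /root is
# normal (pipx, cargo, ...) and is skipped. Takes the PATH string as $1 so it
# can be run on a constructed value. Returns 0 if anything suspicious was found.
suspicious_path_entries() {
    found=1
    old_ifs=$IFS
    IFS=:
    for entry in $1; do
        case "$entry" in
            /home/*|/root/*) ;;                       # hidden dirs under a home are expected
            */.*) printf '%s\n' "$entry"; found=0 ;;  # hidden dir under a system prefix
        esac
    done
    IFS=$old_ifs
    return $found
}

# Report the on-disk paths the thread names. $1 is a filesystem root prefix
# (empty for the live system) so the check can run against a test tree.
check_ioc_files() {
    root=${1:-}
    rc=1
    for p in /root/.config/cron/perfcc /bin/.local/bin; do
        if [ -e "$root$p" ]; then
            printf 'found: %s\n' "$root$p"
            rc=0
        fi
    done
    return $rc
}

# Minimal stand-in for an AIDE-style baseline: record the SHA-256 of a file
# ($1) into a baseline file ($2), and later report whether it changed.
record_baseline() {
    sha256sum "$1" | cut -d' ' -f1 > "$2"
}

# Returns 0 (changed) when the current hash of $1 differs from the baseline $2.
profile_changed() {
    current=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$current" != "$(cat "$2")" ]
}

# Run all three checks against the live host. Baseline path is an assumption.
run_all_checks() {
    status=0
    if suspicious_path_entries "$PATH"; then
        echo "suspicious PATH entries above"; status=1
    fi
    if check_ioc_files ""; then
        echo "known perfctl paths present"; status=1
    fi
    baseline=${PROFILE_BASELINE:-$HOME/.profile.sha256}
    if [ -f "$baseline" ] && profile_changed "$HOME/.profile" "$baseline"; then
        echo "$HOME/.profile differs from recorded baseline"; status=1
    fi
    return $status
}

# Only act on the live system when explicitly asked: ./check.sh --run
if [ "${1:-}" = "--run" ]; then
    run_all_checks
fi
```

Record the baseline once on a clean host with `record_baseline ~/.profile ~/.profile.sha256`, then `sh check.sh --run` from cron or a config-management run; a non-zero exit is the alert. A hash stored on the same box is only a convenience, which is exactly why a real IDS keeps its database read-only or off-host.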


> In all the attacks observed, the malware was used to run a cryptominer

I assume it starts by detecting a continuous 100% utilization of the CPUs.


Supposedly it tones down its activity while a user is logged in and waits for the machine to go idle. Another reason to have centralized performance monitoring.


Yes, but tools like htop show the average load over the last 15 min. So I assume that will show a high utilization.
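The load-average reasoning in the last three comments as an added shell example (not from the thread or the article): it parses a /proc/loadavg line and flags a host whose 15-minute load is near its core count, which still fires in the case the comment above raises, where the miner has backed off for a logged-in user and the 1-minute figure already looks calm. The 0.8 fraction of the core count is an assumed threshold; /proc/loadavg and nproc are Linux/coreutils.

```shell
#!/bin/sh
# Added example: is this box hot in the way a backed-off cryptominer leaves it?

# $1 is a /proc/loadavg-style line ("1min 5min 15min running/total lastpid"),
# $2 the CPU count. Prints a one-line verdict. Returns 0 when the 15-minute
# load is at or above the threshold (worth a look), 1 otherwise.
load_verdict() {
    line=$1
    cpus=$2
    set -- $line
    one=$1
    five=$2
    fifteen=$3
    # awk does the floating-point compare. Threshold 0.8 * cores is an assumption.
    awk -v one="$one" -v five="$five" -v fifteen="$fifteen" -v cpus="$cpus" 'BEGIN {
        thr = 0.8 * cpus
        if (fifteen >= thr && one >= thr) {
            print "HOT: 15-min load " fifteen " on " cpus " cpus (1-min " one ")"
            exit 0
        }
        if (fifteen >= thr) {
            # High history, quiet now: the pattern of a miner that throttles
            # when someone logs in. A snapshot of the 1-min value would miss it.
            print "COOLING: 1-min " one " but 15-min " fifteen " on " cpus " cpus"
            exit 0
        }
        if (one >= thr) {
            print "SPIKE: 1-min " one " but 15-min only " fifteen " (probably just busy)"
            exit 1
        }
        print "OK: " one " " five " " fifteen " on " cpus " cpus"
        exit 1
    }'
}

# Convenience wrapper for the live host.
check_this_host() {
    cpus=$(nproc 2>/dev/null || getconf _NPROCESSORS_ONLN)
    load_verdict "$(cat /proc/loadavg)" "$cpus"
}

if [ "${1:-}" = "--run" ]; then
    check_this_host
fi
```

Ship the verdict to whatever central monitoring you have rather than reading it interactively; the whole point of the "waits until idle" behaviour is that the interactive reading is the one the malware controls.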



