Unmasking the new XorDDoS controller and infrastructure
Essential information
- Published
- 17/04/2025 13:06
- Modified
- 17/04/2025 16:38
- Tags
- 2025-04-17 brute-force ddos linux xorddos
- Related entities
- 8 techniques (mitre), 1 malware, 26 others
Description
The XorDDoS trojan, a DDoS malware targeting Linux machines, continues to spread globally with over 70% of attacks targeting the United States from Nov 2023 to Feb 2025. The operators are believed to be Chinese-speaking individuals based on language settings. A new 'VIP version' of the XorDDoS controller and central controller have been discovered, enabling more sophisticated and widespread attacks. The malware uses SSH brute-force attacks to gain access and implements persistence mechanisms. A new central controller allows threat actors to manage multiple sub-controllers simultaneously, enhancing attack coordination. The infection chain, decryption methods, and network communication patterns between the trojan, sub-controller, and central controller are analyzed in detail.