{
  "name": "Unmasking the new XorDDoS controller and infrastructure",
  "slug": "unmasking-the-new-xorddos-controller-and-infrastructure",
  "description": "The XorDDoS trojan, a DDoS malware targeting Linux machines, continues to spread globally, with over 70% of attacks targeting the United States from Nov 2023 to Feb 2025. The operators are believed to be Chinese-speaking individuals based on language settings. A new 'VIP version' of the XorDDoS controller and a new central controller have been discovered, enabling more sophisticated and widespread attacks. The malware uses SSH brute-force attacks to gain access and implements persistence mechanisms. The new central controller allows threat actors to manage multiple sub-controllers simultaneously, enhancing attack coordination. The infection chain, decryption methods, and network communication patterns between the trojan, sub-controller, and central controller are analyzed in detail.",
  "published": "2025-04-17T11:06:23+00:00",
  "created_at": "2025-04-17T11:06:23+00:00",
  "modified_at": "2025-04-17T14:38:41+00:00",
  "created_at_opencti": "2025-04-17T11:06:23+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-04-17",
    "brute-force",
    "ddos",
    "linux",
    "xorddos"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "legacy:malware:02c2486bc5dc22ba",
        "name": "XorDDoS",
        "slug": "xorddos"
      }
    ],
    "attack_patterns": [
      {
        "id": "96df92ce-da3e-4c6d-8250-cb250c9ed619",
        "name": "T1554"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Paraguay"
      },
      {
        "id": "",
        "name": "British Indian Ocean Territory"
      },
      {
        "id": "",
        "name": "Finland"
      },
      {
        "id": "",
        "name": "Venezuela, Bolivarian Republic of"
      },
      {
        "id": "",
        "name": "Singapore"
      },
      {
        "id": "",
        "name": "India"
      },
      {
        "id": "",
        "name": "Australia"
      },
      {
        "id": "",
        "name": "Taiwan"
      },
      {
        "id": "",
        "name": "Saudi Arabia"
      },
      {
        "id": "",
        "name": "China"
      },
      {
        "id": "",
        "name": "United Arab Emirates"
      },
      {
        "id": "",
        "name": "Netherlands"
      },
      {
        "id": "",
        "name": "Argentina"
      },
      {
        "id": "",
        "name": "Switzerland"
      },
      {
        "id": "",
        "name": "Spain"
      },
      {
        "id": "",
        "name": "Italy"
      },
      {
        "id": "",
        "name": "Thailand"
      },
      {
        "id": "",
        "name": "Canada"
      },
      {
        "id": "",
        "name": "Japan"
      },
      {
        "id": "",
        "name": "France"
      },
      {
        "id": "",
        "name": "Germany"
      },
      {
        "id": "",
        "name": "United Kingdom of Great Britain and Northern Ireland"
      },
      {
        "id": "",
        "name": "Ukraine"
      },
      {
        "id": "",
        "name": "Israel"
      },
      {
        "id": "",
        "name": "Brazil"
      },
      {
        "id": "",
        "name": "United States of America"
      }
    ]
  },
  "external_refs": [
    "https://blog.talosintelligence.com/unmasking-the-new-xorddos-controller-and-infrastructure/",
    "https://otx.alienvault.com/pulse/6800fccf8db6537ac15e75fb"
  ]
}