Unmasking the new XorDDoS controller and infrastructure
April 17, 2025, 4:38 p.m.
Description
XorDDoS, a Linux DDoS trojan, continues to spread globally: from November 2023 to February 2025, over 70% of observed attacks targeted the United States. Its operators are assessed to be Chinese-speaking, based on the language settings of the tooling. A new "VIP version" of the XorDDoS sub-controller and a corresponding central controller have been discovered, enabling larger and better coordinated attacks. The trojan gains initial access through SSH brute-force attacks and then installs persistence mechanisms on the compromised host. The new central controller lets the threat actors manage multiple sub-controllers simultaneously, improving attack coordination. The infection chain, the decryption of the trojan's embedded strings and configuration, and the network communication patterns between the trojan, the sub-controller, and the central controller are analyzed in detail.
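Because SSH brute-forcing is the initial-access vector named above, the first thing a defender can do with this report is check Linux hosts for password-guessing bursts followed by a successful login from the same source. The following is an added detection example written for this page, not code from the original report or from the malware's operators; the auth.log lines, the host name, the 2025 log year, the IP addresses (RFC 5737 documentation ranges) and the threshold of 5 failures within 60 seconds are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not from the original page). The first
# source IP makes five failed password guesses and then succeeds as root, which
# is the pattern an SSH brute-force compromise leaves behind; the second IP is
# a benign user who mistypes once and then logs in with a key.
SAMPLE_AUTH_LOG = """\
Apr 10 02:14:01 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51522 ssh2
Apr 10 02:14:03 host1 sshd[2203]: Failed password for root from 203.0.113.7 port 51530 ssh2
Apr 10 02:14:05 host1 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51538 ssh2
Apr 10 02:14:08 host1 sshd[2207]: Failed password for root from 203.0.113.7 port 51544 ssh2
Apr 10 02:14:11 host1 sshd[2209]: Failed password for root from 203.0.113.7 port 51550 ssh2
Apr 10 02:14:14 host1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51556 ssh2
Apr 10 02:30:00 host1 sshd[2300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Apr 10 02:31:00 host1 sshd[2302]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user>
# from <ip> port <n> ssh2" message format written to syslog/auth.log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

LOG_YEAR = 2025  # syslog timestamps carry no year; assumed for the sample


def parse_sshd_line(line):
    """Parse one sshd auth line into a dict, or return None if it is not a
    login-result line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return {
        "ts": ts.replace(year=LOG_YEAR),
        "result": m.group("result"),
        "method": m.group("method"),
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return findings for (a) any source IP with >= threshold failed logins
    inside a sliding window of window_seconds and (b) any accepted login from
    an IP that has already been flagged, i.e. a likely successful brute force."""
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    flagged = set()
    findings = []
    for line in log_text.splitlines():
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            window = failures[ip]
            window.append(ts)
            # Drop failures that fell out of the sliding window.
            while window and (ts - window[0]).total_seconds() > window_seconds:
                window.pop(0)
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append({"type": "bruteforce", "ip": ip,
                                 "first_seen": window[0], "count": len(window)})
        elif ip in flagged:
            # A success from a source that was just guessing passwords is the
            # signal that the host is now compromised, not merely probed.
            findings.append({"type": "bruteforce_success", "ip": ip,
                             "user": ev["user"], "method": ev["method"], "ts": ts})
    return findings


if __name__ == "__main__":
    for f in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(f)
```

Run against a real `/var/log/auth.log` (or `journalctl -u ssh -o short`) the function flags the guessing burst on its fifth failure and then raises a separate, higher-severity finding when the same source gets an `Accepted` line; the second IP in the sample, with a single typo followed by key authentication, produces nothing. A hit of the second kind on a Linux box is the point at which to look for the persistence the report describes rather than just blocking the address.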
Date
- Created: April 17, 2025, 1:06 p.m.
- Published: April 17, 2025, 1:06 p.m.
- Modified: April 17, 2025, 4:38 p.m.
Additional Information
- Paraguay
- British Indian Ocean Territory
- Finland
- Venezuela, Bolivarian Republic of
- Singapore
- India
- Australia
- Taiwan
- Saudi Arabia
- China
- United Arab Emirates
- Netherlands
- Argentina
- Switzerland
- Spain
- Italy
- Thailand
- Canada
- Japan
- France
- Germany
- United Kingdom of Great Britain and Northern Ireland
- Ukraine
- Israel
- Brazil
- United States of America