Tag: ssh

15 Attack Reports | 0 Vulnerabilities

Attack reports

Operation SkyCloak: Tor Campaign targets Military of Russia & Belarus

A sophisticated campaign targeting Russian and Belarusian military personnel has been identified, using multi-stage infection chains and decoy documents. The attackers deploy OpenSSH and Tor bridges to establish covert remote access and lateral movement capabilities. The infection process involves …
obfuscation
espionage
powershell
russia
belarus
ssh
tor
military
2025-10-31
Published: October 31, 2025
Downloadable IOCs: 12

Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors | Google Cloud Blog

Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. Since March 2025, Mandiant Consulting has responded to intrusions across a range of industry verticals, most notably legal…
linux
windows
zero-day
brickstorm
ssh
2025-10-08
unc5221
vpxd
backup scan
sentinel
silk typhoon
systemconfiguration
socks proxy
vcenter
Published: October 8, 2025
Downloadable IOCs: 12

Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors

Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. Since March 2025, Mandiant Consulting has responded to intrusions across a range of industry verticals, most notably legal…
linux
windows
zero-day
brickstorm
ssh
2025-10-08
unc5221
vpxd
backup scan
sentinel
silk typhoon
systemconfiguration
socks proxy
vcenter
Published: October 8, 2025
Downloadable IOCs: 12

Attacks Targeting Linux SSH Servers to Install SVF DDoS Bot

A recent attack on poorly managed Linux servers has been identified, involving the installation of SVF Botnet, a DDoS Bot malware developed in Python. The malware uses Discord as its C&C server and employs multiple proxy servers for DDoS attacks. The threat actor gains access through weak SSH crede…
linux
ddos
discord
ssh
brute force
dictionary attack
proxy servers
2025-08-20
svf bot
svf botnet
Published: August 20, 2025
Downloadable IOCs: 0

Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild

A critical vulnerability (CVE-2025-32433) in Erlang/OTP's SSH daemon allows unauthenticated remote code execution, affecting critical infrastructure and operational technology networks. With a CVSS score of 10.0, it enables command execution by sending SSH connection protocol messages to open ports…
exploit
vulnerability
ssh
remote code execution
critical infrastructure
CVE-2025-32433
2025-08-11
erlang/otp
operational technology
Published: August 11, 2025
Linked vulnerabilities : CVE-2025-32433 (CVSS 10.0)
Downloadable IOCs: 2

GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers

A sophisticated campaign targeting ASUS routers has been uncovered, compromising thousands of devices. The attackers employ brute-force attempts, authentication bypasses, and exploit CVE-2023-39780 to gain initial access. They establish persistence by enabling SSH access on a custom port and insert…
backdoor
apt
persistence
botnet
ssh
stealth
authentication bypass
asus routers
CVE-2023-39780
2025-06-04
nvram
Published: June 4, 2025
Downloadable IOCs: 3

Outlaw cybergang attacking targets worldwide

A recent incident response case in Brazil revealed a Perl-based crypto mining botnet called Outlaw, also known as Dota, targeting Linux environments. The threat actor exploits weak SSH credentials, downloads malicious scripts, and deploys an XMRig miner for Monero cryptocurrency. The botnet include…
linux
backdoor
evasion
xmrig
persistence
botnet
irc
ssh
crypto mining
outlaw
2025-04-29
dota
Published: April 29, 2025
Downloadable IOCs: 0

Introducing ToyMaker

The initial access broker (IAB), whom Talos calls “ToyMaker” and assesses with medium confidence is a financially motivated threat actor, exploits vulnerable systems exposed to the internet. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. …
ransomware
powershell
anydesk
persistence
winscp
impacket
bugsleep
ssh
metasploit
initial access broker
file transfer
cactus
2025-04-23
lagtoy
toymaker
magnet ram
capture
holerun
Published: April 23, 2025
Downloadable IOCs: 20

Outlaw Linux Malware: Persistent, Unsophisticated, and Surprisingly Effective

OUTLAW is a persistent Linux malware that uses basic techniques like SSH brute-forcing, SSH key manipulation, and cron-based persistence to maintain a long-lasting botnet. Despite its lack of sophistication, it remains active by leveraging simple but impactful tactics. The malware deploys modified …
linux
xmrig
worm
persistence
botnet
irc
ssh
cryptocurrency mining
brute-force
2025-04-03
outlaw
stealth shellbot
blitz
Published: April 3, 2025
Downloadable IOCs: 87

More SSH Fun!

A Windows batch file has been discovered that abuses the ssh.exe tool in modern Windows versions to create a backdoor. The script adds a registry entry for persistence and uses SSH to set up a reverse tunnel, allowing remote access. It also downloads and executes a malicious file using a Dev Tunnel…
ssh
2024-12-24
dev tunnels
Published: December 24, 2024
Downloadable IOCs: 2

Christmas "Gift" Delivered Through SSH

A malicious file named "christmas_slab.pdf.lnk" was discovered, utilizing Windows' built-in SSH support to deliver malware. The LNK file executes ssh.exe to transfer and run a PE file from a remote server. The attack leverages the SSH/SCP protocol, taking advantage of its widespread availability on…
lnk file
ssh
2024-12-20
Published: December 20, 2024
Downloadable IOCs: 1

cShell DDoS Bot Attack Case Targeting Linux SSH Server (screen and hping3)

A new DDoS malware strain named cShell is targeting poorly managed Linux servers through SSH services. The threat actor uses brute force attacks to gain initial access, then installs the cShell bot developed in Go language. cShell exploits Linux tools 'screen' and 'hping3' to perform various DDoS a…
linux
ddos
botnet
ssh
brute-force
2024-12-20
carm
hping3
go-language
cshell
screen
Published: December 20, 2024
Downloadable IOCs: 1

Attacker Abuses Victim Resources to Reap Rewards from Titan Network

An attacker exploited the Atlassian Confluence vulnerability CVE-2023-22527 to achieve remote code execution for cryptomining via the Titan Network. The malicious actor gathered system details using public IP lookup services and various commands. Multiple shell scripts were downloaded and executed …
cryptomining
aws
ssh
remote code execution
CVE-2023-22527
atlassian confluence
2024-11-04
titan network
cassini testnet
aleo-pool
Published: November 4, 2024
Linked vulnerabilities : CVE-2023-22527
Downloadable IOCs: 1

Supershell Malware Being Distributed to Linux SSH Servers

A Chinese-developed Go-based backdoor called Supershell is targeting poorly managed Linux SSH servers. The malware, which supports multiple platforms, primarily functions as a reverse shell for remote system control. Attackers use dictionary attacks from various IP addresses to gain access, then in…
xmrig
ssh
2024-09-20
cryptocurrency mining
supershell
Published: September 20, 2024
Downloadable IOCs: 5

Akira Ransomware Targets the LATAM Airline Industry

An in-depth analysis examined a threat actor utilizing Akira ransomware to compromise a Latin American airline. The attacker gained initial network access via SSH, exploiting a vulnerability in Veeam backup software, and subsequently exfiltrated critical data before deploying the ransomware payload…
linux
ransomware
exfiltration
akira
CVE-2023-27532
2024-07-16
ssh
backup
Published: July 16, 2024
Linked vulnerabilities : CVE-2023-27532, CVE-2023-20269, CVE-2020-3259
Downloadable IOCs: 2
Click here to see more Attack Reports