Full Report
Cisco Talos observed the ongoing global spread of the XorDDoS malware, predominantly targeting the United States, with evidence suggesting Chinese-speaking operators are using sophisticated tools to orchestrate widespread attacks.
Analysis Summary
# Threat Actor: XorDDoS Operators
## Attribution & Identity
The operators are assessed with high confidence to be Chinese-speaking individuals, based on the simplified Chinese user interface and instructions found in the XorDDoS controller and builder. The malware is known as XorDDoS.
## Activity Summary
XorDDoS, a long-standing DDoS malware targeting Linux machines, has seen a significant increase in prevalence from 2020 to 2023. Between November 2023 and February 2025, Cisco Talos observed its continued global spread. A new, more sophisticated version called the "VIP version" of the controller was discovered being used to build the bot network. Compromised systems were observed launching DDoS attacks globally, with the United States being the primary target for attack attempts (over 70%).
## Tactics, Techniques & Procedures
- **Initial Access:** Leverages SSH brute-force attacks, attempting numerous root credential combinations against target Linux devices.
- **Execution/Persistence:** Installs a malicious shell script after gaining root privileges to download and install the XorDDoS trojan.
- **Persistence:** Ensures automatic launching at system startup by installing an init script and a cron job script.
- **Defense Evasion:** Attempts to evade detection and termination via security products through established persistence mechanisms.
- **Command and Control:** Decrypts embedded configuration (using XOR key "BB2FA36AAA9541F0") to obtain C2 URLs/IPs for command retrieval.
- **Capabilities:** Converts infected Linux machines, including exposed Docker servers, into "zombie bots" for DDoS attacks.
- **MITRE ATT&CK IDs (Implied by TTPs):** T1110.001 (Brute Force: Password Guessing), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder), T1071.001 (Application Layer Protocol: Web Protocols).
## Targeting
- **Sectors:** Not explicitly detailed, but targeting is based on exposed Linux machines and Docker servers, suggesting prevalence across any internet-facing infrastructure.
- **Geography:** Global distribution of compromised bots. Attack victims were primarily located in the United States (nearly 50% of compromised systems). Attack attempts targeted over two dozen countries including the US (over 70% of attack attempts), Spain, Taiwan, Canada, Japan, Germany, China, India, and others.
- **Victims:** Specific organizations are not named, but the targets are Linux/Docker servers vulnerable to SSH brute-forcing.
## Tools & Infrastructure
- **Malware Families used:** XorDDoS (including the new "VIP version" controller).
- **Infrastructure (C2, domains, IPs - defang URLs):** Infrastructure includes a central controller and sub-controllers communicating with the malware. Specific C2 artifacts mentioned are decrypted via an XOR key "BB2FA36AAA9541F0". IOCs are available on the vendor's GitHub repository.
## Implications
The continued evolution of XorDDoS, evidenced by the new "VIP version" controller, indicates persistent, sophisticated operation by Chinese-speaking threat actors focused purely on generating large-scale DDoS attacks. The focus on Linux and Docker environments suggests an exploitation of the rapidly expanding IoT and containerized infrastructure footprint.
## Mitigations
- **Network Security:** Utilize solutions capable of detecting malicious network communication patterns associated with this threat (e.g., Cisco Secure Firewall, Umbrella blocking malicious domains/IPs).
- **Endpoint Security:** Employ security tools that identify malicious binaries (e.g., Cisco Secure Malware Analytics/Threat Grid).
- **Authentication:** Implement Multi-Factor Authentication (Duo) to prevent successful initial access via compromised credentials, even if brute-forcing is attempted.
- **Detection Rules:** Update Snort rules (SIDs 64669, 64668, 64667) and ClamAV signatures (Unix.Dropper.Xorddos::in07.talos).
- **System Hardening:** Focus on hardening SSH services against brute-force attacks on Internet-facing Linux and Docker hosts.