top of page
  • Clipeus

Linux Trojan XOR DDoS Attacks

At midnight on January 16 and 19, 2024 one of our honeypots was targeted by a sample of the Linux trojan XOR DDoS from an OpenSSH server geolocating in Nanjing, China.

Timestamp of the Attacks

Based on the known TTPs for XOR DDoS trojan, the compromise likely occurred via brute forcing the honeypot SSH and subsequently dropping the payload.

The malware - consistent with the hash value (SHA256) ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73 - was dropped into the download folder of one of our honeypots from the IP address 218[.]92[.]0[.]60 which appears to be an OpenSSH server hosted by CHINANET Jiangsu Province Network.

Source IP geolocation

This specific piece of malware has been consistently used since 2022 based on a review of Virus Total submissions. Further research reveals the malware has been also historically communicating with infrastructure in South Korea and Australia.

Link Analysis Via Virus Total


Commenting has been turned off.

If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to with your inquiry. We would be glad to assist you

bottom of page