![](https://static.wixstatic.com/media/34c96e_046b762982ce4b689c2a0df9827c14aa~mv2.jpg/v1/fill/w_980,h_980,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/34c96e_046b762982ce4b689c2a0df9827c14aa~mv2.jpg)
At midnight on January 16 and 19, 2024, one of our honeypots was targeted by a sample of the Linux trojan XOR DDoS from an OpenSSH server geolocated to Nanjing, China.
![](https://static.wixstatic.com/media/34c96e_715a38fe8c5843598e08d57ba6c7ea4c~mv2.png/v1/fill/w_938,h_315,al_c,q_85,enc_auto/34c96e_715a38fe8c5843598e08d57ba6c7ea4c~mv2.png)
Based on the known TTPs of the XOR DDoS trojan, the compromise likely occurred by brute-forcing the honeypot's SSH credentials and then dropping the payload.
The malware, with SHA256 hash ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73, was dropped into the download folder of one of our honeypots from the IP address 218[.]92[.]0[.]60, which appears to be an OpenSSH server hosted on the CHINANET Jiangsu Province Network.
![](https://static.wixstatic.com/media/34c96e_bc92a695a1974e2fb40f2b2a9c4036fe~mv2.png/v1/fill/w_950,h_612,al_c,q_90,enc_auto/34c96e_bc92a695a1974e2fb40f2b2a9c4036fe~mv2.png)
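As an added illustration of how a defender would spot this TTP, the following Python script (written for this write-up, not code from the original post or from the honeypot) correlates sshd password failures followed by a successful login from the same source IP, and hashes files in a download folder against the sample's SHA256. The sshd log format regex, the failure threshold and the sample log lines are assumptions and constructed data.

```python
import hashlib
import re
from pathlib import Path

# SHA256 of the XOR DDoS sample described in the post.
KNOWN_IOCS = {"ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73"}

# Common OpenSSH password-auth outcome lines; the exact wording is an
# assumption about the sshd log format, adjust it for your distribution.
SSHD_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\d+(?:\.\d+){3})")

def find_bruteforce_logins(log_lines, threshold=3):
    """Return {ip: (failed_attempts, user)} for each source IP whose successful
    password login was preceded by at least `threshold` failures."""
    failed, hits = {}, {}
    for line in log_lines:
        m = SSHD_RE.search(line)
        if not m:
            continue
        outcome, user, ip = m.groups()
        if outcome == "Failed":
            failed[ip] = failed.get(ip, 0) + 1
        elif failed.get(ip, 0) >= threshold:
            hits[ip] = (failed[ip], user)
    return hits

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def match_iocs(files, iocs=KNOWN_IOCS):
    """files: {name: bytes}. Return {name: sha256} for contents whose hash is a known IoC."""
    digests = {name: sha256_hex(data) for name, data in files.items()}
    return {name: d for name, d in digests.items() if d in iocs}

def scan_directory(directory, iocs=KNOWN_IOCS):
    """Hash every regular file under `directory` (e.g. the honeypot download folder)."""
    files = {str(p): p.read_bytes() for p in Path(directory).rglob("*") if p.is_file()}
    return match_iocs(files, iocs)

# Constructed sshd log lines; the source IP is the one reported in the post, the rest is made up.
SAMPLE_LOG = [
    "Jan 16 00:00:01 hp sshd[4101]: Failed password for root from 218.92.0.60 port 50122 ssh2",
    "Jan 16 00:00:02 hp sshd[4103]: Failed password for invalid user admin from 218.92.0.60 port 50124 ssh2",
    "Jan 16 00:00:03 hp sshd[4105]: Failed password for root from 218.92.0.60 port 50126 ssh2",
    "Jan 16 00:00:04 hp sshd[4107]: Accepted password for root from 218.92.0.60 port 50128 ssh2",
    "Jan 16 00:01:00 hp sshd[4120]: Failed password for root from 10.0.0.5 port 40000 ssh2",
    "Jan 16 00:02:00 hp sshd[4122]: Accepted password for ops from 10.0.0.7 port 40010 ssh2",
]
```

Running `find_bruteforce_logins(SAMPLE_LOG)` flags only the source that failed repeatedly before succeeding; `scan_directory("/path/to/downloads")` reports any file whose hash matches the sample.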
Based on a review of VirusTotal submissions, this specific sample has been in consistent use since 2022. Further research reveals that the malware has also historically communicated with infrastructure in South Korea and Australia.
![](https://static.wixstatic.com/media/34c96e_12e74040b95342668cf3d2ce290f0696~mv2.png/v1/fill/w_895,h_617,al_c,q_90,enc_auto/34c96e_12e74040b95342668cf3d2ce290f0696~mv2.png)