Statistics Report on Malware Targeting Linux SSH Servers in Q4 2025
AhnLab SEcurity intelligence Center (ASEC) utilizes a honeypot to respond to and classify brute-force and dictionary attacks targeting poorly managed Linux SSH servers. This post covers the status of the attack sources identified in the logs from the fourth quarter of 2025 and the statistics of attacks launched by these sources. It also classifies the malware strains used in each attack and provides detailed statistics.
1. Attacks Targeting Linux SSH Servers
The following are statistics on attacks targeting Linux SSH servers identified through AhnLab’s honeypot logs in the fourth quarter of 2025. In the fourth quarter of 2025, attacks from the P2PInfect worm malware accounted for 80.4% of all attacks. This was followed by Prometei at 8.3% and XMRig at 2.4%.
The malware strains used in the attacks are mostly worms, coin miners, or DDoS bots, with other types such as backdoors also observed. Although the attacks target servers with SSH services installed, it is worth noting that IoT DDoS bot malware strains, which primarily target IoT devices, have also been identified. Notable examples include Mirai and Gafgyt. Additionally, Tsunami is distributed to both IoT devices and Linux servers. Other DDoS malware strains that target Linux servers include ShellBot and XorDDoS. As for CoinMiner strains, there are various cases where XMRig is installed, as well as other strains such as Prometei and P2PInfect.
2. Attacks in the Fourth Quarter of 2025
In the fourth quarter of 2025, a ShellBot malware attack by the RUBYCARP threat actor was covered. RUBYCARP, which has been active for over 10 years, is known to build botnets by exploiting public vulnerabilities and carrying out brute-force attacks. In April 2024, Sysdig described RUBYCARP as a Romanian threat group. [1] The threat actor is known to use malware strains related to coin mining, DDoS attacks, and phishing for financial gain.
AhnLab SEcurity intelligence Center (ASEC) has confirmed that the ShellBot (PerlBot) malware of an attacker known as RUBYCARP is continuously being distributed. Some of the Indicators of Compromise (IoCs), namely the download address and C&C address of ShellBot identified in the installation command, are the same as the RUBYCARP infrastructure published by Sysdig. Even in cases where the IoCs were not the same, it was possible to confirm that the same threat actor was behind the attacks by comparing the various features of the ShellBot used in the attacks.
Also known as PerlBot, ShellBot is a DDoS bot malware developed in Perl. It uses the IRC protocol to communicate with the C&C server and supports various commands that allow threat actors to control the infected system, not just launch DDoS attacks. The threat actors scan for systems with port 22 open, where the SSH service runs, and upon finding a system with an SSH service, they launch a dictionary attack using a list of commonly used SSH account credentials. After logging in successfully, the threat actor installs ShellBot, and this activity has been ongoing since 2025.
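As an added defender-side example (not part of the ASEC report), the following Python parses OpenSSH "Failed password" log lines of the kind such a honeypot records and separates dictionary attacks (one source trying many usernames) from single-account brute force (one source hammering one username). The log lines are constructed samples, and the thresholds are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict

# OpenSSH "Failed password" line; "invalid user " appears only for non-existent accounts:
# "Oct 12 03:14:07 hp sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_failures(lines):
    """Return {source_ip: {username: failure_count}} from sshd log lines."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]][m["user"]] += 1
    return failures

def classify_sources(failures, min_attempts=4, dictionary_users=3):
    """Label sources with at least min_attempts failures (thresholds are assumptions):
    'dictionary' = many usernames sprayed, 'brute-force' = one account hammered."""
    verdicts = {}
    for ip, per_user in failures.items():
        if sum(per_user.values()) < min_attempts:
            continue  # too few failures to call it an attack; skip
        verdicts[ip] = "dictionary" if len(per_user) >= dictionary_users else "brute-force"
    return verdicts

# Constructed sample lines using RFC 5737 documentation addresses, not real attack sources.
SAMPLE_LOG = [
    "Oct 12 03:14:07 hp sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2",
    "Oct 12 03:14:09 hp sshd[1203]: Failed password for root from 203.0.113.5 port 40130 ssh2",
    "Oct 12 03:14:11 hp sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 40138 ssh2",
    "Oct 12 03:14:13 hp sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 40144 ssh2",
    "Oct 12 03:20:01 hp sshd[1301]: Failed password for root from 198.51.100.7 port 51000 ssh2",
    "Oct 12 03:20:02 hp sshd[1303]: Failed password for root from 198.51.100.7 port 51002 ssh2",
    "Oct 12 03:20:03 hp sshd[1305]: Failed password for root from 198.51.100.7 port 51004 ssh2",
    "Oct 12 03:20:04 hp sshd[1307]: Failed password for root from 198.51.100.7 port 51006 ssh2",
    "Oct 12 03:25:00 hp sshd[1401]: Failed password for alice from 192.0.2.9 port 60000 ssh2",
    "Oct 12 03:25:30 hp sshd[1403]: Accepted publickey for alice from 192.0.2.9 port 60002 ssh2",
]

if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(parse_failures(SAMPLE_LOG)).items()):
        print(f"{ip}: {verdict}")
```

Running it flags 203.0.113.5 as a dictionary attack and 198.51.100.7 as brute force, while the single failed login from 192.0.2.9 followed by a successful key login stays below the threshold.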
There are two main types of ShellBot used in attacks. The first type is the ShellBot malware distributed to Linux SSH servers, as mentioned in the blog post “ShellBot Malware Distributed to Linux SSH Servers.” In the past, it was known as “LiGhT’s Modded perlbot v2.” [2] This ShellBot supports a large number of commands, and the features are categorized by type below.

Figure 1. Command routine of LiGhT’s Modded perlbot v2
| Command | Function |
|---|---|
| flooding | IRC flooding |
| irc | IRC control commands |
| ddos | DDoS commands (TCP, UDP, HTTP, SQL flooding, etc.) |
| news | DDoS attack commands against security web pages |
| hacking | Attack commands (MultiScan, Socks5, LogCleaner, Nmap, Reverse Shell, etc.) |
| linuxhelp | Help |
| extras | Additional feature (suspected to be related to DDoS attacks) |
Table 2. Features supported by LiGhT’s Modded perlbot v2
The other type is simpler than the ShellBot above, but it supports commands such as DDoS attacks and scanning. It is worth noting that both types have the string “netadmin.fuckOff[.]org” in the “@auth” variable.
| Command | Function |
|---|---|
| portscan | Port scanning |
| download | Download file |
| fullportscan | Port scanning for a specific address |
| udp | UDP flooding attack |
| udpfaixa | UDP flooding attack 2 |
| conback | Connecting to a specific address |
Table 3. Features supported by ShellBot

Figure 3. Configuration information of ShellBot