Q1 2026 Malware Statistics Report for Linux SSH Servers

Overview.

ASEC analyzed the statistics of attacks against Linux SSH servers in Q1 2026 based on honeypot logs. The P2PInfect worm dominated, accounting for 70.3% of all attack sources, and DDoS bots such as Mirai, XMRig, Prometei, and CoinMiner were identified as the main threats.

Purpose and Scope.

The purpose of this report is to summarize the statistics of damage, the number of attacks, and the malware classification derived from verified honeypot logs for the first quarter of 2026.

Key statistics.

  • In Q1 2026, a confirmed case was observed in which Linux servers were attacked to install a tool called V2Ray. Considering that no other attack logs exist except for this one, the threat actor's purpose appears to be to use the infected system as a proxy node.
  • The threat actor is unknown, but based on the tools and platforms used in the attack, it is believed to be a Chinese user.
  • After scanning the SSH service, the threat actor attempted to log in to the honeypot Linux server and then executed commands to view network information, the files in the current directory, memory usage, and disk usage.
  • Finally, the threat actor installed V2Ray to use the infected system as a proxy. V2Ray is a tool used for proxying, tunneling, and bypassing access controls, and it supports protocols such as VMess, VLESS, Trojan, and Shadowsocks.
  • While the commands executed by the threat actor are of limited use in determining the specific purpose, it is likely that one of the goals was to use a mismanaged SSH server as a proxy node.

Prevention and diagnostic information.

Account passwords should be difficult to guess and changed periodically. External SSH access should be minimized and restricted by changing the listening port, introducing key-based authentication, and applying firewalls and access controls.
Systems should be kept up to date with the latest security patches, and unnecessary services should be disabled. Networks should enforce log-based monitoring to detect unusual outbound connections, Netcat listen ports, and traces of V2Ray-related process execution. Using honeypots and threat intelligence (e.g., AhnLab TIP) to collect and correlate attack source information is useful for early detection.
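The following is an added example, written for this page and not part of the ASEC report or its tooling, of the log-based monitoring recommended above. It runs three checks over constructed sample log lines: an SSH login accepted from a source that just produced repeated password failures, Netcat started in listen mode, and execution of a V2Ray/Xray process (or a command line carrying a VMess/VLESS URI). The sshd line format matches the standard auth log; the `execve: uid=... exe=... argv="..."` lines are an assumed, simplified process-execution log format, and the threshold of two failures before a login is an assumption to tune for your environment.

```python
"""Added example: log-based detection of the activity described in the report.

Indicators checked (all from the report's prevention guidance):
  1. SSH login accepted after repeated password failures from the same source,
  2. Netcat started in listen mode,
  3. V2Ray / Xray process execution or a VMess/VLESS URI on a command line.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List

# Constructed sample lines; not taken from the honeypot in the report.
# The 'execve:' line format is an assumed, simplified process-execution log.
SAMPLE_LOG = """\
Mar 03 10:12:01 host sshd[2201]: Failed password for root from 198.51.100.7 port 51522 ssh2
Mar 03 10:12:03 host sshd[2201]: Failed password for root from 198.51.100.7 port 51522 ssh2
Mar 03 10:12:05 host sshd[2203]: Accepted password for root from 198.51.100.7 port 51530 ssh2
Mar 03 10:12:20 host execve: uid=0 exe=/usr/bin/ip argv="ip a"
Mar 03 10:12:21 host execve: uid=0 exe=/usr/bin/df argv="df -h"
Mar 03 10:12:40 host execve: uid=0 exe=/usr/bin/nc argv="nc -lvnp 4444"
Mar 03 10:13:02 host execve: uid=0 exe=/usr/local/bin/v2ray argv="v2ray run -c /tmp/config.json"
Mar 03 10:13:05 host execve: uid=1000 exe=/usr/bin/ls argv="ls -la"
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")
EXEC_RE = re.compile(r'execve: uid=(\d+) exe=(\S+) argv="([^"]*)"')

NETCAT_NAMES = {"nc", "ncat", "netcat"}
PROXY_NAMES = {"v2ray", "xray", "v2ray-core"}
FAILURE_THRESHOLD = 2  # assumption: number of failures before a login is suspicious


@dataclass
class Alert:
    kind: str      # which of the three checks fired
    line_no: int   # 1-based line in the scanned log
    detail: str    # human-readable context for the analyst


def is_listen_mode(argv: str) -> bool:
    """True if a netcat command line requests listen mode (-l, -lvnp, --listen)."""
    for tok in argv.split()[1:]:
        if tok == "--listen":
            return True
        # short-flag cluster such as -l, -lp, -lvnp
        if tok.startswith("-") and not tok.startswith("--") and "l" in tok[1:]:
            return True
    return False


def analyze(log_text: str) -> List[Alert]:
    """Scan log lines in order and return the alerts raised, in log order."""
    alerts: List[Alert] = []
    failures = defaultdict(int)  # source address -> failed password count
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, src = m.group(2), m.group(3)
            if failures[src] >= FAILURE_THRESHOLD:
                alerts.append(Alert("ssh_login_after_failures", line_no,
                                    f"{user} from {src} after {failures[src]} failed attempts"))
            continue
        m = EXEC_RE.search(line)
        if not m:
            continue
        exe, argv = m.group(2), m.group(3)
        name = exe.rsplit("/", 1)[-1]
        if name in NETCAT_NAMES and is_listen_mode(argv):
            alerts.append(Alert("netcat_listen", line_no, argv))
        elif name in PROXY_NAMES or re.search(r"\b(vmess|vless)://", argv):
            alerts.append(Alert("v2ray_process", line_no, argv))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"line {alert.line_no}: {alert.kind}: {alert.detail}")
```

On the sample input the scanner raises three alerts, one per indicator, in log order. In practice the `execve` records would come from auditd or an EDR sensor, and the process-name check should be complemented by matching against the file hash listed below, since an attacker can rename the binary.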

MD5

bc72ff889e2b2a92834d5d88a97236e5

IP

149[.]104[.]29[.]165