The Q1 2026 malware analysis for Linux SSH servers identifies the P2PInfect worm as the predominant threat, responsible for 70.3% of attack sources. Additional threats include multiple DDoS botnets (Mirai, XMRig, Prometei, CoinMiner). Attackers used SSH brute-force methods to gain unauthorized access, followed by reconnaissance commands to gather system information. A notable campaign involved deploying V2Ray proxy tools on compromised hosts, facilitating proxy node operations. This campaign is linked to a suspected Chinese threat actor. The attacks focus on poorly secured SSH servers with weak passwords, highlighting credential attacks as a key vector. No known exploits in the wild or official patches are indicated. The report recommends strengthening password policies, implementing access controls, and monitoring network traffic for proxy-related anomalies.

The primary impact is unauthorized access to Linux SSH servers through brute-force attacks exploiting weak credentials. Compromised systems are used to deploy malware such as the P2PInfect worm and various DDoS botnets, potentially enabling distributed denial-of-service attacks and proxy node operations via V2Ray. This can degrade system availability and be leveraged for further malicious activities. The campaign's use of proxy tools may also facilitate anonymized malicious traffic. No direct evidence of widespread exploitation beyond these activities is reported.

No official patches or fixes are available as this threat exploits weak SSH credentials rather than software vulnerabilities. Mitigation focuses on enforcing strong password policies and robust access controls for SSH servers. Network monitoring should be employed to detect unusual outbound connections and proxy-related activities indicative of compromise. Regular review of SSH login attempts and use of multi-factor authentication where possible are recommended to reduce risk.