
Unmasking the new XorDDoS controller and infrastructure

Severity: Medium
Published: Thu Apr 17 2025 (04/17/2025, 13:06:23 UTC)
Source: AlienVault OTX

Description

The XorDDoS trojan, a DDoS malware targeting Linux machines, continues to spread globally with over 70% of attacks targeting the United States from Nov 2023 to Feb 2025. The operators are believed to be Chinese-speaking individuals based on language settings. A new 'VIP version' of the XorDDoS controller and central controller have been discovered, enabling more sophisticated and widespread attacks. The malware uses SSH brute-force attacks to gain access and implements persistence mechanisms. A new central controller allows threat actors to manage multiple sub-controllers simultaneously, enhancing attack coordination. The infection chain, decryption methods, and network communication patterns between the trojan, sub-controller, and central controller are analyzed in detail.

AI-Powered Analysis

Last updated: 06/19/2025, 17:34:07 UTC

Technical Analysis

XorDDoS is a Linux DDoS trojan that gains its initial foothold by brute-forcing SSH: it systematically guesses credentials against exposed SSH services and succeeds wherever passwords are weak or default. Once in, it deploys the trojan and installs persistence so that the implant survives reboots. Talos' analysis describes a new 'VIP version' of the controller infrastructure with a two-tier command-and-control (C2) architecture: a central controller manages multiple sub-controllers simultaneously, and the sub-controllers in turn communicate with the infected hosts, so a single operator can coordinate larger and better-synchronised DDoS campaigns. The infection chain, the malware's decryption routines, and the network communication between trojan, sub-controller and central controller are analysed in the referenced report; the C2 traffic is encrypted, which is what keeps it inconspicuous on the wire.

The indicators of compromise listed below are four sample hashes and three C2 domains (ppp.gggatat456.com, ppp.xxxatat456.com and www1.gggatat456.com). Over 70% of the attacks observed between November 2023 and February 2025 targeted the United States, but the malware spreads opportunistically to any reachable SSH server with guessable credentials, so exposure is global. Attribution to Chinese-speaking operators rests only on language settings observed in the tooling and is not otherwise confirmed. No software vulnerability is involved in initial access, so there is no exploit to patch against: the control that matters is SSH authentication hygiene. Severity is assessed as medium, reflecting a real capability to disrupt services set against mitigations that are well understood.
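The two observable stages described above, credential brute force against sshd and beaconing to the listed C2 domains, can be checked for in host and DNS logs. The following is an added example, not code from the Talos report or the OTX entry: it runs simple detection logic over constructed auth.log lines and constructed DNS query names, using only the domains and hashes listed on this page as indicators. The failure threshold, the time window, and the decision to also flag sibling hostnames under the IoC zones are assumptions.

```python
"""Detection logic for the XorDDoS behaviour described above: SSH password
brute force followed by a successful login, and contact with the C2 domains.
Added example, not code from the Talos report or the OTX entry. The auth.log
and DNS data are constructed; the threshold and window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators exactly as listed on this page.
IOC_DOMAINS = {"ppp.gggatat456.com", "ppp.xxxatat456.com", "www1.gggatat456.com"}
IOC_HASHES = {
    "f5ce2b557251d8208aede60eac1eb88f",
    "e706cdce9dc2e4c13f1775d261e2f1eb41a6938a",
    "70167bee44cde87b48e132a9abbac66055277cb552f666ca8b7bf5120914e852",
    "d09731c39d57e1c38b771f530422815bb01c338870645e655e53d55266e81556",
}
# Assumption: other hostnames under the same zones are worth flagging too.
IOC_ZONES = {d.split(".", 1)[1] for d in IOC_DOMAINS}

# OpenSSH sshd messages as written to a syslog-style auth.log.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_ts(stamp, year=2025):
    # syslog timestamps carry no year; the caller supplies it.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def detect_ssh_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> {"failures": n, "compromised": bool} for every IP that
    produced `threshold` failed password logins inside `window`. An Accepted
    login from that IP at or after its first failure marks a likely takeover."""
    events = defaultdict(list)
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            events[m["ip"]].append((parse_ts(m["ts"]), m["result"]))
    findings = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [t for t, r in evs if r == "Failed"]
        # sliding window over the sorted failure times
        burst = any(fails[i + threshold - 1] - fails[i] <= window
                    for i in range(len(fails) - threshold + 1))
        if burst:
            taken = any(r == "Accepted" and t >= fails[0] for t, r in evs)
            findings[ip] = {"failures": len(fails), "compromised": taken}
    return findings


def match_c2_domains(queried_names):
    """Return queried names that are IoC domains or sit under an IoC zone."""
    hits = []
    for name in queried_names:
        n = name.lower().rstrip(".")          # normalise case and trailing dot
        if n in IOC_DOMAINS or any(n.endswith("." + z) for z in IOC_ZONES):
            hits.append(n)
    return hits


def match_hashes(observed):
    """Return observed file hashes (any case) that are on the IoC list."""
    return sorted(h.lower() for h in observed if h.lower() in IOC_HASHES)


# Constructed sample data: one brute-force burst that ends in a root login,
# and one ordinary user who mistyped a password once.
SAMPLE_AUTH_LOG = """\
Apr 17 13:01:02 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 40101 ssh2
Apr 17 13:01:04 web1 sshd[2102]: Failed password for root from 203.0.113.5 port 40102 ssh2
Apr 17 13:01:05 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40103 ssh2
Apr 17 13:01:07 web1 sshd[2104]: Failed password for root from 203.0.113.5 port 40104 ssh2
Apr 17 13:01:09 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 40105 ssh2
Apr 17 13:01:12 web1 sshd[2106]: Accepted password for root from 203.0.113.5 port 40106 ssh2
Apr 17 13:05:00 web1 sshd[2200]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Apr 17 13:05:20 web1 sshd[2201]: Accepted password for alice from 198.51.100.7 port 5002 ssh2
""".splitlines()
SAMPLE_DNS = ["PPP.GGGATAT456.COM.", "www1.gggatat456.com", "example.org",
              "cdn.xxxatat456.com"]

if __name__ == "__main__":
    print(detect_ssh_bruteforce(SAMPLE_AUTH_LOG))
    print(match_c2_domains(SAMPLE_DNS))
    print(match_hashes(["F5CE2B557251D8208AEDE60EAC1EB88F", "deadbeef"]))
```

The brute-force detector keys on the transition from a burst of failures to an Accepted login from the same source, which is the moment this malware actually lands; a burst with no success is noise to rate-limit, a success after a burst is an incident. Domain matching normalises case and the trailing dot that passive-DNS and Zeek-style logs often carry, otherwise the exact-match set would miss them.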

Potential Impact

For European organizations, XorDDoS poses a significant threat primarily to Linux-based servers and infrastructure exposed to SSH access, including web servers, application servers, and IoT devices running Linux. Successful compromise can lead to these systems being co-opted into large-scale DDoS attacks, resulting in degraded service availability, reputational damage, and increased operational costs due to mitigation efforts. Critical sectors such as finance, telecommunications, government services, and cloud providers are particularly vulnerable given their reliance on Linux infrastructure and the strategic importance of their services. The enhanced controller infrastructure increases the scale and coordination of attacks, potentially overwhelming existing DDoS defenses. Persistence mechanisms complicate remediation, increasing downtime and recovery costs. While the primary target has been the United States, European organizations with weak SSH security or exposed Linux systems could become collateral victims or direct targets as the malware spreads. The medium severity rating suggests the threat is serious but manageable with appropriate security controls and monitoring. Failure to address this threat could lead to significant operational disruptions and cascading effects on interconnected services within Europe.

Mitigation Recommendations

European organizations should implement targeted, practical measures beyond generic advice to mitigate XorDDoS:

1) Harden SSH authentication: disable password logins (PasswordAuthentication no, KbdInteractiveAuthentication no) in favour of key-based authentication with passphrase-protected keys, and set PermitRootLogin no.
2) Restrict who can reach SSH at all: IP allow-listing, a VPN or bastion host, and AllowUsers/AllowGroups in sshd_config.
3) Deploy and keep updated IDS/IPS signatures for SSH brute-force attempts and for outbound connections or DNS lookups to the C2 domains ppp.gggatat456.com, ppp.xxxatat456.com and www1.gggatat456.com.
4) Add multi-factor authentication to SSH where feasible.
5) Audit Linux hosts regularly for unexpected persistence (unfamiliar services, cron entries or init scripts), unusual outbound traffic, and files matching the listed hashes. Hashes change with every rebuild of the malware, so treat them as a low-durability indicator next to the C2 domains.
6) Segment the network so that internet-facing Linux servers cannot reach critical zones, limiting lateral movement from a compromised host.
7) Rate-limit SSH: MaxAuthTries and MaxStartups in sshd_config, fail2ban or an equivalent, and firewall connection limits on the SSH port.
8) Share indicators with national CERTs and sector ISACs to keep the domain and hash lists current.
9) Patch Linux distributions and the SSH server regularly.
10) Monitor outbound DNS for the C2 domains, block them at the resolver, and sinkhole where possible so that beacons from already-infected hosts become visible.

Together these reduce the attack surface, improve detection of both the brute-force stage and the beaconing stage, and shorten response.
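Items 1, 2 and 7 above all come down to the effective global settings in sshd_config, and misreadings are common because sshd takes the first occurrence of a keyword, applies defaults for absent ones, and treats everything after a Match line as conditional. The following audit is an added example, not part of the OTX entry or the Talos report: it parses a constructed weak configuration and a constructed hardened one, and reports which of the settings listed above are not met. The required values and the MaxAuthTries limit of 3 are this example's assumptions.

```python
"""Audit of sshd_config against the SSH-hardening items above.
Added example, not part of the OTX entry or the Talos report; the two
configurations at the bottom are constructed for the demonstration."""

# Required global values (keyword -> accepted values); assumption of this audit.
REQUIRED = {
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password"},
    "pubkeyauthentication": {"yes"},
}
# Older OpenSSH spells the keyboard-interactive switch differently.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# OpenSSH defaults that apply when a keyword is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}
MAX_AUTH_TRIES = 3   # assumption: tighter than the default of 6


def parse_global(config_text):
    """Return the effective global keyword -> value map.
    Keywords are case-insensitive, the first occurrence wins, and parsing
    stops at the first Match block because its directives are conditional."""
    effective = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) < 2:
            continue          # keyword with no value: leave that to `sshd -t`
        key = ALIASES.get(key, key)
        effective.setdefault(key, parts[1].strip())
    return effective


def audit(config_text):
    """Return a list of (keyword, effective_value, expected) findings."""
    eff = parse_global(config_text)
    findings = []
    for key, accepted in REQUIRED.items():
        val = eff.get(key, DEFAULTS[key]).lower()
        if val not in accepted:
            findings.append((key, val, "/".join(sorted(accepted))))
    tries = int(eff.get("maxauthtries", DEFAULTS["maxauthtries"]))
    if tries > MAX_AUTH_TRIES:
        findings.append(("maxauthtries", str(tries), f"<= {MAX_AUTH_TRIES}"))
    if not ({"allowusers", "allowgroups"} & eff.keys()):
        findings.append(("allowusers/allowgroups", "(unset)", "restrict to named accounts"))
    return findings


# Constructed: a distribution-style default with password logins left on.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed: the settings the mitigation list asks for. The Match block
# re-enables passwords for one internal range only; the global audit must
# not be fooled by it.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
AllowGroups sshusers
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

Run it against /etc/ssh/sshd_config on a real host, but confirm the result with `sshd -T`, which prints the effective configuration after all includes and Match blocks; this parser deliberately stops at the first Match and does not follow Include directives, so it is a quick check, not the authority.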


Technical Details

Author
AlienVault
TLP
white
References
https://blog.talosintelligence.com/unmasking-the-new-xorddos-controller-and-infrastructure/
Adversary

Indicators of Compromise

Hash

f5ce2b557251d8208aede60eac1eb88f (MD5)
e706cdce9dc2e4c13f1775d261e2f1eb41a6938a (SHA-1)
70167bee44cde87b48e132a9abbac66055277cb552f666ca8b7bf5120914e852 (SHA-256)
d09731c39d57e1c38b771f530422815bb01c338870645e655e53d55266e81556 (SHA-256)

Domain

ppp.gggatat456.com
ppp.xxxatat456.com
www1.gggatat456.com

Threat ID: 682c992c7960f6956616a186

Added to database: 5/20/2025, 3:01:00 PM

Last enriched: 6/19/2025, 5:34:07 PM

Last updated: 8/11/2025, 4:58:53 PM
