Reddit NetSec

CVE Database V5

AlienVault OTX General

Reddit InfoSec News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

The XorDDoS trojan, a DDoS malware targeting Linux machines, continues to spread globally with over 70% of attacks targeting the United States from Nov 2023 to Feb 2025. The operators are believed to be Chinese-speaking individuals based on language settings. A new 'VIP version' of the XorDDoS controller and central controller have been discovered, enabling more sophisticated and widespread attacks. The malware uses SSH brute-force attacks to gain access and implements persistence mechanisms. A new central controller allows threat actors to manage multiple sub-controllers simultaneously, enhancing attack coordination. The infection chain, decryption methods, and network communication patterns between the trojan, sub-controller, and central controller are analyzed in detail.

The XorDDoS trojan is a Linux-targeting malware designed to conduct distributed denial-of-service (DDoS) attacks by compromising vulnerable Linux machines primarily through SSH brute-force attacks. The malware attempts to gain unauthorized access by systematically guessing SSH credentials, exploiting weak or default passwords. Upon successful compromise, XorDDoS establishes persistence mechanisms on the infected host, ensuring continued control even after system reboots or removal attempts. A recent discovery revealed a new 'VIP version' of the XorDDoS controller infrastructure, introducing a hierarchical command-and-control (C2) architecture consisting of a central controller managing multiple sub-controllers. This design significantly enhances the attackers' ability to coordinate large-scale and sophisticated DDoS campaigns. The infection chain involves initial brute-force access, deployment of the trojan, and encrypted communication between the trojan, sub-controllers, and the central controller. The malware uses specific network communication patterns and encryption methods to evade detection and maintain stealth. Indicators of compromise include several known malicious file hashes and domains used for C2 communication, such as 'ppp.gggatat456.com' and 'ppp.xxxatat456.com'. Although over 70% of observed attacks from November 2023 to February 2025 targeted the United States, the global spread and modular infrastructure of XorDDoS suggest potential for broader impact. The operators are believed to be Chinese-speaking based on language settings observed in the malware, but no direct attribution beyond this linguistic indicator is confirmed. No known public exploits are currently reported, and the overall severity is assessed as medium, reflecting the malware's capability to disrupt services but also the availability of mitigation strategies.

Detailed information about Unmasking the new XorDDoS controller and infrastructure. Get real-time updates, technical details, and mitigation strategies.

Unmasking the new XorDDoS controller and infrastructure - Live Threat Intelligence - Threat Radar | OffSeq.com

Unmasking the new XorDDoS controller and infrastructure

OSINT - Nueva campaÃ±a del grupo ruso TA505 dirigida a Chile y Argentina. #ServHelper

The provided information describes an open-source intelligence (OSINT) report about a new campaign by the Russian threat actor group TA505 targeting Chile and Argentina. TA505 is a well-known financially motivated cybercrime group that has historically conducted large-scale phishing campaigns, distributing malware such as banking Trojans, ransomware, and other malicious payloads. This particular campaign, referenced with the hashtag #ServHelper, appears to be focused on South American countries, specifically Chile and Argentina. The report is categorized as OSINT with a moderate certainty level (50%) and a low severity rating. There are no technical details about specific vulnerabilities exploited or malware used, nor are there indicators of compromise or affected software versions listed. The threat level is noted as 3 on an unspecified scale, and the analysis level is 2, suggesting limited but credible information. The absence of known exploits in the wild and lack of patch links further indicate that this is an intelligence report on threat actor activity rather than a direct vulnerability or exploit. The campaign's focus on Chile and Argentina suggests a regional targeting strategy, possibly for financial gain or espionage. TA505's historical tactics include phishing emails with malicious attachments or links, leveraging social engineering to compromise victims. Given the lack of detailed technical indicators, the report serves primarily as an alert to monitor for TA505 activity and to be vigilant against phishing and malware campaigns associated with this group.

Detailed information about OSINT - Nueva campaÃ±a del grupo ruso TA505 dirigida a Chile y Argentina. #ServHelper. Get real-time updates, technical details, and 

Title	Severity	Type	Source	Date

Threats Affecting Argentina

Filter Threats

Threats Affecting Argentina

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility