Cybersecurity researchers have warned of the ongoing risk posed by the distributed denial of service (DDOS) malware known as Xorddos, with 71.3% of attacks targeting the US between November 2023 and February 2025.
“The prevalence of Xorddos Trojan has increased significantly from 2020 to 2023,” Cisco Talos researcher Joey Chen said in an analysis Thursday.
“This trend is due to the increased malicious DNS requests linked to command and control (C2) infrastructure, as well as the widespread global distribution of Xordos Trojans. In addition to targeting exposed Linux machines, Trojans have expanded their reach to Docker servers and converted infected hosts into bots.
Almost 42% of compromised devices are in the US, followed by Japan, Canada, Denmark, Italy, Morocco and China.
Xorddos is a well-known malware with a proven track record of Striking Linux systems for over 10 years. In May 2022, Microsoft reported a significant surge in Xorddos activity, and infectious diseases paved the way for cryptocurrency mining malware, such as tsunamis.
The main initial access route involves carrying out a secure shell (SSH) brute force attack, obtaining valid SSH credentials, and downloading and installing malware on vulnerable IoT and other internet-connected devices.
Once the scaffolding is successfully established, the malware uses built-in initialization scripts and Cron jobs to set up persistence, allowing it to start automatically on system startup. It also uses the XOR key “BB2FA36AAA9541F0” to decrypt the configuration that exists within itself to extract the IP address required for C2 communication.
Talos has observed a new version of the Xorddos subcontroller, known as the VIP version in 2024, along with its corresponding central controller and builder, indicating that the product is likely to be advertised for sale.
The central controller is responsible for managing multiple XordDOS subcontrollers and sending DDOS commands simultaneously. Each of these sub-controllers commands a botnet of infected devices.
“The language settings for multi-layer controllers, Xorddos builders, and controller combined tools strongly suggest that the operator is a Chinese-speaking individual,” Chen said.
