Experts Uncover New XorDDoS Controller, Infrastructure as Malware Expands to Docker, Linux, IoT

Source: The Hacker News, April 18, 2025

By Ravie Lakshmanan, IoT Security / Malware

Cybersecurity researchers are warning of continued risks posed by a distributed denial-of-service (DDoS) malware known as XorDDoS, with 71.3 percent of the attacks between November 2023 and February 2025 targeting the United States.

“From 2020 to 2023, the XorDDoS trojan has increased significantly in prevalence,” Cisco Talos researcher Joey Chen said in a Thursday analysis.


“This trend is not only due to the widespread global distribution of the XorDDoS trojan but also an uptick in malicious DNS requests linked to its command-and-control (C2) infrastructure. In addition to targeting commonly exposed Linux machines, the trojan has expanded its reach to Docker servers, converting infected hosts into bots.”

Nearly 42 percent of the compromised devices are located in the United States, followed by Japan, Canada, Denmark, Italy, Morocco, and China.

XorDDoS is a well-known malware that has a track record of striking Linux systems for over a decade. In May 2022, Microsoft reported a significant surge in XorDDoS activity, with the infections paving the way for cryptocurrency mining malware such as Tsunami.

The primary initial access pathway entails Secure Shell (SSH) brute-force attacks to obtain valid SSH credentials, after which the malware is downloaded and installed on vulnerable IoT and other internet-connected devices.

Upon successfully establishing a foothold, the malware sets up persistence using an embedded initialization script and a cron job so that it launches automatically at system startup. It also makes use of the XOR key “BB2FA36AAA9541F0” to decrypt a configuration present within itself to extract the IP addresses necessary for C2 communication.


Talos said it observed in 2024 a new version of the XorDDoS sub-controller, called the VIP version, and its corresponding central controller, along with a builder, indicating that the product is likely being advertised for sale.

The central controller is responsible for managing multiple XorDDoS sub-controllers and sending DDoS commands to them simultaneously. Each of these sub-controllers, in turn, commandeers a botnet of infected devices.

“The language settings of the multi-layer controller, XorDDoS builder, and controller binding tool strongly suggest that the operators are Chinese-speaking individuals,” Chen said.
