Emerging Threat: New XorDDoS Controller Targets Docker and IoT Devices
- John Jordan
- 4 days ago
- 2 min read
Updated: 18 hours ago
Cybersecurity experts have identified a new variant of the XorDDoS malware, which is increasingly targeting Docker and Internet of Things (IoT) devices. This malware has shown a significant rise in activity, particularly in the United States, raising alarms about its potential impact on global cybersecurity.

Key Takeaways
- XorDDoS malware has expanded its reach to Docker servers and IoT devices.
- 71.3% of attacks from November 2023 to February 2025 targeted the United States.
- The malware uses SSH brute-force attacks to gain access to vulnerable systems.
- A new VIP version of the XorDDoS sub-controller has been discovered, indicating a commercial aspect to its distribution.
Overview of XorDDoS Malware
XorDDoS has been a persistent threat in the cybersecurity landscape for over a decade, primarily targeting Linux systems. Recent analyses reveal that the malware has evolved, with a notable increase in its prevalence from 2020 to 2023. The malware's ability to adapt and expand its target base is concerning for cybersecurity professionals.
Attack Patterns and Methods
The XorDDoS malware typically infiltrates systems through the following methods:
- SSH Brute-Force Attacks: Attackers use brute-force techniques to guess valid SSH credentials, allowing them to install the malware on compromised devices.
- Persistence Mechanisms: Once installed, XorDDoS sets up persistence through an embedded initialization script and cron jobs, ensuring it runs automatically upon system startup.
- Command-and-Control Communication: The malware employs an XOR key to decrypt configuration data, which includes IP addresses for its command-and-control (C2) communication.
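The XOR-protected configuration described above, as an added analyst-side example (not code from this article or from the researchers it cites): a Python decoder that strips a repeating XOR key from a config blob, lists the C2 endpoints it contains, and recovers an unknown key from a known-plaintext fragment. The key, the port and the sample config are placeholders constructed here; the real malware's key, layout and offsets are not given on this page.

```python
import re
from itertools import cycle
from typing import List, Optional

# Placeholder key: constructed for this example, not the key used by real XorDDoS samples.
PLACEHOLDER_KEY = b"EXAMPLE_KEY_NOT_REAL"

# IPv4 with optional :port, bounded so "1.2.3.4" inside "11.2.3.45" is not matched.
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?(?![\d.])")

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encrypts and decrypts."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def extract_c2_candidates(plaintext: bytes) -> List[str]:
    """Return IPv4[:port] strings from decrypted config text, dropping invalid octets/ports."""
    found = []
    for match in IPV4_RE.findall(plaintext):
        text = match.decode()
        host, _, port = text.partition(":")
        if all(int(o) <= 255 for o in host.split(".")) and (not port or int(port) <= 65535):
            found.append(text)
    return found

def decode_config(blob: bytes, key: bytes) -> List[str]:
    """Decrypt an XOR-obfuscated config blob and list the C2 endpoints it contains."""
    return extract_c2_candidates(xor_with_key(blob, key))

def recover_key(blob: bytes, known_plaintext: bytes) -> Optional[bytes]:
    """Known-plaintext recovery: XOR the blob with a fragment believed to sit at
    offset 0 (e.g. a C2 address already seen in traffic), then take the shortest
    period of the resulting keystream. Returns None if no period repeats in it."""
    stream = xor_with_key(blob[: len(known_plaintext)], known_plaintext)
    for period in range(1, len(stream)):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return None

# Constructed sample config: newline-separated C2 endpoints using documentation IP ranges.
SAMPLE_PLAINTEXT = b"203.0.113.10:3502\n198.51.100.7:3502\nnote=example\n"
SAMPLE_BLOB = xor_with_key(SAMPLE_PLAINTEXT, PLACEHOLDER_KEY)

if __name__ == "__main__":
    print("C2 endpoints:", decode_config(SAMPLE_BLOB, PLACEHOLDER_KEY))
    print("recovered key:", recover_key(SAMPLE_BLOB, SAMPLE_PLAINTEXT[:30]))
```

Key recovery only works when the known fragment is longer than one full key period; a shorter fragment yields None rather than a truncated guess.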
Geographic Distribution of Attacks
The distribution of compromised devices highlights the global nature of the threat:
- United States: 42% of infected devices
- Japan: Significant number of attacks
- Other Countries: Canada, Denmark, Italy, Morocco, and China also report infections.
New Developments in XorDDoS
In 2024, researchers observed the emergence of a new version of the XorDDoS sub-controller, referred to as the VIP version. This version, along with a central controller and a builder, suggests that the malware is being marketed for sale, indicating a shift towards a more organized cybercrime model.
The central controller manages multiple sub-controllers, allowing for coordinated DDoS attacks across a botnet of infected devices. The language settings of these tools suggest that the operators are likely Chinese-speaking individuals, pointing to a specific demographic behind the malware's development.
The discovery of the new XorDDoS controller underscores the evolving landscape of cyber threats, particularly as malware increasingly targets Docker and IoT devices. Organizations must remain vigilant and implement robust security measures to protect against such sophisticated attacks. As the malware continues to adapt, the need for proactive cybersecurity strategies has never been more critical.
As cyber threats grow more sophisticated, staying informed is more important than ever. BetterWorld Technology delivers advanced cybersecurity solutions designed to adapt with the threat landscape—ensuring your business stays protected while continuing to innovate. Take the first step toward stronger security—contact us today for a consultation!
Sources
- Experts Uncover New XorDDoS Controller, Infrastructure as Malware Expands to Docker, Linux, IoT, The Hacker News.