XorDDoS is a Linux-targeting distributed denial-of-service (DDoS) trojan and botnet malware family first identified in 2014. It compromises Linux systems, including exposed servers and Docker servers, and turns them into zombie bots for high-capacity DDoS operations; reporting cited in the content notes attacks exceeding 150 Gbps. The malware commonly gains initial access through SSH brute-force attacks to obtain valid credentials, after which attackers execute scripts with root privileges to download and install the malware. Persistence is maintained through init scripts and cron job scripts on compromised hosts.
The malware uses XOR-based encryption to conceal communications and to decrypt embedded configuration data; Cisco Talos reported recent versions still using the XOR key "BB2FA36AAA9541F0" for configuration decryption. The decrypted configuration contains URLs or IP addresses used for command-and-control communication. XorDDoS is also described as having rootkit capabilities to evade detection. Talos documented encrypted phone-home traffic that includes a CRC header, uname release and machine strings, a magic string, and a hardcoded version string; after successful connection establishment, the CRC header changes to "5343f096000000000200000000000000000000000000000000000000". Talos also observed controller and sub-controller traffic using incrementing message numbers and commands to start or stop SYN DDoS attacks against IP or domain targets.
Cisco Talos observed XorDDoS continuing to spread globally between November 2023 and February 2025, with nearly 50% of successfully compromised victims in the United States and more than 70% of observed attack attempts targeting the U.S. Talos assessed with high confidence that the operators are Chinese-speaking individuals based on simplified Chinese interfaces and instructions found in the builder, sub-controller, and controller-binding tools. Talos also identified a newer "VIP" sub-controller and a previously unreported central controller capable of managing multiple sub-controllers simultaneously via a controller binder that injects a DLL into controller processes. The content indicates these tools are likely part of a product suite sold on underground markets, supported by embedded feature descriptions, version references, and a Tencent QQ contact left by the creator.
XorDDoS is referenced in multiple Linux detection and hunting contexts focused on ingress tool transfer, cron-based persistence, and credential-file access. High-confidence defensive indicators mentioned in the content include unusual network traffic, spikes in CPU usage, unexpected Linux processes, unauthorized SSH access attempts, cron/init persistence artifacts, and the CRC header value observed after C2 connection establishment.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
14 distinct techniques documented for this family, organized by ATT&CK tactic.
To maintain persistence, the malware installs an init script and a cron job script.
it also drops a script file with a rather recognisable path (/etc/cron.hourly/gcc4.sh) which gets added to /etc/crontab to run every 3 minutes
It employs XOR-based encryption to conceal its communications and utilizes rootkit capabilities to evade detection.
It employs XOR-based encryption to conceal its communications...
The central controller can generate a controller binder that will inject a DLL file to the XorDDoS controller to bind network connection and command operation to the sub-controller... allowing the central controller to fully remote control the sub-controllers.
Once the URLs or IPs are decrypted, they are added to a remote list. This list is then used to establish communication and retrieve commands from the C2 server.
Talos discovered the latest version of the XorDDoS controller, called the “VIP version,” and its corresponding central controller were used to build the DDoS bot network... Talos' analysis exposes the network connection between central controller, sub-controller and XorDDoS malware.
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A named Linux botnet malware family included in the report tags related to SSH server attacks.
Linux malware associated with persistence and scheduled task abuse; the content references it as relevant to cron-based persistence detection on Unix-like systems.
Associated Analytic Story China-Nexus Threat Activity ... Salt Typhoon ... XorDDos
XorDDos is referenced as an associated analytic story in the context of Linux ingress tool transfer activity using curl, implying relevance to Linux-based malware operations that download remote files or binaries.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.