Linux.Darlloz is a Linux worm and botnet malware family targeting embedded Linux Internet of Things devices. It was first discovered by Symantec in 2013 and is described as infecting routers, security cameras, and set-top boxes. The malware spreads by exploiting a PHP vulnerability, specifically CVE-2012-1823, and was based on proof-of-concept code released in October 2013. Reporting from March 2014 indicated that Linux.Darlloz evolved beyond worm/botnet behavior to mine cryptocurrencies, including Mincoin and Dogecoin. The content characterizes it as notable Linux IoT malware affecting embedded systems.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Linux.Darlloz targets the Internet of things and infects routers, security cameras, set-top boxes by exploiting a PHP vulnerability. The worm was based on a Proof of concept code that was released in October 2013. Linux.Darlloz utilizes vulnerability (CVE-2012-1823) to exploit systems in order to compromise systems. | Linux.Darlloz is a worm which infects Linux embedded systems. Linux.Darlloz targets the Internet of things and infects routers, security cameras, set-top boxes by exploiting a PHP vulnerability.
2 distinct techniques documented for this family, organized by ATT&CK tactic.
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Notable IoT malware BASHLITE BrickerBot Carna Hajime Linux.Darlloz Linux.Wifatch Mirai Remaiten
Mentioned as notable IoT malware in related listing only; no further details provided in the content.
A Linux IoT worm/botnet targeting embedded systems such as routers, security cameras, and set-top boxes. It exploits a PHP vulnerability to compromise devices and was later observed mining cryptocurrencies including Mincoin and Dogecoin.
Referenced as another notable IoT malware.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.