{
  "Event": {
    "analysis": "1",
    "date": "2026-04-13",
    "extends_uuid": "",
    "info": "[Threat Intel] Q1 2026 Malware Statistics Report for Linux SSH Servers",
    "protected": false,
    "publish_timestamp": "1776682889",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1776682889",
    "uuid": "672dd405-2e91-4032-9f89-ec505a8b3ee8",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#bb889f",
        "local": false,
        "name": "misp-galaxy:producer=\"AhnLab\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Password Guessing - T1110.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b2a633",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Stop - T1489\"",
        "relationship_type": ""
      },
      {
        "colour": "#aad818",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SSH - T1021.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#ff841f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
        "relationship_type": ""
      },
      {
        "colour": "#82eae0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domains - T1583.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#657ac3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Protocol Tunneling - T1572\"",
        "relationship_type": ""
      },
      {
        "colour": "#adf1b0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#70b0b5",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Brute Force - T1110\"",
        "relationship_type": ""
      },
      {
        "colour": "#7628f7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#f07d7c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1571\"",
        "relationship_type": ""
      },
      {
        "colour": "#57b2ae",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Resource Hijacking - T1496\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#c295b4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Internal Proxy - T1090.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#150050",
        "local": false,
        "name": "rectifyq:sub-category=\"report\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#670080",
        "local": false,
        "name": "ms-caro-malware:malware-platform=\"Linux\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164413",
        "to_ids": false,
        "type": "link",
        "uuid": "80329231-2ce2-4456-ab2f-9de152c9e0aa",
        "value": "https://asec.ahnlab.com/en/93336/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164413",
        "to_ids": false,
        "type": "text",
        "uuid": "b5f57839-a505-4c38-8856-00a82457e7d1",
        "value": "Analysis of attacks against Linux SSH servers during Q1 2026 reveals the P2PInfect worm as the dominant threat, representing 70.3% of all attack sources. Mirai and other DDoS botnets, along with XMRig, Prometei, and CoinMiner, were also identified as primary threats. A notable campaign, attributed to a suspected Chinese threat actor, involved installing the V2Ray proxy tool on compromised systems. Attackers used SSH brute-force techniques to gain access, executed reconnaissance commands to gather system information, and deployed V2Ray to operate proxy nodes. The campaign targeted poorly secured SSH servers with weak credentials, emphasizing the need for strong password policies, access controls, and network monitoring to detect unusual outbound connections and proxy-related activity."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776164413",
        "to_ids": false,
        "type": "text",
        "uuid": "86293195-eee9-45f2-b3f0-8aaf2c67b092",
        "value": "Name: Q1 2026 Malware Statistics Report for Linux SSH Servers\nAuthor: AlienVault\nAdversary: \nTags: [\"shellbot\", \"prometei\", \"credential attacks\", \"ddos botnet\", \"chinese attribution\", \"mirai\", \"xorddos\", \"p2pinfect\", \"v2ray\", \"v2ray proxy\", \"honeypot analysis\", \"xmrig\", \"linux servers\", \"coinminer\", \"ssh brute-force\", \"gafgyt\", \"tsunami\"]\nTgtd countries: []\nMlwr families: [\"P2PInfect\", \"Mirai\", \"XMRig\", \"Prometei\", \"CoinMiner\", \"Gafgyt\", \"ShellBot\", \"Tsunami\", \"Xorddos\", \"V2Ray\"]\nAttack_ids: [\"T1110.001\", \"T1489\", \"T1021.004\", \"T1082\", \"T1071\", \"T1583.001\", \"T1572\", \"T1090\", \"T1083\", \"T1057\", \"T1110\", \"T1059.004\", \"T1571\", \"T1496\", \"T1105\", \"T1090.001\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776654509",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "042e0664-35bc-43c5-bd89-ceeba883c505",
        "value": "149.104.29.165",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776654530",
        "uuid": "4c3810a7-5f89-4fd4-93e3-36ce19ff9596",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776654530",
            "to_ids": true,
            "type": "md5",
            "uuid": "4d350a24-44e5-414a-9e69-f33997c84b37",
            "value": "bc72ff889e2b2a92834d5d88a97236e5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776654471",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8c75e995-f168-4a21-9bd7-c7fc72b8b344",
            "value": "bd8e419231ad71f3aadaca92a6138570471c68a4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776654471",
            "to_ids": true,
            "type": "sha256",
            "uuid": "eb6100a8-9bec-4f46-b460-0038ad7ffd82",
            "value": "64e01e5ff54e611f1ab61a80feb2479fd305fde5dc9a557162ca6aa43119af3c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776653837",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1935d8ee-dd33-4f9a-adf5-1f38d59df32b",
            "value": "192:4XHj3O7lD76pIuFfUZ8cLxpZLXJHiBl0oT/r3r4a8H+VPnL+3ShD3cpdj+T5rs3W:IHL2p6pIuFIxLXJHiBl0oDvlnL/gyT51"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776653837",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e8c16565-2504-45cd-bc33-ece37e7f6833",
            "value": "11153"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776653837",
            "to_ids": true,
            "type": "filename",
            "uuid": "89169fb6-5b67-488a-9948-4f4f419835dc",
            "value": "install.sh"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast-scan: 16/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776653837",
            "to_ids": false,
            "type": "text",
            "uuid": "7a6a8787-6725-4a6a-bf80-8f9a72251a89",
            "value": "Type Description: Shell script\nMicrosoft: None\nVT Total Detection: 2/62\nFirst Submission: 2025-10-31T07:17:52.000000+00:00\nLast Submission: 2026-02-16T09:20:21.000000+00:00"
          }
        ]
      }
    ]
  }
}