Hackers Use New XorDDoS Malware to Assemble Advanced DDoS Networks

18.04.2025

A newly evolved version of the XorDDoS malware has been actively spreading between November 2023 and February 2025, targeting Linux systems worldwide. This trojan turns compromised machines into “zombie bots” capable of launching large-scale distributed denial-of-service (DDoS) attacks on command.

The malware spreads primarily through SSH brute-force attacks, where it attempts to gain root access to vulnerable Linux servers by cycling through common credential combinations. Once it infiltrates a system, XorDDoS installs persistence mechanisms that ensure it runs automatically at startup, while cleverly avoiding detection by security tools.
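Since the initial access described above is credential guessing over SSH, the most direct place for a defender to see it is the host's own sshd log. The following is an added example, not code from the article or from Cisco Talos: it parses lines in OpenSSH's standard syslog format, flags any source IP that fails a threshold of logins inside a time window, and reports whether a password login from that same source succeeded after the burst, which is the pattern a brute-force compromise leaves behind. The sample log lines, the threshold (5 failures in 60 seconds) and the year used for timestamps are all constructed assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd syslog lines (not taken from the article or any real host).
SAMPLE_AUTH_LOG = """\
Apr 18 03:12:01 web01 sshd[2101]: Failed password for root from 198.51.100.23 port 41022 ssh2
Apr 18 03:12:02 web01 sshd[2103]: Failed password for root from 198.51.100.23 port 41030 ssh2
Apr 18 03:12:03 web01 sshd[2105]: Failed password for invalid user admin from 198.51.100.23 port 41036 ssh2
Apr 18 03:12:04 web01 sshd[2107]: Failed password for root from 198.51.100.23 port 41040 ssh2
Apr 18 03:12:05 web01 sshd[2109]: Failed password for root from 198.51.100.23 port 41044 ssh2
Apr 18 03:12:06 web01 sshd[2111]: Accepted password for root from 198.51.100.23 port 41050 ssh2
Apr 18 03:15:40 web01 sshd[2150]: Failed password for alice from 203.0.113.7 port 50112 ssh2
Apr 18 03:20:11 web01 sshd[2188]: Accepted publickey for alice from 203.0.113.7 port 50120 ssh2
"""

# Matches "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2025):
    """Turn sshd syslog lines into event dicts; syslog omits the year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd/syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=5, window_s=60):
    """Per source IP: report a burst of >= threshold failures within window_s seconds,
    plus any password login from that IP that succeeded once the burst was under way."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        start, burst_end = 0, None
        for i, f in enumerate(fails):  # sliding window over failure timestamps
            while (f["ts"] - fails[start]["ts"]).total_seconds() > window_s:
                start += 1
            if i - start + 1 >= threshold:
                burst_end = f["ts"]
                break
        if burst_end is None:
            continue
        finding = {"ip": ip, "failures": len(fails),
                   "users": sorted({f["user"] for f in fails}),
                   "success_after_burst": None}
        for e in evs:
            if e["result"] == "Accepted" and e["method"] == "password" and e["ts"] >= burst_end:
                finding["success_after_burst"] = e["user"]  # likely compromised account
                break
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f)
```

Only "Accepted password" counts as a success after the burst; a key-based login from the same address (as alice's in the sample) is not treated as the outcome of the guessing. On a real host the same logic would read `/var/log/auth.log` or `journalctl -u ssh` output, and the threshold should be tuned so that a user mistyping a password a few times does not page anyone.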

Cisco Talos researchers revealed that more than 70% of XorDDoS attacks during this period were directed at systems in the United States, though the malware’s impact extends to countries such as Spain, Taiwan, Canada, Japan, Brazil, and various parts of Europe. Language analysis of the malware’s internal tools points to Chinese-speaking operators behind the campaign.

The latest “VIP version” of XorDDoS includes a centralized controller capable of managing multiple sub-controllers, allowing attackers to orchestrate complex, widespread DDoS operations more efficiently. This central infrastructure significantly enhances the scale and coordination of attacks.

To maintain control and evade detection, the malware uses encrypted configurations and a custom command-and-control protocol. It employs a consistent XOR key to decrypt command server URLs and IP addresses, then establishes authenticated communication to receive instructions—enabling ongoing, stealthy coordination between infected devices and threat actors.
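A repeating XOR key is the weakest kind of configuration protection: once an analyst has the key from a sample, every server address in the blob falls out, and a known plaintext such as a URL scheme gives key bytes directly. The block below is an added example for analysts working a captured sample; it is not the article's or Talos's code, and the key, the configuration entries and the NUL-separated layout are constructed assumptions, not XorDDoS's actual key or format. It decodes a blob with a repeating key, classifies each recovered field as an IP endpoint or a hostname/URL, and shows the known-plaintext step that recovers key bytes when the start of a field is predictable.

```python
import re

# Constructed demo key and entries; the real XorDDoS key is not given in the article.
DEMO_KEY = b"EXAMPLEKEY"
DEMO_ENTRIES = [
    b"http://c2.example.invalid:8080/cfg",  # constructed, reserved .invalid TLD
    b"203.0.113.10:3306",                   # documentation range, not a real C2
    b"198.51.100.77",
]

# Field classifiers for the decoded bytes: "ip[:port]" or "[scheme://]host[:port][/path]".
IP_RE = re.compile(rb"^(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?$")
HOST_RE = re.compile(rb"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?::\d{1,5})?(?:/\S*)?$")


def xor_bytes(data, key):
    """XOR data with a repeating key; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_config(entries, key):
    """Build a demo blob (assumed layout: NUL-separated entries, then XORed)."""
    return xor_bytes(b"\x00".join(entries), key)


def decode_config(blob, key):
    """Decode the blob and label each field as ip / host / unknown."""
    plain = xor_bytes(blob, key)
    fields = [f for f in plain.split(b"\x00") if f]
    out = []
    for f in fields:
        if IP_RE.match(f):
            kind = "ip"
        elif HOST_RE.match(f):
            kind = "host"
        else:
            kind = "unknown"  # e.g. wrong key, or a non-address field
        out.append((kind, f.decode("ascii", "replace")))
    return out


def recover_key(blob, known_plaintext, offset=0):
    """Known-plaintext attack on repeating XOR: ciphertext XOR plaintext = key bytes.
    Returns the key fragment covering the known span (the rest comes from other fields
    or from repeating the fragment once the key length is known)."""
    n = len(known_plaintext)
    return xor_bytes(blob[offset:offset + n], known_plaintext)


# Blob the demo decodes, produced from the constructed entries above.
DEMO_BLOB = encode_config(DEMO_ENTRIES, DEMO_KEY)


if __name__ == "__main__":
    for kind, value in decode_config(DEMO_BLOB, DEMO_KEY):
        print(f"{kind:8s} {value}")
    print("key bytes from 'http://' prefix:", recover_key(DEMO_BLOB, b"http://"))
```

The `unknown` label is the useful signal when the key is wrong or only partly recovered: with a repeating key, a decode that yields clean addresses for the first few fields and garbage afterwards usually means the assumed key length is off by the number of trailing bytes that still look random.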
