{
	"id": "ad22d6f2-a256-4670-ae88-d7f5fa38f0bc",
	"created_at": "2026-04-06T00:22:32.416175Z",
	"updated_at": "2026-04-10T03:34:57.28307Z",
	"deleted_at": null,
	"sha1_hash": "18d4dd5f95289e67238fff8aa36f8fa02e553fb0",
	"title": "Operation Windigo – the vivisection of a large Linux server-side credential-stealing malware campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43439,
	"plain_text": "Operation Windigo – the vivisection of a large Linux server-side credential-stealing malware campaign\r\nBy Pierre-Marc Bureau\r\nArchived: 2026-04-02 12:47:54 UTC\r\nESET Research\r\nOur report titled “Operation Windigo – the vivisection of a large Linux server-side credential-stealing malware campaign” details our analysis of a set of malicious programs that infect servers and desktop PCs, and send nearly 500,000 web users to malicious content daily.\r\n18 Mar 2014 • 2 min. read\r\nA month ago, ESET published a technical analysis of Linux/Ebury. This malware is a clever OpenSSH backdoor and credential stealer. Since last year, ESET’s research team has been investigating the operation behind Linux/Ebury. We discovered an infrastructure used for malicious activities that is hosted entirely on compromised servers. We were also able to find a link between different malicious components such as Linux/Cdorked, Perl/Calfbot and Win32/Glupteba.M and realized they are all operated by the same group.\r\nToday, we are publishing the results of a significant amount of research effort in a report titled “Operation Windigo – The vivisection of a large Linux server-side credential stealing malware campaign”. This report details our analysis of a set of malicious programs that are used together to infect servers and desktop computers. We chose the name “Windigo” for its North American First Nations roots and for its reference to a malevolent half-beast.\r\nThe gang behind Operation Windigo uses infected systems to steal credentials, redirect web traffic to malicious content, and send spam messages. According to our analysis, over 25,000 servers have been affected over the last two years. More than 10,000 of them are still infected today. These servers have all been compromised with the Linux/Ebury OpenSSH backdoor. This number is significant if you consider that each of these systems has access to significant bandwidth, storage, computing power and memory. Well-known organizations such as cPanel and kernel.org were on the list of victims, although they have now cleaned their systems.\r\nThe infected servers are used to redirect half a million web visitors to malicious content on a daily basis. Our research also shows that the attacker is able to send more than 35,000,000 spam messages per day with his current infrastructure. Operating systems affected by the spam component include Linux, FreeBSD, OpenBSD, OS X, and even Windows (with Perl running under Cygwin).\r\nDuring the course of our analysis, we have had the opportunity to collaborate with various international organizations, including CERT-Bund, the Swedish National Infrastructure for Computing, the European Organization for Nuclear Research (CERN) and others forming an international Working Group. With the help of the working group, thousands of victims have been notified that their servers were infected, in an effort to clean as many systems as possible. We are now releasing a complete white paper in the hope of raising awareness of Operation Windigo and motivating administrators to clean up their compromised servers.\r\nWe have been working hard to prepare this report: first, because the threats we have analyzed are complex and stealthy; second, because we have accumulated massive amounts of data, ranging from traffic captures to malicious URLs and binaries; and lastly, because we wanted to provide extensive guidance to help system administrators and network operators determine whether their servers are compromised and what can be done about it. We hope you enjoy reading our report as much as we enjoyed putting it together.\r\nOperation Windigo Whitepaper [PDF]\r\nIndicators of Compromise (IOCs)\r\nSource: https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/"
	],
	"report_names": [
		"operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign"
	],
	"threat_actors": [
		{
			"id": "1934b371-2525-4615-a90a-772182bc4184",
			"created_at": "2022-10-25T15:50:23.396576Z",
			"updated_at": "2026-04-10T02:00:05.341979Z",
			"deleted_at": null,
			"main_name": "Windigo",
			"aliases": [
				"Windigo"
			],
			"source_name": "MITRE:Windigo",
			"tools": [
				"Ebury"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3844202f-b24a-4e16-b7b9-dfe8c0a44d5d",
			"created_at": "2022-10-25T16:07:24.526179Z",
			"updated_at": "2026-04-10T02:00:05.023222Z",
			"deleted_at": null,
			"main_name": "Operation Windigo",
			"aliases": [
				"G0124"
			],
			"source_name": "ETDA:Operation Windigo",
			"tools": [
				"CDorked",
				"CDorked.A",
				"Calfbot",
				"Ebury"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434952,
	"ts_updated_at": 1775792097,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/18d4dd5f95289e67238fff8aa36f8fa02e553fb0.pdf",
		"text": "https://archive.orkl.eu/18d4dd5f95289e67238fff8aa36f8fa02e553fb0.txt",
		"img": "https://archive.orkl.eu/18d4dd5f95289e67238fff8aa36f8fa02e553fb0.jpg"
	}
}