{
	"id": "39e4bde8-b8b7-428f-8b4c-fa130dbb6ca9",
	"created_at": "2026-04-06T00:09:26.620939Z",
	"updated_at": "2026-04-10T03:21:29.963671Z",
	"deleted_at": null,
	"sha1_hash": "1bf9b07e3a15779a32450702325849bbd8ebcbbf",
	"title": "Linux-Targeted Malware Increases by 35% in 2021 | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1247738,
	"plain_text": "Linux-Targeted Malware Increases by 35% in 2021 | CrowdStrike\r\nBy Mihai Maganu\r\nArchived: 2026-04-05 16:19:50 UTC\r\nMalware targeting Linux systems increased by 35% in 2021 compared to 2020\r\nXorDDoS, Mirai and Mozi malware families accounted for over 22% of Linux-targeted threats observed\r\nby CrowdStrike in 2021\r\nTen times more Mozi malware samples were observed in 2021 compared to 2020\r\nMalware targeting Linux-based operating systems, commonly deployed in Internet of Things (IoT) devices, have\r\nincreased by 35% in 2021 compared to 2020, according to current CrowdStrike threat telemetry, with the top three\r\nmalware families accounting for 22% of all Linux-based IoT malware in 2021. XorDDoS, Mirai and Mozi are the\r\nmost prevalent Linux-based malware families observed in 2021, with Mozi registering a significant tenfold\r\nincrease in the number of in-the-wild samples in 2021 compared to 2020. The primary purpose of these malware\r\nfamilies is to compromise vulnerable internet-connected devices, amass them into botnets, and use them to\r\nperform distributed denial of service (DDoS) attacks.\r\nLinux-based Malware and IoT\r\nLinux powers most of today’s cloud infrastructure and web servers, yet it also powers mobile and IoT devices. It’s\r\npopular because it offers scalability, security features and a wide range of distributions to support multiple\r\nhardware designs and great performance on any hardware requirements. With various Linux builds and\r\ndistributions at the heart of cloud infrastructures, mobile and IoT, it presents a massive opportunity for threat\r\nactors. For example, whether using hardcoded credentials, open ports or unpatched vulnerabilities, Linux-running\r\nIoT devices are a low-hanging fruit for threat actors — and their en masse compromise can threaten the integrity\r\nof critical internet services. More than 30 billion IoT devices are projected to be connected to the internet by the\r\nend of 2025, creating a potentially very large attack surface for threats and cybercriminals to create massive\r\nbotnets. A botnet is a network of compromised devices connected to a remote command-and-control (C2) center.\r\nIt functions as a small cog in the larger network, and can infect other devices. Botnets are often used for DDoS\r\nattacks, spamming targets, gaining remote control and performing CPU-intensive activities like cryptomining.\r\nDDoS attacks use multiple internet-connected devices to access a specific service or gateway, preventing\r\nlegitimate traffic from passing through by consuming the entire bandwidth, causing it to crash. The 2016 Mirai\r\nbotnet incident serves as a reminder that a large number of seemingly benign devices performing a DDoS attack\r\ncan disrupt critical internet services, affecting both organizations and average users.\r\nTop Linux Threats in Today’s Landscape\r\nAnalyzing the current Linux threat landscape, the XorDDoS, Mirai and Mozi malware families and variants have\r\nemerged as the most prolific in 2021, accounting for over 22% of all IoT Linux-targeting malware.\r\nXorDDoS: 123% Increase in Malware Samples\r\nhttps://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/\r\nPage 1 of 4\n\nXorDDoS is a Linux trojan compiled for multiple Linux architectures, ranging from ARM to x86 and x64. Its\r\nname is derived from using XOR encryption in malware and network communication to the C2 infrastructure.\r\nWhen targeting IoT devices, the trojan is known to use SSH brute-forcing attacks to gain remote control on\r\nvulnerable devices. On Linux machines, some variants of XorDDoS show that its operators scan and search for\r\nDocker servers with the 2375 port open. This port offers an unencrypted Docker socket and remote root\r\npasswordless access to the host, which attackers can abuse to get root access to the machine. CrowdStrike\r\nresearchers have found that the number of XorDDoS malware samples throughout 2021 has increased by almost\r\n123% compared to 2020.\r\nFig. 2 - Falcon detection for Linux XorDDoS malware sample (Click to enlarge)\r\nMozi: 10 Times More Prevalent in 2021\r\nMozi is a peer-to-peer (P2P) botnet network that utilizes the distributed hash table (DHT) system, implementing\r\nits own extended DHT. The distributed and decentralized lookup mechanism provided by DHT enables Mozi to\r\nhide C2 communication behind a large amount of legitimate DHT traffic. The use of DHT is interesting because it\r\nallows Mozi to quickly grow a P2P network. And, because it uses an extension over DHT, it’s not correlated with\r\nnormal traffic, so detecting the C2 communication becomes difficult. Mozi infects systems by brute-forcing SSH\r\nand Telnet ports. It then blocks those ports so that it is not overwritten by other malicious actors or malware.\r\nhttps://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/\r\nPage 2 of 4\n\nFig. 4 - Falcon detection for Linux Mozi malware sample (Click to enlarge)\r\nMirai: The Common Ancestor\r\nMirai malware has made a name for itself in the last few years, especially after its developer published Mirai’s\r\nsource code. Similar to Mozi, Mirai abuses weak protocols and weak passwords, such as Telnet, to compromise\r\ndevices using brute-forcing attacks. With multiple Mirai variants emerging since its source code became public,\r\nthe Linux trojan can be considered the common ancestor to many of today’s Linux DDoS malware. While most\r\nvariants add onto existing Mirai features or implement different communication protocols, at their core they share\r\nthe same Mirai DNA. Some of the most prevalent variants tracked by CrowdStrike researchers involve Sora,\r\nIZIH9 and Rekai. Compared to 2020, the numbers of identified samples for all three variants have increased by\r\n33%, 39% and 83% respectively in 2021.\r\nhttps://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/\r\nPage 3 of 4\n\nFig. 5 - Falcon detection for Linux Mirai malware sample (Click to enlarge)\r\nCrowdStrike Protection for Linux\r\nLinux is one of the primary operating systems for many business-critical applications. As Linux servers can be\r\nfound on premises and in private and public clouds, protecting them requires a solution that provides runtime\r\nprotection and visibility for all Linux hosts, regardless of location. The CrowdStrike Falcon® platform protects\r\nLinux workloads, including containers, running in all environments, from public and private clouds to on-premises and hybrid data centers. Using machine learning, artificial intelligence, behavior-based indicators of\r\nattack (IOAs) and custom hash blocking to defend Linux workloads against malware and sophisticated threats, the\r\nFalcon platform delivers complete visibility and context into any attack on Linux workloads.\r\nIndicators of Compromise (IOCs)\r\nAdditional Resources\r\nLearn more about how the Falcon platform protects Linux systems in this solution brief.\r\nRead this press release about CrowdStrike Falcon®’s enhanced Linux protection.\r\nFind out how the powerful CrowdStrike Falcon® platform provides comprehensive protection across your\r\norganization, workers, data and identities.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and learn how true next-gen AV performs\r\nagainst today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/\r\nhttps://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/\r\nPage 4 of 4\n\nthe same Mirai IZIH9 and Rekai. DNA. Some Compared of the most prevalent to 2020, the variants numbers of identified tracked by CrowdStrike samples researchers for all three variants involve have increased Sora, by\n33%, 39% and 83% respectively in 2021.  \n   Page 3 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/"
	],
	"report_names": [
		"linux-targeted-malware-increased-by-35-percent-in-2021"
	],
	"threat_actors": [],
	"ts_created_at": 1775434166,
	"ts_updated_at": 1775791289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1bf9b07e3a15779a32450702325849bbd8ebcbbf.pdf",
		"text": "https://archive.orkl.eu/1bf9b07e3a15779a32450702325849bbd8ebcbbf.txt",
		"img": "https://archive.orkl.eu/1bf9b07e3a15779a32450702325849bbd8ebcbbf.jpg"
	}
}