{
	"id": "9b42c320-36ef-42a2-81cb-dd6c76367d15",
	"created_at": "2026-04-06T00:21:02.074485Z",
	"updated_at": "2026-04-10T03:34:57.304809Z",
	"deleted_at": null,
	"sha1_hash": "2e70f66ee5ef5e3daa2b68a9624f76dc879d8cbf",
	"title": "Ebury is alive but unseen: 400k Linux servers compromised for cryptotheft and financial gain",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1378376,
	"plain_text": "Ebury is alive but unseen: 400k Linux servers compromised for\r\ncryptotheft and financial gain\r\nBy Marc-Etienne M.Léveillé\r\nArchived: 2026-04-05 16:37:34 UTC\r\nESET Research\r\nOne of the most advanced server-side malware campaigns is still growing, with hundreds of thousands of\r\ncompromised servers, and it has diversified to include credit card and cryptocurrency theft\r\n14 May 2024  •  3 min. read\r\nTen years ago we raised awareness of Ebury by publishing a white paper we called Operation Windigo, which\r\ndocumented a campaign that leveraged Linux malware for financial gain. Today we publish a follow-up paper on\r\nhow Ebury has evolved, and on the new malware families its operators use to monetize their botnet of Linux servers.\r\nThe arrest and conviction of one of the Ebury perpetrators following the Operation Windigo paper did not stop the\r\nbotnet from expanding. Ebury, the OpenSSH backdoor and credential stealer, was still being updated, as we\r\nreported in 2014 and 2017.\r\nWe maintain honeypots to track new samples and network indicators. However, running such honeypots has become more and\r\nmore difficult as Ebury evolved. For instance, one of our honeypots did not react exactly as expected when Ebury was\r\ninstalled. After we had spent hours trying to debug what was going on, the Ebury operators finally abandoned the server and\r\nsent a message showing that they knew about our attempts at tricking them, as shown in Figure 1.\r\nhttps://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-linux-servers-compromised-cryptotheft-financial-gain/\r\nPage 1 of 7\r\nFigure 1. Interactions between the Ebury perpetrators and an ESET-operated honeypot, showing that\r\nthe operators had flagged this system as a honeypot\r\nIn 2021, the Dutch National High Tech Crime Unit (NHTCU) reached out to ESET after they had found Ebury on\r\nthe server of a victim of cryptocurrency theft. 
Working together, we gained great visibility into the recent activities\r\nof the group and the malware it uses.\r\nEbury, Ebury everywhere\r\nThis paper reveals new methods used to propagate Ebury to new servers. Figure 2 summarizes the methods we\r\ncould document.\r\nFigure 2. Different methods used by the Ebury gang to compromise new servers\r\nAmong the victims are many hosting providers. The gang leverages its access to the hosting provider’s\r\ninfrastructure to install Ebury on all the servers that are being rented from that provider. As an experiment, we rented\r\na virtual server from one of the compromised hosting providers: Ebury was installed on our server within seven\r\ndays.\r\nAnother interesting method is the use of adversary-in-the-middle (AitM) attacks to intercept the SSH traffic of interesting\r\ntargets inside data centers and redirect it to a server used to capture credentials, as summarized in Figure 3. Ebury\r\noperators leverage existing Ebury-compromised servers in the same network segment as their target to perform\r\nARP spoofing. According to internet telemetry, more than 200 servers were targeted in 2023. Among the targets\r\nare Bitcoin and Ethereum nodes. Ebury automatically steals cryptocurrency wallets hosted on the targeted server\r\nonce the victim types the password to log into it.\r\nFigure 3. Overview of AitM attacks perpetrated by the Ebury gang\r\nSo how effective are all these methods? Combined, about 400,000 servers have been compromised by Ebury since\r\n2009, and more than 100,000 were still compromised as of late 2023. 
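The ARP-spoofing AitM described above relies on poisoning the ARP caches of hosts in the segment, and the forged replies leave a trace in the neighbour table of every host that receives them. The block below is an added example, not code from the ESET article or from ESET’s detection script: it compares two snapshots of the neighbour table in the format printed by `ip neigh show` on Linux and flags an address whose MAC changed, the gateway in particular, and a MAC that now answers for several addresses. The two snapshots, the interface name and the gateway address 10.0.0.1 are constructed sample data.

```python
# Added example (not from the ESET article): spot the ARP-spoofing step of an
# in-segment SSH adversary-in-the-middle from successive neighbour-table snapshots.
# Input lines use the format of `ip neigh show` on Linux:
#   <ip> dev <iface> lladdr <mac> <state>
# The snapshots below are constructed sample data; 10.0.0.1 plays the gateway.

from collections import defaultdict

BEFORE = '''
10.0.0.1 dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE
10.0.0.7 dev eth0 lladdr 52:54:00:aa:bb:07 STALE
10.0.0.9 dev eth0 lladdr 52:54:00:aa:bb:09 REACHABLE
'''

# Same segment a few minutes later: the host at .9 now also answers for the
# gateway address, which is what a poisoned cache looks like from the victim.
AFTER = '''
10.0.0.1 dev eth0 lladdr 52:54:00:aa:bb:09 REACHABLE
10.0.0.7 dev eth0 lladdr 52:54:00:aa:bb:07 STALE
10.0.0.9 dev eth0 lladdr 52:54:00:aa:bb:09 REACHABLE
10.0.0.12 dev eth0 FAILED
'''

def parse_neigh(text):
    '''Return {ip: mac} from `ip neigh show` output, skipping entries without lladdr.'''
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or 'lladdr' not in fields:
            continue
        ip = fields[0]
        mac = fields[fields.index('lladdr') + 1].lower()
        table[ip] = mac
    return table

def arp_anomalies(before, after, gateway):
    '''Compare two snapshots and return a list of (kind, detail) findings.
    kind is one of:
      changed_mac   - an IP now resolves to a different MAC than before
      gateway_moved - the gateway IP specifically changed MAC
      shared_mac    - one MAC now answers for several IPs (classic spoofing sign)
    '''
    old = parse_neigh(before)
    new = parse_neigh(after)
    findings = []
    for ip, mac in new.items():
        if ip in old and old[ip] != mac:
            kind = 'gateway_moved' if ip == gateway else 'changed_mac'
            findings.append((kind, (ip, old[ip], mac)))
    ips_by_mac = defaultdict(list)
    for ip, mac in new.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append(('shared_mac', (mac, tuple(sorted(ips)))))
    return findings

if __name__ == '__main__':
    for kind, detail in arp_anomalies(BEFORE, AFTER, gateway='10.0.0.1'):
        print(kind, detail)
```

On a real host, capture `ip neigh show` output periodically and feed consecutive dumps to arp_anomalies. A shared_mac finding on its own is weak evidence, since a host with several addresses on one interface legitimately produces it; a gateway_moved finding paired with a shared_mac for the same MAC is the pattern worth paging on, and the MAC it points to identifies the neighbour doing the poisoning.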
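The Hiding deeper section below describes a userland rootkit that hides Ebury’s process, file, socket and memory mappings from an administrator. A userland hook can only filter what the hooked code path reports, so a practical check is to obtain the same information through two different paths and diff the views. The block below is an added example and is not ESET’s detection script: it compares the PIDs present in a /proc directory listing (served by readdir, a common hook target) against PIDs confirmed by kill(pid, 0), and compares the backing paths of two /proc/<pid>/maps dumps, one taken from a clean vantage point and one reported by the possibly hooked process. The maps dumps and the library name libhidden-example.so are constructed sample data, and the live scan assumes the Python process doing the probing is not itself hooked.

```python
# Added example (not ESET's detection script): cross-view checks against a
# userland rootkit that hides a process from /proc listings and hides a
# mapping from /proc/<pid>/maps. Sample maps dumps below are constructed;
# libhidden-example.so is a hypothetical name, not a real Ebury artefact.

import os
import errno

PROC = '/proc'

CLEAN_MAPS = '''
5596f2c00000-5596f2c2a000 r--p 00000000 fd:01 1310720 /usr/sbin/sshd
7f3a1c000000-7f3a1c021000 r-xp 00000000 fd:01 1572864 /lib/x86_64-linux-gnu/libc.so.6
7f3a1d000000-7f3a1d008000 r-xp 00000000 fd:01 9999999 /usr/lib/libhidden-example.so
7f3a1e000000-7f3a1e010000 rw-p 00000000 00:00 0
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]
'''

# What the same process reports about itself once its maps view is filtered.
HOOKED_MAPS = '''
5596f2c00000-5596f2c2a000 r--p 00000000 fd:01 1310720 /usr/sbin/sshd
7f3a1c000000-7f3a1c021000 r-xp 00000000 fd:01 1572864 /lib/x86_64-linux-gnu/libc.so.6
7f3a1e000000-7f3a1e010000 rw-p 00000000 00:00 0
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]
'''

def listed_pids(listing):
    '''PIDs visible in a /proc directory listing (iterable of entry names).'''
    return {int(name) for name in listing if name.isdigit()}

def pid_alive(pid):
    '''Probe a PID without reading /proc: kill(pid, 0) delivers no signal.
    EPERM means the process exists but belongs to another user.'''
    try:
        os.kill(pid, 0)
        return True
    except OSError as e:
        return e.errno == errno.EPERM

def hidden_pids(listing, probe, pid_max):
    '''Cross-view diff: PIDs the probe confirms but the listing omits.
    listing: iterable of /proc entry names; probe: callable pid -> bool.'''
    visible = listed_pids(listing)
    return sorted(pid for pid in range(1, pid_max + 1)
                  if pid not in visible and probe(pid))

def maps_paths(maps_text):
    '''Backing paths from a /proc/<pid>/maps dump; anonymous mappings have no
    sixth field and are skipped.'''
    paths = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) == 6:
            paths.add(fields[5].strip())
    return paths

def missing_mappings(clean_view, hooked_view):
    '''Paths present in the clean view of a process map but absent from the
    view the (possibly hooked) process reports about itself.'''
    return sorted(maps_paths(clean_view) - maps_paths(hooked_view))

def scan_live_system():
    '''Run the PID cross-view check against this host (Linux only).'''
    with open('/proc/sys/kernel/pid_max') as f:
        pid_max = int(f.read())
    return hidden_pids(os.listdir(PROC), pid_alive, pid_max)

if __name__ == '__main__':
    print('hidden PIDs on this host:', scan_live_system())
    print('mappings missing from hooked view:',
          missing_mappings(CLEAN_MAPS, HOOKED_MAPS))
```

scan_live_system() probes every PID up to pid_max, which takes a few seconds in Python. The limitation is the one the lead-in states: if the rootkit is loaded into the probing process too, both views can lie, so run the check from a known-clean static binary or compare against a dump taken from a rescue environment rather than from the suspect host’s own shell.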
The perpetrators keep track of the systems\r\nthey compromised, and we used that data to draw a timeline of the number of new servers added to the botnet each\r\nmonth (Figure 4). It is shown using two scales, to highlight some of the major incidents where Ebury was\r\ndeployed on tens of thousands of servers at once.\r\nFigure 4. Ebury deployments per month using two different scales on the Y axis, according to the\r\ndatabase of compromised servers maintained by the perpetrators\r\nMonetization\r\nThis new paper uncovers new malware families used to monetize the Ebury botnet (Figure 5). In addition to the spam\r\nand web traffic redirection that the gang still perpetrates, HTTP POST requests made to, and from, the compromised\r\nservers are used to steal financial details from transactional websites.\r\nFigure 5. Multiple malware families deployed on Ebury-infested servers and the impact for potential\r\nvictims\r\nHiding deeper\r\nThe Ebury malware family itself has also been updated. The new major version, 1.8, was first seen in late\r\n2023. Among the updates are new obfuscation techniques, a new domain generation algorithm (DGA), and\r\nimprovements in the userland rootkit used by Ebury to hide itself from system administrators. When the rootkit is active,\r\nEbury’s process, its file, its socket, and even its mapped memory (Figure 6) are hidden.\r\nFigure 6. Differences (in unified format) in OpenSSH server and Bash maps files when under the\r\nEbury userland rootkit\r\nWant to know more? 
Am I compromised?\r\nThe new paper, Ebury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial\r\ngain, goes into more detail about each of Ebury’s aspects, including many technical specifics.\r\nIndicators of compromise are also available in ESET’s malware-ioc GitHub repository, and a detection script is in\r\nthe malware-research repository.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at\r\nthreatintel@eset.com\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nSource: https://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-linux-servers-compromised-cryptotheft-financial-gain/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-linux-servers-compromised-cryptotheft-financial-gain/"
	],
	"report_names": [
		"ebury-alive-unseen-400k-linux-servers-compromised-cryptotheft-financial-gain"
	],
	"threat_actors": [
		{
			"id": "1934b371-2525-4615-a90a-772182bc4184",
			"created_at": "2022-10-25T15:50:23.396576Z",
			"updated_at": "2026-04-10T02:00:05.341979Z",
			"deleted_at": null,
			"main_name": "Windigo",
			"aliases": [
				"Windigo"
			],
			"source_name": "MITRE:Windigo",
			"tools": [
				"Ebury"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3844202f-b24a-4e16-b7b9-dfe8c0a44d5d",
			"created_at": "2022-10-25T16:07:24.526179Z",
			"updated_at": "2026-04-10T02:00:05.023222Z",
			"deleted_at": null,
			"main_name": "Operation Windigo",
			"aliases": [
				"G0124"
			],
			"source_name": "ETDA:Operation Windigo",
			"tools": [
				"CDorked",
				"CDorked.A",
				"Calfbot",
				"Ebury"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434862,
	"ts_updated_at": 1775792097,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2e70f66ee5ef5e3daa2b68a9624f76dc879d8cbf.pdf",
		"text": "https://archive.orkl.eu/2e70f66ee5ef5e3daa2b68a9624f76dc879d8cbf.txt",
		"img": "https://archive.orkl.eu/2e70f66ee5ef5e3daa2b68a9624f76dc879d8cbf.jpg"
	}
}