{
	"id": "7ca237e3-8748-4be0-ade3-4a26c8c87a7f",
	"created_at": "2026-04-10T03:22:00.104281Z",
	"updated_at": "2026-04-10T13:11:25.390089Z",
	"deleted_at": null,
	"sha1_hash": "34988b509794584b120e041b122eabbe3a81facd",
	"title": "FBI Takedown: IPStorm Botnet Infrastructure Dismantled",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1462538,
	"plain_text": "FBI Takedown: IPStorm Botnet Infrastructure Dismantled\r\nBy Research Team\r\nPublished: 2023-11-14 · Archived: 2026-04-10 02:54:19 UTC\r\nWritten by Nicole Fishbein and Avigayil Mechtinger\r\nUPDATE NOVEMBER 2023: IPStorm Infrastructure Dismantled by FBI\r\nThe FBI today revealed US law enforcement’s dismantlement of a botnet proxy network, along with a guilty plea\r\nfrom the individual responsible for the botnet infrastructure associated with the IPStorm malware. This\r\nachievement is a significant milestone in ongoing efforts to combat cyber threats. The research team at Intezer\r\nassisted in the FBI’s case, sharing our findings and analysis about the new IPStorm malware variants and\r\ncapabilities as it expanded to infect Linux, Mac, and Android devices around the world.\r\nBelow is Intezer’s research about IPStorm that was originally published on October 1, 2020.\r\nA Storm is Brewing: IPStorm Now Has Linux Malware\r\nThe development of cross-platform malware is not new; however, we continue to observe malware families\r\nthat were previously documented targeting only Windows now also targeting the Linux platform. One of these threats\r\nis IPStorm.\r\nIn May 2019, researchers from Anomali discovered a new Golang malware targeting Windows, which they\r\ndubbed IPStorm (InterPlanetary Storm). IPStorm is a botnet that abuses a legitimate peer-to-peer (P2P)\r\nnetwork called InterPlanetary File System (IPFS) as a means to obscure malicious traffic. The\r\nmalware was found to allow attackers to execute arbitrary PowerShell commands on the victim’s Windows\r\nmachine.\r\nOur research team recently identified new Linux variants of IPStorm targeting various Linux architectures (ARM,\r\nAMD64, Intel 80386) and platforms (servers, Android, IoT). We have also detected a macOS variant. The macOS\r\nvariant and most of the Linux samples are fully undetected in VirusTotal at the time of this publication. 
IPStorm is\r\nwritten in Golang, which enabled Intezer to detect cross-platform code connections between the Linux samples\r\nand the Windows malware first reported by Anomali.\r\nThe Linux variant has additional features over the documented Windows version, such as using SSH brute-force\r\nas a means to spread to additional victims and fraudulent network activity abusing Steam gaming and\r\nadvertising platforms. The Linux variant has also adjusted some features to account for the fundamental\r\ndifferences between this operating system and Windows.\r\nIn this post, we will present a code relations graph between the IPStorm Windows and Linux samples, analyze the\r\nbehavior of one of the Linux variants, and compare its features and capabilities to the older Windows samples to track its\r\nevolution.\r\nhttps://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/\r\nPage 1 of 14\r\nFollowing that, we will take a deeper dive into some notable features and explain how to respond to this\r\nthreat.\r\nTechnical Analysis of IPStorm\r\nMost of the IPStorm Linux samples were fully undetected before we submitted them for genetic analysis in\r\nIntezer.\r\nIn this post, we will focus on the 658638c6bef52e03e6aea4b6c1b2b3b8d81ad40144b56b2122d96e6957c33117\r\nLinux sample.\r\n658638c6bef52e03e6aea4b6c1b2b3b8d81ad40144b56b2122d96e6957c33117 sample undetected in\r\nVirusTotal.\r\nBecause IPStorm is written in Golang, not only can we observe strong code connections between the different\r\nLinux variants, we can also identify connections to IPStorm’s Windows samples uploaded to Intezer in 2019.\r\nSamples analyzed and classified by Intezer in the IPStorm malware family.\r\nThe following map emphasizes code similarities between the different versions and operating systems. The nodes\r\nrepresent the individual samples and the lines are the code relations between them. 
All samples are linked to each\r\nother in some way:\r\nIPStorm PE files from 2019\r\nIPStorm ELF files from 2020\r\nMap showing IPStorm code similarities between different samples analyzed. Nodes represent the\r\nindividual samples and the lines show code relations between them.\r\nThe graph depicts three main clusters, with each cluster containing samples that have strong code connections\r\nbetween them:\r\nPE, Intel 80386 architecture\r\nELF, Intel 80386 architecture\r\nELF, AMD x86-64 architecture\r\nYou will also notice that shared code exists between the two ELF clusters, and between the ELF and PE Intel 80386\r\nclusters.\r\nYou can use the cluster_directory.py API script in this GitHub repository to create a cluster graph of your own.\r\nIPStorm Linux Variant Behavior Flow\r\nThe Linux variant’s symbols are stripped. Using the IDAGolangHelper plugin we recovered the file’s symbols and\r\nsaw exactly which packages the malware contains. A package in Go is a bundle of Go source files that make up\r\na specific functionality. Every Go source file belongs to a package.\r\nThe Linux malware’s main logic is implemented in a package called storm_starter, a new package that was not\r\nin the Windows version, where all logic was implemented in the main function.\r\nBoth versions implement the main flow in a similar way; however, the Linux instances have\r\nadditional features and adjusted some logic due to the differences between the two operating systems.\r\nThe Linux iteration starts by disabling the out-of-memory (OOM) killer in order to prevent it from terminating the\r\nmalware. 
It then proceeds to check for any processes related to antivirus or other security tools that may prevent\r\nfurther execution of the malware. Next, the malware generates and saves pubkeys in a file called storm.key. The\r\nlocation where this key is saved depends on the privileges the malware was executed with. If the malware was\r\nexecuted with root privileges, the key will be stored at /etc/storm.key. Otherwise, it will be saved at\r\n/tmp/storm.key. The malware then tries to establish connections with other nodes in the peer-to-peer network.\r\nThe malware sends HTTP requests to different services such as diagnostic[.]opendns[.]com/myip,\r\nifconfig[.]io/ip, and myip[.]dnsomatic[.]com to receive the external IP address of the victim server. If the\r\nmalware is running as root, it will create a service under systemd to achieve persistence and copy itself to\r\n/usr/bin/storm. Otherwise, it will be copied to /tmp/storm. The malware will then relaunch itself from the new\r\ninstallation path.\r\nThis new process is responsible for executing the main features of the IPStorm malware: the reverse shell\r\npreviously seen in the Windows variant, maintaining connections with other peers in the P2P network,\r\nand a new feature for spreading the malware to other victims.\r\nIPStorm Linux output, non-privileged user.\r\nLinux vs. Windows Comparison\r\nComparing IPStorm Linux version 0.2.05a to Windows version 0.0.2m, it became clear the developer added\r\nfeatures and altered existing ones to attack Linux platforms.\r\nPackages Comparison\r\nThe malware is composed of different Golang packages, with each package providing a different feature. 
The\r\nfollowing table categorizes package comparisons between the two versions:\r\nGolang Package | Functionality | Linux Version 0.2.05a (2020) | Windows Version 0.0.2m (2019)\r\nscan_tools | Scans for potential victims | + | –\r\nweb_api_client | Handles HTTP requests and responses | + | –\r\np2p (part of the web API) | HTTP over P2P | + | –\r\nreque_client | Handles the communication of peers in the network | + | –\r\ncommander | Handles HTTP requests | + | –\r\nstarter | Implements the main logic of the malware (basically the “main function”) | + | –\r\nmalware-guard | Antivirus evasion | + | –\r\navbypass | Antivirus evasion | – | +\r\nbackshell | In charge of the reverse shell | + | +\r\nddb | Database | + | +\r\nfiletransfer | Persistence and managing file transfers to other peers | + | +\r\nlogging | Output log | + | +\r\nnode | Responsible for advertising the node, getting the external IP, and maintaining connection with other nodes | + | +\r\npowershell | In Windows, in charge of the PowerShell artifact in the backdoor. In the Linux variant, the package has only one function copied from the Windows version and is used for achieving reverse shell. | + | +\r\nutil | Utility functions | + | +\r\nddbinterface | DB functions | + | +\r\nproxy | Implements SOCKS5 proxy | + | +\r\nNote: We compared Linux version 0.2.05a to Windows version 0.0.2m, which was analyzed in Anomali’s report.\r\nHowever, the malware is frequently updated and we have observed multiple different versions since, so\r\nfunctionalities may differ between them.\r\nFeatures Comparison\r\nScanning tools – Android and SSH brute-force\r\nThe Linux variant attempts to spread and infect other victims on the internet by using SSH brute-force. 
Once a\r\nconnection is established, the malware will check whether the victim server is a honeypot by comparing the hostname of\r\nthe attacked server to the string “svr04”, which is the default hostname of the Cowrie SSH honeypot. If the malware\r\nidentifies a honeypot it will close the connection; otherwise it will proceed to download the payload and infect the\r\nserver.\r\nValidation of whether the server is a honeypot or not.\r\nAnother spreading method that is unique to the Linux version is searching for potential Android victims. The\r\nmalware checks for devices connected to the victim node via ADB (Android Debug Bridge). Once identified, it\r\nwill upload an Android version of IPStorm, previously downloaded from the P2P network, to the device.\r\nScreen capture from the log of the storm service showing the downloaded file.\r\nAntivirus Evasion\r\nBoth the IPStorm Windows and Linux versions implement features related to detection evasion, and each variant uses\r\na different technique. In the Linux version, the package in charge of this logic is called storm_malware_guard.\r\nThe file iterates through all currently running processes in order to find and terminate ones that might detect the\r\nmalware’s activity.\r\nThe function under the storm_malware_guard package that implements this technique is called\r\nKillSuspiciousProcesses. Other functions in this package are responsible for obtaining information about CPU\r\nand memory usage and the number of I/O ports, and for returning information about processes and threads.\r\nIn the Windows version, the AV evasion logic is implemented in a package called avbypass.\r\nThis technique is based on random sleep times and multiple function calls. 
The purpose of this method is to make\r\ntracing the original process harder for antivirus solutions.\r\nIt appears that, due to the different operating systems, each IPStorm version has its own way to evade detection.\r\nReverse Shell\r\nBoth IPStorm versions use the name backshell to refer to the reverse shell feature.\r\nThe backshell functions of the Linux variant are identical to those of the Windows variant.\r\nThe Windows variant has a package called powershell which contains functions for achieving reverse shell. The\r\nsame package is present in the Linux variant, but it contains only one function:\r\nstorm_powershell__ptr_Backend_StartProcess. The function is used to get a reverse shell on the infected\r\nsystem.\r\nThe implementation of the reverse shell is a clear example of the code reuse connections between the two IPStorm\r\nvariants. The screengrabs below demonstrate the changes in file names and the identical function names found in\r\nthe two versions:\r\nLinux:\r\nWindows:\r\nPersistence\r\nThe Linux version will attempt to gain persistence only if it was executed with root privileges. The Windows\r\nversion, on the other hand, will always look to gain persistence. 
It is evident that each variant of the malware,\r\nLinux and Windows, uses a different technique to gain persistence, since the operating systems they target are\r\nfundamentally different.\r\nThe Windows variant achieves persistence by copying itself to a random location and adding the program to the\r\nHKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key.\r\nThe Linux version achieves persistence by creating a systemd service under /etc/systemd/system/storm.service.\r\n/etc/systemd/system/storm.service\r\nThe function that achieves persistence in the Linux variant.\r\nAnother difference is the location to which the file is copied. The Windows variant uses random file paths while\r\nthe Linux version uses fixed paths.\r\nNetwork Traffic\r\nOn top of creating a reverse shell, we have detected that IPStorm’s Linux variant takes advantage of how\r\nwidespread it is to perform various fraudulent activities in the background, abusing gaming and ad monetization platforms.\r\nBecause it is a botnet, the malware benefits from the large number of requests coming from different trusted sources, so the\r\ntraffic is neither blocked nor easily traced. This activity was not observed in the Windows variant.\r\nSteam Gaming Fraud\r\nSteam is a popular gaming service from Valve Corporation and is used by hundreds of millions of users worldwide.\r\nIt also provides an API for developers who want to use Steam data on their own websites.\r\nAs part of the monetization process for game developers, Steam users can buy and sell different items such as\r\nequipment, skins, and other in-game elements. This platform is so popular that it has become a hot target for\r\ncybercriminals. A known method used by attackers is creating phishing websites to lure users into submitting their\r\nSteam login credentials. 
With access to a user’s credentials the attacker has full access to the account, API key\r\nincluded.\r\nWe noticed IPStorm generates a large amount of traffic to Steam’s API, querying data pertaining to various Steam\r\nusers and using multiple valid API keys.\r\nWe suspect these are stolen accounts that are being monitored as part of a fake trade scam. Browse here for more\r\ninformation about this scam.\r\nAd Fraud\r\nThe malware generates requests that imitate clicks on advertisements. All the ads we have traced are related to\r\npornographic websites. The malware crawls through different predefined sites, searches for advertisement iframes,\r\nand imitates a user “click” by browsing through the iframes.\r\nExample of a request the malware generates to an ad platform.\r\nWebsites the malware crawls through.\r\nIPStorm Detection and Response\r\nCompromised System Detection\r\nYou can take the following steps to check if your system has been attacked by the IPStorm malware.\r\nHow to Terminate IPStorm on a Compromised System\r\nIf the malware runs as a service, stop the service by executing the command:\r\nsudo systemctl stop storm.service\r\nDelete all the files that are related to the IPStorm malware. The file paths are mentioned in the previous\r\nsection.\r\nKill the process by running: sudo pkill -9 storm\r\nResponse\r\nWe are providing a YARA rule intended to be run against in-memory artifacts in order to detect these\r\nimplants.\r\nSystem Security Hardening\r\nMake sure your SSH connection is secured. Use a key instead of a password, or use multi-factor\r\nauthentication. 
Browse here for more tips about SSH hardening.\r\nMake sure your system is updated to the latest software and aligned with the most recent security best\r\npractices.\r\nUse a runtime cloud workload protection solution such as Intezer Protect. Protect provides full runtime\r\nvisibility over the code in your system and alerts on any suspicious or unauthorized code that deviates from\r\nthe secure baseline.\r\nSummary\r\nIPStorm, now with a Linux variant, is the latest example of cross-platform malware developed in Golang.\r\nPlatforms that are compromised by IPStorm are not only exposed to a backdoor into their services but are also\r\nadded to the IPStorm botnet, which attempts to spread to other victims. The attackers behind IPStorm are very\r\nactive, as evidenced by the frequent release of updated versions with new features and improvements, as well as the\r\nexpansion to several different platforms and architectures.\r\nIPStorm is part of a growing list of Golang ELF malware that has been spotted attacking live servers in the past\r\nsix months alone, together with Kaiji, Kinsing, and FritzFrog.\r\nWe want to give special thanks to Paul Litvak and Michael Kajiloti for their help contributing to this\r\nanalysis.\r\nBoth IPStorm Linux and Windows samples are indexed in Intezer, and you can detect this and other cross-platform\r\nmalware with the code reuse feature for Golang just by uploading a file or hash to the system. 
Below is the\r\nanalysis of one of the Linux samples.\r\nIOCs\r\nLinux\r\n3aff4695c73709e2e0e55665c4850aa45064723a2c83e75325b27e77ec5f6d97\r\nb80346c4d31d77fba9427024d34af2f43e64a5272b5bbef28c6bf045a06143ff\r\nd233c37f2d49badbf53d054bce7fb8e787c9973067e8dcd79835d7816aacfa43\r\n658638c6bef52e03e6aea4b6c1b2b3b8d81ad40144b56b2122d96e6957c33117\r\nbfb69eadee1918a9402478c76dd15696bbac3e3e3e57c9a94c7d51e594b8c657\r\n64abc2cf5866e932b0731a6deb487aa3d9756724250de26bac2fb930cd478dc0\r\n52f215521ba59cb6a51314bd1527f1c540ffc04df924ad971ca2160405879778\r\naa7639b11f7c852005110e5ac34c9a2c94c562bcc95dbf6f60a1a7192cf8ea77\r\ncae8a782765dd0f97e7a812a245cc5b94b3179ced9c8181d0fda13978c9f17be\r\n5103133574615fb49f6a94607540644689be017740d17005bc08b26be9485aa7\r\n08bf31862577567a56bf3be6425f1ddf4ac90914efd883a75a5a53dbcabd28a2\r\n984c5e980fb8a5b7bbc673f923f22ddf06c5dd89fcd0acf774d79d4d193b44c8\r\n591770835066958e912ceb445bd865e961ac946e8cf70ced9f0bd75c851d9478\r\n69ea7bcf3da16d968e6104745c1f015f6371c093188f1061a311a6385985b45b\r\nfbd5e48ee691df949e0dd3687755c80cc5b9d1a1a89e7dc486694370697de893\r\nc247b3c07b4bf13da67c51d5834193d128c45c7e41214096090b5d2610313783\r\nf4f1fb65df80666fe67b22b84d9d8f967449d1249c33ad97f4305784fa41e747\r\nef226de8cc53e59c9431838085f3bbd1b8a32f7cc135682033a3fdba19a0ee97\r\ndfeecdd23f28f80e42e58c87c9a4858648964b3100dfb899c61b54aed7856cf7\r\ndb9c95bdc4247ff6cdaf8a8e47b4add21a730461d8f6e2693136aecd346b3fb5\r\nb4c75e1d94bc4c8affd6d9f433585ace2738772e6a04403ab67cce3df9574068\r\nb07c2dfb4c57175446b6188bb4b1722272f63a301f18c5f46ee6401347894fea\r\na5468b6130d90bc74cf8e458297f6d4c7fc42b87184623aefd535bca658542ed\r\n7c41de95313dc98a3fc4f6fe3910759c3561743dacc629dab11e754290f8c7aa\r\n7b044b8eddd20d8e1c7d499a6c34b1bc373f5fe9d59bab7b4e3a341a5f4ce0b5\r\n79ec318a968679f94d2ab0ba15daaeeb71406d2f744eb0cd1b314c4bb403114d\r\n52b081dbaafbbae8ad812f9c50a1a5f7d8b0850b3c6dc69eccb3322f34286c2e\r\n50406ec7fa22c78e9b14da4ccc127a899db21f7a23b1916ba432900716e0db3d\r\n1d0e003ee653d1a7b80ff5e69c33689af04e45fc836a29e0853219dd100fd534\r\n16bcb323bfb464f7b1fcfb7530ecb06948305d8de658868d9c3c3c31f63146d4\r\nmacOS\r\n522a5015d4d11833ead6d88d4405c0f4119ff29b1f64b226c464e958f03e1434\r\nSource: https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/"
	],
	"report_names": [
		"a-storm-is-brewing-ipstorm-now-has-linux-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775791320,
	"ts_updated_at": 1775826685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/34988b509794584b120e041b122eabbe3a81facd.pdf",
		"text": "https://archive.orkl.eu/34988b509794584b120e041b122eabbe3a81facd.txt",
		"img": "https://archive.orkl.eu/34988b509794584b120e041b122eabbe3a81facd.jpg"
	}
}