{
	"id": "01c1af8c-02c5-4190-9e80-f988cb5c8c3c",
	"created_at": "2026-04-06T00:19:57.810277Z",
	"updated_at": "2026-04-10T03:23:51.383684Z",
	"deleted_at": null,
	"sha1_hash": "7114ef042467d8a6a8270214f930912b2a0530fa",
	"title": "Sophisticated FritzFrog P2P Botnet Returns After Long Break",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 285806,
	"plain_text": "Sophisticated FritzFrog P2P Botnet Returns After Long Break\r\nBy Eduard Kovacs\r\nPublished: 2022-02-14 · Archived: 2026-04-05 17:38:19 UTC\r\nA sophisticated botnet named FritzFrog has returned after a long break with new capabilities, and researchers believe it may be linked to Chinese threat actors.\r\nFritzFrog is a Golang-based malware that can be compiled to run on various architectures and it operates completely in memory. The FritzFrog botnet uses a proprietary peer-to-peer (P2P) architecture for command and control (C\u0026C) communications — the bots don’t get commands from a central server, but from any other device on its network.\r\nFritzFrog has targeted SSH servers — it uses a simple brute-force technique to obtain their credentials — and once it has established an SSH session, it drops the malware and executes it.\r\nThe malware then waits for commands from its operators, including for transferring files, running scripts and binary payloads, deploying a cryptocurrency miner, and eliminating other miners from the compromised system. It also starts scanning IP addresses to spread further.\r\nFritzFrog emerged in January 2020 and it was detailed by micro-segmentation technology startup Guardicore in August 2020. Shortly after Guardicore’s warning, the botnet seemed to disappear. However, it returned in December 2021 with new capabilities and many attack attempts — attacks peaked at 500 per day.\r\nAkamai, which acquired Guardicore in 2021, warned last week that at least 1,500 hosts had been infected. The content delivery and security giant said the botnet has been seen targeting cloud instances, routers, and data center servers around the world.\r\nhttps://www.securityweek.com/sophisticated-fritzfrog-p2p-botnet-returns-after-long-break\r\nPage 1 of 3\r\nA large concentration of victims has been seen in China, Central Europe and the United States. Targeted sectors include healthcare, higher education and government, and the list of victims singled out by Akamai includes a European TV network, a Russian healthcare equipment manufacturer, and East Asian universities.\r\nAccording to Akamai, FritzFrog is often updated and there is some indication that its developers might be preparing to target WordPress servers. The company’s researchers also noticed that FritzFrog contains functionality for creating a Tor proxy chain that would help it become more resilient. However, the Tor proxy chain functionality has yet to be used by the malware.\r\nOther changes observed by Akamai include the use of a public Secure Copy Protocol (SCP) library that the malware leverages to copy itself to a compromised server, and a hardcoded blocklist for ensuring that the malware avoids systems with low resources and certain IP addresses — for instance, ones that may be botnet sinkholes.\r\nThe SCP library used by FritzFrog appears to have been developed by someone in China, and the cryptocurrency mining activity has been linked to wallets previously tied to Chinese threat actors. In addition, roughly one-third of the infected systems appear to be located in China.\r\n“These points of evidence, while not damning, lead us to believe a possible link exists to an actor operating in China, or an actor masquerading as Chinese,” Akamai said.\r\nThe company has shared indicators of compromise (IOCs), as well as a free tool that can be used to detect the presence of FritzFrog on SSH servers.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.securityweek.com/sophisticated-fritzfrog-p2p-botnet-returns-after-long-break"
	],
	"report_names": [
		"sophisticated-fritzfrog-p2p-botnet-returns-after-long-break"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434797,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7114ef042467d8a6a8270214f930912b2a0530fa.pdf",
		"text": "https://archive.orkl.eu/7114ef042467d8a6a8270214f930912b2a0530fa.txt",
		"img": "https://archive.orkl.eu/7114ef042467d8a6a8270214f930912b2a0530fa.jpg"
	}
}