{
	"id": "b3d931ee-6dd6-438d-a8c4-1fcb3654b968",
	"created_at": "2026-04-06T00:07:55.819884Z",
	"updated_at": "2026-04-10T13:11:47.490674Z",
	"deleted_at": null,
	"sha1_hash": "787d740a6b5899337375db8011f5026fa8c78d60",
	"title": "Xor DDoS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61790,
	"plain_text": "Xor DDoS\r\nBy Contributors to Wikimedia projects\r\nPublished: 2016-03-18 · Archived: 2026-04-05 21:17:32 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nXOR DDoS is a Linux Trojan malware with rootkit capabilities that was used to launch large-scale DDoS attacks.\r\nIts name stems from the heavy usage of XOR encryption in both the malware and its network communication to the\r\nC\u0026Cs. It is built for multiple Linux architectures like ARM, x86 and x64. Noteworthy about XOR DDoS is the\r\nability to hide itself with an embedded rootkit component which is obtained by multiple installation steps.[1] It\r\nwas discovered in September 2014 by MalwareMustDie, a white hat malware research group.[2][3][4] From\r\nNovember 2014 it was involved in a massive brute-force campaign that lasted for at least three months.[5]\r\nTo gain access, it launches a brute-force attack to discover the password to Secure Shell services\r\non Linux.[6] Once Secure Shell credentials are acquired and login is successful, it uses root privileges to run a\r\nscript that downloads and installs XOR DDoS.[7] It is believed to be of Asian origin based on its targets, which\r\ntend to be located in Asia.[8]\r\nApplication layer DDoS attack\r\nBASHLITE\r\nBotnet\r\nDendroid (Malware)\r\nDenial-of-service attack\r\nRootkit\r\nZombie (computer science)\r\nZeroAccess botnet\r\n1. ^ \"Linux DDoS Trojan hiding itself with an embedded rootkit\". Avast. January 6, 2015. Archived from the\r\noriginal on September 16, 2025. Retrieved September 7, 2019.\r\n2. ^ \"MMD-0028-2014 - Linux/XOR.DDoS : Fuzzy reversing a new China ELF\". Malware Must Die!.\r\nArchived from the original on October 2, 2014. Retrieved September 7, 2019.\r\n3. ^ Constantin, Lucian (February 6, 2015). \"Sneaky Linux malware comes with sophisticated custom-built\r\nrootkit\". PCWorld (From IDG). Retrieved February 6, 2015.\r\n4. ^ Cimpanu, Catalin (September 29, 2015). 
\"XOR DDoS Botnet Uses Compromised Linux Machines to\r\nLaunch 150+ Gbps Attacks\". Softpedia News. Retrieved September 29, 2015.\r\n5. ^ \"Anatomy of a Brute Force Campaign: The Story of Hee Thai Limited\". Threat Research Blog. FireEye.\r\nArchived from the original on March 18, 2015. Retrieved March 18, 2016.\r\n6. ^ \"New Botnet Hunts for Linux — Launching 20 DDoS Attacks/Day at 150Gbps\". thehackernews.com.\r\nArchived from the original on March 18, 2016. Retrieved March 18, 2016.\r\n7. ^ \"XOR DDoS Botnet Launching 20 Attacks a Day From Compromised Linux Machines, Says Akamai\"\r\n(Press release). Cambridge, MA: Reuters. Archived from the original on March 18, 2016. Retrieved March\r\n18, 2016.\r\n8. ^ \"Threat Advisory: XOR DDoS | DDoS mitigation, YARA, Snort\" (PDF). stateoftheinternet.com. Archived\r\nfrom the original on March 23, 2021. Retrieved March 18, 2016.\r\nSource: https://en.wikipedia.org/wiki/Xor_DDoS",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Xor_DDoS"
	],
	"report_names": [
		"Xor_DDoS"
	],
	"threat_actors": [],
	"ts_created_at": 1775434075,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/787d740a6b5899337375db8011f5026fa8c78d60.pdf",
		"text": "https://archive.orkl.eu/787d740a6b5899337375db8011f5026fa8c78d60.txt",
		"img": "https://archive.orkl.eu/787d740a6b5899337375db8011f5026fa8c78d60.jpg"
	}
}