{ "id": "7eb3dfbf-94e0-4eb3-acd5-a3407a64ea5d", "created_at": "2026-04-06T00:15:31.995477Z", "updated_at": "2026-04-10T03:34:57.288239Z", "deleted_at": null, "sha1_hash": "b01cdda28f17ad3b0d88ccbfd58f832994e5e36d", "title": "Operation Windigo - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47492, "plain_text": "Operation Windigo - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 19:47:01 UTC\r\nHome \u003e List all groups \u003e Operation Windigo\r\n Other threat group: Operation Windigo\r\nNames\r\nOperation Windigo (ESET)\r\nG0124 (MITRE)\r\nCountry Russia\r\nMotivation Financial gain\r\nFirst seen 2011\r\nDescription\r\n(ESET) This document details a large and sophisticated operation, code named\r\n“Windigo”, in which a malicious group has compromised thousands of Linux and Unix\r\nservers. The compromised servers are used to steal SSH credentials, redirect web\r\nvisitors to malicious content and send spam.\r\nThis operation has been ongoing since at least 2011 and has affected high profile\r\nservers and companies, including cPanel – the company behind the famous web hosting\r\ncontrol panel – and Linux Foundation’s kernel.org – the main repository of source code\r\nfor the Linux kernel. However this operation is not about stealing company resources or\r\naltering Linux’s source code as we will unveil throughout the report.\r\nThe complexity of the backdoors deployed by the malicious actors shows out of the\r\nordinary knowledge of operating systems and programming. Additionally, extra care\r\nwas given to ensure portability, meaning the various pieces of malware will run on a\r\nwide range of server operating systems and to do so in an extremely stealthy fashion.\r\nThe Windigo operation does not leverage any new vulnerability against Linux or Unix\r\nsystems. Known systemic weaknesses were exploited by the malicious actors in order\r\nto build and maintain their botnet.\r\nObserved Countries: Worlwide.\r\nTools used Calfbot, CDorked, Ebury.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=59bca5af-b3b0-4973-8988-e8c011dccbae\r\nPage 1 of 2\n\nCounter operations Mar 2017\nRussian Citizen Pleads Guilty for Involvement in Global Botnet\nConspiracy\nInformation MITRE ATT\u0026CK Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=59bca5af-b3b0-4973-8988-e8c011dccbae\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=59bca5af-b3b0-4973-8988-e8c011dccbae\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=59bca5af-b3b0-4973-8988-e8c011dccbae" ], "report_names": [ "showcard.cgi?u=59bca5af-b3b0-4973-8988-e8c011dccbae" ], "threat_actors": [ { "id": "1934b371-2525-4615-a90a-772182bc4184", "created_at": "2022-10-25T15:50:23.396576Z", "updated_at": "2026-04-10T02:00:05.341979Z", "deleted_at": null, "main_name": "Windigo", "aliases": [ "Windigo" ], "source_name": "MITRE:Windigo", "tools": [ "Ebury" ], "source_id": "MITRE", "reports": null }, { "id": "3844202f-b24a-4e16-b7b9-dfe8c0a44d5d", "created_at": "2022-10-25T16:07:24.526179Z", "updated_at": "2026-04-10T02:00:05.023222Z", "deleted_at": null, "main_name": "Operation Windigo", "aliases": [ "G0124" ], "source_name": "ETDA:Operation Windigo", "tools": [ "CDorked", "CDorked.A", "Calfbot", "Ebury" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434531, "ts_updated_at": 1775792097, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b01cdda28f17ad3b0d88ccbfd58f832994e5e36d.pdf", "text": "https://archive.orkl.eu/b01cdda28f17ad3b0d88ccbfd58f832994e5e36d.txt", "img": "https://archive.orkl.eu/b01cdda28f17ad3b0d88ccbfd58f832994e5e36d.jpg" } }