Operation Windigo - Threat Group Cards: A Threat Actor
Encyclopedia
Archived: 2026-04-05 19:47:01 UTC
Home > List all groups > Operation Windigo
 Other threat group: Operation Windigo
Names
Operation Windigo (ESET)
G0124 (MITRE)
Country Russia
Motivation Financial gain
First seen 2011
Description
(ESET) This document details a large and sophisticated operation, code named
“Windigo”, in which a malicious group has compromised thousands of Linux and Unix
servers. The compromised servers are used to steal SSH credentials, redirect web
visitors to malicious content and send spam.
This operation has been ongoing since at least 2011 and has affected high profile
servers and companies, including cPanel – the company behind the famous web hosting
control panel – and Linux Foundation’s kernel.org – the main repository of source code
for the Linux kernel. However this operation is not about stealing company resources or
altering Linux’s source code as we will unveil throughout the report.
The complexity of the backdoors deployed by the malicious actors shows out of the
ordinary knowledge of operating systems and programming. Additionally, extra care
was given to ensure portability, meaning the various pieces of malware will run on a
wide range of server operating systems and to do so in an extremely stealthy fashion.
The Windigo operation does not leverage any new vulnerability against Linux or Unix
systems. Known systemic weaknesses were exploited by the malicious actors in order
to build and maintain their botnet.
Observed Countries: Worlwide.
Tools used Calfbot, CDorked, Ebury.
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=59bca5af-b3b0-4973-8988-e8c011dccbae
Page 1 of 2

Counter operations Mar 2017
Russian Citizen Pleads Guilty for Involvement in Global Botnet
Conspiracy
Information MITRE ATT&CK Last change to this card: 16 August 2025
Download this actor card in PDF or JSON format
Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=59bca5af-b3b0-4973-8988-e8c011dccbae
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=59bca5af-b3b0-4973-8988-e8c011dccbae
Page 2 of 2