{
	"id": "fe7e1b0c-f40b-4da6-9080-961e1697c867",
	"created_at": "2026-04-06T00:08:24.295844Z",
	"updated_at": "2026-04-10T03:22:12.023846Z",
	"deleted_at": null,
	"sha1_hash": "bf4d5367ab2739eda5cd2ce63fc6ad34902e31a7",
	"title": "Old Botnets never Die, and DDG REFUSE to Fade Away",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 189174,
	"plain_text": "Old Botnets never Die, and DDG REFUSE to Fade Away\r\nBy JiaYu\r\nPublished: 2018-07-12 · Archived: 2026-04-05 13:43:25 UTC\r\nDDG is a mining botnet that specializes in exploiting SSH, Redis database and OrientDB database servers. We first caught it on October 25, 2017. At that time, DDG used version numbers 2020 and 2021, and we noticed that the botnet had two internally reserved domain names that had not been registered. So we went ahead and registered the two domain names, which let us measure the infections (4,391 infected IPs). The original blog is here.\r\nSome botnets go away after we release the analysis report, such as http81 (persirai), but DDG stays.\r\nThree months after the release of our first DDG report, in May 2018, DDG got some major updates. Versions 3010 and 3011 appeared, and we also witnessed the author's effort to polish 3011 so he could get the mining part to work.\r\nOn June 12, we captured that DDG.Mining.Botnet released yet another new version, 3012, with yet another C2 address. For all the technical details, please check our detailed DDG blog here.\r\nList of DDG Updates\r\nThe following figures describe a high-level overview and comparison between different DDG versions.\r\nhttps://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-away/\r\nPage 1 of 3\n\nFrom the figure we can see:\r\nVersion Update: Starting from October 2017, DDG has released three major versions, 201x, 202x, and 301x, and six minor versions.\r\nC2 IP address: Four major C2 IPs have been used.\r\nModule structure: Three major modules: propagate, keep-live, and mining.\r\nInfection method: Brute-force attacks on SSH servers and unauthorized access to Redis servers (2017-10 to date). In versions 201x and 202x, Struts2 and OrientDB database servers were also targeted for infection.\r\nWallet Address: Three wallet addresses. The file name of the mining program is normally the same as the last 5 to 6 characters of the wallet address.\r\nRedundancy: The author always keeps two versions of the botnet running at the same time to provide fault tolerance. After the 301x version, the author also started to use multiple mining pools for redundancy, such as the mining pools hk02.supportxmr.com, pool.supportxmr.com, xmr-asia1.nanopool.org, xmr-us-west1.nanopool.org, and the mining pool proxies 47.52.57.128 and 165.225.157.157.\r\nIn addition:\r\nProfit: According to our incomplete statistics, DDG's wallet addresses have received at least 7,425 Monero coins just from Monero.crypto-pool.fr.\r\nHUB: DDG uses a group of hacked servers to provide download service to infected hosts. Each DDG version update refreshes this HUB_IP list. See the IoC section at the end of this article for infected IPs.\r\nFor Sinkhole, we sinkholed two unregistered domain names for DDG version 2020. Although the DDG 2021 version was quickly released and removed these two domain names, we were still able to get an accurate number of the infections. At that time, we recorded a total of 4,391 victim IP addresses. The main victims were China (73%) and the United States (11%):\r\nIoC\r\nDDG C2 List\r\n218.248.40.228 India/IN National Capital Territory of Delhi/New Delhi\r\n202.181.169.98 Hong Kong/HK Central and Western District/Central\r\n165.225.157.157 United States/US Nevada/Las Vegas\r\n69.64.32.12 United States/US Missouri/St Louis\r\nIP_HUB list\r\nv2011\r\nv2020~v2021\r\nv3011\r\nv3011 patched\r\nv3012\r\nSource: https://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-away/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-away/"
	],
	"report_names": [
		"old-botnets-never-die-and-ddg-refuse-to-fade-away"
	],
	"threat_actors": [],
	"ts_created_at": 1775434104,
	"ts_updated_at": 1775791332,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bf4d5367ab2739eda5cd2ce63fc6ad34902e31a7.pdf",
		"text": "https://archive.orkl.eu/bf4d5367ab2739eda5cd2ce63fc6ad34902e31a7.txt",
		"img": "https://archive.orkl.eu/bf4d5367ab2739eda5cd2ce63fc6ad34902e31a7.jpg"
	}
}