{
	"id": "916d2081-137e-4212-ba6f-d2cbf52e071c",
	"created_at": "2026-04-06T00:11:07.386177Z",
	"updated_at": "2026-04-10T13:12:44.134384Z",
	"deleted_at": null,
	"sha1_hash": "c94d90366159c1cec815f416115037c0bc9f5921",
	"title": "Linux Malware RapperBot Brute Forcing SSH Servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54484,
	"plain_text": "Linux Malware RapperBot Brute Forcing SSH Servers\r\nPublished: 2022-08-08 · Archived: 2026-04-05 14:51:38 UTC\r\nRapperBot is an IoT botnet malware that has spread through brute force since it was first identified in June 2022. Over 3,500 unique IPs have been used by RapperBot to brute-force its way into a growing number of compromised SSH servers.\r\n“RapperBot has switched from self-propagation to maintaining remote access into the brute-forced SSH servers,” researchers say.\r\nRapperBot works as a DDoS tool for SSH. The attacks leverage a credentials list obtained from a remote server to perform brute force on targets. After a successful SSH server hack, the malware exfiltrates the newly acquired valid credentials to the C2.\r\nAttack Details\r\nA unique file named /.ssh/authorized_keys is used to gain access by inserting the operators’ SSH public key. This enables the attacker to log in and authenticate to the server using the associated private key without providing a password. As a result, threat actors can access hacked SSH servers even after their SSH credentials have been changed or SSH password authentication has been disabled.\r\nIn addition, because the existing file is replaced, all previously authorized keys are removed, preventing legitimate users from connecting to the SSH server using public key authentication.\r\nRapperBot’s attack scenario (Source: Fortinet)\r\nA Possible Mirai Malware Variant\r\nDespite having many similarities to the original Mirai source code, RapperBot differs from other IoT malware families in that it brute forces credentials and connects to SSH servers rather than Telnet, which was how Mirai implemented its attacks.\r\nAlso, RapperBot’s developers have begun adding code to maintain persistence. This gives threat actors access to compromised devices via SSH even after the device reboots or the malware is removed.\r\nThe motive behind RapperBot’s botnet creation attacks is still unclear since there is no evidence of post-compromise activity.\r\nSSH servers with default or weak passwords are being targeted; thus, using strong passwords is advised, and password authentication for SSH should be disabled if possible.\r\nRapperBot IoCs\r\nFiles:\r\nDownload URLs:\r\nC2 Servers:\r\n31[.]44[.]185[.]235\r\n2[.]58[.]149[.]116\r\n194[.]31[.]98[.]244\r\n185[.]225[.]73[.]196\r\nThreat Actor SSH Public Key:\r\nThreat Actor Root User:\r\n/etc/passwd suhelper:x:0:0::/:\r\n/etc/shadow suhelper:$1$1OJBlhUV$E9DMK0xdoZb8W8wVOibPQ/:19185:0:99999:7:::\r\nSource: https://socradar.io/linux-malware-rapperbot-brute-forcing-ssh-servers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://socradar.io/linux-malware-rapperbot-brute-forcing-ssh-servers/"
	],
	"report_names": [
		"linux-malware-rapperbot-brute-forcing-ssh-servers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434267,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c94d90366159c1cec815f416115037c0bc9f5921.pdf",
		"text": "https://archive.orkl.eu/c94d90366159c1cec815f416115037c0bc9f5921.txt",
		"img": "https://archive.orkl.eu/c94d90366159c1cec815f416115037c0bc9f5921.jpg"
	}
}