{ "id": "103904b8-f2c0-485b-9fa2-1e59bd661724", "created_at": "2026-04-06T00:18:00.803122Z", "updated_at": "2026-04-10T03:34:57.328275Z", "deleted_at": null, "sha1_hash": "d03fd6cfa288891bcdd277a9061f08114e41ca00", "title": "Ebury (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48331, "plain_text": "Ebury (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 22:42:19 UTC\r\nelf.ebury (Back to overview)\r\nEbury\r\nThis payload has been used to compromise kernel.org back in August of 2011 and has hit cPanel Support which in\r\nturn, has infected quite a few cPanel servers. It is a credential stealing payload which steals SSH keys, passwords,\r\nand potentially other credentials.\r\nThis family is part of a wider range of tools which are described in detail in the operation windigo whitepaper by\r\nESET.\r\nReferences\r\n2024-05-14 ⋅ ESET Research ⋅ Marc-Etienne M.Léveillé\r\nEbury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain\r\nEbury\r\n2024-05-13 ⋅ ESET Research ⋅ Marc-Etienne M.Léveillé\r\nEbury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain\r\nEbury\r\n2021-04-21 ⋅ CSIRT Italia ⋅ CSIRT Italia\r\nWindigo footprints: an Ebury variant\r\nEbury\r\n2019-06-04 ⋅ CERN ⋅ CERN Computer Security\r\nAdvisory: Windigo attacks\r\nEbury\r\n2018-12-05 ⋅ ESET Research ⋅ Marc-Etienne M.Léveillé\r\nThe Dark Side of the ForSSHe\r\nEbury\r\n2018-12-01 ⋅ ESET Research ⋅ Hugo Porcher, Marc-Etienne M.Léveillé, Romain Dumont\r\nTHE DARK SIDE OF THE FORSSHE: A landscape of OpenSSH backdoors\r\nEbury\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury\r\nPage 1 of 2\n\n2017-10-30 ⋅ ESET Research ⋅ Frédéric Vachon\r\nWindigo Still not Windigone: An Ebury Update\r\nEbury\r\n2017-03-28 ⋅ Department of Justice ⋅ Office of Public Affairs\r\nRussian Citizen Pleads Guilty for Involvement in Global Botnet Conspiracy\r\nEbury\r\n2014-10-15 ⋅ ESET Research ⋅ Olivier Bilodeau\r\nOperation Windigo: “Good job, ESET!” says malware author\r\nEbury\r\n2014-03-01 ⋅ ESET Research ⋅ Alexis Dorais-Joncas, Benjamin Vanheuverzwijn, Joan Calvet, Marc-Etienne M.Léveillé, Olivier\r\nBilodeau, Pierre-Marc Bureau\r\nOPERATION WINDIGO\r\nEbury\r\n2014-02-21 ⋅ ESET Research ⋅ Marc-Etienne M.Léveillé\r\nAn In‑depth Analysis of Linux/Ebury\r\nEbury\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury" ], "report_names": [ "elf.ebury" ], "threat_actors": [ { "id": "1934b371-2525-4615-a90a-772182bc4184", "created_at": "2022-10-25T15:50:23.396576Z", "updated_at": "2026-04-10T02:00:05.341979Z", "deleted_at": null, "main_name": "Windigo", "aliases": [ "Windigo" ], "source_name": "MITRE:Windigo", "tools": [ "Ebury" ], "source_id": "MITRE", "reports": null }, { "id": "3844202f-b24a-4e16-b7b9-dfe8c0a44d5d", "created_at": "2022-10-25T16:07:24.526179Z", "updated_at": "2026-04-10T02:00:05.023222Z", "deleted_at": null, "main_name": "Operation Windigo", "aliases": [ "G0124" ], "source_name": "ETDA:Operation Windigo", "tools": [ "CDorked", "CDorked.A", "Calfbot", "Ebury" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434680, "ts_updated_at": 1775792097, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d03fd6cfa288891bcdd277a9061f08114e41ca00.pdf", "text": "https://archive.orkl.eu/d03fd6cfa288891bcdd277a9061f08114e41ca00.txt", "img": "https://archive.orkl.eu/d03fd6cfa288891bcdd277a9061f08114e41ca00.jpg" } }