Q1 2026 Malware Statistics Report for Linux SSH Servers

Analysis of attacks against Linux SSH servers during Q1 2026 reveals the P2PInfect worm as the dominant threat, representing 70.3% of all attack sources. DDoS botnets including Mirai, XMRig, Prometei, and CoinMiner were identified as primary threats. A notable campaign involved installing V2Ray proxy tools on compromised systems, attributed to a suspected Chinese threat actor. Attackers employed SSH brute-force techniques to gain access, executed reconnaissance commands to assess system information, and deployed V2Ray for proxy node operations. The campaign targeted poorly secured SSH servers with weak credentials, emphasizing the need for strong password policies, access controls, and network monitoring to detect unusual outbound connections and proxy-related activities.

Pulse ID: 69de00c30406a5cbb6ba9eef
Pulse Link: https://otx.alienvault.com/pulse/69de00c30406a5cbb6ba9eef
Pulse Author: AlienVault
Created: 2026-04-14 08:54:27

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Chinese #CoinMiner #CyberSecurity #DDoS #DoS #ICS #InfoSec #Linux #Malware #Mirai #OTX #OpenThreatExchange #Password #Proxy #RAT #RCE #SSH #Word #Worm #bot #botnet #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange
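The pulse above describes the intrusion chain as SSH brute-force, then reconnaissance, then tool deployment. The following is an added defender-side example, not code from the pulse, AlienVault or the underlying report: it parses sshd authentication log lines, flags a source address whose failed logins reach a threshold inside a sliding time window, and marks whether that source later obtained an accepted login, which is the point at which the reconnaissance and V2Ray deployment described above would begin. The log lines are constructed for the example (documentation-range IPs, Debian-style syslog layout), and the threshold and window values are assumptions to tune per environment.

```python
"""Added example (not from the OTX pulse or the report it summarizes):
detect SSH brute-force bursts in sshd auth log lines and flag a source that
succeeds after a burst. Sample lines are constructed; IPs are from the
documentation ranges 203.0.113.0/24 and 198.51.100.0/24."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the traditional syslog format written by OpenSSH
# on Debian/Ubuntu hosts (assumed format; adjust LINE_RE for journald output).
SAMPLE_LOG = """\
Mar 03 02:14:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 03 02:14:03 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar 03 02:14:04 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 03 02:14:06 web1 sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 51028 ssh2
Mar 03 02:14:07 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 03 02:14:09 web1 sshd[2111]: Accepted password for root from 203.0.113.7 port 51032 ssh2
Mar 03 02:20:00 web1 sshd[2200]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Mar 03 02:20:30 web1 sshd[2202]: Accepted publickey for alice from 198.51.100.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text, year=2026):
    """Turn matching sshd lines into (timestamp, ip, user, result, method) tuples.
    Syslog lines carry no year, so one is supplied (assumed 2026 here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd message or other daemon
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"], m["method"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: {"failures": n, "succeeded_after_burst": bool}} for every source
    whose failed logins reach `threshold` within any `window`. A later Accepted
    login from the same source is flagged: that host should be treated as
    compromised and checked for recon commands and new outbound proxy traffic."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fail_times = [ts for ts, _, _, res, _ in evs if res == "Failed"]
        burst_end = None
        start = 0
        # Sliding window over failure timestamps: advance `start` until the
        # window [start, end] fits inside `window`, then test its size.
        for end in range(len(fail_times)):
            while fail_times[end] - fail_times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fail_times[end]
                break
        if burst_end is None:
            continue  # below threshold: ordinary typos or a single failed key
        succeeded = any(ts > burst_end and res == "Accepted" for ts, _, _, res, _ in evs)
        findings[ip] = {"failures": len(fail_times), "succeeded_after_burst": succeeded}
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

Run against the sample, only 203.0.113.7 is reported: five failures inside one minute followed by an accepted root password login. The single failure from 198.51.100.5 followed by a key-based login stays below the threshold, which is the distinction a brute-force rule needs to avoid paging on every mistyped password.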
500 Tbps of capacity: 16 years of scaling our global network

Cloudflare’s global network has officially crossed 500 Tbps of external capacity, enough to route more than 20% of the web and absorb the largest DDoS attacks ever recorded.

The Cloudflare Blog
You know you're tired when your astigmatism turns #DS9 into #DDoS

ASO RAT: Arabic-Language Android Surveillance Platform Targeting Syria

ASO RAT is a custom Android Remote Access Trojan featuring comprehensive device compromise capabilities including SMS interception, camera access, GPS tracking, call logging, file exfiltration, and DDoS functionality. Operating from Frankfurt-based infrastructure with connections to Syria, the platform disguises itself as PDF readers and Syrian government applications. Investigation revealed two active C2 servers, four DDNS domains, eight malicious APK samples with the newest achieving 0/66 antivirus detections, and complete reverse-engineered panel architecture exposing 21 API endpoints. The multi-user panel with role-based access control suggests RAT-as-a-Service operations. Infrastructure includes historical VPS providers and Starlink satellite connections geolocated to Syria. The developer's Arabic-language interface and Syria-themed lures indicate targeting of opposition figures, journalists, and military personnel within the Syrian conflict theater.

Pulse ID: 69dd062fb9ecc388e52457d3
Pulse Link: https://otx.alienvault.com/pulse/69dd062fb9ecc388e52457d3
Pulse Author: AlienVault
Created: 2026-04-13 15:05:19

#APK #Android #Arabic #CyberSecurity #DDoS #DNS #DoS #ELF #Endpoint #Government #InfoSec #Military #OTX #OpenThreatExchange #PDF #RAT #RCE #RemoteAccessTrojan #SMS #Syria #Trojan #bot #AlienVault

LevelBlue - Open Threat Exchange

Alleged German cybercrime figure Noah Christopher has been arrested in Thailand after years running global DDoS-for-hire services, including Fluxstress and Neldowner, worldwide.

Read: https://hackread.com/german-ddos-for-hire-kingpin-fluxstress-thailand/

#CyberCrime #CyberSecurity #DDoS #Fluxstress #Neldowner

Alleged German DDoS-for-Hire Kingpin Behind Fluxstress Caught in Thailand

Alleged German cybercrime figure behind Fluxstress and Neldowner arrested in Thailand after years running global DDoS-for-hire services across countries.

Hackread - Cybersecurity News, Data Breaches, AI and More

New report from our ERT: #Maskify.

The operator built what a Series A deck would call "decentralized edge infrastructure": ENS for service discovery, IPFS for binary distribution, a custom P2P mesh network, QUIC transport.

In practice it is a DDoS botnet running on Android TV boxes that did not opt in.

https://github.com/deepfield/public-research/blob/main/maskify/report.md

#threatintel #ddos

public-research/maskify/report.md at main · deepfield/public-research

DDoS botnet research and indicators of compromise from Nokia Deepfield ERT - deepfield/public-research

GitHub
Just as a follow-up on the topic, by way of reflection, so you can see how much energy gets wasted dealing with the attacks and all that. The graph shows how the servers' power consumption rises, caused mainly by the increased load on Centaurus, the main server where PeerTube runs. It went from an average of 360-370 W to about 450-480 W toward the end of the attack. So much energy burned for nothing. #energia #servidores #undernet #spam #malware #ataque #ddos

Our PeerTube instance is being bombarded by bots scraping and making video transcoding requests. Fortunately I'm putting the finishing touches on a script that kicks their ass when it detects several things that give them away... Luckily the server is holding up pretty well... more to come... #peertube #bots #scraping #scrapingbots #ddos

Bug reports written with #KI (AI) assistance are apparently getting better and better. For open-source projects, that is still not only good news.

These reports now sometimes arrive so fast and in such numbers that they effectively amount to a kind of #DDoS on the maintainers, and some projects can no longer pay #Bug bounties at all.

https://www.golem.de/news/wichtiges-bug-bounty-programm-pausiert-ki-reports-ueberlasten-open-source-projekte-2604-207325.html

Important bug bounty program paused: AI reports overwhelm open-source projects - Golem.de

Internet Bug Bounty is paying no rewards for the time being. Among others, this affects Node.js. The reason: with AI, a lot gets reported but little gets fixed.

Golem.de
🎨 Hacking is an art and defending is a science. Master both with the OWASP Top 10 Course 🔬 Saturdays April 18 and 25, 2026. From 9 am to 12 pm (UTC -05:00) 📲 WhatsApp: https://wa.me/51949304030 🤖 https://www.reydes.com/archivos/cursos/Curso_OWASP_Top_10.pdf #zeroday #ddos #databreach #cyberattack #cyberaware #cybersecurityawareness #owasp