XorDDoS malware continues to pose significant risks, especially to the United States, which accounted for 71.3% of attacks between November 2023 and February 2025. This malware, which primarily targets Linux machines, has evolved to expand its reach, now also infecting Docker servers. According to Cisco Talos researcher Joey Chen, the rise in XorDDoS activity is linked to a surge in malicious DNS requests related to its command-and-control (C2) infrastructure. The malware’s growing prevalence is attributed to its ability to compromise devices worldwide, particularly in the United States, Japan, Canada, and several European countries.
XorDDoS has been active for over a decade, with a marked increase in its use since 2020.
Initially, it was used to enable cryptocurrency mining malware like Tsunami, as reported by Microsoft in May 2022.
The primary method of initial infection involves brute-forcing Secure Shell (SSH) credentials on vulnerable IoT devices. Once the malware gains access, it installs itself on the target system and ensures persistence through an embedded initialization script and cron jobs, which allow it to restart automatically after reboots.
The malware uses XOR encryption with a key “BB2FA36AAA9541F0” to decrypt configuration data that includes the IP addresses required for communication with its C2 server. This sophisticated mechanism helps the malware evade detection and maintain control over compromised devices. The increasing sophistication of XorDDoS is also evident in the release of a new sub-controller, called the VIP version, which is capable of managing multiple botnets simultaneously.
These developments suggest that XorDDoS is now being marketed as a service, with the central controller capable of managing a large-scale botnet and launching coordinated DDoS attacks.
Talos researchers also found that the XorDDoS infrastructure appears to be operated by Chinese-speaking individuals, based on language settings in its multi-layer controller and builder tools. This indicates a potential shift towards more organized and commercially available malware, where XorDDoS and its sub-components are sold as tools for launching powerful DDoS attacks.