Security researchers are sounding the alarm about XorDDoS, a long-running Linux malware family used to build botnets for distributed denial-of-service (DDoS) attacks, which overwhelm a target with traffic until it can no longer serve legitimate users. Over 70% of the attacks observed between November 2023 and February 2025 targeted the United States.
According to Cisco Talos researcher Joey Chen, XorDDoS activity has grown markedly since 2020. The malware is being spread worldwide, and Talos has seen a rise in DNS requests for domains tied to its command-and-control (C2) infrastructure.
It has mostly infected Linux systems, but it is now also targeting Docker servers. Infected machines are enrolled as bots in the botnet and used to carry out DDoS attacks on command. In short, the malware is spreading more widely, hitting a broader range of targets, and growing more dangerous.
About 42% of the devices infected by XorDDoS are in the U.S.; other affected countries include Japan, Canada, Denmark, Italy, Morocco, and China.
XorDDoS is a well-known malware family that has been attacking Linux systems for over a decade. In May 2022, Microsoft reported a sharp rise in XorDDoS infections and noted that compromised hosts are often used to install further malware, such as the Tsunami backdoor, which in turn deploys a cryptocurrency miner.
For a long time, XorDDoS has relied on SSH brute-force attacks to spread. Once it guesses a valid username and password, it installs itself on the IoT devices and other internet-connected Linux systems it has logged into.
Once on a device, XorDDoS establishes persistence by adding a startup script and a cron job, so the malware is relaunched every time the device boots and re-executed on a schedule by cron.
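The persistence described above can be checked from the defender's side. The following is an added example in Python (not the article's or the malware's own code) that parses entries in the system-crontab format and scans an init-script body for commands pointing into world-writable temp directories or hidden path components. The directory lists, the heuristic itself and the sample entries are constructed assumptions, not indicators taken from XorDDoS samples.

```python
import re
from typing import List, Optional, Tuple

# Added example, not the article's or the malware's own code: generic checks for
# cron- and init-script-based persistence on a Linux host. The directory lists,
# the heuristic and the sample entries are assumptions, not XorDDoS indicators.

TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                "/usr/local/bin/", "/usr/local/sbin/", "/etc/cron.")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
CRON_TIME_FIELDS = 5

# Absolute paths inside a command string; the lookbehind keeps "*/3", "1-5/2"
# and "./x" from being read as paths.
PATH_RE = re.compile(r"(?<![\w.*-])/[\w./-]+")


def classify_path(path: str) -> str:
    """'suspect' for temp dirs or hidden components, 'trusted' for standard bin
    dirs, otherwise 'other'. Hidden components are checked first so that
    /usr/bin/.x is still flagged."""
    components = [c for c in path.split("/") if c]
    if path.startswith(TEMP_DIRS) or any(c.startswith(".") for c in components):
        return "suspect"
    if path.startswith(TRUSTED_DIRS):
        return "trusted"
    return "other"


def extract_paths(text: str) -> List[str]:
    return PATH_RE.findall(text)


def split_cron_line(line: str, system_crontab: bool = True
                    ) -> Optional[Tuple[str, Optional[str], str]]:
    """Split a crontab line into (schedule, user, command).
    System crontabs (/etc/crontab, /etc/cron.d/*) carry a user field; per-user
    crontabs do not. Returns None for blank, comment and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    n_sched = 1 if line.startswith("@") else CRON_TIME_FIELDS  # @reboot etc.
    n_user = 1 if system_crontab else 0
    parts = line.split(None, n_sched + n_user)
    if len(parts) != n_sched + n_user + 1:
        return None  # malformed entry
    schedule = " ".join(parts[:n_sched])
    user = parts[n_sched] if system_crontab else None
    return schedule, user, parts[-1]


def audit_cron_lines(lines: List[str], system_crontab: bool = True
                     ) -> List[Tuple[int, Optional[str], str, List[str]]]:
    """Return (line_no, user, schedule, suspect_paths) for every entry whose
    command references a suspect path."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        parsed = split_cron_line(line, system_crontab)
        if parsed is None:
            continue
        schedule, user, command = parsed
        suspect = [p for p in extract_paths(command) if classify_path(p) == "suspect"]
        if suspect:
            findings.append((line_no, user, schedule, suspect))
    return findings


def audit_init_script(text: str) -> List[str]:
    """Suspect paths referenced anywhere in an init/rc script body."""
    return sorted({p for p in extract_paths(text) if classify_path(p) == "suspect"})


# Constructed sample entries in /etc/crontab format (not taken from a sample).
SAMPLE_CRONTAB = [
    "# m h dom mon dow user command",
    "17 * * * * root cd / && run-parts --report /etc/cron.hourly",
    "*/3 * * * * root /tmp/.x/svc start",
    "0 2 * * * root /usr/bin/logrotate /etc/logrotate.conf",
    "@reboot root /var/tmp/.hidden/update",
]

# Constructed init-script body; the drop location is hypothetical.
SAMPLE_INIT_SCRIPT = """#!/bin/sh
### BEGIN INIT INFO
# Provides: update-svc
### END INIT INFO
case "$1" in
  start) /lib/.cache/daemon -d ;;
  stop) killall daemon ;;
esac
"""

if __name__ == "__main__":
    for line_no, user, schedule, paths in audit_cron_lines(SAMPLE_CRONTAB):
        print(f"crontab line {line_no}: user={user} schedule={schedule!r} paths={paths}")
    print("init script suspect paths:", audit_init_script(SAMPLE_INIT_SCRIPT))
```

On a live host you would feed it the contents of /etc/crontab, /etc/cron.d/*, each user's crontab (with system_crontab=False) and the scripts under /etc/init.d or /etc/rc.d. The rule is deliberately coarse: a legitimate job can live under /tmp and a dropper can sit in /usr/bin under a plausible name, so treat hits as a starting point for review rather than as a verdict.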
It also uses a hard-coded XOR key, BB2FA36AAA9541F0, to decrypt its embedded configuration, including the IP addresses of its command-and-control (C2) servers. This XOR-based obfuscation is what gives the malware its name.
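As an added example (not code from the article or from XorDDoS), the following Python shows how a repeating 16-byte XOR key such as the one quoted above hides a configuration blob, and why that protection is thin: XOR is its own inverse, and any known plaintext fragment gives the key bytes back. The NUL-separated config layout and the sample C2 addresses are constructed assumptions.

```python
from typing import List

# Added example, not code from the article or from XorDDoS: repeating-key XOR
# obfuscation of an embedded config, using the key string the article quotes.
# The NUL-separated config layout and the sample addresses are assumptions.

KEY = b"BB2FA36AAA9541F0"  # 16-byte key named in the article


def xor_bytes(data: bytes, key: bytes = KEY) -> bytes:
    """XOR each byte of data with the key, repeating the key as needed.
    XOR is its own inverse, so the same call both encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_config(blob: bytes, key: bytes = KEY) -> List[str]:
    """Decrypt a config blob and split it into its NUL-terminated strings."""
    plain = xor_bytes(blob, key)
    return [s.decode("ascii", errors="replace") for s in plain.split(b"\x00") if s]


def recover_key(blob: bytes, known_plaintext: bytes, offset: int = 0,
                key_len: int = len(KEY)) -> bytes:
    """Known-plaintext recovery of a repeating XOR key.
    Since c = p ^ k, c ^ p yields the key byte at every covered position;
    positions map back to the key modulo key_len, so a guess anywhere in the
    blob works. Key positions no guess covered are returned as b'?'."""
    recovered = bytearray(b"?" * key_len)
    for i, p in enumerate(known_plaintext):
        pos = offset + i
        recovered[pos % key_len] = blob[pos] ^ p
    return bytes(recovered)


# Constructed sample: documentation-range addresses, not real XorDDoS indicators.
SAMPLE_PLAIN = b"192.0.2.10:3502\x00c2.example.invalid:443\x00"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN)  # stands in for a blob carved from a binary


if __name__ == "__main__":
    print("decrypted config:", decrypt_config(SAMPLE_BLOB))
    # Guessing that the blob starts with an IPv4 address and port already
    # yields 15 of the 16 key bytes.
    print("key from first string: ", recover_key(SAMPLE_BLOB, b"192.0.2.10:3502"))
    # A longer guess further into the blob covers every key position.
    print("key from second string:", recover_key(SAMPLE_BLOB, b"c2.example.invalid:443", offset=16))
```

The sample-specific work an analyst still has to do is locating the encrypted blob inside the binary; once it is carved out, decryption is a single pass with the key, and even without the key a guessed address or port string recovers it.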
In 2024, researchers found a new variant of XorDDoS, referred to as the "VIP version", along with a central controller and a builder tool used to generate the malware. The presence of a builder and controller suggests XorDDoS is probably being sold to other threat actors.
The central controller manages many sub-controllers, and each sub-controller commands its own botnet of infected devices to carry out DDoS attacks. Researchers also noted that the tools and configuration strings are mostly written in Chinese, suggesting the operators are likely Chinese speakers.