Ebury [1] [2], a long-running server-side malware campaign whose operators have been active since 2009 [2] [3], has compromised nearly 400,000 Linux [1], FreeBSD [1] [2], and OpenBSD servers worldwide [1] [2].

Description

Over 100,000 servers were still compromised as of late 2023. Ebury has expanded its tactics to include credit card compromise and cryptocurrency theft [2], targeting universities, enterprises [1], internet providers [1], cryptocurrency traders [1] [2] [3], Tor exit nodes [1], hosting providers [1], and dedicated server nodes [1]. The group's recent attack methods involve intercepting SSH traffic to steal credentials and cryptocurrency wallets [2].

ESET experts recommend basic cybersecurity practices to mitigate the risk of infection by similar threats: creating strong passwords [1], using multi-factor authentication [1], avoiding unknown email links [1], applying software updates promptly [1], and deploying solutions that protect corporate network devices from modern attack vectors [1].

Ebury's new major version [2], version 1.8 [2], includes new obfuscation techniques and improvements in hiding itself from system administrators [2]. In 2023, the group's activity reached record levels [3], with over 6,000 compromised servers recorded in August [3]. Overall, Ebury targeted over 200 victims across 34 countries between February 2022 and May 2023 [2].

The group has also targeted Bitcoin and Ethereum nodes [3], using advanced methods such as ARP spoofing to steal cryptocurrency wallets, and has updated its malware family with a domain generation algorithm [3].

Conclusion

The impact of Ebury's activities is significant, with a large number of compromised servers and victims across multiple countries. Mitigating the risk of infection requires implementing the basic cybersecurity practices recommended by experts. The group's evolving tactics and advanced methods underline the need to stay vigilant and proactive in defending against such threats.

References

[1] https://www.eset.com/ua/about/newsroom/press-releases/malware/kiberzlochyntsi-atakuvaly-400-tysyach-serveriv-linux/
[2] https://www.infosecurity-magazine.com/news/ebury-botnet-diversify-crypto-theft/
[3] https://ciso2ciso.com/ebury-botnet-operators-diversify-with-financial-and-crypto-theft-source-www-infosecurity-magazine-com/