The ShellBot malware [2] [3] [5], also known as PerlBot [1] [4], is a threat that specifically targets poorly managed Linux SSH servers. It is used by malicious actors to deploy DDoS malware and has recently adopted a new distribution method to evade detection.


These threat actors have started using hexadecimal IP addresses [6] [7], such as “0x2763da4e” and “0x74cc54bd,” to hide their activity and make it harder to detect their actions. This change in distribution method was identified by the AhnLab Security Emergency response Center (ASEC) and is an attempt to avoid detection based on behavior.

To infect Linux systems, ShellBot can be downloaded and executed using curl and Perl. It gains access to servers with weak SSH credentials through brute-force and dictionary attacks. Once installed, ShellBot acts as a conduit for launching DDoS attacks and delivering cryptocurrency miners [4].

To protect against ShellBot and similar threats [2], it is crucial to use strong passwords and regularly change them [1] [2]. This will help defend against brute-force and dictionary attacks. It is essential to continually enhance cybersecurity defenses and remain vigilant against evolving attack techniques in the face of an ever-evolving threat landscape.


The use of ShellBot malware poses significant risks to poorly managed Linux SSH servers. By adopting new distribution methods and targeting weak credentials, threat actors can successfully compromise systems and launch DDoS attacks. To mitigate these risks, it is crucial to implement strong password practices and regularly update them. Additionally, organizations must prioritize the enhancement of cybersecurity defenses to stay ahead of evolving attack techniques. By remaining vigilant and proactive, we can better protect against the ever-changing threat landscape.