Botnet Encyclopedia
Get in-depth analyses of attack campaigns captured by Guardicore Global Sensors Network (GGSN).
Learn about each botnet’s scope, its associated indicators of compromise (IOCs), and the attack flow.
A Telnet DDoS campaign, whose command-and-control is mainly hosted by an inactive hosting company.
This campaign, operated (supposedly) by a Romanian hacker, brute-forces SSH servers, uses an obfuscated tool called RootHelper for privilege escalation and runs XMRig to mine Monero.
A long-running campaign in which a Mirai-variant named “Sora” is deployed. The malware scans for additional victims over Telnet port 23.
In this mass-scale attack campaign, active since January, a sophisticated Golang binary is deployed on brute-forced SSH servers.
Vollgar is a mass-scale botnet deploying a remote access tool and cryptominers on its victim machines.
Dota is a cryptomining botnet exploiting SSH machines and attempting to propagate to other machines in the network.
PLEASE_READ_ME_VVV is a mass-scale ransom attack, in which the attackers choose to leave the ransom note within MySQL database tables.
The Smominru botnet and its variants MyKings and Hexmen managed to infect thousands of MS-SQL machines on a daily basis
An individual hacker based in Romania is breaching machines over SSH and executing a Monero cryptominer on them.
k8h3d is the name of the backdoor user created as part of this large cryrptomining campaign. MS-SQL servers with weak passwords are infected with a variety of malware files – a Trojan, a Monero miner and more.
Nansh0u demonstrates how attackers’ arsenal is growing stronger with fake digital certificates and advanced rootkits.
UwUsh is a Mirai-like botnet, breaching SSH machines and dropping malware supported on many difference architectures.
This campaign drops a downloader file via MySQL user-defined functions. Dating back to 2012, the malware has been in use to download a variety of malware, including the recent GandCrab ransomware.