G0124 · 7 ATT&CK techniques · 0 correlated reports

Windigo

Aliases: None listed

The Windigo group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the Ebury SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, Windigo operators continued updating Ebury through 2019.
