Cybersecurity researchers have published new details about the XorDDoS malware, which has grown both more capable and more widespread in recent years. Originally a threat to Linux servers alone, it now also compromises Docker hosts and Internet of Things (IoT) devices. The concern is that the attacks are growing in number and in complexity at the same time.
The Rise of XorDDoS Malware
XorDDoS has been around for years, but it is now more dangerous than before. Between November 2023 and February 2025, researchers found that 71.3% of observed XorDDoS attacks targeted the United States, making it by far the largest target. Japan, Canada, Denmark, Italy, Morocco, and China were also affected.
XorDDoS is malware built to launch distributed denial-of-service (DDoS) attacks, in which many compromised devices flood a website or online service with traffic until it can no longer serve legitimate users. For years it mainly targeted Linux systems, which run most servers and many internet-connected devices. It is now spreading to Docker servers, which run applications in isolated containers, and to IoT devices such as smart-home gadgets and cameras.
How XorDDoS Infects Devices
XorDDoS spreads through a common method: brute-force password attacks, usually against SSH logins. The attackers repeatedly try different username and password combinations until one works. Once they are inside a device, they install the XorDDoS malware.
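The brute-force stage described above leaves a recognisable trace on the victim: a burst of failed logins from one source, sometimes followed by a successful password login from the same address. The following detector is an added example, not code from the original article or from any researcher's toolkit; the log lines it runs over are constructed in the OpenSSH/syslog format, and the threshold and window are arbitrary choices you would tune for your environment.

```python
"""Flag SSH brute-force sources in auth.log-style lines.

Added example. SAMPLE_LOG below is constructed, not a real capture.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH's syslog format. 203.0.113.7 hammers
# root and then gets in with a password; 198.51.100.9 is a normal user.
SAMPLE_LOG = """\
Apr 20 03:14:01 host sshd[2201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Apr 20 03:14:03 host sshd[2203]: Failed password for root from 203.0.113.7 port 50124 ssh2
Apr 20 03:14:05 host sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 50126 ssh2
Apr 20 03:14:07 host sshd[2207]: Failed password for root from 203.0.113.7 port 50128 ssh2
Apr 20 03:14:09 host sshd[2209]: Failed password for root from 203.0.113.7 port 50130 ssh2
Apr 20 03:14:11 host sshd[2211]: Accepted password for root from 203.0.113.7 port 50132 ssh2
Apr 20 03:20:00 host sshd[2300]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Apr 20 03:45:00 host sshd[2310]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(TS + r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(TS + r"Accepted (\S+) for (\S+) from (\S+) port")


def parse_ts(stamp: str, year: int = 2025) -> datetime:
    """syslog timestamps carry no year; assume one (hypothetical value)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_bruteforce(lines, threshold: int = 5, window_s: int = 60) -> dict:
    """Return {src_ip: info} for sources with >= threshold failed logins
    inside any window_s-second window. info records the total failure
    count and whether a password login from that IP succeeded afterwards,
    i.e. whether the guessing worked."""
    fails = defaultdict(list)
    accepts = []  # (time, method, user, ip)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            fails[m.group(3)].append(parse_ts(m.group(1)))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            accepts.append((parse_ts(m.group(1)), m.group(2), m.group(3), m.group(4)))

    hits = {}
    for ip, times in fails.items():
        times.sort()
        j = 0  # left edge of a sliding time window
        for i, t in enumerate(times):
            while (t - times[j]).total_seconds() > window_s:
                j += 1
            if i - j + 1 >= threshold:
                later_pw = [a for a in accepts
                            if a[3] == ip and a[1] == "password" and a[0] >= t]
                hits[ip] = {"failures": len(times),
                            "password_success_after": bool(later_pw)}
                break
    return hits


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

A source that appears with `password_success_after` set is the case to treat as a compromise rather than as noise: the next thing to look for on that host is the persistence and C2 activity the following section describes.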
Once installed, the malware does not sit idle. It sets itself up to start automatically every time the device boots, so a reboot does not remove it. It uses an XOR key (the feature that gives the family its name) to decrypt the embedded configuration that holds the details of its command-and-control (C2) server, which lets the attackers direct the device remotely. From that point the device is part of a botnet: a network of compromised machines that the operators use to launch DDoS attacks against websites and services.
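The "special key" above is a repeating-key XOR applied to the malware's embedded settings, which is why analysts who recover the key from a sample can read its C2 address straight out of the binary. The decoder below is an added example and not XorDDoS code; the key, the configuration blob and the `key=value` record format are all constructed here for illustration (the real family's layout is not described on this page), and `recover_c2` is a hypothetical helper name.

```python
"""Decode a repeating-key XOR blob of the kind used to hide C2 settings.

Added example. The key and configuration blob are constructed, not taken
from a real XorDDoS sample, and the record format is hypothetical.
"""
import itertools

HYPOTHETICAL_KEY = b"example-key-0001"  # placeholder, not a real malware key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def parse_config(plain: bytes) -> dict:
    """Parse a NUL-terminated block of newline-separated key=value records.
    Undecodable bytes are replaced rather than raising, so a wrong key
    yields an empty or nonsensical dict instead of an exception."""
    text = plain.split(b"\x00", 1)[0].decode("ascii", errors="replace")
    cfg = {}
    for rec in text.split("\n"):
        if "=" in rec:
            k, v = rec.split("=", 1)
            cfg[k.strip()] = v.strip()
    return cfg


def looks_like_text(plain: bytes, min_ratio: float = 0.9) -> bool:
    """Cheap check for a candidate key: is the decoded prefix mostly printable?"""
    head = plain.split(b"\x00", 1)[0]
    if not head:
        return False
    printable = sum(1 for b in head if 0x20 <= b < 0x7F or b in b"\n\r\t")
    return printable / len(head) >= min_ratio


def recover_c2(blob: bytes, key: bytes) -> str:
    """Decrypt the blob with key and return the C2 endpoint it names."""
    return parse_config(xor_bytes(blob, key))["c2"]


# Build a constructed blob the way a sample might carry it: NUL-padded to a
# fixed size, then XORed with the key. (Constructed data, not a real sample.)
PLAINTEXT_CONFIG = b"c2=192.0.2.10:3502\nbeacon=30\nautostart=1\n\x00"
ENCRYPTED_BLOB = xor_bytes(PLAINTEXT_CONFIG.ljust(64, b"\x00"), HYPOTHETICAL_KEY)


if __name__ == "__main__":
    decoded = xor_bytes(ENCRYPTED_BLOB, HYPOTHETICAL_KEY)
    print("plausible text:", looks_like_text(decoded))
    print("config:", parse_config(decoded))
    print("C2:", recover_c2(ENCRYPTED_BLOB, HYPOTHETICAL_KEY))
```

In practice the candidate key comes from the sample itself (a string constant or a value passed to the decryption routine); `looks_like_text` is the quick way to confirm a guess before trusting what `parse_config` returns. The recovered C2 address is the indicator to block and to hunt for in flow logs from other hosts.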
The New XorDDoS Controller and Its Expanding Reach
One of the most concerning recent developments is a new version of the malware that adds a central controller. This central controller manages several sub-controllers, each of which commands its own set of infected devices. The sub-controllers issue DDoS attack commands to their botnets in a coordinated way, which makes the attacks both more powerful and harder to stop: taking down a single sub-controller does not disable the others, and the central controller keeps them in sync.
Researchers have also found a "builder" tool that generates new variants of the malware, which indicates that XorDDoS is being marketed and sold, most likely to other cybercriminals. That makes the threat harder to contain, because many unrelated groups can then run their own campaigns, driving up the number of attacks worldwide.
There are also signs that the operators may be Chinese-speaking, based on the language settings of the tools used to manage the malware. This matters because it gives analysts a clue about who might be behind the attacks and what their motivations could be.