🇷🇺

Windigo

APT Group ETDA ✓

Also Known As

No alias recorded

Target Countries 14

Countries highlighted in red

Canada Germany Spain France United Kingdom Italy Japan Mexico Netherlands Russian Federation Province of China Taiwan Ukraine United States South Africa

Sectors Targeted

Insurance Carriers and Related Activities 524 Educational Services 61 Finance and Insurance 52 Gaming Electronic Shopping and Mail-Order Houses 4541 Information 51 Publishing Industries (except Internet) 511 Software Publishers 5112 NAICS:44 44 Arts, Entertainment, and Recreation 71 Public Administration 92 Other Information Services 519 Financial

Details

Origin 🇷🇺 RU

Last Updated 18 Apr 2025

Malware Families 1

glupteba_proxy

MITRE ATT&CK 8

T1005 - Data from Local System T1059 - Command and Scripting Interpreter T1082 - System Information Discovery T1083 - File and Directory Discovery T1090 - Proxy T1189 - Drive by Compromise T1518 - Software Discovery T1543 - Create or Modify System Process

Related Zero-Days

No zero-day CVE linked to this actor

Known Names 2 entries

Operation Windigo ESET

G0124 MITRE

Observed Target Countries 1

Based on ETDA data — countries highlighted in red

Worlwide

Description

(ESET) This document details a large and sophisticated operation, code named “Windigo”, in which a malicious group has compromised thousands of Linux and Unix servers. The compromised servers are used to steal SSH credentials, redirect web visitors to malicious content and send spam. This operation has been ongoing since at least 2011 and has affected high profile servers and companies, including cPanel – the company behind the famous web hosting control panel – and Linux Foundation’s kernel.org – the main repository of source code for the Linux kernel. However this operation is not about stealing company resources or altering Linux’s source code as we will unveil throughout the report. The complexity of the backdoors deployed by the malicious actors shows out of the ordinary knowledge of operating systems and programming. Additionally, extra care was given to ensure portability, meaning the various pieces of malware will run on a wide range of server operating systems and to do so in an extremely stealthy fashion. The Windigo operation does not leverage any new vulnerability against Linux or Unix systems. Known systemic weaknesses were exploited by the malicious actors in order to build and maintain their botnet.

Tools Used 3

Calfbot CDorked Ebury

Reports & References 1

https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

ETDA Profile

Operation Windigo

Origin

Russia

First Seen 2011

Motivation

Financial gain

MITRE ATT&CK Groups

https://attack.mitre.org/groups/G0124/

View on ETDA APT Groups ↗