Windigo

The Windigo group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the Ebury SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, Windigo operators continued updating Ebury through 2019.[1][2]

Techniques Used

Domain      ID           Name                                 Use
Enterprise  VT0012       Command and Scripting Interpreter    Windigo has used a Perl script for information gathering.[3]
Enterprise  VT0020.001   Remote Services: SSH                 Windigo uses SSH (Remote Services) to persist on infected machines.
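The SSH persistence entry above is the technique a defender most needs a concrete check for. The script below is an added example, not code from this page or from any Windigo/Ebury analysis: it audits authorized_keys files for key blobs that are not on an allowlist (including entries hidden behind an options prefix such as command="...") and flags sshd "Accepted" logins that come from outside a trusted network, are for root, or use password authentication. Users, keys, log lines, the trusted network and the allowlist are all constructed for the demonstration.

```python
"""Hunt for SSH-based persistence: unexpected authorized_keys entries and
suspicious sshd logins. Added, generic example; not Windigo or Ebury code.
All users, keys, log lines and networks below are constructed."""
import ipaddress
import re
from pathlib import Path

# Key types recognised in authorized_keys; longer names first so the
# regex alternation cannot match a shorter name inside a longer one.
KEY_TYPES = (
    "sk-ssh-ed25519@openssh.com", "ecdsa-sha2-nistp521", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp256", "ssh-ed25519", "ssh-rsa",
)
KEY_RE = re.compile(
    r"(?:^|\s)(" + "|".join(re.escape(t) for t in KEY_TYPES) + r")\s+(\S+)(?:\s+(.*))?$"
)
# Format of a successful login line written by OpenSSH's sshd to auth.log.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample data: bob's file has an extra key, disguised with options.
SAMPLE_KEYS = {
    "alice": "ssh-ed25519 AAAAexampleAlice alice@workstation\n",
    "bob": ("# bob's laptop\n"
            "ssh-rsa AAAAexampleBob bob@laptop\n"
            'command="/usr/bin/true",no-pty ssh-rsa AAAAexampleUnknown root@unknown\n'),
}
ALLOWED_BLOBS = {"AAAAexampleAlice", "AAAAexampleBob"}
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 web1 sshd[1234]: Accepted publickey for bob from 10.0.5.7 port 51822 ssh2: RSA SHA256:constructed
Mar  3 10:16:44 web1 sshd[1240]: Accepted publickey for alice from 10.0.5.9 port 40012 ssh2: ED25519 SHA256:constructed
Mar  3 10:20:09 web1 sshd[1250]: Accepted password for root from 203.0.113.9 port 4022 ssh2
Mar  3 10:21:00 web1 sshd[1251]: Failed password for invalid user admin from 203.0.113.9 port 4030 ssh2
"""
TRUSTED_NETS = ["10.0.0.0/8"]  # assumed management network


def parse_authorized_keys(text):
    """Return one dict per key line: options prefix, key type, blob, comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            continue  # not a key line; sshd would ignore it too
        entries.append({
            "options": line[:m.start()].strip(),  # text before the key type
            "type": m.group(1),
            "blob": m.group(2),
            "comment": (m.group(3) or "").strip(),
        })
    return entries


def unexpected_keys(keys_by_user, allowed_blobs):
    """Return (user, key type, comment) for every key not on the allowlist."""
    findings = []
    for user, text in keys_by_user.items():
        for e in parse_authorized_keys(text):
            if e["blob"] not in allowed_blobs:
                findings.append((user, e["type"], e["comment"]))
    return findings


def collect_authorized_keys(home_root):
    """Read <home_root>/<user>/.ssh/authorized_keys for every user directory."""
    result = {}
    for ssh_dir in Path(home_root).glob("*/.ssh"):
        f = ssh_dir / "authorized_keys"
        if f.is_file():
            result[ssh_dir.parent.name] = f.read_text()
    return result


def parse_accepted_logins(log_text):
    """Extract (method, user, ip) from sshd 'Accepted ...' lines; failures are skipped."""
    return [m.groupdict() for m in map(ACCEPTED_RE.search, log_text.splitlines()) if m]


def suspicious_logins(logins, trusted_nets, allow_root=False):
    """Flag logins from untrusted sources, root logins, and password auth."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    out = []
    for login in logins:
        addr = ipaddress.ip_address(login["ip"])
        reasons = []
        if not any(addr in n for n in nets):
            reasons.append("untrusted source")
        if login["user"] == "root" and not allow_root:
            reasons.append("root login")
        if login["method"] == "password":
            reasons.append("password auth")
        if reasons:
            out.append((login["user"], login["ip"], ", ".join(reasons)))
    return out


if __name__ == "__main__":
    # On a real host, replace SAMPLE_KEYS with collect_authorized_keys("/home").
    for user, ktype, comment in unexpected_keys(SAMPLE_KEYS, ALLOWED_BLOBS):
        print(f"[key] {user}: {ktype} key not on allowlist ({comment!r})")
    for user, ip, why in suspicious_logins(parse_accepted_logins(SAMPLE_AUTH_LOG), TRUSTED_NETS):
        print(f"[login] {user} from {ip}: {why}")
```

Two caveats for use on real hosts: the options prefix is parsed because a planted key is often given `command=` or `no-pty` restrictions so it looks like a deployment key, and the audit only covers persistence through authorized_keys. An SSH backdoor that patches the sshd binary or a library it loads accepts logins without any key file change, so this check needs to be paired with package and binary integrity verification.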

References

ID
VG0014
Version
1.0

Created: 09 May 2021

Last Modified: 09 May 2021