Bivash Nayak
23 Jul

On July 22, 2025, cybersecurity researchers from AhnLab Security Intelligence Center (ASEC) reported active attacks deploying the SVF botnet, a Python-based DDoS malware targeting poorly managed Linux SSH servers. Threat actors exploit weak SSH credentials through brute-force attacks, installing payloads that enable DDoS capabilities, credential theft, and proxy networks for further compromises. Shared by users like @R4yt3d on X, this campaign highlights the persistent risks to exposed Linux systems. The campaign has not been attributed to a specific group, and the botnet's use of Discord for command-and-control (C2) adds a layer of stealth. Below, we explore the botnet's mechanics, infection methods, implications, and essential hardening measures.

The SVF Botnet: Python-Powered DDoS Malware

SVF is a sophisticated DDoS botnet written in Python, designed for Linux environments. It supports multiple attack types, including HTTP floods and UDP floods, and leverages infected devices as proxies to amplify assaults. The malware uses Discord webhooks for C2 communication, allowing operators to issue commands discreetly without traditional C2 servers. Key features include:

  • Modular Design: Payloads are downloaded via wget or curl, often disguised as legitimate tools like TinyProxy or Sing-Box for proxy creation.
  • Persistence Mechanisms: Modifies cron jobs and SSH configurations to ensure survival across reboots.
  • Evasion Tactics: Deletes logs, kills competing processes, and uses obfuscated scripts to avoid detection.

Observed since mid-July 2025, SVF has been tracked through honeypots, with infections leading to botnet expansion for DDoS-for-hire services.

Infection Methods: Brute-Force and Exploitation

The primary vector is brute-force attacks on SSH servers with weak or default credentials. Attackers scan for open SSH ports (typically 22) and attempt common username-password combinations, such as "root" with simple passwords. Post-compromise steps include:

  1. Initial Access: SSH login followed by execution of shell scripts to download malware.
  2. Payload Deployment: Installation of TinyProxy/Sing-Box for proxy chains and SVF binaries for DDoS functionality.
  3. Lateral Movement: Harvesting SSH keys and configs for propagation to other servers.

Attacks originate from IPs like 185.234.218.40, with payloads hosted at the same address. No advanced exploits such as zero-days are used; the campaign relies entirely on poor configurations.

Observed Tactics and Evolution

SVF's tactics emphasize stealth and scalability. Once installed, it communicates via Discord for commands like "httpflood" or "udpflood," using infected proxies to mask the attack origins. It also disables security tools, clears shell histories, and sets up backdoors. While not linked to specific nations, the patterns suggest opportunistic actors, possibly from Russia according to some reports. The botnet is evolving, with updates incorporating better obfuscation and multi-architecture support.

Implications: DDoS Capabilities and Broader Compromises

SVF infections enable powerful DDoS attacks that disrupt services and are used to extort victims. Beyond DDoS, compromised servers can serve as pivots for deeper network intrusions, data theft, or cryptocurrency mining. Organizations should therefore prioritize SSH security, as weak policies expose critical infrastructure to botnet recruitment. In cloud-heavy environments, such bots can inflate costs through resource abuse. The use of Discord for C2 complicates detection, because the malicious traffic blends with legitimate Discord use.

Defenses: Strengthening Password Policies and SSH Hardening

To mitigate SVF and similar threats, implement these measures:

  • Enforce Strong Credentials: Use complex passwords or disable password auth in favor of key-based authentication.
  • SSH Hardening: Change default ports, limit login attempts with Fail2Ban, and restrict access via firewalls or IP whitelisting.
  • Monitoring and Logging: Enable detailed SSH logging and monitor for unusual patterns like brute-force attempts or Discord outbound traffic.
  • Regular Updates and Scans: Patch systems, scan for malware, and use tools like ClamAV or endpoint protection.
  • Multi-Factor Authentication (MFA): Add MFA to SSH for an extra layer of security.
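The monitoring item above calls for spotting brute-force patterns in SSH logs. The following is an added example (not from the ASEC report or the original post) that parses sshd authentication lines, flags source IPs exceeding a failure threshold inside a time window, and separately flags a successful password login that follows failures from the same IP, which is the signature a weak-credential compromise leaves behind. The log lines, year, host name and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in syslog format (assumed year 2025); not real IoCs.
SAMPLE_LOG = """\
Jul 22 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2
Jul 22 10:01:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 51001 ssh2
Jul 22 10:01:04 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Jul 22 10:01:05 host sshd[1204]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jul 22 10:01:06 host sshd[1205]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jul 22 10:01:09 host sshd[1206]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Jul 22 10:05:00 host sshd[1300]: Accepted publickey for deploy from 198.51.100.5 port 40000 ssh2
Jul 22 10:06:00 host sshd[1301]: Failed password for root from 192.0.2.9 port 2222 ssh2
"""

# Matches both "Failed password for root ..." and "Failed password for invalid user admin ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(lines, year=2025):
    """Return (timestamp, result, method, user, ip) tuples; syslog lines carry no year."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events

def analyze(lines, threshold=5, window_s=60):
    """brute: IPs with >= threshold failures inside window_s seconds.
    suspicious: password logins from an IP that failed earlier in the same window."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    brute, suspicious = set(), []
    for ts, result, method, user, ip in sorted(parse(lines)):
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
        if result == "Failed":
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold:
                brute.add(ip)
        elif method == "password" and recent:   # key-based logins are not flagged
            suspicious.append((ip, user, ts.isoformat()))
    return brute, suspicious
```

The same parser works on `journalctl -u ssh` or `/var/log/auth.log` output; a hit in `suspicious` warrants checking that host for the cron and SSH configuration changes the article describes.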

Organizations should conduct vulnerability assessments and educate admins on best practices. For IOCs, refer to ASEC's report and monitor for indicators like specific IPs or file hashes. As botnets like SVF evolve, proactive defenses are crucial to prevent recruitment into malicious networks.
