G0124: Windigo
Analyst context for executives and security teams
Windigo matters because it shows how compromised Linux and Unix servers can become long-lived criminal infrastructure rather than a one-time incident. The supplied ATT&CK context ties the group to Ebury, an OpenSSH backdoor and credential stealer, and to behaviors such as discovery, local data collection, command execution, proxying, and drive-by compromise. For leaders, the practical issue is whether server, SSH, and web-facing telemetry would expose a backdoored host before it is reused for spam, credential theft, or command-and-control activity.
Executive priority
Prioritize this as an operational resilience and identity-control concern for environments that depend on Linux/Unix servers, SSH administration, public web services, or container hosts. Key executive questions: Do we know which servers are externally reachable? Can we prove SSH access is monitored and credentials can be rotated quickly? Do we have integrity evidence for critical OpenSSH-related files and shared libraries? Can incident response isolate and rebuild compromised servers rather than simply removing visible malware?
Technical view
The group object has no official ATT&CK detection text and no group-level platforms or tactics, so validation should be driven by the supplied relationships. Ebury is described as an OpenSSH backdoor and credential stealer targeting Linux servers and container hosts, primarily through modified shared libraries executed by OpenSSH. SOC and IR teams should test whether they can correlate suspicious SSH authentication, shell execution, system/file/software discovery, local data access, unusual proxy behavior, and web/drive-by related activity on exposed servers.
Likely telemetry
- Linux/Unix authentication logs for SSH logins, failures, source addresses, and account usage
- Process execution and shell command telemetry for command interpreters and discovery commands
- File integrity or package integrity evidence for OpenSSH binaries, related shared libraries, and other security-sensitive system files
- Endpoint or host logs showing file and directory enumeration, system information discovery, and software inventory commands
- Network egress logs, flow records, proxy logs, and DNS evidence for unusual intermediary or relay behavior
Detection direction
- Because MITRE provides no official detection guidance for this group, start by validating telemetry coverage rather than writing group-name-only detections.
- Tune for combinations of behaviors: anomalous SSH access plus shell execution, discovery activity, local data access, or unusual outbound proxy-like connections is more actionable than any single event alone.
- Validate integrity monitoring for OpenSSH-adjacent files and shared libraries; blind spots commonly occur when servers lack EDR, FIM, or reliable package baseline data.
- Use asset criticality and exposure to reduce false positives: administrative discovery commands may be normal on managed servers, but unusual timing, source account, source network, or follow-on network egress should raise priority.
- Review web-facing telemetry where drive-by compromise is relevant, especially evidence of unauthorized content or script changes on served pages; do not assume exposure without local web server and content-change logs to support it.
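The combination rule in the second bullet above, as an added example that is not part of this page and not MITRE, Glexia or Windigo/Ebury code. It joins constructed sshd accepted-login lines, per-session process events and flow records on the sshd process id, then scores each session on four independent indicators: source outside the admin network, password login as root, distinct discovery commands, and fan-out to external hosts. The admin and internal ranges, the discovery command list and the alert threshold are assumptions to tune locally.

```python
"""Correlate SSH logins with follow-on discovery commands and proxy-like egress.

Added example for this page; not MITRE, Glexia or Windigo/Ebury code. All
log lines, networks and thresholds below are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Assumptions: where admins normally connect from, and which ranges count as internal.
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Command prefixes matching the discovery behaviors listed on this page.
DISCOVERY = ("uname", "cat /etc/os-release", "lsb_release", "dpkg -l", "rpm -qa", "find /", "ls -la /etc/ssh")
ALERT_THRESHOLD = 3  # distinct indicators needed before a session is alerted

AUTH_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port")

# Constructed sample telemetry. Process events and flows are (sshd pid, ...)
# tuples, standing in for audit records that carry the session's parent pid.
AUTH_LOG = [
    "Mar 18 02:14:07 web1 sshd[2210]: Accepted publickey for deploy from 10.0.5.12 port 51122 ssh2",
    "Mar 18 03:40:51 web1 sshd[2390]: Accepted password for root from 198.51.100.23 port 40112 ssh2",
]
PROC_EVENTS = [
    ("2210", "systemctl restart nginx"), ("2210", "uname -a"),
    ("2390", "uname -a"), ("2390", "cat /etc/os-release"),
    ("2390", "dpkg -l"), ("2390", "ls -la /etc/ssh"),
]
FLOWS = [
    ("2210", "10.0.8.4", 443),
    ("2390", "203.0.113.10", 25), ("2390", "203.0.113.11", 25), ("2390", "203.0.113.12", 25),
]


@dataclass
class Session:
    pid: str
    user: str
    method: str
    src: str
    commands: list = field(default_factory=list)
    dests: set = field(default_factory=set)


def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_sessions(auth_lines, proc_events, flows):
    """Build one Session per accepted login and attach its commands and flows."""
    sessions = {}
    for line in auth_lines:
        m = AUTH_RE.search(line)
        if m:
            sessions[m["pid"]] = Session(m["pid"], m["user"], m["method"], m["src"])
    for pid, cmd in proc_events:
        if pid in sessions:
            sessions[pid].commands.append(cmd)
    for pid, dst, port in flows:
        if pid in sessions:
            sessions[pid].dests.add((dst, port))
    return sessions


def indicators(session):
    """Return the independent indicators present for one session."""
    found = []
    if not in_nets(session.src, ADMIN_NETS):
        found.append("ssh source outside admin networks")
    if session.user == "root" and session.method == "password":
        found.append("password login as root")
    disc = {d for d in DISCOVERY for c in session.commands if c.startswith(d)}
    if len(disc) >= 2:
        found.append(f"{len(disc)} distinct discovery commands")
    ext = {dst for dst, _ in session.dests if not in_nets(dst, INTERNAL_NETS)}
    if len(ext) >= 3:
        found.append(f"proxy-like egress to {len(ext)} external hosts")
    return found


def correlate(auth_lines, proc_events, flows, threshold=ALERT_THRESHOLD):
    """Alert only on sessions that stack several indicators, never on a single one."""
    alerts = []
    for s in parse_sessions(auth_lines, proc_events, flows).values():
        why = indicators(s)
        if len(why) >= threshold:
            alerts.append({"pid": s.pid, "user": s.user, "src": s.src, "indicators": why})
    return alerts


if __name__ == "__main__":
    for a in correlate(AUTH_LOG, PROC_EVENTS, FLOWS):
        print(a)
```

Run as-is, only the root session from 198.51.100.23 is alerted, with all four indicators; the deploy session from the admin range runs one discovery command and connects to an internal host, so it scores nothing. Raising the threshold or narrowing the discovery list is the tuning lever for managed servers where administrative discovery is routine.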
Mitigation priorities
- Maintain an accurate inventory of Linux/Unix servers, container hosts, SSH exposure, and public web assets.
- Restrict and monitor SSH administrative access, enforce strong credential and key management, and prepare rapid credential rotation for suspected compromise.
- Baseline and monitor integrity of OpenSSH-related binaries, shared libraries, and critical system files; rebuild hosts from trusted sources when integrity is uncertain.
- Centralize server authentication, process, file integrity, and network egress telemetry so SOC and IR teams can investigate linked behaviors across hosts.
- Harden public-facing web services and content update paths, and ensure incident response playbooks cover server isolation, forensic preservation, credential reset, and clean rebuild.
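The integrity baseline called for in the detection-direction bullet on OpenSSH-adjacent files and in the third mitigation bullet above, as an added example that is not the page's, MITRE's or any vendor's code. It records hash, mode and size for a watch list and for every shared object in a library directory, then reports missing, changed and unbaselined files. A temporary directory stands in for the root filesystem, and the paths and library names are placeholders, not real Ebury artifacts; in production the baseline comes from a golden image or package metadata (dpkg --verify, rpm -V) and is stored off-host.

```python
"""Baseline and verify integrity of OpenSSH-related files and nearby shared libraries.

Added example, not Glexia, MITRE or vendor code. Paths and file names are
placeholders; a temporary directory stands in for the root filesystem.
"""
import hashlib
import os
import shutil
import stat
import tempfile

# Assumed watch list (paths relative to the root being checked).
WATCH = ["usr/sbin/sshd", "usr/bin/ssh", "etc/ssh/sshd_config", "etc/pam.d/sshd"]
# Directories where every shared object is baselined, so a new one is reported.
LIB_DIRS = ["lib/x86_64-linux-gnu"]


def fingerprint(path):
    """Hash, mode and size; for a symlink the link target is hashed, not the file."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        data = os.readlink(path).encode()
    else:
        with open(path, "rb") as f:
            data = f.read()
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}


def shared_objects(root):
    """Yield relative paths of every .so file under the watched library dirs."""
    for d in LIB_DIRS:
        full = os.path.join(root, d)
        if os.path.isdir(full):
            for name in sorted(os.listdir(full)):
                if ".so" in name:
                    yield os.path.join(d, name)


def take_baseline(root):
    """Record fingerprints for the watch list plus every shared object found."""
    base = {}
    for rel in list(WATCH) + list(shared_objects(root)):
        p = os.path.join(root, rel)
        if os.path.lexists(p):
            base[rel] = fingerprint(p)
    return base


def verify(root, base):
    """Return (path, finding) pairs: missing, changed fields, or unbaselined .so files."""
    findings = []
    for rel, expected in base.items():
        p = os.path.join(root, rel)
        if not os.path.lexists(p):
            findings.append((rel, "missing"))
            continue
        cur = fingerprint(p)
        changed = sorted(k for k in expected if cur[k] != expected[k])
        if changed:
            findings.append((rel, "changed:" + ",".join(changed)))
    for rel in shared_objects(root):
        if rel not in base:
            findings.append((rel, "unbaselined shared library"))
    return sorted(findings)


def demo():
    """Constructed scenario: a baselined library is modified and a new one appears."""
    root = tempfile.mkdtemp()
    try:
        files = {
            "usr/sbin/sshd": b"\x7fELF sshd placeholder",
            "etc/ssh/sshd_config": b"PermitRootLogin no\n",
            "lib/x86_64-linux-gnu/libsshhelper.so.1": b"\x7fELF library placeholder",
        }
        for rel, data in files.items():
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
            os.chmod(p, 0o644)
        base = take_baseline(root)
        # Tamper after the baseline. The page describes Ebury as installed by
        # modifying shared libraries that OpenSSH executes; the modification and
        # an extra dropped library are simulated here with placeholder bytes.
        lib = os.path.join(root, "lib/x86_64-linux-gnu/libsshhelper.so.1")
        with open(lib, "wb") as f:
            f.write(b"\x7fELF library placeholder + injected code")
        with open(os.path.join(root, "lib/x86_64-linux-gnu/libextra.so.2"), "wb") as f:
            f.write(b"\x7fELF unknown library")
        return verify(root, base)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{finding:28} {path}")
```

The scan of whole library directories is the part a hash-only watch list misses: a dropped library that no baselined file references still shows up as unbaselined. Any finding on sshd, its libraries or PAM should route to the rebuild-from-trusted-source playbook rather than to a cleanup of the flagged file.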
Analyst notes and limits
The supplied ATT&CK object identifies Windigo as operating since at least 2011, compromising thousands of Linux and Unix servers using Ebury to create a spam botnet, with Ebury updates continuing through 2019 despite law enforcement action. The most decision-useful relationship is to Ebury, because it anchors the defensive focus on SSH backdoor and credential-stealing risk. Related techniques add context for execution, discovery, collection, command-and-control proxying, and drive-by compromise.
This take is limited to the supplied ATT&CK fields, external references, and relationships. The group object does not provide official detection text, group-level tactics, or group-level platforms. Linux relevance is supported by the official description and Ebury relationship, but local applicability depends on the organization’s actual server estate, SSH exposure, logging coverage, and incident history. No claim is made about current activity or customer exposure.
Windigo
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | Windigo has used a script to detect which Linux distribution and version is currently installed on the system. (ESET ForSSHe December 2018) |
| Enterprise | T1005 | Data from Local System | Windigo has used a script to gather credentials in files left on disk by OpenSSH backdoors. (ESET ForSSHe December 2018) |
| Enterprise | T1518 | Software Discovery | Windigo has used a script to detect installed software on targeted systems. (ESET ForSSHe December 2018) |
| Enterprise | T1090 | Proxy | |
| Enterprise | T1059 | Command and Scripting Interpreter | Windigo has used a Perl script for information gathering. (ESET ForSSHe December 2018) |
| Enterprise | T1083 | File and Directory Discovery | Windigo has used a script to check for the presence of files created by OpenSSH backdoors. (ESET ForSSHe December 2018) |
| Enterprise | T1189 | Drive-by Compromise | Windigo has distributed Windows malware via drive-by downloads. (ESET Windigo Mar 2014) |
Groups, software, and campaigns
S0377: Ebury
Ebury is an OpenSSH backdoor and credential stealer targeting Linux servers and container hosts developed by Windigo. Ebury is primarily installed through modifying shared libraries (`.so` files) executed by the legitimate OpenSSH program. First seen in 2009, Ebury has been used to maintain a botnet of servers, deploy additional malware, and steal cryptocurrency wallets, credentials, and credit card details.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 798b38b04324… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET Windigo Mar 2014: Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., Léveillé, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo – the vivisection of a large Linux server‑side credential‑stealing malware campaign. Retrieved February 10, 2021.
[2] CERN Windigo June 2019: CERN. (2019, June 4). 2019/06/04 Advisory: Windigo attacks. Retrieved February 10, 2021.
[3] mitre-attack G0124: MITRE ATT&CK source record for G0124.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.