S0377: Ebury
Ebury is an OpenSSH backdoor and credential stealer targeting Linux servers and container hosts developed by Windigo. Ebury is primarily installed through modifying shared libraries (`.so` files) executed by the legitimate OpenSSH program. First seen in 2009, Ebury has been used to maintain a botnet of servers, deploy additional malware, and steal cryptocurrency wallets, credentials, and credit card details.[1][2][3][4]
Analyst context for executives and security teams
Ebury matters because it targets Linux servers and container hosts at the authentication layer: OpenSSH, shared libraries, PAM/authentication behavior, and credential material. For executives, this is not just “malware on Linux”; it is a risk to trusted administrative access, server integrity, and incident confidence. If an attacker can backdoor SSH or authentication components, normal logins and trusted binaries may become unreliable evidence, and stolen credentials or private keys can extend the incident beyond one host.
Executive priority
Prioritize Ebury-relevant readiness where Linux systems provide business-critical services, remote administration, container hosting, or access to sensitive credentials. Leaders should ask whether Linux authentication components are integrity-monitored, whether SSH keys and private keys are governed and rotated after compromise, whether DNS/C2 and exfiltration visibility exists, and whether audit/logging agents can detect tampering. This object also supports audit and compliance discussions around privileged access, credential protection, change control for system libraries, and incident response procedures for potentially untrustworthy hosts.
Technical view
ATT&CK describes Ebury as an OpenSSH backdoor and credential stealer for Linux servers and container hosts, commonly involving modified shared libraries executed by legitimate OpenSSH. Relationship context links it to shared module loading, dynamic linker hijacking, compromised host software binaries, authentication process/PAM modification, private key theft, rootkit-style hiding, obfuscation/deobfuscation, Unix shell and Python execution, DNS/DGA C2, encoded/encrypted C2, fallback channels, automated exfiltration, exfiltration over C2, and disabling or modifying Linux audit logging. SOC and IR teams should validate host integrity around OpenSSH, PAM, shared objects, dynamic linker configuration, auditd state, and credential stores, while also checking network telemetry for suspicious DNS/C2 patterns and possible exfiltration paths.
Likely telemetry
- Linux file integrity and package verification data for OpenSSH binaries, PAM files, shared libraries, and dynamic linker-related configuration
- Process execution telemetry for sshd, shells, Python, unusual child processes, and unexpected module loading behavior
- Linux authentication logs and PAM-related events, with attention to gaps or inconsistencies
- Linux auditd status, rule/configuration changes, service stops, log deletion, or logging gaps
- File access telemetry for SSH private keys and other private key/certificate locations such as user .ssh directories
Detection direction
- Do not rely only on OpenSSH process names or successful login logs; the object is specifically relevant to legitimate OpenSSH execution paths and modified shared libraries.
- Validate integrity monitoring coverage for OpenSSH, PAM modules, shared objects, and dynamic linker configuration. Tune for unauthorized changes rather than generic file churn alone.
- Correlate host evidence with network evidence: DNS-based C2, fallback channels, standard encoding, symmetric encryption, and exfiltration-over-C2 relationships indicate that network visibility can provide independent confirmation when host telemetry is impaired.
- Treat Linux auditd tampering as high-signal context. Missing logs, stopped audit services, or modified audit rules should be investigated alongside authentication and SSH anomalies.
- Expect blind spots on lightly monitored Linux servers, container hosts, and systems without EDR, file integrity monitoring, DNS logging, or centralized authentication logs.
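As an added illustration of the integrity and dynamic-linker checks listed above (example code written for this page, not from ATT&CK, ESET or Glexia), the script below compares SHA-256 hashes of watched shared objects against a baseline captured from a trusted source and flags any entry in `/etc/ld.so.preload` that is not explicitly allowlisted. The baseline dictionary, the paths and the sandbox contents in `demo()` are constructed assumptions; on a real host the baseline would come from package metadata or a golden image.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large libraries are handled cheaply."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_integrity(baseline):
    """Return (kind, path) findings for files that are missing or differ from the trusted baseline."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append(("missing", path))
        elif sha256_of(path) != expected:
            findings.append(("modified", path))
    return findings


def check_ld_preload(preload_path, allowlist=frozenset()):
    """Flag non-allowlisted entries in ld.so.preload; on most hosts the file is absent or empty."""
    if not os.path.exists(preload_path):
        return []
    findings = []
    with open(preload_path, encoding="utf-8") as handle:
        for line in handle:
            entry = line.split("#", 1)[0].strip()  # ignore comments and blank lines
            if entry and entry not in allowlist:
                findings.append(("unexpected_preload", entry))
    return findings


def demo():
    """Constructed sandbox standing in for a host: snapshot a library, change it, add a preload entry."""
    root = Path(tempfile.mkdtemp())
    lib = root / "usr/lib/libkeyutils.so.1"  # assumed path, mirrors the library Ebury is known to modify
    lib.parent.mkdir(parents=True)
    lib.write_bytes(b"constructed trusted build")
    baseline = {str(lib): sha256_of(lib)}  # baseline captured while the file is trusted
    lib.write_bytes(b"constructed trusted build" + b"\x00changed")  # simulated unauthorized change
    (root / "etc").mkdir()
    (root / "etc/ld.so.preload").write_text("/usr/lib/libkeyutils.so.1\n", encoding="utf-8")
    return check_integrity(baseline) + check_ld_preload(str(root / "etc/ld.so.preload"))
```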
Mitigation priorities
- Establish strong change control and integrity verification for OpenSSH, PAM, shared libraries, and dynamic linker-related files on Linux servers and container hosts.
- Protect and govern SSH private keys and other private key material: minimize local storage, restrict permissions, inventory key use, and rotate credentials after suspected compromise.
- Centralize and protect Linux authentication, auditd, process, file integrity, and DNS/network logs so responders are not dependent on a potentially compromised host.
- Harden privileged administration paths, including limiting SSH exposure, enforcing least privilege, and reviewing authentication mechanisms for unauthorized modification.
- Prepare incident response playbooks for Linux authentication backdoors: isolate affected hosts, verify binaries/libraries from trusted sources, rotate exposed credentials/keys, and rebuild systems when integrity cannot be trusted.
Analyst notes and limits
The strongest decision value is around Linux identity and server trust. Ebury is associated in ATT&CK with Windigo, and ATT&CK describes it as an OpenSSH backdoor and credential stealer targeting Linux servers and container hosts. The relationship set is broad and points defenders toward authentication tampering, shared library abuse, rootkit-style stealth, DNS/C2 resilience, and exfiltration risk. Because official detection text is not provided, local validation should be based on the related ATT&CK techniques and the organization’s actual Linux telemetry.
MITRE did not provide an official detection section for this malware object, and the object itself lists Linux as the platform with no object-level tactics specified. The related techniques include some platforms beyond Linux, but this take treats them only as behavioral context and does not expand Ebury platform support beyond the supplied Linux platform. No claim is made here about current exploitation, customer exposure, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1014 | Rootkit | Ebury acts as a userland rootkit using the SSH service. (Citation: ESET Ebury Oct 2017) (Citation: ESET Ebury May 2024) |
| Enterprise | T1059.004 | Unix Shell Sub-technique | |
| Enterprise | T1556.003 | Pluggable Authentication Modules Sub-technique | Ebury can deactivate PAM modules to tamper with the sshd configuration. (Citation: ESET Ebury Oct 2017) |
| Enterprise | T1071.004 | DNS Sub-technique | Ebury has used DNS requests over UDP port 53 for C2. (Citation: ESET Ebury Feb 2014) |
| Enterprise | T1008 | Fallback Channels | Ebury has implemented a fallback mechanism to begin using a DGA when the attacker hasn't connected to the infected system for three days. (Citation: ESET Ebury Oct 2017) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Ebury has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key. (Citation: ESET Ebury Oct 2017) |
| Enterprise | T1556 | Modify Authentication Process | Ebury can intercept private keys using a trojanized |
| Enterprise | T1020 | Automated Exfiltration | If credentials are not collected for two weeks, Ebury encrypts the credentials using a public key and sends them via UDP to an IP address located in the DNS TXT record. (Citation: ESET Windigo Mar 2014) (Citation: ESET Ebury May 2024) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Ebury has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string. (Citation: ESET Ebury Feb 2014) |
| Enterprise | T1685.004 | Disable or Modify Linux Audit System Log Sub-technique | Ebury disables OpenSSH, system (`systemd`), and audit logs (`/sbin/auditd`) when the backdoor is active. (Citation: ESET Ebury May 2024) |
| Enterprise | T1554 | Compromise Host Software Binary | Ebury modifies the `keyutils` library to add malicious behavior to the OpenSSH client and the curl library. (Citation: ESET Ebury Feb 2014) (Citation: ESET Ebury May 2024) |
| Enterprise | T1027 | Obfuscated Files or Information | Ebury has obfuscated its strings with a simple XOR encryption with a static key. (Citation: ESET Ebury Feb 2014) |
| Enterprise | T1685 | Disable or Modify Tools | Ebury can disable SELinux Role-Based Access Control and deactivate PAM modules. (Citation: ESET Ebury Oct 2017) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | Ebury has encoded C2 traffic in hexadecimal format. (Citation: ESET Ebury Feb 2014) |
| Enterprise | T1059.006 | Python Sub-technique | Ebury has used Python to implement its DGA. (Citation: ESET Ebury Oct 2017) |
| Enterprise | T1574.006 | Dynamic Linker Hijacking Sub-technique | When Ebury is running as an OpenSSH server, it uses LD_PRELOAD to inject its malicious shared module into programs launched by SSH sessions. Ebury hooks the following functions from `libc` to inject into subprocesses: `system`, `popen`, `execve`, `execvpe`, `execv`, `execvp`, and `execl`. (Citation: ESET Ebury Oct 2017) (Citation: ESET Ebury May 2024) |
| Enterprise | T1129 | Shared Modules | Ebury is executed through hooking the keyutils.so file used by legitimate versions of `OpenSSH` and `libcurl`. (Citation: ESET Ebury May 2024) |
| Enterprise | T1553.002 | Code Signing Sub-technique | Ebury has installed a self-signed RPM package mimicking the original system package on RPM-based systems. (Citation: ESET Ebury Feb 2014) |
| Enterprise | T1552.004 | Private Keys Sub-technique | Ebury has intercepted unencrypted private keys as well as private key pass-phrases. (Citation: ESET Ebury Feb 2014) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Ebury exfiltrates a list of outbound and inbound SSH sessions using OpenSSH's `known_host` files and `wtmp` records. Ebury can exfiltrate SSH credentials through custom DNS queries or use the command `Xcat` to send the process's ssh session's credentials to the C2 server. (Citation: ESET Windigo Mar 2014) (Citation: ESET Ebury May 2024) |
| Enterprise | T1568.002 | Domain Generation Algorithms Sub-technique | Ebury has used a DGA to generate a domain name for C2. (Citation: ESET Ebury Feb 2014) (Citation: ESET Ebury Oct 2017) |
Groups, software, and campaigns
G0124: Windigo
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | f6d32b7781e4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET Ebury Feb 2014: M. Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
[2] BleepingComputer Ebury March 2017: Cimpanu, C. (2017, March 29). Russian Hacker Pleads Guilty for Role in Infamous Linux Ebury Malware. Retrieved April 23, 2019.
[3] ESET Ebury Oct 2017: Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update. Retrieved February 10, 2021.
[4] ESET Ebury May 2024: Marc-Etienne M. Léveillé. (2024, May 1). Ebury is alive but unseen. Retrieved May 21, 2024.
[5] Ebury (Citation: ESET Ebury Feb 2014)
[6] mitre-attack S0377
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.