Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0377: Ebury

Ebury is an OpenSSH backdoor and credential stealer targeting Linux servers and container hosts developed by Windigo. Ebury is primarily installed through modifying shared libraries (`.so` files) executed by the legitimate OpenSSH program. First seen in 2009, Ebury has been used to maintain a botnet of servers, deploy additional malware, and steal cryptocurrency wallets, credentials, and credit card details.[1][2][3][4]

EnterpriseS0377MalwareObject v2.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Ebury matters because it targets Linux servers and container hosts at the authentication layer: OpenSSH, shared libraries, PAM/authentication behavior, and credential material. For executives, this is not just “malware on Linux”; it is a risk to trusted administrative access, server integrity, and incident confidence. If an attacker can backdoor SSH or authentication components, normal logins and trusted binaries may become unreliable evidence, and stolen credentials or private keys can extend the incident beyond one host.

Executive priority

Prioritize Ebury-relevant readiness where Linux systems provide business-critical services, remote administration, container hosting, or access to sensitive credentials. Leaders should ask whether Linux authentication components are integrity-monitored, whether SSH keys and private keys are governed and rotated after compromise, whether DNS/C2 and exfiltration visibility exists, and whether audit/logging agents can detect tampering. This object also supports audit and compliance discussions around privileged access, credential protection, change control for system libraries, and incident response procedures for potentially untrustworthy hosts.

Technical view

ATT&CK describes Ebury as an OpenSSH backdoor and credential stealer for Linux servers and container hosts, commonly involving modified shared libraries executed by legitimate OpenSSH. Relationship context links it to shared module loading, dynamic linker hijacking, compromised host software binaries, authentication process/PAM modification, private key theft, rootkit-style hiding, obfuscation/deobfuscation, Unix shell and Python execution, DNS/DGA C2, encoded/encrypted C2, fallback channels, automated exfiltration, exfiltration over C2, and disabling or modifying Linux audit logging. SOC and IR teams should validate host integrity around OpenSSH, PAM, shared objects, dynamic linker configuration, auditd state, and credential stores, while also checking network telemetry for suspicious DNS/C2 patterns and possible exfiltration paths.

Likely telemetry

  • Linux file integrity and package verification data for OpenSSH binaries, PAM files, shared libraries, and dynamic linker-related configuration
  • Process execution telemetry for sshd, shells, Python, unusual child processes, and unexpected module loading behavior
  • Linux authentication logs and PAM-related events, with attention to gaps or inconsistencies
  • Linux auditd status, rule/configuration changes, service stops, log deletion, or logging gaps
  • File access telemetry for SSH private keys and other private key/certificate locations such as user .ssh directories

Detection direction

  • Do not rely only on OpenSSH process names or successful login logs; the object is specifically relevant to legitimate OpenSSH execution paths and modified shared libraries.
  • Validate integrity monitoring coverage for OpenSSH, PAM modules, shared objects, and dynamic linker configuration. Tune for unauthorized changes rather than generic file churn alone.
  • Correlate host evidence with network evidence: DNS-based C2, fallback channels, standard encoding, symmetric encryption, and exfiltration-over-C2 relationships indicate that network visibility can provide independent confirmation when host telemetry is impaired.
  • Treat Linux auditd tampering as high-signal context. Missing logs, stopped audit services, or modified audit rules should be investigated alongside authentication and SSH anomalies.
  • Expect blind spots on lightly monitored Linux servers, container hosts, and systems without EDR, file integrity monitoring, DNS logging, or centralized authentication logs.

Mitigation priorities

  • Establish strong change control and integrity verification for OpenSSH, PAM, shared libraries, and dynamic linker-related files on Linux servers and container hosts.
  • Protect and govern SSH private keys and other private key material: minimize local storage, restrict permissions, inventory key use, and rotate credentials after suspected compromise.
  • Centralize and protect Linux authentication, auditd, process, file integrity, and DNS/network logs so responders are not dependent on a potentially compromised host.
  • Harden privileged administration paths, including limiting SSH exposure, enforcing least privilege, and reviewing authentication mechanisms for unauthorized modification.
  • Prepare incident response playbooks for Linux authentication backdoors: isolate affected hosts, verify binaries/libraries from trusted sources, rotate exposed credentials/keys, and rebuild systems when integrity cannot be trusted.
Analyst notes and limits

The strongest decision value is around Linux identity and server trust. Ebury is associated in ATT&CK with Windigo, and ATT&CK describes it as an OpenSSH backdoor and credential stealer targeting Linux servers and container hosts. The relationship set is broad and points defenders toward authentication tampering, shared library abuse, rootkit-style stealth, DNS/C2 resilience, and exfiltration risk. Because official detection text is not provided, local validation should be based on the related ATT&CK techniques and the organization’s actual Linux telemetry.

MITRE did not provide an official detection section for this malware object, and the object itself lists Linux as the platform with no object-level tactics specified. The related techniques include some platforms beyond Linux, but this take treats them only as behavioral context and does not expand Ebury platform support beyond the supplied Linux platform. No claim is made here about current exploitation, customer exposure, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Ebury

Ebury is an OpenSSH backdoor and credential stealer targeting Linux servers and container hosts developed by Windigo. Ebury is primarily installed through modifying shared libraries (`.so` files) executed by the legitimate OpenSSH program. First seen in 2009, Ebury has been used to maintain a botnet of servers, deploy additional malware, and steal cryptocurrency wallets, credentials, and credit card details.[1][2][3][4]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

21 rows
Domain ID Name Relationship / procedure
Enterprise T1014 Rootkit

Ebury acts as a user land rootkit using the SSH service.[3][4]
Enterprise T1059.004 Unix Shell Sub-technique

Ebury can use the commands `Xcsh` or `Xcls` to open a shell with Ebury level permissions and `Xxsh` to open a shell with root level.[4]
Enterprise T1556.003 Pluggable Authentication Modules Sub-technique

Ebury can deactivate PAM modules to tamper with the sshd configuration.[3]
Enterprise T1071.004 DNS Sub-technique

Ebury has used DNS requests over UDP port 53 for C2.[1]
Enterprise T1008 Fallback Channels

Ebury has implemented a fallback mechanism to begin using a DGA when the attacker hasn't connected to the infected system for three days.[3]
Enterprise T1140 Deobfuscate/Decode Files or Information

Ebury has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key.[3]
Enterprise T1556 Modify Authentication Process

Ebury can intercept private keys using a trojanized ssh-add function.[1]
Enterprise T1020 Automated Exfiltration

If credentials are not collected for two weeks, Ebury encrypts the credentials using a public key and sends them via UDP to an IP address located in the DNS TXT record.CitationESET Windigo Mar 2014[4]
Enterprise T1573.001 Symmetric Cryptography Sub-technique

Ebury has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string.[1]
Enterprise T1685.004 Disable or Modify Linux Audit System Log Sub-technique

Ebury disables OpenSSH, system (`systemd`), and audit logs (`/sbin/auditd`) when the backdoor is active.[4]
Enterprise T1554 Compromise Host Software Binary

Ebury modifies the `keyutils` library to add malicious behavior to the OpenSSH client and the curl library.[1][4]
Enterprise T1027 Obfuscated Files or Information

Ebury has obfuscated its strings with a simple XOR encryption with a static key.[1]
Enterprise T1685 Disable or Modify Tools

Ebury can disable SELinux Role-Based Access Control and deactivate PAM modules.[3]
Enterprise T1132.001 Standard Encoding Sub-technique

Ebury has encoded C2 traffic in hexadecimal format.[1]
Enterprise T1059.006 Python Sub-technique

Ebury has used Python to implement its DGA.[3]
Enterprise T1574.006 Dynamic Linker Hijacking Sub-technique

When Ebury is running as an OpenSSH server, it uses LD_PRELOAD to inject its malicious shared module in to programs launched by SSH sessions. Ebury hooks the following functions from `libc` to inject into subprocesses; `system`, `popen`, `execve`, `execvpe`, `execv`, `execvp`, and `execl`.[3][4]
Enterprise T1129 Shared Modules

Ebury is executed through hooking the keyutils.so file used by legitimate versions of `OpenSSH` and `libcurl`.[4]
Enterprise T1553.002 Code Signing Sub-technique

Ebury has installed a self-signed RPM package mimicking the original system package on RPM based systems.[1]
Enterprise T1552.004 Private Keys Sub-technique

Ebury has intercepted unencrypted private keys as well as private key pass-phrases.[1]
Enterprise T1041 Exfiltration Over C2 Channel

Ebury exfiltrates a list of outbound and inbound SSH sessions using OpenSSH's `known_host` files and `wtmp` records. Ebury can exfiltrate SSH credentials through custom DNS queries or use the command `Xcat` to send the process's ssh session's credentials to the C2 server.CitationESET Windigo Mar 2014[4]
Enterprise T1568.002 Domain Generation Algorithms Sub-technique

Ebury has used a DGA to generate a domain name for C2.[1][3]
Associated objects

Groups, software, and campaigns

Group Enterprise

G0124: Windigo

The Windigo group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the Ebury SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, Windigo operators continued updating Ebury through 2019.[1][2]

Relationship explorer

All related ATT&CK context

uses · Technique T1014: Rootkit Enterprise uses · Technique T1059.004: Unix Shell Enterprise uses · Technique T1556.003: Pluggable Authentication Modules Enterprise uses · Technique T1071.004: DNS Enterprise uses · Technique T1008: Fallback Channels Enterprise uses · Technique T1140: Deobfuscate/Decode Files or Information Enterprise uses · Technique T1556: Modify Authentication Process Enterprise uses · Group G0124: Windigo Enterprise uses · Technique T1020: Automated Exfiltration Enterprise uses · Technique T1573.001: Symmetric Cryptography Enterprise uses · Technique T1685.004: Disable or Modify Linux Audit System Log Enterprise uses · Technique T1554: Compromise Host Software Binary Enterprise uses · Technique T1027: Obfuscated Files or Information Enterprise uses · Technique T1685: Disable or Modify Tools Enterprise uses · Technique T1132.001: Standard Encoding Enterprise uses · Technique T1059.006: Python Enterprise uses · Technique T1574.006: Dynamic Linker Hijacking Enterprise uses · Technique T1129: Shared Modules Enterprise uses · Technique T1553.002: Code Signing Enterprise uses · Technique T1552.004: Private Keys Enterprise uses · Technique T1041: Exfiltration Over C2 Channel Enterprise uses · Technique T1568.002: Domain Generation Algorithms Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.0
Created
Modified
Raw hash
f6d32b7781e406e5...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.0 Current bundle f6d32b7781e4…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    ESET Ebury Feb 2014

    M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.

    Open source URL
  2. [2]
    BleepingComputer Ebury March 2017

    Cimpanu, C.. (2017, March 29). Russian Hacker Pleads Guilty for Role in Infamous Linux Ebury Malware. Retrieved April 23, 2019.

    Open source URL
  3. [3]
    ESET Ebury Oct 2017

    Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021.

    Open source URL
  4. [4]
    ESET Ebury May 2024

    Marc-Etienne M.Léveillé. (2024, May 1). Ebury is alive but unseen. Retrieved May 21, 2024.

    Open source URL
  5. [5]
    Ebury

    (Citation: ESET Ebury Feb 2014)

  6. [6]
    mitre-attack S0377
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use