According to a report from CrowdStrike, attacks against devices running Linux rose over 35% in 2021 compared to 2020.

The report also named the top Linux malware families responsible for the majority of the attacks. These are XorDDoS, Mozi, and Mirai, which accounted for more than 22% of the total attacks last year, researchers said.

Rise of Linux Malware Attacks

Operating systems like Android, Windows, iOS, and macOS are all customer-facing since they’re simple. But most of them run on one critical thing called the Linux kernel, which is an important base for all of the above OSes. There are also many projects that tweak Linux to form several distributions, to build desired applications.

Since it’s the core of all, attacking Linux is an obvious idea for many threat actors, and they did so at a rapid pace in 2021. As per a report from CrowdStrike, Linux malware attacks grew by over 35% in 2021 compared to the previous year. The report also named three malware families that are prominent in these attacks:


XorDDoS, the first of these Linux malware families, rose over 123% last year and targets systems ranging from ARM (IoT) to x64 (servers). It derives its name from its use of XOR encryption for C2 communications, and it gains access by brute-forcing vulnerable devices over SSH. On IoT devices, it uses port 2375 to get root access.


Next up is the Mozi botnet, which works on a P2P model and uses the distributed hash table (DHT) lookup system for hiding its suspicious C2 communications. As per researchers, Mozi has been in operation for a long time and has been developing gradually by adding new features regularly.


The last one is Mirai, an open-source botnet with many forks circulating in the wild. It’s a pain for the IoT industry, as several variants of it, like Dark Mirai and Moobot, made notable hits last year. They brute-force IoT devices that have weak credentials to gain access.
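The SSH password guessing described in the XorDDoS and Mirai paragraphs leaves a recognizable trail in sshd logs. As an added example (not from the CrowdStrike report or the original article), this Python code flags source addresses with repeated failed password logins and notes whether a password login later succeeded; the log lines, the threshold and the name `find_bruteforce` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH sshd syslog format (not from the report).
SAMPLE_LOG = """\
Jan 10 03:14:01 gw sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan 10 03:14:03 gw sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Jan 10 03:14:05 gw sshd[812]: Failed password for invalid user pi from 203.0.113.7 port 40144 ssh2
Jan 10 03:14:08 gw sshd[813]: Failed password for root from 203.0.113.7 port 40151 ssh2
Jan 10 03:14:11 gw sshd[814]: Accepted password for root from 203.0.113.7 port 40160 ssh2
Jan 10 08:30:12 gw sshd[901]: Failed password for alice from 198.51.100.20 port 51512 ssh2
Jan 10 08:30:20 gw sshd[901]: Accepted password for alice from 198.51.100.20 port 51512 ssh2
Jan 10 09:02:44 gw sshd[950]: Accepted publickey for deploy from 192.0.2.15 port 60022 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_bruteforce(log_text, min_failures=4):
    """Return {ip: report} for sources with >= min_failures failed password logins.

    report["compromised"] is the user of the first password login that
    succeeded after the threshold was reached, or None if none did.
    """
    failures = defaultdict(int)
    users = defaultdict(set)
    compromised = {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m or m["method"] != "password":
            continue  # key-based logins cannot be guessed like passwords
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
            users[ip].add(m["user"])
        elif failures[ip] >= min_failures and ip not in compromised:
            compromised[ip] = m["user"]
    return {
        ip: {"failures": n, "users_tried": sorted(users[ip]),
             "compromised": compromised.get(ip)}
        for ip, n in failures.items() if n >= min_failures
    }

if __name__ == "__main__":
    for ip, report in find_bruteforce(SAMPLE_LOG).items():
        print(ip, report)
```

A flagged address with a non-empty `compromised` field is the case to triage first, since it means a guessed password was accepted.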

Together, the three malware families above (including their sub-variants) contributed to 22% of the total Linux attacks last year. They are used for various purposes, such as DDoS attacks, mining cryptocurrency, facilitating spam mail campaigns, serving as relays or entry points to corporate networks, and even acting as C2 servers for hackers.

