Windigo

Threat Actor updated 2 months ago (2024-06-28T08:17:58.987Z)
Windigo is the threat actor behind Operation Windigo, a campaign first documented in a white paper published by ESET in 2014. The operation uses several malware families, with the Ebury OpenSSH backdoor and credential stealer at its core. The campaign relies on Linux server-side malware for financial gain: infected servers have their credentials stolen, have their web traffic redirected to malicious content, and are used to send spam. Since its inception in 2009, the Ebury botnet has compromised nearly 400,000 servers.

Maxim Senakh, a Russian national and one of the Ebury operators, was arrested at the Finland-Russia border in 2015 and later extradited to the United States, where he was convicted. The operation did not stop: subsequent investigation showed that the infrastructure used to exfiltrate stolen credentials was still running and that the Windigo gang was still actively deploying Ebury, which illustrates the resilience of the operation and the persistent threat it poses.

ESET's 2014 report, “Operation Windigo – The vivisection of a large Linux server-side credential stealing malware campaign”, provides an in-depth analysis of the set of malicious programs used together to infect servers and desktop computers. Notably, Windigo's operators regularly monitor publicly shared IoCs (Indicators of Compromise) and quickly change their tooling to defeat them, so detection cannot rely on published static indicators alone; this demonstrates their technical sophistication and their ability to evade detection.
Description last updated: 2024-06-28T08:16:14.973Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Ebury | 3 | Ebury is a sophisticated malware that has been causing havoc in the cyber world for over 15 years, with its main target being Linux servers. The first significant investigation into Ebury was conducted by ESET in 2014, revealing it as a key component of Operation Windigo. Ten years later, this threa
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Linux
Eset
Source Document References
Information about the Windigo Threat Actor was read from the documents listed below.
Source | Created | Title
ESET | 2 months ago | ESET Threat Report H1 2024
ESET | 4 months ago | Ebury is alive but unseen: 400k Linux servers compromised for cryptotheft and financial gain
InfoSecurity-magazine | 4 months ago | Ebury Botnet Operators Diversify with Financial and Crypto Theft
MITRE | 2 years ago | Operation Windigo – the vivisection of a large Linux server-side credential-stealing malware campaign | WeLiveSecurity
MITRE | 2 years ago | CERN Computer Security Information
MITRE | 2 years ago | Windigo Still not Windigone: An Ebury Update | WeLiveSecurity