Windigo is a threat actor known for its malicious campaign, Operation Windigo, which was first brought to light in a white paper published by ESET in 2014. The operation involved multiple malware families, with the Ebury malware family at its core. The campaign leveraged Linux malware for financial gain, infecting systems to steal credentials, redirect web traffic to malicious content, and send spam. Since its inception in 2009, the Ebury botnet has compromised nearly 400,000 servers.
Despite the arrest and conviction of Russian national Maxim Senakh, one of the Ebury operators, at the Finland-Russia border in 2015, the Windigo operation remains active and continues to expand. After Senakh's extradition to the US, further investigation revealed that the infrastructure for exfiltrating credentials was still operational and that Ebury was still being actively used by the Windigo gang. This illustrates the resilience of the operation and the persistent threat it poses.
Today, ESET researchers are publishing a report titled “Operation Windigo – The vivisection of a large Linux server-side credential stealing malware campaign”. The report provides an in-depth analysis of the set of malicious programs used together to infect servers and desktop computers. Notably, Windigo’s operators regularly monitor publicly shared IoCs (Indicators of Compromise) and quickly adapt their tooling so that published indicators no longer match, demonstrating their technical sophistication and ability to evade detection.
Description last updated: 2024-06-28T08:16:14.973Z