ShellBot Uses Hex IPs to Evade Detection in Attacks on Linux SSH Servers

Threat actors behind ShellBot are using hexadecimal notated IP addresses to breach weakly managed Linux SSH servers and deploy DDoS malware. The malware uses a dictionary attack to breach servers with weak SSH credentials for staging DDoS attacks and delivering cryptocurrency miners. It’s recommended users switch to stronger passwords and routinely change them. Attackers are also using abnormal certificates to spread data stealer malware such as Lumma Stealer and RecordBreaker.