
Researchers Uncover Attack Campaign Leveraging 25,000 Unix Servers

Operation Windigo Infects Linux Servers

A team of security researchers has uncovered a widespread attack campaign that has infected more than 25,000 Linux and UNIX servers around the world.


The finding was made by researchers from ESET, CERT-Bund, the Swedish National Infrastructure for Computing and other agencies. The servers are being hijacked by a backdoor Trojan as part of a campaign the researchers are calling ‘Operation Windigo.’ Once infected, victimized systems are leveraged to steal credentials, redirect web traffic to malicious sites and send as many as 35 million spam messages a day.

“Windigo has been gathering strength, largely unnoticed by the security community, for more than two and a half years and currently has 10,000 servers under its control,” said Pierre-Marc Bureau, security intelligence program manager at ESET, in a statement. “This number is significant if you consider each of these systems has access to significant bandwidth, storage, computing power and memory.”

Infected servers have been identified in the U.S., Germany, France and the U.K. According to the researchers, they are believed to redirect as many as half a million web visitors a day to malicious content. Windigo-affected websites attempt to infect visiting Windows computers with malware via an exploit kit, while Mac users are typically served advertisements for dating sites. iPhone owners are redirected to sites with adult content. 

Operating systems affected by the spam component include Linux, FreeBSD, OpenBSD, Mac OS X and Windows, ESET said.

ESET recommends webmasters and system administrators check their systems to see if they are compromised, and has published a detailed report presenting the findings and instructions on how to remove the malicious code if it is present. 

According to ESET, Unix system administrators and webmasters can run the following command to see whether their server's SSH client has been replaced by the Windigo backdoor (the Linux/Ebury OpenSSH trojan):

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

The test relies on the stock OpenSSH client of the time rejecting -G as an unknown (or, with BSD getopt, illegal) option, while the backdoored client accepts it silently. Note that OpenSSH 6.8 and later added a legitimate -G option that prints the effective client configuration, so on current systems this one-liner reports "System infected" whether or not the host is compromised.
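As an added example (not ESET's published command and not part of the original article), the following POSIX shell script applies the same -G heuristic but refuses to give a verdict where the heuristic cannot be trusted: it parses the client's "ssh -V" banner and, for OpenSSH 6.8 or newer (where -G is a legitimate option) or an unparseable banner, returns "inconclusive" instead of a false "infected". The version banners and -G outputs embedded below are constructed samples, not real captures, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: Windigo/Ebury "ssh -G" heuristic with a version guard.
# Assumptions (not from the article):
#   - OpenSSH >= 6.8 accepts -G legitimately, so the heuristic only
#     applies to older clients.
#   - "ssh -V" banners look like "OpenSSH_6.2p2, OpenSSL 1.0.1e ...".

# Print "MAJOR MINOR" parsed from an OpenSSH banner, or nothing if the
# banner is not one we understand (e.g. "ssh: not found").
openssh_major_minor() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# ebury_verdict BANNER G_OUTPUT
#   BANNER   : output of `ssh -V 2>&1`
#   G_OUTPUT : output of `ssh -G 2>&1`
# Prints exactly one of: clean | infected | inconclusive
ebury_verdict() {
    ver="$1"; g_out="$2"
    mm=$(openssh_major_minor "$ver")
    if [ -z "$mm" ]; then
        echo inconclusive          # cannot tell which client this is
        return 0
    fi
    set -- $mm                     # $1=major $2=minor (local to the function)
    if [ "$1" -gt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -ge 8 ]; }; then
        echo inconclusive          # -G is a real option here; no signal
        return 0
    fi
    case "$g_out" in
        *illegal*|*unknown*) echo clean ;;     # stock old client rejects -G
        *)                   echo infected ;;  # Ebury-patched client accepts -G
    esac
}

# Live wrapper: the only part that touches the local system.
check_local_ssh() {
    ebury_verdict "$(ssh -V 2>&1)" "$(ssh -G 2>&1)"
}

# Constructed sample banners and -G responses (not real captures).
OLD_STOCK='OpenSSH_6.2p2, OpenSSL 1.0.1e-fips 11 Feb 2013'
NEW_STOCK='OpenSSH_9.6p1, OpenSSL 3.0.13 30 Jan 2024'
REJECTS_G='ssh: unknown option -- G'   # BSD getopt prints "illegal option" instead
ACCEPTS_G=''                           # a client that accepts -G prints no usage error

echo "old stock client, -G rejected : $(ebury_verdict "$OLD_STOCK" "$REJECTS_G")"
echo "old client accepting -G       : $(ebury_verdict "$OLD_STOCK" "$ACCEPTS_G")"
echo "modern client, -G accepted    : $(ebury_verdict "$NEW_STOCK" "$ACCEPTS_G")"
```

Run check_local_ssh on a host you actually want to inspect; on anything shipping OpenSSH 6.8 or later it will answer "inconclusive", which is the honest result, and you should fall back to the other indicators in ESET's report rather than trusting the one-liner.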

If systems are found to be infected, ESET has advised administrators to wipe affected computers and reinstall the operating system and software. For a higher level of security in the future, technology such as two-factor authentication should be considered, ESET said.

As SecurityWeek highlighted last month, there are many misconceptions around Linux security and attacks are not something only Windows users need to worry about.

“There is a perception out there that Linux systems don’t need additional security,” David Jacoby, a senior security researcher for the Global Research and Analysis Team at Kaspersky Lab, said at the Kaspersky Lab Security Analyst Summit last month. “This is a problem since Linux servers are increasingly coming under attack,” he said. The main threats facing Linux systems aren’t zero-day vulnerabilities or malware, but things such as Trojanized applications, PHP backdoors, and malicious login attempts over SSH.

In October 2012, attackers breached several Web servers and installed a version of the “itsoknoproblembro” toolkit in order to launch a series of powerful DDoS attacks against banks and other financial institutions in the United States. The toolkit runs on both Linux and Windows.

In November 2013, Symantec discovered that a group of sophisticated attackers developed a way to evade detection by using a Linux backdoor designed to hide communications.

The full report on Operation Windigo from ESET is available here.

*Additional reporting by Mike Lennon
