Sophisticated FritzFrog P2P Botnet Returns After Long Break

A sophisticated botnet named FritzFrog has returned after a long break with new capabilities, and researchers believe it may be linked to Chinese threat actors.

FritzFrog is a Golang-based malware that can be compiled to run on various architectures and it operates completely in memory. The FritzFrog botnet uses a proprietary peer-to-peer (P2P) architecture for command and control (C&C) communications — the bots don’t get commands from a central server, but from any other device on its network.

FritzFrog has targeted SSH servers — it uses a simple brute-force technique to obtain their credentials — and once it has established an SSH session, it drops the malware and executes it.

The malware then waits for commands from its operators, including for transferring files, running scripts and binary payloads, deploying a cryptocurrency miner, and eliminating other miners from the compromised system. It also starts scanning IP addresses to spread further.

FritzFrog emerged in January 2020 and it was detailed by micro-segmentation technology startup Guardicore in August 2020. Shortly after Guardicore’s warning, the botnet seemed to disappear. However, it returned in December 2021 with new capabilities and many attack attempts — attacks peaked at 500 per day.

Akamai, which acquired Guardicore in 2021, warned last week that at least 1,500 hosts had been infected. The content delivery and security giant said the botnet has been seen targeting cloud instances, routers, and data center servers around the world.

A large concentration of victims has been seen in China, Central Europe and the United States. Targeted sectors include healthcare, higher education and government, and the list of victims singled out by Akamai includes a European TV network, a Russian healthcare equipment manufacturer, and East Asian universities.

[Image: FritzFrog infections]

According to Akamai, FritzFrog is often updated and there is some indication that its developers might be preparing to target WordPress servers. The company’s researchers also noticed that FritzFrog contains functionality for creating a Tor proxy chain that would help it become more resilient. However, the Tor proxy chain functionality has yet to be used by the malware.

Other changes observed by Akamai include the use of a public Secure Copy Protocol (SCP) library that the malware leverages to copy itself to a compromised server, and a hardcoded blocklist for ensuring that the malware avoids systems with low resources and certain IP addresses — for instance, ones that may be botnet sinkholes.

The SCP library used by FritzFrog appears to have been developed by someone in China, and the cryptocurrency mining activity has been linked to wallets previously tied to Chinese threat actors. In addition, roughly one-third of the infected systems appear to be located in China.

“These points of evidence, while not damning, lead us to believe a possible link exists to an actor operating in China, or an actor masquerading as Chinese,” Akamai said.

The company has shared indicators of compromise (IOCs), as well as a free tool that can be used to detect the presence of FritzFrog on SSH servers.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
