Clankerusecase
Threat-actor profile

🌐Windigo

🌐 Windigo is a tracked threat actor in the Clankerusecase corpus. Alignment: unknown. Primary motivation: unknown. We map 14 detection use cases to this actor across 7 MITRE ATT&CK techniques; no threat-intel articles in the corpus cite it yet.

- Use cases: 14
- Articles: 0
- Techniques: 7
- IOCs: 0

About this actor (MITRE)

The [Windigo](https://attack.mitre.org/groups/G0124) group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the [Ebury](https://attack.mitre.org/software/S0377) SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, [Windigo](https://attack.mitre.org/groups/G0124) operators continued updating [Ebury](https://attack.mitre.org/software/S0377) through 2019.(Citation: ESET Windigo Mar 2014)(Citation: CERN Windigo June 2019)

Known aliases

Windigo

Top techniques

All other tracked techniques

Detection use cases (14)

- Windigo / Ebury — trojanized libkeyutils.so or OpenSSH binary tampering on Linux servers (AI · profile SΣ)
- Windigo / Ebury — sshd-initiated DNS exfiltration of stolen SSH credentials (long-label TXT/A queries) (AI · profile S)
- Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution (MITRE match)
- Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes (MITRE match)
- Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain (MITRE match)
- Command injection exploited (WAF detection) (MITRE match)
- Crypto-wallet file/keystore access by non-wallet process (MITRE match)
- Falco runtime-security alert (MITRE match)
- Log4Shell RCE attempts (CVE-2021-44228) (MITRE match)
- Spring4Shell RCE attempts (CVE-2022-22963) (MITRE match; note that CVE-2022-22963 is the Spring Cloud Function SpEL injection, while Spring4Shell itself is CVE-2022-22965)
- Cisco ASA - Device File Copy Activity (MITRE match)
- Cisco ASA - Device File Copy to Remote Location (MITRE match)
- Cisco ASA - Reconnaissance Command Activity (MITRE match)
- Cisco IOS XE Reconnaissance Command Activity (MITRE match)
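Worked example for the second Windigo / Ebury use case above, added here as an illustration; it is not the corpus's own rule and not code from ESET or MITRE. It is a small Python detector that scans process-attributed DNS query logs for sshd-issued queries with long or hex-encoded labels, and decodes hex labels so the analyst can see what left the box. The key=value log format, host names, thresholds (LONG_LABEL, the 16-character hex minimum) and the sample records are constructed assumptions; real telemetry would come from an eBPF DNS monitor, Sysmon for Linux, or similar per-process resolver logging. The example goes slightly beyond the page's one-line description: it also treats any sshd TXT query as suspicious, and it deliberately excludes the PTR lookups sshd issues by design when UseDNS is enabled, which is the false-positive source a first cut of this rule usually trips over.

```python
"""Flag sshd-initiated DNS queries that look like credential exfiltration.

Added example for the Windigo / Ebury DNS-exfiltration use case; not code
from the Clankerusecase corpus, ESET or MITRE. Log format, thresholds and
sample records are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

LONG_LABEL = 20                                  # assumption: tune to your qname baseline
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")       # assumption: 8+ bytes of hex per label
REVERSE_ZONES = (".in-addr.arpa", ".ip6.arpa")   # sshd does these legitimately (UseDNS)
KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample telemetry: one query per line, attributed to the issuing process.
SAMPLE_LOG = """\
ts=2024-05-01T10:00:01Z host=web01 proc=systemd-resolved qtype=A qname=security.ubuntu.com
ts=2024-05-01T10:00:02Z host=web01 proc=sshd qtype=PTR qname=10.0.0.1.in-addr.arpa
ts=2024-05-01T10:00:03Z host=web01 proc=sshd qtype=A qname=client.corp.example
ts=2024-05-01T10:00:05Z host=web01 proc=sshd qtype=TXT qname=726f6f743a68756e74657232.7765623031.c2-example.invalid
ts=2024-05-01T10:00:06Z host=web01 proc=sshd qtype=A qname=61646d696e3a5061737377307264.7765623032.c2-example.invalid
ts=2024-05-01T10:00:07Z host=web01 proc=curl qtype=A qname=api.github.com
"""


@dataclass
class Finding:
    ts: str
    host: str
    qtype: str
    qname: str
    reasons: list = field(default_factory=list)
    decoded: str = ""          # printable ASCII recovered from hex labels, if any


def parse_line(line):
    """Parse one key=value log line into a dict (empty dict for blank/junk lines)."""
    return dict(KV.findall(line))


def try_decode_hex(label):
    """Return the printable ASCII behind a hex label, or '' if it does not decode cleanly."""
    try:
        text = bytes.fromhex(label).decode("ascii")
    except ValueError:
        return ""
    return text if text.isprintable() else ""


def inspect_query(rec):
    """Return a Finding if this record looks like sshd-initiated exfiltration, else None."""
    if rec.get("proc") != "sshd":
        return None
    qname = rec.get("qname", "").rstrip(".").lower()
    # sshd resolves client addresses (PTR, then a matching forward lookup) when
    # UseDNS is on; reverse-zone queries are expected and must not alert.
    if qname.endswith(REVERSE_ZONES):
        return None
    reasons, decoded_parts = [], []
    if rec.get("qtype") == "TXT":
        reasons.append("sshd issuing a TXT query")
    for label in qname.split("."):
        if len(label) > LONG_LABEL:
            reasons.append(f"label longer than {LONG_LABEL} chars: {label}")
        if HEX_LABEL.match(label):
            reasons.append(f"hex-encoded label: {label}")
            if (text := try_decode_hex(label)):
                decoded_parts.append(text)
    if not reasons:
        return None
    return Finding(rec.get("ts", ""), rec.get("host", ""), rec.get("qtype", ""),
                   qname, reasons, " | ".join(decoded_parts))


def scan(log_text):
    """Run inspect_query over every line of the log and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (f := inspect_query(rec)):
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host} sshd {f.qtype} {f.qname}")
        for r in f.reasons:
            print("   -", r)
        if f.decoded:
            print("   decoded:", f.decoded)
```

Running it directly prints the two exfiltration queries from the sample with the recovered `root:hunter2` and `admin:Passw0rd` strings, while the sshd PTR and forward lookups stay quiet. The companion check for the first use case, verifying libkeyutils and the OpenSSH binaries against the distribution package database (`dpkg --verify`, `rpm -V`) and reviewing which shared objects a running sshd has mapped via `/proc/<pid>/maps`, needs a live host and is not shown here.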