Dropbear SSH
Dropbear SSH is a small SSH server and client that threat actors have been observed deploying as a remote access backdoor and persistence mechanism. Actors deployed Dropbear Secure Shell on victim endpoints to gain remote access over port 22, mapped to MITRE ATT&CK T1219 (Remote Access Tools). In the 2015 Ukraine Electric Power Attack, Sandworm Team installed a modified Dropbear SSH client on target systems and used it as a backdoor; Sandworm also used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. More recently, a joint U.S. government advisory published on 2026-04-07 reported Iranian-affiliated APT actors exploiting internet-facing operational technology (OT) devices in U.S. critical infrastructure sectors, including Government Services and Facilities, Water and Wastewater Systems, and Energy, and noted the deployment of Dropbear SSH on victim endpoints for remote access. That activity targeted Rockwell Automation/Allen-Bradley PLC environments, including CompactLogix and Micro850 devices, with associated malicious traffic observed on port 22 alongside the OT-related ports 44818, 2222, 102, and 502. High-confidence indicators in the advisory associated with the broader activity are the IP addresses 135.136.1[.]133, 185.82.73[.]162, 185.82.73[.]164, 185.82.73[.]165, 185.82.73[.]167, 185.82.73[.]168, 185.82.73[.]170, and 185.82.73[.]171.
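As an added example (not part of this page, the advisory, or Mallory's product), the following Python script shows how a defender would turn the indicators above into a first-pass detection: it refangs the advisory IPs, then runs three checks over firewall-style connection logs: any flow touching an advisory IP, any accepted SSH (port 22) session to a host inventoried as an OT/PLC asset, and any accepted connection to one of the OT ports (44818, 2222, 102, 502) from outside the internal ranges. The log line format, the OT asset inventory, the internal address ranges, and the sample log itself are constructed assumptions; the IP addresses and ports are the ones listed on this page.

```python
"""Match connection logs against the Dropbear SSH / OT indicators on this page.
Log format, asset inventory, internal ranges and sample lines are constructed
for the example; IPs and ports come from the advisory summary above."""
import ipaddress
import re
from dataclasses import dataclass

# Indicator IPs exactly as published on the page (defanged with "[.]").
ADVISORY_IPS_DEFANGED = [
    "135.136.1[.]133", "185.82.73[.]162", "185.82.73[.]164", "185.82.73[.]165",
    "185.82.73[.]167", "185.82.73[.]168", "185.82.73[.]170", "185.82.73[.]171",
]
SSH_PORT = 22
# OT ports named in the advisory; the protocol labels are the services
# commonly associated with these ports, not something the page states.
OT_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP (implicit I/O)",
            102: "ISO-TSAP/S7", 502: "Modbus/TCP"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("185.82.73[.]162") back into a usable address."""
    return ioc.replace("[.]", ".")


ADVISORY_IPS = {ipaddress.ip_address(refang(i)) for i in ADVISORY_IPS_DEFANGED}

# Constructed asset inventory: internal hosts known to be PLC/OT devices.
OT_ASSETS = {"10.20.0.15": "CompactLogix (constructed)",
             "10.20.0.16": "Micro850 (constructed)"}
# Constructed definition of "internal"; a real deployment uses its own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log format: "<ts> ACCEPT|DROP src=IP:PORT dst=IP:PORT".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) "
                    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$")


@dataclass
class Alert:
    ts: str
    rule: str
    src: str
    dst: str
    dport: int
    detail: str


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def scan_line(line: str) -> list[Alert]:
    """Return every alert a single log line raises (a line may raise several)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []  # unparseable line: ignore here, count it in production
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    dport, accepted = int(m["dport"]), m["action"] == "ACCEPT"
    alerts = []
    # Rule 1: published indicator on either side, even if the flow was dropped.
    if src in ADVISORY_IPS or dst in ADVISORY_IPS:
        alerts.append(Alert(m["ts"], "advisory-ip", str(src), str(dst), dport,
                            "advisory indicator IP in flow (%s)" % m["action"]))
    # Rule 2: an accepted SSH session to a PLC/OT asset (Dropbear listening there).
    if accepted and dport == SSH_PORT and str(dst) in OT_ASSETS:
        alerts.append(Alert(m["ts"], "ssh-to-ot-asset", str(src), str(dst), dport,
                            "SSH to %s" % OT_ASSETS[str(dst)]))
    # Rule 3: an OT protocol port reached from outside the internal ranges.
    if accepted and dport in OT_PORTS and not is_internal(src):
        alerts.append(Alert(m["ts"], "ot-port-from-external", str(src), str(dst), dport,
                            "%s reachable from external address" % OT_PORTS[dport]))
    return alerts


def scan_log(text: str) -> list[Alert]:
    return [a for line in text.splitlines() for a in scan_line(line)]


# Constructed sample log: one advisory IP succeeding against a PLC over SSH,
# normal internal EtherNet/IP traffic, external Modbus, a dropped probe from a
# second advisory IP, and internal SSH to a non-OT host.
SAMPLE_LOG = """\
2026-04-08T01:12:03Z ACCEPT src=185.82.73.165:51234 dst=10.20.0.15:22
2026-04-08T01:12:09Z ACCEPT src=10.20.0.50:40211 dst=10.20.0.15:44818
2026-04-08T01:13:41Z ACCEPT src=203.0.113.9:55120 dst=10.20.0.16:502
2026-04-08T01:14:00Z DROP src=135.136.1.133:44000 dst=10.20.0.16:22
2026-04-08T01:15:22Z ACCEPT src=10.20.0.50:40300 dst=10.20.0.99:22
"""

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.ts} [{a.rule}] {a.src} -> {a.dst}:{a.dport}  {a.detail}")
```

On the constructed sample this raises four alerts: two for the first line (indicator IP plus SSH to a PLC), one for the external Modbus connection, and one for the dropped probe from the second indicator IP. Rule 2 is the one most worth keeping after the advisory IPs rotate, since it keys on behaviour the page describes (SSH exposed on an OT endpoint) rather than on an address list; feed it from a real asset inventory rather than the hard-coded map here.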
Groups observed using it
2 distinct threat actors attributed by public researchers.
Additionally, the actors deployed Dropbear Secure Shell (SSH) software on victim endpoints to enable them to gain remote access through port 22 [T1219].
During the 2015 Ukraine Electric Power Attack, Sandworm Team installed a modified Dropbear SSH client as the backdoor to target systems... Sandworm Team has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Lateral Movement
1 technique
Several attack vectors, including Rockwell Automation's programming software Studio 5000 Logix Designer, are mentioned, along with common access ports and remote access tools that it has seen deployed on vulnerable devices, including Dropbear SSH software using port 22.
Command and Control
1 technique
Additionally, the actors deployed Dropbear Secure Shell (SSH) software on victim endpoints to enable them to gain remote access through port 22 [T1219].
Recent activity
3 sources tracked across advisories, community write-ups, and news.
A modified Dropbear SSH client used as a backdoor for persistent remote access (including use of a hardcoded backdoor password).
A modified Dropbear SSH client was deployed as a backdoor/persistence mechanism, including use of a hardcoded backdoor password for continued access.