Dropbear
Dropbear is Secure Shell (SSH) software that, in the provided reporting, is used by threat actors as a remote-access backdoor on victim systems. CERT-UA and ESET reported that BlackEnergy used its modular plugin architecture to download and maintain a variant of the Dropbear SSH backdoor during the Ukraine attacks, alongside the destructive KillDisk plugin. Separate U.S. government reporting states that Iran-affiliated actors targeting internet-facing operational technology environments deployed Dropbear on victim endpoints to establish command-and-control and remote access over port 22. In those OT intrusions, Dropbear enabled extraction of PLC project files and manipulation of data shown on HMI and SCADA displays, affecting sectors including government services and facilities, water and wastewater, and energy, with Rockwell Automation/Allen-Bradley CompactLogix and Micro850 devices specifically cited. High-confidence behavior directly described in the content is remote SSH access via port 22 on compromised endpoints; no standalone malware-specific persistence, propagation, or additional IOC details for Dropbear itself are provided in the content.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Additionally, the actors deployed Dropbear Secure Shell (SSH) software on victim endpoints to enable them to gain remote access through port 22 [T1219].
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques...start up a dropbear server that allows for remote logins using the same credentials that are used for the web GUI, resulting in a remote shell...
Execution
1 techniqueAn os command injection vulnerability exists in the Openvpn configuration restore route_up functionality... A specially crafted configuration value can lead to arbitrary command execution... if we include in our restored configuration the following xml line: <route_up>"/usr/sbin/dropbear -g -w -C -B -L -p 22"</route_up> This command will be put into the configuration of the openvpn server and run immediately after a vpn connection is established.
Persistence
3 techniques...start up a dropbear server that allows for remote logins using the same credentials that are used for the web GUI, resulting in a remote shell...
...connect via openvpn to start up a dropbear server that allows for remote logins... resulting in a remote shell...
Privilege Escalation
1 techniqueStealth
1 techniqueDefense Impairment
1 techniqueCredential Access
1 techniqueLateral Movement
1 techniqueUpon obtaining initial access, the threat actors established command-and-control by deploying Dropbear, a Secure Shell (SSH) software, on victim endpoints to enable remote access through port 22...
Command and Control
1 techniqueUpon obtaining initial access, the threat actors established command-and-control by deploying Dropbear... Public-facing domains and Telegram channels serve as the primary dissemination and amplification hub, with the messaging platform also playing a huge role in command-and-control (C2) operations by allowing the malware to communicate with threat actor-controlled bots...
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
SSH software deployed on victim endpoints to establish command-and-control and remote access over port 22 in OT intrusions.
SSH backdoor variant deployed as a plugin alongside BlackEnergy in the Ukraine attacks.
SSH software deployed on victim endpoints to provide remote access over port 22.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.