Sophos reported that the Chalubo botnet is infecting exposed Linux servers and IoT devices and repurposing them for distributed denial-of-service operations. The malware was observed targeting internet-facing systems, using compromised devices as part of a broader botnet capable of launching disruptive traffic floods against downstream victims.
The activity highlights continued risk from poorly secured embedded devices and servers that can be silently enrolled into attack infrastructure. By abusing both enterprise and consumer-connected systems, Chalubo expands the pool of available bots and increases the scale and resilience of DDoS campaigns launched from compromised hosts.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
1 event from the most recent confirmed update back to the earliest known activity.
Sophos published a report describing the Chalubo botnet as malware targeting servers and IoT devices for distributed denial-of-service activity.
1 reference tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.