SophosLabs reported a Linux botnet dubbed Chalubo that compromises Internet-facing SSH servers through brute-force credential attacks and can also run on IoT hardware across multiple CPU architectures. The malware uses a layered infection chain in which a downloader establishes persistence, disguises its process name, retrieves an encrypted and LZMA-compressed payload, and launches the main bot; later campaigns also used the Elknot dropper. Researchers said Chalubo encrypts both its core bot and Lua-based command scripts with the ChaCha stream cipher and includes anti-analysis features more commonly associated with Windows malware.
The botnet was built to conduct distributed denial-of-service activity, with Lua scripts enabling DNS, UDP, and SYN flood attacks. Sophos observed one command directing infected systems to launch a SYN flood against IP address 59.56.76.41 on port 10100, while excluding several hardcoded addresses from targeting. Although the malware shares some code with Xor.DDoS and Mirai, researchers assessed it as a distinct family and urged defenders to harden SSH access, replace default credentials, and monitor suspicious outbound traffic to TCP port 8852.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
SophosLabs published research on a newly discovered Linux denial-of-service bot family named Chalubo, describing its layered infection chain, ChaCha-encrypted payloads and Lua scripts, and anti-analysis techniques. The report also noted code overlap with Xor.DDoS and Mirai but assessed Chalubo as a distinct malware family.
SophosLabs said that in later campaigns, operators used the Elknot dropper to deliver the Chalubo malware package. This reflected an evolution in the infection chain beyond the original downloader-based delivery.
SophosLabs reported that the Linux DDoS bot family Chalubo had been targeting Internet-facing SSH servers via brute-force credential attacks since late August and early September 2018. The activity marked the start of the observed Chalubo campaign.
1 reference tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.