Threat Actor Profile
High APT
Description

The Windigo group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the Ebury SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, Windigo operators continued updating Ebury through 2019.(Citation: ESET Windigo Mar 2014)(Citation: CERN Windigo June 2019)

Confidence Score
90%
Known Aliases
Windigo
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (7)
T1005 - Data from Local System
Collection
T1090 - Proxy
Command and Control
T1082 - System Information Discovery
Discovery
T1083 - File and Directory Discovery
Discovery
T1518 - Software Discovery
Discovery
T1059 - Command and Scripting Interpreter
Execution
T1189 - Drive-by Compromise
Initial Access
Indicators of Compromise

Loading IOCs…

IOC KQL for Sentinel
STIX Data 
{'aliases': ['Windigo'],
 'created': '2021-02-10T19:57:38.042Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'The [Windigo](https://attack.mitre.org/groups/G0124) group '
                'has been operating since at least 2011, compromising '
                'thousands of Linux and Unix servers using the '
                '[Ebury](https://attack.mitre.org/software/S0377) SSH backdoor '
                'to create a spam botnet. Despite law enforcement intervention '
                'against the creators, '
                '[Windigo](https://attack.mitre.org/groups/G0124) operators '
                'continued updating '
                '[Ebury](https://attack.mitre.org/software/S0377) through '
                '2019.(Citation: ESET Windigo Mar 2014)(Citation: CERN Windigo '
                'June 2019)',
 'external_references': [{'external_id': 'G0124',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0124'},
                         {'description': 'Bilodeau, O., Bureau, M., Calvet, '
                                         'J., Dorais-Joncas, A., Léveillé, M., '
                                         'Vanheuverzwijn, B. (2014, March 18). '
                                         'Operation Windigo – the vivisection '
                                         'of a large Linux server‑side '
                                         'credential‑stealing malware '
                                         'campaign. Retrieved February 10, '
                                         '2021.',
                          'source_name': 'ESET Windigo Mar 2014',
                          'url': 'https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/'},
                         {'description': 'CERN. (2019, June 4). 2019/06/04 '
                                         'Advisory: Windigo attacks. Retrieved '
                                         'February 10, 2021.',
                          'source_name': 'CERN Windigo June 2019',
                          'url': 'https://security.web.cern.ch/advisories/windigo/windigo.shtml'}],
 'id': 'intrusion-set--4e868dad-682d-4897-b8df-2dc98f46c68a',
 'modified': '2025-04-25T14:49:09.909Z',
 'name': 'Windigo',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.0'}
Quick Actions
Related TTPs (7)
Data from Local System
Collection
Proxy
Command and Control
System Information Discovery
Discovery
File and Directory Discovery
Discovery
Software Discovery
Discovery
View All 7 TTPs
Back to Threat Actors
Dashboard Home