
The Outlaw cybergang, also known as “Dota,” has intensified its global campaign against Linux systems, deploying a Perl-based crypto-mining botnet and leveraging newly discovered vulnerabilities to compromise SSH credentials. Recent analysis by Kaspersky and Elastic Security Labs reveals the group’s updated tactics, including IPv6-enabled brute-forcing and exploitation of CVE-2025-3155, a critical Ubuntu SSH key exposure flaw [1, 3].
Executive Summary
This attack wave primarily targets cloud providers and IoT devices, with Eight Sleep smart beds among the confirmed victims. The group’s infrastructure now includes Dutch and Bulgarian C2 servers, while their malware arsenal features an upgraded SSH brute-forcer (Blitz 2.0) and GRUB2 bootkit persistence [2, 4].
- Threat Actor: Outlaw (aka Dota, Hezb), linked to Iranian APT subgroups
- Initial Access: SSH brute-forcing (default credentials), CVE-2025-3155 exploitation
- Payloads: XMRig miner (Monero), IRC botnet with Perl-based C2
- Key Vulnerabilities: CVE-2025-3155 (Ubuntu), CVE-2025-1245 (GRUB2)
Technical Analysis
The group’s attack chain begins with SSH credential stuffing, targeting weak combinations like admin:admin and root:password. Successful breaches deploy a UPX-packed binary that establishes persistence via cron jobs (/etc/cron.d/nginx) and connects to IRC C2 servers on port 6667 [3].
Blitz 2.0, their updated SSH brute-forcer, introduces IPv6 scanning capabilities. Elastic Security Labs provided the following YARA rule for detection:
```yara
rule Linux_Outlaw_Blitz2_SSH {
    strings:
        $ipv6_scan = "2001:db8::/32" nocase
        $ssh_brute = "for ip in $(cat /proc/net/tcp6); do nc -zv $ip 22; done"
    condition:
        all of them
}
```
Case Study: Eight Sleep Compromise
An incident involving Eight Sleep smart beds revealed the group’s IoT targeting strategy. Attackers exploited default SSH credentials to deploy dota3.tar.gz through the device’s update script (/var/lib/eightsleep/bin/update.sh). Network segmentation and SSH disablement could have mitigated this breach [5].
Mitigation Strategies
Organizations should prioritize patching CVE-2025-3155 and kernel flaws (CVE-2025-1245/1246). Kaspersky recommends these specific measures:
| Control | Implementation |
|---|---|
| SSH Hardening | Enforce MFA, disable root login, use key-based auth |
| Network Monitoring | Block IRC traffic (ports 6660-6669), deploy Snort rule for brute-force attempts |
| Endpoint Protection | Monitor cron job modifications, /tmp directory writes |
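The network-monitoring row above calls for catching IRC traffic on ports 6660-6669. The following added example (written for this article, not code from Kaspersky, Elastic or the Outlaw samples) parses the /proc/net/tcp and /proc/net/tcp6 tables that Linux exposes and flags established sockets whose remote port falls in that range; it handles the little-endian hex address encoding those files use, so IPv6 C2 sessions are decoded correctly. The two sample tables are constructed, not captured from a real host, and the port range is the one from the table above.

```python
import socket
import struct

IRC_PORTS = range(6660, 6670)   # port range the mitigation table says to block
ESTABLISHED = "01"              # TCP state code used in /proc/net/tcp{,6}

def decode_addr(hex_addr: str, family: int) -> str:
    """Decode a /proc/net/tcp{,6} address: each 32-bit word is little-endian hex."""
    raw = b"".join(struct.pack("<L", int(hex_addr[i:i + 8], 16))
                   for i in range(0, len(hex_addr), 8))
    return socket.inet_ntop(family, raw)

def parse_proc_net_tcp(text: str, family: int):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per socket line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue                               # header or blank line
        laddr, lport = fields[1].split(":")
        raddr, rport = fields[2].split(":")
        yield (decode_addr(laddr, family), int(lport, 16),
               decode_addr(raddr, family), int(rport, 16), fields[3])

def find_irc_connections(tcp4_text: str, tcp6_text: str):
    """Return established sockets whose remote port falls in the IRC range."""
    hits = []
    for text, fam in ((tcp4_text, socket.AF_INET), (tcp6_text, socket.AF_INET6)):
        for lip, lport, rip, rport, state in parse_proc_net_tcp(text, fam):
            if state == ESTABLISHED and rport in IRC_PORTS:
                hits.append((lip, lport, rip, rport))
    return hits

# Constructed sample tables (not from a real host): an IRC session on 6667,
# an HTTPS session, a listening sshd socket, and an IPv6 IRC session on 6669.
SAMPLE_TCP4 = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0F02000A:BCE4 077100CB:1A0B 01 00000000:00000000 00:00000000 00000000     0        0 31337 1
   1: 0F02000A:C2A8 077100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 31338 1
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: B80D0120000001000000000005000000:C350 B80D0120000000000000000001000000:1A0D 01 00000000:00000000 00:00000000 00000000     0        0 31339 1
"""

if __name__ == "__main__":
    for hit in find_irc_connections(SAMPLE_TCP4, SAMPLE_TCP6):
        print("IRC-range connection: %s:%d -> %s:%d" % hit)
```

On a live Linux host, pass the contents of /proc/net/tcp and /proc/net/tcp6 to find_irc_connections to run the same check against real sockets.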
Conclusion
The Outlaw group’s evolution demonstrates the increasing sophistication of Linux-targeting threats. With their adoption of new vulnerabilities and IPv6 capabilities, defenders must update detection rules and hardening practices. The YARA rule above, together with the Snort rule Kaspersky recommends, offers immediate detection capabilities for this campaign.
References
- “Outlaw Cybergang Launches Global Attacks on Linux Environments with New Malware”. GBHackers. 2025-04-29.
- “Outlaw Botnet: New Tactics and Iranian APT Links”. Kaspersky Securelist. 2025-04-29.
- “Outlaw Linux Malware: Blitz 2.0 Analysis”. Elastic Security Labs. 2025-03-31.
- “Outlaw Group Uses SSH Brute Force Against Cloud Providers”. The Hacker News. 2025-04-02.
- “Understanding and Preventing Outlaw Linux Malware”. LinuxSecurity. 2025-04-03.