Malware targeting Linux systems hit a new high in 2021

The Linux penguin.
(Image credit: Image Credit: Pixabay)

The Linux operating system is growing more and more interesting for malicious actors, a report from Crowdstrike has claimed.

The company’s latest threat telemetry data has shown that malware for the popular OS increased by more than a third (35%) in 2021, compared just to the year prior. 

According to Crowdstrike, Linux is a popular target for cyber crooks due to its popularity among cloud infrastructure developers and web servers manufacturers. What’s more, it powers most mobile and IoT devices, as well. 


Among all malware present, just three families account for almost a quarter (22%) of all Linux-based malware found in 2021. Those are XorDDoS, Mirai, and Mozi. Their main goal is to assimilate target endpoints into a botnet, to be used for Distributed Denial of Service (DDos) attacks.

XorDDoS malware, for example, has had 123% more samples in 2021, compared to the previous year, while Mozi registered an increase of ten times for the same time period.

The third-most-popular malware is Mirai and all its offshoots. Crowdstrike says it is a “common ancestor” for many of today’s emerging malware samples, such as Sora (33% up), IZIH9 (39%), or Rekai (83%).

DDoS attacks and cryptominers

There are many ways which malicious actors can use to attack Linux-powered devices, from scanning for those with hardcoded credentials, to targeting those with open ports, to those with known, unpatched vulnerabilities. 

Going forward, things won’t be getting any better, either. Crowdstrike expects more than 30 billion IoT devices to be connected to the internet within tree years, creating a potentially large attack surface.

A botnet is, as the name suggests, a network of bots, performing specific tasks for their administrator. Usually, they’re tasked with DDoS attacks, but can often be used for mining cryptocurrencies. One of the largest, and most popular botnets, was Mirai, which was used in 2016 to attack the domain name server operator Dyn, among others. Mirai was dismantled three years later, through a joint raid from multiple law enforcement agencies. 

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.