In 2021, malware attacking Linux computers reached a new peak

According to a CrowdStrike analysis, the Linux operating system is becoming more appealing to hostile actors.

According to the company's latest threat telemetry data, malware for the popular OS climbed by more than a third (35%) in 2021 compared to the previous year.

Linux is a prominent target for cybercriminals, according to CrowdStrike, owing to its prominence among cloud infrastructure developers and web server manufacturers. It also powers the majority of mobile and IoT devices.


Only three malware families account for over a quarter (22 percent) of all Linux-based malware discovered in 2021: XorDDoS, Mirai, and Mozi. Their main purpose is to gather target endpoints into a botnet that can be used to launch Distributed Denial of Service (DDoS) attacks.

For example, XorDDoS samples rose 123 percent in 2021 compared to the previous year, while Mozi saw a tenfold increase in the same time frame.

Mirai and its offshoots are the third most common malware. According to CrowdStrike, Mirai is a “common ancestor” of several of today’s new malware variants, including Sora (33 percent increase), IZIH9 (39 percent), and Rekai (83 percent).

Cryptominers and DDoS attacks

Malicious actors may attack Linux-powered devices in a variety of ways, including searching for devices with hardcoded credentials, targeting those with open ports, and targeting those with known, unpatched vulnerabilities.

Things aren’t going to get much better in the future, either. CrowdStrike estimates that within three years more than 30 billion IoT devices will be connected to the internet, providing a potentially enormous attack surface.

As the name implies, a botnet is a network of bots that carry out specified tasks for their administrator. They’re usually employed to launch DDoS attacks, but they may also be used to mine bitcoins. Mirai, one of the biggest and most well-known botnets, was used in 2016 to attack Dyn, a domain name server provider, among others. Mirai was decommissioned three years later in a combined raid involving numerous law enforcement agencies.