What’s Driving the Surge of Linux‑Based IoT Malware in 2021?
The article examines how the proliferation of Linux‑powered IoT devices has made them prime targets for malware families like XorDDoS, Mirai and Mozi, highlighting their rapid growth, attack techniques, and recommended defensive measures for operators.
Linux‑based systems are ubiquitous, forming the backbone of internet infrastructure, while low‑power IoT devices have become the primary focus of Linux malware.
With billions of connected devices—cars, refrigerators, and low‑energy network gear—online, IoT devices are now a major target for malicious campaigns such as distributed denial‑of‑service (DDoS) attacks that flood targets with junk traffic to take them offline.
Security vendor CrowdStrike reports that in 2021 the most prevalent Linux‑based IoT malware families were XorDDoS, Mirai and Mozi, accounting for 22% of all Linux IoT malware samples that year, and overall malware volume grew 35% compared with 2020.
Linux‑Based IoT Malware
Linux powers most cloud infrastructure, web servers, mobile and IoT devices because it scales well, offers strong security features, and comes in many distributions that support a wide range of hardware architectures, including constrained hardware.
These distributions provide attractive attack surfaces for threat actors who exploit hard‑coded credentials, open ports, or unpatched vulnerabilities, allowing large‑scale intrusions that can jeopardize critical internet services.
By the end of 2025, more than 300 billion IoT devices are expected to be online, offering cybercriminals a massive pool for building botnets.
A botnet is a network of compromised devices controlled by a remote command‑and‑control (C2) server. Botnets are commonly used for DDoS attacks, spam distribution, remote control, and CPU‑intensive activities such as cryptocurrency mining.
The 2016 Mirai botnet incident reminded developers and operators that large numbers of seemingly benign devices can be weaponized to disrupt essential internet services.
Current Major Threats to Linux
Analysis of the current threat landscape shows that XorDDoS, Mirai and Mozi families and their variants accounted for over 22% of all Linux IoT malware in 2021.
XorDDoS: Malware Samples Increased 123%
XorDDoS is a Linux trojan compiled for multiple architectures—from ARM to x86‑64—that uses XOR encryption for its payload and C2 communications.
When targeting IoT devices, it performs SSH brute‑force attacks to gain remote control, and some variants scan for Docker daemons exposed on port 2375, exploiting the unencrypted Docker socket to obtain root access.
CrowdStrike noted that the number of XorDDoS samples in 2021 grew by nearly 123% compared with the previous year.
Mozi: 2021 Outbreak Ten Times Larger Than 2020
Mozi is a peer‑to‑peer (P2P) botnet that leverages a distributed hash table (DHT) to hide its C2 traffic among legitimate DHT traffic, making detection difficult.
It infects Linux systems by brute‑forcing SSH and Telnet ports, then closes those ports to prevent other malware from overwriting its foothold.
Mirai: The Common Ancestor of Many Linux DDoS Malware
Since its source code was released, Mirai has become notorious for exploiting weak protocols and passwords (e.g., Telnet) via brute‑force attacks.
More than ten Mirai variants have emerged, serving as the genetic backbone for many contemporary Linux DDoS malware families. Popular variants include Sora, IZIH9 and Rekai, with identified sample counts rising 33%, 39% and 83% respectively in 2021 compared with 2020.
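The three families above share one entry vector: credential guessing against SSH and Telnet, plus, for XorDDoS, scanning for a Docker daemon exposed on port 2375. The script below is an added defender-side example, not code from the article or from CrowdStrike. It counts failed-login sources in sshd log lines and flags Telnet or Docker API listeners bound to non-loopback addresses in `ss -ltn` style output. The log lines, the addresses, the five-failure threshold, and the `--live` mode's reliance on `/var/log/auth.log` and iproute2 `ss` are all assumptions.

```shell
#!/bin/sh
# Added defender-side example (not from the article or CrowdStrike).
# Two checks against the entry vectors described above:
#   1. brute_force_sources: sources with >= THRESHOLD failed logins in sshd logs
#   2. risky_listeners: Telnet (23) or Docker API (2375) bound to non-loopback
# Sample inputs below are constructed; the threshold is an assumption.

THRESHOLD=5

# Constructed sshd log excerpt: one noisy source, one legitimate key login.
SAMPLE_AUTH_LOG='Jan 12 03:14:01 gw sshd[812]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 12 03:14:02 gw sshd[812]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 12 03:14:03 gw sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan 12 03:14:04 gw sshd[814]: Failed password for admin from 203.0.113.7 port 51241 ssh2
Jan 12 03:14:05 gw sshd[815]: Failed password for root from 203.0.113.7 port 51242 ssh2
Jan 12 03:14:06 gw sshd[816]: Failed password for root from 203.0.113.7 port 51243 ssh2
Jan 12 03:15:10 gw sshd[820]: Accepted publickey for ops from 198.51.100.20 port 40000 ssh2
Jan 12 03:16:00 gw sshd[821]: Failed password for root from 198.51.100.20 port 40001 ssh2'

# Constructed `ss -Hltn` output (columns: State Recv-Q Send-Q Local Peer).
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2375 0.0.0.0:*
LISTEN 0 128 127.0.0.1:2375 0.0.0.0:*
LISTEN 0 128 [::]:23 [::]:*'

# Print "<count> <ip>" for every source at or above THRESHOLD, busiest first.
brute_force_sources() {
    printf '%s\n' "$1" | awk -v t="$THRESHOLD" '
        /Failed password for/ {
            # the source address is the token after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' | sort -rn
}

# Report Telnet and unauthenticated Docker API listeners reachable off-host.
risky_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            addr = $4; port = $4
            sub(/:[0-9]+$/, "", addr)   # strip ":port"
            sub(/.*:/, "", port)        # keep only the port
            if (addr == "127.0.0.1" || addr == "[::1]") next
            if (port == "23") print "telnet listening on " addr ":" port " (Mirai/Mozi brute-force target)"
            if (port == "2375") print "docker api without tls/auth on " addr ":" port " (XorDDoS scan target)"
        }'
}

case "${1:-}" in
    --demo)
        brute_force_sources "$SAMPLE_AUTH_LOG"
        risky_listeners "$SAMPLE_LISTENERS"
        ;;
    --live)  # assumes a Debian-style auth.log and iproute2 ss
        brute_force_sources "$(cat /var/log/auth.log 2>/dev/null)"
        risky_listeners "$(ss -Hltn 2>/dev/null)"
        ;;
esac
```

Run with `--demo` to see the constructed sample flagged (one source with six failures, one Telnet and one Docker listener), or `--live` on a host to check its own logs and sockets. The loopback-bound Docker listener is deliberately ignored: the risk XorDDoS exploits is the daemon being reachable from the network, not its existence.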
Summary
Linux is widely deployed, and the threat landscape is real and evolving. A reliable mitigation strategy is to schedule automatic updates and scans via cron, and to perform an initial security scan as soon as a new system is brought online.
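The summary's advice (schedule updates and scans via cron, and take an initial scan when the system comes online) as an added shell example, not the article's own tooling: the job applies package updates, then runs a file-integrity scan that records a baseline of hashes on its first run and reports added, removed or modified files on every later run. The paths, the 03:30 schedule, the Debian-style `apt-get` step and the choice of `/usr/bin` as the watched directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): a cron-scheduled maintenance job that
# 1) applies package updates and 2) runs a file-integrity scan that takes a
# baseline the first time it runs and reports drift afterwards.
# Paths, the 03:30 schedule and the package-manager detection are assumptions.

HASH=$(command -v sha256sum || printf 'shasum -a 256')

# One "hash  path" line per regular file under $1, sorted by path.
snapshot() {
    find "$1" -type f -exec $HASH {} + | sort -k2
}

# $1 = directory to watch, $2 = baseline file.
# Exit 0 when nothing changed, 2 when files were added, removed or modified.
integrity_scan() {
    dir=$1; base=$2
    if [ ! -f "$base" ]; then
        snapshot "$dir" > "$base"            # initial scan on a fresh system
        printf 'baseline created: %s\n' "$base"
        return 0
    fi
    changes=$(snapshot "$dir" | diff "$base" - | grep '^[<>]' || true)
    if [ -n "$changes" ]; then
        printf 'files changed since baseline (< old, > new):\n%s\n' "$changes"
        return 2
    fi
    printf 'no changes since baseline\n'
}

# Package updates; assumes a Debian-style system, otherwise skips.
update_packages() {
    if command -v apt-get >/dev/null 2>&1; then
        apt-get update -q && apt-get -y -q upgrade
    else
        printf 'no apt-get found; skipping package updates\n'
    fi
}

# Render a cron.d line: daily at 03:30 as root, output appended to a log.
cron_entry() {
    printf '30 3 * * * root %s >> /var/log/iot-maintenance.log 2>&1\n' "$1"
}

# Append the entry to $1 unless the identical line is already there (idempotent).
install_cron_entry() {
    entry=$(cron_entry "$2")
    if [ -f "$1" ] && grep -qxF "$entry" "$1"; then
        return 0
    fi
    printf '%s\n' "$entry" >> "$1"
}

case "${1:-}" in
    run)      # what cron invokes: update, then scan /usr/bin against the baseline
        update_packages
        integrity_scan "${2:-/usr/bin}" "${3:-/var/lib/iot-baseline.sha256}"
        ;;
    install)  # register this script in cron.d (needs root)
        install_cron_entry /etc/cron.d/iot-maintenance "$(readlink -f "$0") run"
        ;;
esac
```

Run `install` once as root on a freshly provisioned device; the first nightly `run` writes the baseline, and later runs exit non-zero and log the changed paths, which is the signal an operator wants when a binary under `/usr/bin` is replaced by something like the droppers these families use. Because package upgrades legitimately change files, refresh the baseline after an intended update by deleting it before the next run.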
21CTO
21CTO (21CTO.com) offers developers community, training, and services, making it your go‑to learning and service platform.