December 5, 2023

Researchers discovered a new peer-to-peer botnet and SSH worm that has been actively breaching Linux servers, dubbed as “Panchan,” the botnet and SSH worm and is written in the Golang programming language.

Panchan utilizes built-in concurrency features to maximize spread ability and execute malware modules on targeted systems. It harvests SSH keys to perform lateral movement.


The botnet also features a god mode  in which an administration panel is baked directly into the malware. A specific key is required to access the panel, but researchers were able to reverse-engineer it to override that and analyze the infection scope of the malware.

It was in designed in such a way to avoid detection and reduce traceability  by dropping crypto miners as memory-mapped files without any disk presence. If Panchan detects any process monitoring, it kills the crypto miner processes.

Telecommunications companies and the education sector are the primary victims. It’s believed that the sectors are likely targeted as SSH harvesting relies on simple passwords to succeed. With education, different academic institutions may share SSH keys across networks, making them easier to obtain.

The threat actor is believed to be Japanese based on the malware’s activity and victim geolocation, admin panel language and the threat actor’s Discord user activity. Asia tops the list of Panchan targets, leading to the belief that it may be easier for the threat actor to stick to countries close and familiar.

To protect against Panchan, it’s recommended that secure and complex passwords be used, since the malware uses limited default username and password combinations. Multifactor authentication should be used where possible to prevent any unauthorized login attack.

Organizations should also monitor their virtual machines for resource activities as botnets like these can raise machine resource usage to abnormal levels.


Indicators of Compromise

xinetd – main malware

  • 00411a05a7374d64ce8be4ef85999c1434d867cd8db46c38cd03f76072c91460
  • b9e643a8e78d2ce745fbe73eb505c8a0cc49842803077809b2267817979d10b0

extracted cryptominers

  • a819b4a95f386ae3bd8f0edc64e8e10fae0c21c9ae713b73dfc64033e5a845a1
  • 6f445252494a0908ab51d526e09134cebc33a199384771acd58c4a87f1ffc063

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.