The threat actors behind ShellBot are leveraging IP addresses transformed into hexadecimal notation to infiltrate Linux SSH servers and deploy distributed denial-of-service (DDoS) malware.

ShellBot (aka PerlBot) is known to breach servers that have weak SSH credentials by means of a dictionary attack. The malware is used to conduct DDoS attacks and deliver cryptocurrency miners.

The malware, developed in Perl, uses the IRC protocol to communicate with a command-and-control (C2) server.

The most recent attacks install the malware using hexadecimal IP addresses. The hex IP is used to evade URL-based detection signatures.


This threat is of medium severity. The initial vector is via credential theft or dictionary attacks.

ShellBot supports hexadecimal addresses just like a web browser. This means it can be downloaded successfully on a Linux system and executed through Perl.
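A signature written for a dotted-decimal address will not match the same address spelled in hexadecimal, so a defender can normalize URL hosts before matching. The following Python is an added example, not part of the original advisory; it goes beyond the hex case described above to the octal and plain-decimal spellings as well, and the log lines and the 192.0.2.10 address are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"(?:https?|ftp)://[^\s'\"|;]+", re.I)

def parse_part(part):
    """Parse one host component as inet_aton does: 0x hex, leading-0 octal, decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if re.fullmatch(r"0|[1-9][0-9]*", part):
        return int(part, 10)
    raise ValueError(part)

def normalize_host(host):
    """Return the dotted-quad form of any numeric IPv4 host, or None if not numeric."""
    try:
        *head, last = [parse_part(p) for p in host.split(".")]
    except ValueError:
        return None
    # Leading parts are one byte each; the last part fills the remaining bytes.
    if len(head) > 3 or any(n > 0xFF for n in head) or last >= 1 << (8 * (4 - len(head))):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))

def find_obfuscated_urls(line):
    """Return (url, canonical_ip) for URLs whose host is an IPv4 not in dotted-decimal."""
    hits = []
    for url in URL_RE.findall(line):
        host = urlsplit(url).hostname or ""
        ip = normalize_host(host)
        if ip and ip != host:
            hits.append((url, ip))
    return hits

# Constructed proxy-log lines; 192.0.2.10 is a documentation address (RFC 5737).
SAMPLE = [
    "GET http://0xC000020A/a.txt",   # hexadecimal spelling, flagged
    "GET http://3221225994/a.txt",   # single decimal integer, flagged
    "GET http://192.0.2.10/a.txt",   # canonical dotted-decimal, not flagged
]
if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", find_obfuscated_urls(line))
```

Feeding the canonical address returned here into existing URL and IP blocklists lets one signature cover every spelling of the same host.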

DXC perspective

Mitigation tactics should include securing external-facing servers; implementing Privileged Access Management tooling to secure credentials; monitoring for abnormal user behavior; installing and regularly updating antivirus software on all hosts; and enabling real-time detection. 
