The sub-techniques beta is now live! Read the release blog post for more info.


Xbash is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. Xbash was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.[1]

ID: S0341
Platforms: Windows, Linux
Version: 1.1
Created: 30 January 2019
Last Modified: 28 June 2019

Techniques Used

Domain ID Name Use
Enterprise T1110 Brute Force

Xbash can obtain a list of weak passwords from the C2 server to use for brute forcing as well as attempt to brute force services with open ports.[1][2]

Enterprise T1485 Data Destruction

Xbash has destroyed Linux-based databases as part of its ransomware capabilities. [1]

Enterprise T1486 Data Encrypted for Impact

Xbash has maliciously encrypted victim's database systems and demanded a cryptocurrency ransom be paid.[1]

Enterprise T1203 Exploitation for Client Execution

Xbash can attempt to exploit known vulnerabilities in Hadoop, Redis, or ActiveMQ when it finds those services running in order to conduct further execution.[1][2]

Enterprise T1168 Local Job Scheduling

Xbash can create a cronjob for persistence if it determines it is on a Linux system.[1]

Enterprise T1170 Mshta

Xbash can use mshta for executing scripts.[1]

Enterprise T1046 Network Service Scanning

Xbash can perform port scanning of TCP and UDP ports.[1]

Enterprise T1086 PowerShell

Xbash can use scripts to invoke PowerShell to download a malicious PE executable or PE DLL for execution.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

Xbash can create a Startup item for persistence if it determines it is on a Windows system.[1]

Enterprise T1117 Regsvr32

Xbash can use regsvr32 for executing scripts.[1]

Enterprise T1105 Remote File Copy

Xbash can download additional malicious files from its C2 server.[1]

Enterprise T1064 Scripting

Xbash can execute malicious JavaScript and VBScript payloads on the victim’s machine.[1]

Enterprise T1071 Standard Application Layer Protocol

Xbash uses HTTP for C2 communications.[1]

Enterprise T1016 System Network Configuration Discovery

Xbash can collect IP addresses and local intranet information from a victim’s machine.[1]

Enterprise T1102 Web Service

Xbash can obtain a webpage hosted on Pastebin to update its C2 domain list.[1]