The FritzFrog botnet has resurfaced and is spreading with an alarming infection rate. The botnet has grown tenfold in just a month, mostly targeting the education, government, and healthcare sectors.

The new variant 

FritzFrog, detected in August 2020, targets exposed SSH servers and uses the Tor proxy chain in the new version.
  • The new variant seems to possess additional capabilities to target WordPress servers. Further, it uses an extensive dictionary for brute-force attacks to uncover SSH credentials.
  • The botnet continues to update its list of targets and breached machines. Its node distribution system makes sure to place an equal number of targets to each node for balancing the botnet.
  • Researchers have spotted 24,000 attacks so far. However, the botnet has claimed only 1,500 victims. Most infected hosts are in China, along with a European TV network, a Russian healthcare firm, and multiple universities in East Asia.

New updates and abilities

FritzFrog has been undergoing a series of development, where bugs are being fixed daily or multiple times a day. Its developers have added several new capabilities as follows.
  • The botnet now uses a completely proprietary P2P protocol for its communications, which makes it stealthier than the previous variants.
  • The attackers have used a filtering list to skip low-powered devices (e.g. Raspberry Pi boards).
  • Besides the usual cryptomining, the operators are now using additional monetization methods, such as spreading ransomware or data leaks; however, these are inactive right now.
  • Moreover, the copying system that was used to infect new systems is now based on Security Copy Protocol (SCP), replacing the cat command that existed in the earlier version.

A Chinese connection?

  • The botnet uses unique code components, some of which can be linked with unique GitHub repositories set up by users from Shanghai.
  • The wallet addresses used in mining operations were similar to the ones used by the Mozi botnet, which originated from China.
  • Moreover, around 37% of all of FritzFrog's active nodes are based in China, suggesting that the attackers may be located there.


The FritzFrog botnet is aggressively expanding its attack surface with new features. In order to stay protected, experts recommend configuring an explicit list of SSH logins to be allowed, enabling system login auditing with alerting, disabling root SSH access, and enabling cloud-based DNS protection.

Cyware Publisher