Frequently Asked Questions

Product Information & Overview

What is Cymulate and what does it do?

Cymulate is a cybersecurity platform that enables organizations to proactively validate their defenses, identify vulnerabilities, and optimize their security posture. It provides continuous threat validation, exposure prioritization, and operational efficiency through automated attack simulations and actionable insights. Learn more.

What is the primary purpose of Cymulate's platform?

The primary purpose of Cymulate's platform is to help organizations proactively validate their cybersecurity defenses, identify vulnerabilities, and optimize their security posture. It empowers security teams to stay ahead of emerging threats and improve overall resilience. Source.

How does Cymulate address the latest threats and new research?

Cymulate addresses the latest threats and new research through its continuously updated threat library, daily intelligence feeds, and research-driven attack simulations. You can read about the latest threats and research on our blog.

What is Cymulate's vision and mission?

Cymulate's vision is to create an environment where everyone collaborates to make a lasting impact on cybersecurity. The mission is to transform cybersecurity practices by enabling organizations to proactively validate defenses, identify vulnerabilities, and optimize their security posture. Source.

What types of organizations use Cymulate?

Cymulate serves organizations of all sizes, from small enterprises to large corporations with over 10,000 employees, across industries such as finance, healthcare, retail, media, transportation, and manufacturing. Learn more.

Who are the main users of Cymulate within an organization?

Main users include CISOs and security leaders, Security Operations (SecOps) teams, Red Teams, and Vulnerability Management teams. Each role benefits from tailored features and insights. More for CISOs, SecOps, Red Teams, Vulnerability Management.

How does Cymulate support different security roles?

Cymulate provides quantifiable metrics for CISOs, automates processes for SecOps, offers advanced offensive testing for Red Teams, and enables efficient vulnerability prioritization for Vulnerability Management teams. Learn more.

What is the Cymulate Resource Hub?

The Cymulate Resource Hub is a central location for insights, thought leadership, and product information, including whitepapers, reports, blogs, and webinars. Access it at our Resource Hub.

Where can I find Cymulate's blog and newsroom?

You can find the latest threats, research, and company news on our blog and our newsroom.

Does Cymulate provide educational resources like a glossary?

Yes, Cymulate offers an expanding cybersecurity glossary explaining terms, acronyms, and jargon. Visit our glossary.

Features & Capabilities

What are the key features of Cymulate's platform?

Cymulate's platform features continuous threat validation, unified BAS, CART, and Exposure Analytics, attack path discovery, automated mitigation, AI-powered optimization, complete kill chain coverage, ease of use, and an extensive threat library with over 100,000 attack actions updated daily. Learn more.

Does Cymulate support Breach and Attack Simulation (BAS)?

Yes, Cymulate integrates Breach and Attack Simulation (BAS) as a core component, allowing organizations to simulate real-world attacks and validate their security controls continuously. Platform details.

What is Continuous Automated Red Teaming (CART) in Cymulate?

Continuous Automated Red Teaming (CART) in Cymulate enables organizations to run automated offensive testing with a library of over 100,000 attack actions aligned to MITRE ATT&CK and daily threat intelligence. Red Teaming.

How does Cymulate help with exposure prioritization?

Cymulate validates exploitability and ranks exposures based on prevention and detection capabilities, business context, and threat intelligence, helping organizations focus on the most critical vulnerabilities. Learn more.

What integrations does Cymulate offer?

Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a complete list, visit our Partnerships and Integrations page.

How does Cymulate automate mitigation?

Cymulate integrates with security controls to push updates for immediate prevention of threats, automating mitigation and reducing manual intervention. Automated Mitigation.

Does Cymulate provide attack path discovery?

Yes, Cymulate offers attack path discovery to identify potential attack paths, privilege escalation, and lateral movement risks within your environment. Attack Path Discovery.

How does Cymulate use AI and machine learning?

Cymulate uses AI and machine learning to deliver actionable insights for prioritizing remediation efforts, optimize security controls, and enhance threat detection and prevention. Platform details.

How often is Cymulate updated with new features?

Cymulate updates its SaaS platform every two weeks with new features, such as AI-powered SIEM rule mapping and advanced exposure prioritization, ensuring customers have access to the latest capabilities. Source.

Use Cases & Benefits

What problems does Cymulate solve for security teams?

Cymulate solves problems such as overwhelming threat volume, lack of visibility, unclear risk prioritization, resource constraints, fragmented tools, and operational inefficiencies by automating validation, prioritizing exposures, and providing actionable insights. Learn more.

How does Cymulate help organizations improve their security posture?

Cymulate helps organizations improve their security posture by providing continuous threat validation, exposure prioritization, automated mitigation, and actionable insights, resulting in measurable outcomes like a 52% reduction in critical exposures and an 81% reduction in cyber risk within four months for some customers. Hertz Israel case study.

What are some real-world results achieved with Cymulate?

Customers have reported a 52% reduction in critical exposures, a 60% increase in team efficiency, and an 81% reduction in cyber risk within four months. Hertz Israel case study.

Are there case studies showing Cymulate's impact?

Yes, case studies include Hertz Israel reducing cyber risk by 81%, a sustainable energy company scaling pen testing, and Nemours Children's Health improving detection in hybrid environments. See all case studies at our Case Studies page.

How does Cymulate help with cloud security validation?

Cymulate secures hybrid and cloud infrastructures through automated compliance and regulatory testing, integrating with cloud security tools like AWS GuardDuty and Check Point CloudGuard. Cloud Security Validation.

How does Cymulate address lateral movement attacks?

Cymulate provides attack path discovery and lateral movement testing. For more on preventing lateral movement attacks, read the blog post Stopping Attackers in Their Tracks.

How does Cymulate help with vulnerability management?

Cymulate automates in-house validation between pen tests and prioritizes vulnerabilities effectively, improving operational efficiency for vulnerability management teams. Vulnerability Management.

How does Cymulate improve operational efficiency?

Cymulate automates security validation processes, saving up to 60 hours per month in testing new threats and increasing team efficiency by up to 60%. Optimize Threat Resilience.

How does Cymulate help after a security breach?

Cymulate enhances visibility and detection capabilities post-breach, ensuring faster recovery and improved protection by replacing manual processes with automated validation. Nedbank case study.

Implementation & Ease of Use

How easy is it to implement Cymulate?

Cymulate is designed for quick and easy implementation, operating in agentless mode with no need for additional hardware or complex configurations. Customers can start running simulations almost immediately after deployment. Schedule a demo.

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive, user-friendly interface and actionable insights. Testimonials highlight its ease of implementation, support, and immediate value. Customer quotes.

What support resources does Cymulate provide for new users?

Cymulate offers email and chat support, a knowledge base with technical articles and videos, webinars, e-books, and an AI chatbot for quick answers and best practices. Webinars, E-books.

How long does it take to start using Cymulate?

Most customers can start running simulations almost immediately after deployment due to Cymulate's agentless mode and minimal setup requirements. Schedule a demo.

Security, Compliance & Trust

What security and compliance certifications does Cymulate have?

Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications, demonstrating adherence to industry-leading security and privacy standards. Security at Cymulate.

How does Cymulate ensure data security?

Cymulate ensures data security with encryption in transit (TLS 1.2+) and at rest (AES-256), secure AWS-hosted data centers, and a tested disaster recovery plan. Security at Cymulate.

Is Cymulate GDPR compliant?

Yes, Cymulate incorporates data protection by design and has a dedicated privacy and security team, including a Data Protection Officer (DPO) and Chief Information Security Officer (CISO), ensuring GDPR compliance. Security at Cymulate.

What application security measures does Cymulate use?

Cymulate follows a strict Secure Development Lifecycle (SDLC), including secure code training, continuous vulnerability scanning, and annual third-party penetration tests to ensure application security. Security at Cymulate.

What HR security policies does Cymulate have?

Cymulate's employees undergo ongoing security awareness training, phishing tests, and adhere to comprehensive security policies to maintain a strong security culture. Security at Cymulate.

What product security features does Cymulate offer?

Cymulate's platform includes mandatory 2-Factor Authentication (2FA), Role-Based Access Controls (RBAC), IP address restrictions, and TLS encryption for its Help Center. Security at Cymulate.

Pricing & Plans

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's requirements. Pricing depends on the chosen package, number of assets, and scenarios selected. For a detailed quote, schedule a demo.

Competition & Differentiation

How does Cymulate differ from other security validation platforms?

Cymulate stands out with its unified platform combining BAS, CART, and Exposure Analytics, continuous 24/7 threat validation, AI-powered optimization, complete kill chain coverage, ease of use, and measurable customer outcomes. Compare Cymulate.

What advantages does Cymulate offer for different user segments?

CISOs benefit from quantifiable metrics, SecOps from automation and efficiency, Red Teams from advanced offensive testing, and Vulnerability Management teams from automated validation and prioritization. CISOs, SecOps, Red Teams, Vulnerability Management.

News, Events & Community

Where can I find news, events, and webinars from Cymulate?

Stay up-to-date with Cymulate through our blog, newsroom, and events and webinars page.

Is there a central place for Cymulate's insights and thought leadership?

Yes, all resources including insights, thought leadership, and product information are available in our Resource Hub.

What is MCPwned and where can I watch it?

MCPwned is a live initiative from Cymulate. You can watch the video here: MCPwned is LIVE! video.


XorDDOS Returns: New Variant Targets Linux Systems with Advanced Persistence

By: Yahav Levin

Last Updated: July 21, 2025


The Cymulate research lab honeypot network recently detected a new variant of the XorDDOS malware. Our analysis of the XorDDOS payload, using various sources such as VirusTotal, helped us to identify the Command and Control (C&C) IP address.

More concerning for the variant's potential severity, we found indicators of the malware's activity on a deployed machine. In addition, Intezer identified similar malware and code containing the distinct string XorDDOS is known for, "F"4YA/A".

The Linux Attacker

In recent years, XorDDOS has become a notorious malware family that targets Linux systems. Notable for its use of extensive scripting to install itself after an initial compromise, this malware has shown great resistance to detection across its various variants.

Originating in China, XorDDOS uses infected x86, x64, and ARM systems to launch wide-scale Distributed Denial of Service attacks against other victims.

The latest variant of the attack showcases continued innovation on the part of the threat actors, spawning new variants as existing forms come under closer scrutiny. It has successfully infected large numbers of systems, compromising their security and launching further attacks against others using the now “zombie” systems it succeeds in taking over.

XorDDOS Attack Phases

The XorDDOS malware has evolved significantly, utilizing a range of techniques to infect and persist on the targeted system. The attack phases include:

  1. The malware persists itself using System V runlevels: The malware first attempts to persist itself using the System V runlevels, which are a standard initialization system used by UNIX and Linux distributions (though XorDDOS has so far targeted only Linux). This ensures that the malware is automatically started during the boot process.
  2. It tries to persist itself using cron: The malware also tries to persist itself using cron, a time-based job scheduler in Unix-like operating systems including most distributions of Linux. Recent variants have created two shell script files, "/etc/cron.hourly/cqqbnzzu.sh" and "/etc/cron.hourly/obidhyb.sh", which are executed every hour.
  3. It writes shell script files to disk: The malware writes the shell script files to disk, which it uses to execute its various attack phases.
  4. It deletes itself: To avoid detection, the malware deletes its installer scripts and files after completing its attack phases. Since the primary operation of XorDDOS once it has infected a device is to act as a DDoS node, it no longer needs the installers or install scripting.
  5. It encodes data using XOR: In order to obfuscate its malicious code, the malware encodes its data using XOR.
  6. It encrypts data using RC4 PRGA: The malware encrypts its data with RC4 (using its pseudo-random generation algorithm, PRGA, to produce the keystream), a symmetric stream cipher, to further hinder detection by security software.
  7. It contains obfuscated stack strings: The malware contains obfuscated stack strings, which makes it harder to analyze.
  8. It enumerates processes within the "proc" file system: The malware enumerates processes within the "proc" file system to gather information about the system.
  9. It reads system information: The malware reads system information from the proc file system to determine the system's kernel version.
  10. It may try to detect virtual machines: Security researchers often run malware inside virtual machines so that it can execute for analysis without endangering other systems. To hinder such analysis, the malware may attempt to detect that it is running on a VM, for example through artifact strings in memory that reveal the system is virtual.
  11. It uses the "uname" system call to query kernel version information: The purpose of this call is not entirely clear, but it may be an attempt to evade detection.
  12. It queries the number of processors: As with the call for system information, this may further its attempts to avoid detection by limiting its operations to only a portion of the total resources available.
  13. It downloads files from webservers via HTTP: The malware downloads files from webservers via HTTP to continue the installation of malicious files and launch further installation steps to begin its primary goal of using the system as a Denial of Service endpoint.
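The persistence steps above (scripts dropped into cron.hourly and start links in the System V runlevel directories) leave artifacts a defender can audit. The following is an added example and not Cymulate's code: it builds a constructed filesystem snapshot in a temporary directory and checks those two locations against a known-good baseline, flagging the cron.hourly script names reported in this post and any rc entry outside the baseline. The baseline entries, the extra script "zz_backup.sh" and the link "S90example" are assumptions constructed for the example; only the two cron.hourly names come from the post.

```python
import os
import tempfile
from pathlib import Path

# Script names the write-up reports XorDDOS dropping into /etc/cron.hourly.
KNOWN_XORDDOS_CRON_SCRIPTS = {"cqqbnzzu.sh", "obidhyb.sh"}

# Constructed baseline of entries an administrator expects on this host
# (an assumption for the example; a real baseline comes from a golden image).
BASELINE = {
    "cron.hourly": {"0anacron", "logrotate"},
    "rc3.d": {"S01sshd", "S02cron"},
}


def audit_persistence(root: Path) -> list[dict]:
    """Check <root>/etc/cron.hourly and <root>/etc/rc*.d for entries outside the baseline."""
    findings = []
    etc = root / "etc"
    cron_dir = etc / "cron.hourly"
    if cron_dir.is_dir():
        for entry in sorted(cron_dir.iterdir()):
            if entry.name in KNOWN_XORDDOS_CRON_SCRIPTS:
                findings.append({"path": str(entry), "reason": "known XorDDOS cron script name"})
            elif entry.name not in BASELINE["cron.hourly"]:
                findings.append({"path": str(entry), "reason": "cron.hourly entry not in baseline"})
    # System V runlevel directories rc0.d .. rc6.d and rcS.d hold the start/kill links.
    for rc_dir in sorted(etc.glob("rc[0-6S].d")):
        expected = BASELINE.get(rc_dir.name, set())
        for entry in sorted(rc_dir.iterdir()):
            if entry.name in expected:
                continue
            target = os.readlink(entry) if entry.is_symlink() else "(regular file)"
            findings.append({"path": str(entry), "reason": f"rc entry not in baseline, points to {target}"})
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed snapshot: baseline entries plus three additions a defender should notice."""
    cron_dir = root / "etc" / "cron.hourly"
    rc3 = root / "etc" / "rc3.d"
    cron_dir.mkdir(parents=True)
    rc3.mkdir(parents=True)
    # zz_backup.sh is a constructed name; cqqbnzzu.sh is one of the names from the post.
    for name in ("0anacron", "logrotate", "cqqbnzzu.sh", "zz_backup.sh"):
        (cron_dir / name).write_text("#!/bin/sh\n# constructed placeholder script\n")
    for name in ("S01sshd", "S02cron"):
        (rc3 / name).symlink_to(f"../init.d/{name[3:]}")
    # Unexpected start link outside the baseline (constructed name, dangling target).
    (rc3 / "S90example").symlink_to("../init.d/example")


def run_demo() -> list[dict]:
    """Build the constructed tree in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return audit_persistence(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding['reason']}: {finding['path']}")
```

On a live host the same function is pointed at `Path("/")`; the value of the check comes from the baseline, so keep it in version control and regenerate it whenever an image is rebuilt, otherwise every legitimate package upgrade shows up as a finding.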

IOCs

The attack's IOCs include several IP addresses, file hashes, and related malware families. The following are the IOCs:

http://203.205.254[.]157:80/lib.xlsx

http://qq[.]com/lib.xlsx

61.177.172[.]32

ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73 (ELF file)

Intezer: https://analyze.intezer.com/analyses/80cb27cb-c901-4850-8d9f-42943fdd990a/sub/1bb60d9f-5e64-4d34-9c44-acbe45a682ea/related-samples

https://analyze.intezer.com/analyses/80cb27cb-c901-4850-8d9f-42943fdd990a/sub/1bb60d9f-5e64-4d34-9c44-acbe45a682ea/code-reuse

Strings reuse pattern

F"4YA/A
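Published IOCs are defanged (the "[.]" in the values above) and mix URLs, bare hosts and a file hash, so they need normalising before they can be matched against telemetry. The following is an added example and not Cymulate's code: it refangs the IOC values listed in this post, indexes them by type, and matches them against proxy log lines and a file-hash inventory. The log lines, the file paths and the placeholder digest for "/usr/bin/ls" are constructed for the example; the IOC values are the ones listed above.

```python
import re
from urllib.parse import urlsplit

# IOCs exactly as published in the write-up above (defanged with "[.]").
RAW_IOCS = [
    "http://203.205.254[.]157:80/lib.xlsx",
    "http://qq[.]com/lib.xlsx",
    "61.177.172[.]32",
    "ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
URL_RE = re.compile(r"https?://[^\s\"']+")
TOKEN_RE = re.compile(r"[a-z0-9.-]+")


def refang(value: str) -> str:
    """Undo the '[.]' and 'hxxp' defanging used when IOCs are published."""
    return re.sub(r"(?i)hxxp", "http", value.replace("[.]", "."))


def build_index(raw_iocs):
    """Group refanged IOCs by type: full URLs, bare hosts (IP or domain) and SHA-256 digests."""
    index = {"url": set(), "host": set(), "sha256": set()}
    for raw in raw_iocs:
        ioc = refang(raw).strip().lower()
        if SHA256_RE.match(ioc):
            index["sha256"].add(ioc)
        elif "://" in ioc:
            index["url"].add(ioc)
            # The host that served the payload is worth matching on its own as well.
            index["host"].add(urlsplit(ioc).hostname)
        else:
            index["host"].add(ioc)
    return index


def scan_log_lines(lines, index):
    """Return (line_number, ioc_type, ioc) for each line containing an indexed IOC."""
    hits = []
    for number, line in enumerate(lines, start=1):
        lowered = line.lower()
        url_hit = next((u for u in URL_RE.findall(lowered) if u in index["url"]), None)
        if url_hit:
            hits.append((number, "url", url_hit))
            continue  # do not double-count the URL's host on the same line
        for token in TOKEN_RE.findall(lowered):
            if token in index["host"]:
                hits.append((number, "host", token))
                break
    return hits


def scan_file_hashes(inventory, index):
    """inventory maps path -> sha256 hex; return the paths whose digest is indexed."""
    return sorted(path for path, digest in inventory.items() if digest.lower() in index["sha256"])


# Constructed proxy log lines for the example (timestamp, client, method, target, status, agent).
SAMPLE_PROXY_LOG = [
    "2025-07-21T10:02:11Z 10.0.0.5 GET http://203.205.254.157:80/lib.xlsx 200 curl/7.68.0",
    "2025-07-21T10:02:12Z 10.0.0.5 GET https://example.org/index.html 200 Mozilla/5.0",
    "2025-07-21T10:05:40Z 10.0.0.9 CONNECT 61.177.172.32:443 - -",
    "2025-07-21T10:06:01Z 10.0.0.7 GET http://qq.com/lib.xlsx 404 Wget/1.21",
]

# Constructed file inventory: one path carries the published digest, the other a placeholder.
SAMPLE_FILE_HASHES = {
    "/var/tmp/sample_dropped_binary": "ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73",
    "/usr/bin/ls": "00ff" * 16,  # placeholder digest constructed for the example
}

IOC_INDEX = build_index(RAW_IOCS)

if __name__ == "__main__":
    for number, kind, ioc in scan_log_lines(SAMPLE_PROXY_LOG, IOC_INDEX):
        print(f"line {number}: {kind} match {ioc}")
    for path in scan_file_hashes(SAMPLE_FILE_HASHES, IOC_INDEX):
        print(f"file hash match: {path}")
```

Matching on the bare host as well as the full URL is deliberate: the same server can serve a renamed payload, and a CONNECT or DNS record never carries the path. The hash match is the high-confidence signal; a host match on a shared domain is a lead to triage, not a verdict.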

Bottom Line

XorDDOS continues to be a major threat to Linux systems. The latest attack showcases the malware's sophisticated techniques to evade detection and persist on the targeted system. It is crucial to secure Linux systems and prevent attacks from compromising sensitive data.

The Cymulate Threat Research Group uses the Cymulate Honeypot Network to observe and analyze malware encountered in the wild. Honeypot systems allow Cymulate to keep creating new, safe attack simulations of emerging and evolving threats, so customers can assess their defenses against the latest threat intelligence.

Discover how Cymulate can enhance your security posture—book your demo today!
