SDBot is a long-running IRC-controlled botnet family with origins in the early 2000s that established many techniques used by later botnets, including modular plugins, network-share propagation, and DDoS capability. The leaked SDBot source code spawned countless derivatives. While the original SDBot is now largely historical, the avclass label continues to capture many derivative IRC-bot families.
This family has been observed using the following ATT&CK techniques: T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1071.001 (Application Layer Protocol: Web Protocols).
SdBot (also tracked as RBot) is an older IRC-controlled backdoor family that spreads through exploitation of network shares, brute-forcing of weak passwords, and bundling with cracked software.
Indicators of compromise include outbound IRC traffic on non-standard ports, unfamiliar administrator accounts created on the system, and AV detections labelled SdBot, RBot, or Spybot.
If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/sdbot.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families extracted from the EMBER 2018 benchmark. The catalog is also published on Hugging Face and Kaggle.