PNScan, a trojan that has recently resurfaced, consists of an ELF binary targeting routers running on ARM, MIPs, PowerPC, and now x86 architectures. PNScan.1 was mainly used for DDoS attacks using ACK, SYN, and UDP packet floods. It included a self-propagating function designed to spread the trojan to other routers that also used Linux-based firmware. PNScan.1 used dictionary-based attacks in attempts to brute-force other devices. PNScan.2, however, uses only three username and password combinations when attempting to brute-force nearby routers. Certain IP addresses are targeted and this malware attempts to make an SSH connection using these credentials: root/root, admin/admin, and ubnt/ubnt. It is difficult to detect infected routers but there are a series of files created by PNScan on infected devices including list2,, daemon.log, login2, and files/.


  • August 2015: Linux.PNScan.1 was discovered by Dr. Web security researchers. (Dr. Web)
  • August 2016: Linus.PNScan.2 is discovered and targets routers in India. (Softpedia)

Technical Details

  • The Malware Must Die! blog provides technical details about PNScan here.
Trojan VariantsNJCCICPNScan