{
	"id": "b28e4fc3-436e-4727-89d4-fc4057e90ce9",
	"created_at": "2026-04-06T00:13:14.62028Z",
	"updated_at": "2026-04-10T03:21:33.835264Z",
	"deleted_at": null,
	"sha1_hash": "0e5e18fdc03889cbd6fbf63bd170f3123f7d71af",
	"title": "Kaiji: New Chinese Linux malware turning to Golang",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 582482,
	"plain_text": "Kaiji: New Chinese Linux malware turning to Golang\r\nBy Paul Litvak\r\nPublished: 2020-05-04 · Archived: 2026-04-05 22:47:38 UTC\r\nIt is not often that you see a botnet’s tooling written from scratch. The Internet of things (IoT) botnet ecosystem is\r\nrelatively well-documented by security specialists. New threat actors are generally discovered quickly due to the\r\ninherent noise caused by DDoS operations, both in terms of infecting new machines and conducting operations.\r\nSimply put, it is difficult to hide such overt activities. Most DDoS actors do not invest resources in creating custom\r\ntooling, unless they require specific capabilities, and resort to using well-known botnet implants (e.g. Mirai,\r\nBillGates).\r\nIn late April we identified a new botnet campaign with definitive Chinese origins, targeting servers and IoT\r\ndevices via SSH brute forcing. While most attackers derive their implants from popular and well-tested sources\r\nsuch as open source (e.g., Mirai) or blackmarket toolsets (e.g., BillGates), this botnet utilizes its own custom\r\nimplant, which MalwareMustDie named Kaiji based on one of the function names. The botnet was built from\r\nscratch using the Golang programming language, which is rare in the IoT botnet landscape.\r\nTechnical Analysis\r\nKaiji spreads exclusively via SSH brute forcing by targeting the root user only. Accessing root is important to its\r\noperation since some DDoS attacks are only available via crafting custom network packets. In Linux, crafting custom\r\nnetwork packets is only permitted to a privileged user such as root.\r\nOnce an SSH connection is established, a bash script is executed which sets up the environment for the malware:\r\nA /usr/bin/lib directory is created and then Kaiji is installed under the filename ‘netstat’, ‘ps’, ‘ls’, or some other\r\nsystem tool name.\r\nKaiji has simple features. 
It consists of an arsenal of multiple DDoS attacks such as ipspoof and synack attacks, an\r\nssh bruteforcer module to continue the spread, and another ssh spreader which relies on hijacking local SSH keys\r\nto infect known hosts which the server has connected to in the past.\r\nDespite the Kaiji file being stripped, we were able to restore function names using IDAGolangHelper. This\r\ntechnique works by retrieving function definitions embedded within the Golang binary which are not removed by\r\nthe strip command.\r\nOnce the malware is executed, it copies itself to /tmp/seeintlog and launches a second instance which commences\r\nits malicious operations. Each operation is implemented within its own goroutine:\r\nhttps://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/\r\nPage 1 of 6\n\nThere exist 13 central goroutines which are important for the implant’s operation. Many of these functions are\r\nnamed in an English representation of Chinese words. We have highlighted the most interesting functions and\r\nadded a translation from Chinese to relevant functions:\r\ndoLink routine:\r\nDecrypt C2 addresses, register the newly infected server to one of the command servers and launch the doTask\r\nand RotKit goroutines.\r\nIncidentally, some of the C2 addresses are decrypted through a chain of three encryption schemes, while another\r\nC2 address is simply encoded in base64:\r\nOn the left, C2 base64 decoding. On the right, C2 decryption.\r\nThe binary contained four command server hostnames, two of which were resolved to localhost since they were\r\nregistered. The only hostname which worked was operational for two weeks before failing to respond.\r\nmain_doTask:\r\nFetches commands from the C2. 
These include:\r\n• DDoS instructions\r\n• SSH bruteforce instructions, including host range and a password to attempt login\r\n• Run shell command\r\n• Replace C2 servers\r\n• Delete itself and remove all persistence\r\nFor DDoS operations, a target and an attack technique are retrieved.\r\nAttacks include:\r\n• Two TCPFlood implementations (one with raw sockets)\r\n• Two UDPFlood implementations (one with raw sockets)\r\n• IPSpoof attack\r\n• SYNACK attack\r\n• SYN attack\r\n• ACK attack\r\nddos_Rotkit:\r\nTries to connect to known hosts through existing SSH RSA keys or IPs found in bash history:\r\nmain_runkshell:\r\nInstall persistence through rc.d and Systemd services:\r\nSystemd (/etc/systemd/system/linux.service):\r\nrc.d (/etc/rc.d/init.d/linux_kill):\r\nmain_runghost: Install persistence through /etc/profile.d (/etc/profile.d/linux.sh)\r\nmain_rundingshi (漢字: run timing): Install persistence through crontab\r\nmain_runganran (漢字: run infection): Another persistence technique, backdoor the SSH init script /etc/init.d/ssh\r\nto call the rootkit on startup\r\nmain_runshouhu (漢字: run surgery): Copy the rootkit to /etc/32679 and run it every 30 seconds\r\nmain_runkaiji (漢字: run boot): Install more persistence init.d files, e.g.: /etc/init.d/boot.local\r\nddos_rdemokill: Periodically check the machine's CPU usage and kill processes when it exceeds 85%. This can\r\ninadvertently kill unrelated processes. 
Interestingly, this function refers to the rootkit as a demo.\r\nIn our own sandbox we observed that the rootkit tends to invoke itself too many times, leaving the machine\r\ngasping for memory:\r\nThis, together with the fact that the C2 was operational only temporarily, and the presence of a ‘demo’ string, led\r\nus to believe that this is an early version still in testing.\r\nConclusion\r\nIt is rare to see a botnet written from scratch, considering the tools readily available to attackers in blackmarket\r\nforums and open source projects. In this post we have uncovered a new DDoS operation in its early stages that\r\nwas written from scratch. This is another confirmation of an interesting trajectory noted by vendors such as Palo\r\nAlto that malware developers are turning to modern languages such as Golang for their operations.\r\nThe Kaiji samples are now indexed in Intezer Analyze. Powered by our new Golang cross platform code\r\nconnections, users will be able to easily spot if this threat actor switches to Windows.\r\nProtect your Linux and cloud servers\r\nThreats targeting Linux are on the rise. 
Learn more about our runtime solution that protects your Linux cloud\r\nservers against cyber attacks.\r\nIOCs\r\nSource: https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"
	],
	"report_names": [
		"kaiji-new-chinese-linux-malware-turning-to-golang"
	],
	"threat_actors": [],
	"ts_created_at": 1775434394,
	"ts_updated_at": 1775791293,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0e5e18fdc03889cbd6fbf63bd170f3123f7d71af.pdf",
		"text": "https://archive.orkl.eu/0e5e18fdc03889cbd6fbf63bd170f3123f7d71af.txt",
		"img": "https://archive.orkl.eu/0e5e18fdc03889cbd6fbf63bd170f3123f7d71af.jpg"
	}
}