{
	"id": "1f3961a3-f55a-444e-8718-4c3a12c47f65",
	"created_at": "2026-04-06T15:53:24.991014Z",
	"updated_at": "2026-04-10T03:20:22.325558Z",
	"deleted_at": null,
	"sha1_hash": "3c23bff172b3aaf37f3efe943deec87328b29ff8",
	"title": "New Linux RAT Krasue in Thailand | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 143174,
	"plain_text": "Sharmine Low\r\nMalware Analyst, APAC\r\nCurse of the Krasue: New Linux Remote Access Trojan targets Thailand\r\nThis piece of malware has an insatiable appetite. Group-IB's Threat Intelligence unit offers their insights on the new RAT used in attacks against Thai companies.\r\nDecember 7, 2023 · Malware Analysis\r\nhttps://www.group-ib.com/blog/krasue-rat/\r\nPage 1 of 14\r\nThe appetite of cybercriminals is insatiable. With increasing regularity, we are seeing the proliferation of new schemes, groups, and malware, all designed to wreak havoc and destruction. Earlier this year, the Group-IB Threat Intelligence unit uncovered a Linux Remote Access Trojan (RAT) that has managed to fly under the radar for a long time. Group-IB researchers discovered that this malware, which was first registered on VirusTotal in 2021, has almost exclusively been used against organizations in Thailand. At the time of writing, Group-IB researchers can confirm that Krasue was used against telecommunications companies, although it has likely been leveraged in attacks against organizations in other verticals as well.\r\nBecause Thai companies were exclusively targeted, Group-IB has decided to call this RAT Krasue, a nod to the Thai name of a nocturnal native spirit known throughout Southeast Asian folklore. Krasue, who is said to hover in the air above the ground and is driven by extreme hunger, poses a severe risk to critical systems and sensitive data given that it is able to grant attackers remote access to the targeted network. The malware also features rootkits embedded in the binary.\r\nIn this article, we explore Krasue’s key characteristics, shedding light on its functionalities, potential impact, and the measures that organizations should take to defend against the evolving threat. Krasue’s core functionality lies in its ability to maintain access to the host, hence we presume that it is either deployed as part of a botnet or sold by initial access brokers to other cybercriminals who are looking to acquire access to a particular target. The information contained in this blog post is useful for organizations fighting cybercrime and technical specialists – intelligence analysts, incident responders and malware analysts.\r\n
Key takeaways\r\nKrasue is a Linux Remote Access Trojan that has been active since 2021 and predominantly targets organizations in Thailand.\r\nGroup-IB can confirm that telecommunications companies were targeted by Krasue.\r\nThe malware contains several embedded rootkits to support different Linux kernel versions.\r\nKrasue’s rootkit is drawn from public sources (3 open-source Linux Kernel Module rootkits), as is the case with many Linux rootkits.\r\nThe rootkit can hook the `kill()` syscall, network-related functions, and file listing operations in order to hide its activities and evade detection.\r\nNotably, Krasue uses RTSP (Real-Time Streaming Protocol) messages to serve as a disguised “alive ping,” a tactic rarely seen in the wild.\r\nThis Linux malware, Group-IB researchers presume, is deployed during the later stages of an attack chain in order to maintain access to a victim host.\r\nKrasue is likely to either be deployed as part of a botnet or sold by initial access brokers to other cybercriminals.\r\nGroup-IB researchers believe that Krasue was created by the same author as the XorDdos Linux Trojan, documented by Microsoft in a March 2022 blog post, or someone that had access to the latter’s source code.\r\nDuring the initialization phase, the rootkit conceals its own presence. It then proceeds to hook the `kill()` syscall, network-related functions and file listing operations, thereby obscuring its activities and evading detection.\r\n
Krasue feeds at night\r\nTo date, the malware named Krasue by Group-IB experts has not been publicly described. Group-IB researchers have not yet determined Krasue’s initial infection vector or the scale of its usage. Several potential pathways by which Krasue could enter a system include vulnerability exploitation, credential brute force attacks, and, more uncommonly, being unwittingly downloaded as part of a deceptive package or binary (i.e. a file masquerading as a product update) from an untrustworthy third-party source.\r\nGroup-IB can confirm that telecommunications companies in Thailand were targeted with Krasue, and that it is likely that this RAT is used later in the attack chain, once a cybercriminal has already intruded into the target network.\r\nFigure 1. Krasue profile made by Group-IB Threat Intelligence.\r\nGroup-IB Threat Intelligence researchers wished to make their unique insights into this malware known to the public at this stage, so that organizations in Thailand can take steps to protect themselves, and so that the global cybersecurity community can better understand the evolving functionalities of Linux RATs and hunt for them. As a result, we have included a full list of YARA rules at the end of this blog, and Group-IB will share any updates regarding this threat on our public platforms. Additionally, in line with the company’s zero-tolerance policy to cybercrime, Group-IB’s Computer Emergency Response Team (GIB-CERT) shared our findings on Krasue with the Thailand Computer Emergency Response Team (ThaiCERT) and the Thailand Telecommunications Sector Computer Emergency Response Team (TTC-CERT).\r\nSo why has Krasue flown under the radar? Firstly, older Linux servers often have poor Endpoint Detection \u0026 Response (EDR) coverage. Secondly, packed malware samples are typically more difficult for security solutions to detect. Specifically, this malware uses UPX packing, and it also enhances its evasion capabilities by daemonizing itself, running as a background process, and disregarding SIGINT signals. By ignoring SIGINT, the process remains unaffected by the interrupt signal sent when a user tries to terminate it by pressing Ctrl-C. If the program has root privileges, it proceeds to install a rootkit (more details in the next section).\r\nKrasue creates a child process and establishes a UDP socket server on port 52699. The purpose of this server is to wait for commands from a command and control (C2) server. For C2 communication, the traffic undergoes AES-CBC encryption using a static key: `22 32 A4 98 A1 4F 2E 44 CF 55 93 B7 91 59 BE A6`. The author used the tiny-AES library. The Trojan handles C2 commands as shown below:\r\nC2 command | Description\r\nping | Reply with `pong`\r\nmaster | Set the master upstream C2\r\ninfo | Get information about the malware: main pid, child pid, and its status: root (gained root permissions), god (process is unable to be killed), hidden (process is hidden), module (rootkit is loaded)\r\nrestart | Restart child process\r\nrespawn | Restart main process\r\ngod die | Kill itself\r\nshell | Run shell commands with `/bin/sh`\r\nKrasue is able to designate a communicating IP as its master C2. It constantly sends `DESCRIBE rtsp://server/media[.]mp4 RTSP/1.0\\r\\nCSeq: 2\\r\\n\\r\\n` as an alive ping to its master C2, which replies with a blank space character `\\x20`. `DESCRIBE` is a method used in Real Time Streaming Protocol (RTSP), a network protocol designed for controlling the delivery of real-time media streams over IP networks. It is often used in applications such as video streaming and video surveillance systems.\r\nWe found a total of 9 hardcoded IP addresses for its master C2:\r\n172[.]19[.]37[.]145: 52699\r\n172[.]19[.]37[.]159: 52699\r\n172[.]19[.]37[.]169: 52699\r\n172[.]19[.]37[.]170: 52699\r\n172[.]19[.]37[.]171: 52699\r\n172[.]19[.]37[.]172: 52699\r\n172[.]19[.]37[.]173: 52699\r\n172[.]19[.]37[.]175: 52699\r\n128[.]199[.]226[.]11: 554\r\nKrasue will always attempt to connect to the internal addresses first. Only after multiple non-replies, trying server after server, does it attempt to connect to 128[.]199[.]226[.]11 on port 554, a port commonly used for RTSP. We suspect that the program is attempting to masquerade and camouflage its network communication, and this is notable because while malware developers typically make a concerted effort to disguise network traffic, using RTSP for this purpose is highly uncommon.\r\nThere are two possible reasons why Krasue contains multiple (8) internal IP addresses. The first is that the internal IP addresses are deliberately fabricated to mislead sandbox analyses, with the malware only connecting to the external IP after running for a certain period of time. The second possibility is that the cybercriminals had access to the Remote Access Trojan from within the victim’s infrastructure, since the malware does not have reverse proxy capabilities. The hackers may have gained access to the victim’s infrastructure and created tunnels within the network. This would also suggest that Krasue is typically deployed during the later stages of an attack chain in order to maintain remote access to an infected network.\r\nThe only external master C2 IP address of the analyzed sample is 128.199.226[.]11.\r\n
Analysis of Krasue.Rootkit\r\nThe Krasue rootkit is a Linux Kernel Module (LKM) and targets Linux Kernel versions 2.6x/3.10.x. An LKM is an object file that can be dynamically loaded into the Linux kernel at runtime. It extends the functionality of the kernel without having to recompile or modify the entire kernel source code. The rootkit masquerades as a VMware driver and does not contain a valid digital signature.\r\nIn order to support different Linux kernel versions, the malware embeds 7 compiled versions of the rootkit. After the RAT determines the kernel version by reading `/proc/version`, it tries to install the rootkit using the `init_module` function, which loads the ELF image into kernel space. Such modules do not persist when the system is rebooted, which is why we believe that the cybercriminals who eventually leverage Krasue gain persistence in the targeted network earlier in the attack chain.\r\nThe code seems to be based on 3 different open-source LKM rootkits:\r\nDiamorphine\r\nSuterusu\r\nRooty\r\nThe 7 embedded rootkits are compiled from the same source and have the same functionalities. The hashes of the extracted rootkits can be found in the IOC section below. All the rootkits have the same fake metadata, namely the description “VMware User Mode Helper”.\r\nFigure 2. Rootkit modinfo section\r\nStealth mechanisms\r\nThe rootkit uses system call hooking (by overwriting function pointers in the system call table) and function call hooking (by modifying the prologue of the target function).\r\nDuring the initialization phase, the rootkit conceals its own presence. It then proceeds to hook the `kill()` syscall, network-related functions and file listing operations, thereby obscuring its activities and evading detection. Files and directories whose names begin with “auwd” and “vmware_helper” are hidden from directory listings. Furthermore, the rootkit enhances its stealth capabilities by hiding ports 52695 to 52699.\r\nCommunication with the rootkit\r\nThe rootkit portion overlaps in a unique way with the rootkit of XorDdos, another Linux malware.\r\nThe Krasue kernel rootkit has the following functions:\r\nHide files and directories related to the malware\r\nHide the rootkit\r\nProvide root access\r\nHide ports and processes\r\nThere are multiple similarities between the rootkits of Krasue and XorDdos, another Linux malware. However, unlike XorDdos, Krasue uses signals instead of `ioctl()` to communicate with the rootkit. Also, by intercepting the `kill()` syscall, kill signals issued to the malware process are conveniently ignored.\r\nCommands can be issued to the rootkit using `kill(arg1,signal)` or `kill -signal arg1` on the terminal. Other signals that are not targeted by the rootkit will be passed to the regular `kill()` system call. The author used certain magic numbers like 52698 and 758.\r\narg1 | signal | Description\r\nx | 31 | Make process x invisible\r\nx | 61 | Unhide port x\r\nx | 62 | Hide port x\r\n52698 | 63 | Hide/show kernel module\r\n52698 | 64 | Provide root privilege\r\n758 | 64 | Check if rootkit is loaded. Returns 0xBD if loaded\r\nx | 64 | Set the god pid (main pid) to x. To set the god pid, it is necessary to issue the kill command for x = 5,2,6,9,8 consecutively before finally specifying the pid.\r\n
Key similarities and differences between rootkits\r\nThe functionalities of Krasue and XorDdos are vastly different, but the components of their rootkits showed some overlaps. Linux rootkits usually do show some similarities as they take reference from public sources, but these two samples exhibit certain code portions that are pretty distinctive. Our comparison of the Krasue and XorDdos rootkits was based on information taken from Microsoft’s blog post detailing XorDdos and the sample (SHA256: C8F761D3EF7CD16EBE41042A0DAF901C2FDFFCE96C8E9E1FA0D422C6E31332EA) included in the IOC section of the aforementioned blog.\r\nXorDdos.Rootkit | Krasue.Rootkit\r\nMagic number: 62598 | Magic number: 52698\r\n`unhide_allz()` unhides all hidden TCP and UDP ports | `unhide_allz()` unhides only hidden UDP ports\r\nPorts hidden during initialization: TCP/UDP 62595-62599 and UDP 21,22,10050 | Ports hidden during initialization: TCP/UDP 52695-52699\r\nAble to change firewall entries* | –\r\nMaintain a hidden processes list* | –\r\nSimilarities: High code similarity; Unique symbol names: unhide_allz, _kkill\r\n* Functionalities mentioned in Microsoft’s blog post and found in other XorDdos.Rootkit samples but not found in this particular sample.\r\n
Conclusion\r\nWhile the primary components of the Krasue Remote Access Trojan differ from XorDdos, there are substantial and unique overlaps in the rootkit segment. As a result, Group-IB researchers can assert with a moderate degree of confidence that Krasue was likely created by the same author as XorDdos, or by someone with access to the latter’s source code.\r\nGiven that various threat actors have used code snippets from the three different open-source projects (Diamorphine, Suterusu, Rooty) to create Krasue’s rootkit, it is difficult to accurately attribute the source code to a specific threat group.\r\nThe information available is not enough to put forward a conclusive attribution as to the creator of Krasue, or the groups that are leveraging it in the wild, but the fact that these malicious programs are able to remain under the radar for extended periods makes it clear that continuous vigilance and better security measures are necessary. We will continue to monitor for future Krasue activity, especially if the RAT expands to other geographies.\r\n
Recommendations for security professionals\r\nUse Group-IB’s Threat Intelligence to obtain up-to-date information about the spread of Krasue and any updates to the Trojan.\r\nBe on the lookout for anomalous RTSP traffic.\r\nTrustworthy sources: Download software and packages only from trusted and official sources. Stick to reputable repositories provided by your Linux distribution or verified third-party sources with a strong reputation for security.\r\nEnable kernel module signature verification: Configure your kernel to only load signed modules. This ensures that only modules with a valid digital signature from a trusted source can be loaded.\r\nMonitor system and network logs: Regularly review system and network logs for any suspicious activities.\r\nConduct periodic security audits: Perform regular security audits of your server environment. This includes reviewing system configurations, conducting vulnerability assessments, and performing penetration testing to identify any potential weaknesses and appropriate remedial actions.\r\nJoin the Group-IB Cybercrime Fighters Club!\r\nThe global fight against cybercrime is a collaborative effort, and that’s why we’re looking to partner with industry peers to research emerging threats and publish joint findings on our blog. If you’ve discovered a breakthrough into a particular threat actor or a vulnerability in a piece of software, let us know, and we can mobilize all our necessary resources to dive deeper into the issue. All contributions will be given appropriate credit along with the full backing of our social media team on Group-IB’s Threat Intelligence Twitter page, where we regularly share our latest findings into threat actors’ TTPs and infrastructure, along with our other social media accounts.\r\n#LetsStopCybercrime #CybercrimeFightersClub\r\n
YARA Rules\r\nrule linux_trojan_unpacked_krasue {\r\n    meta:\r\n        author = \"Sharmine Low\"\r\n        company = \"Group-IB\"\r\n        description = \"Detects unpacked linux trojan krasue\"\r\n        sample = \"902013bc59be545fb70407e8883717453fb423a7a7209e119f112ff6771e44cc\"\r\n    strings:\r\n        $s1 = \"DESCRIBE rtsp://server/media.mp4 RTSP/1.0\"\r\n        $s2 = \"%s: main/child pid: %d/%d root/god/hidden/module\"\r\n        $s3 = \"god die\"\r\n        $s4 = \"set master done\"\r\n    condition:\r\n        2 of ($s*)\r\n}\r\n\r\nrule linux_rootkit_krasue {\r\n    meta:\r\n        author = \"Sharmine Low\"\r\n        company = \"Group-IB\"\r\n        description = \"Detects krasue kernel rootkit, overlaps with xorddos rootkit\"\r\n        sample = \"3e37c7b65c1e46b2eb132f98f65c711b4169c6caeeaecc799abbda122c0c4a59\"\r\n    strings:\r\n        $s1 = \"unhide_allz\"\r\n        $s2 = \"kkill\"\r\n        $s3 = \"is_invisible\"\r\n        $s4 = \"give_root\"\r\n        $s5 = \"hide_tcp4_port\"\r\n    condition:\r\n        4 of them\r\n}\r\nMITRE ATT\u0026CK®\r\nIOCs",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.group-ib.com/blog/krasue-rat/"
	],
	"report_names": [
		"krasue-rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775490804,
	"ts_updated_at": 1775791222,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c23bff172b3aaf37f3efe943deec87328b29ff8.pdf",
		"text": "https://archive.orkl.eu/3c23bff172b3aaf37f3efe943deec87328b29ff8.txt",
		"img": "https://archive.orkl.eu/3c23bff172b3aaf37f3efe943deec87328b29ff8.jpg"
	}
}