{
	"id": "cc4abd41-99f6-4e56-967c-d1d1985ee668",
	"created_at": "2026-04-06T00:14:17.188277Z",
	"updated_at": "2026-04-10T03:21:15.875752Z",
	"deleted_at": null,
	"sha1_hash": "45bf8a09f27e5cc04ccce98d5fb76e804c403f42",
	"title": "Linux, Windows Users Targeted With New ACBackdoor Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1819729,
	"plain_text": "Linux, Windows Users Targeted With New ACBackdoor Malware\r\nBy Sergiu Gatlan\r\nPublished: 2019-11-18 · Archived: 2026-04-05 16:52:34 UTC\r\nResearchers have discovered a new multi-platform backdoor that infects Windows and Linux systems, allowing the attackers to run malicious code and binaries on the compromised machines.\r\nThe malware, dubbed ACBackdoor, appears to have been developed by a threat group with experience in building malicious tools for the Linux platform, a conclusion Intezer security researcher Ignacio Sanmillan draws from the higher complexity of the Linux variant.\r\n\"ACBackdoor provides arbitrary execution of shell commands, arbitrary binary execution, persistence, and update capabilities,\" the Intezer researcher says.\r\nInfection vectors and ported malware\r\nBoth variants share the same command and control (C2) server, but their infection vectors differ: the Windows version is pushed through malvertising with the help of the Fallout Exploit Kit, while the Linux payload is dropped by an as-yet unknown delivery mechanism.\r\nThe latest version of this exploit kit, analyzed by researcher nao_sec in September, exploits CVE-2018-15982 (Adobe Flash Player) and CVE-2018-8174 (Microsoft Internet Explorer VBScript engine) to infect visitors of attacker-controlled sites with malware.\r\nLuckily, \"the Windows variant of this malware does not represent a complex threat in terms of Windows malware,\" Sanmillan says.\r\nACBackdoor's Windows version also appears to have been ported from the Linux one: the researcher found that the two share several Linux-specific strings, such as Linux file-system paths and kernel thread process names.\r\nACBackdoor Linux variant detection rate\r\nBesides arriving via an unknown vector, the Linux binary was detected by only one of the anti-malware scanning engines on VirusTotal at the time this article was published, while the Windows one was detected by 37 out of 70 engines. A single-engine detection rate means signature-based scanning cannot be relied on to catch the Linux implant; the persistence artifacts and process-name tricks described below are the more dependable indicators.\r\nThe Linux binary is also more complex and has extra malicious capabilities, although it shares a similar control flow and logic with the Windows version.\r\n\"The Linux implant has noticeably been written better than the Windows implant, highlighting the implementation of the persistence mechanism along with the different backdoor commands and additional features not seen in the Windows version such as independent process creation and process renaming,\" the report states.\r\nBackdoor malicious capabilities\r\nAfter infecting a machine, the malware collects system information, including the architecture and MAC address, using platform-specific means: Windows API functions on Windows and the uname utility, commonly used to print system information, on Linux.\r\nOnce the information harvesting is done, ACBackdoor adds a registry entry on Windows, and on Linux creates several symbolic links as well as an initrd script, in order to persist and be launched automatically at system startup. These are the artifacts to hunt for on a suspected host: an unexpected autorun registry entry on Windows, and a new init script together with the symbolic links pointing at it on Linux.\r\nThe backdoor also attempts to camouflage itself as MsMpEng.exe, the process name of Microsoft's Windows Defender antimalware and antispyware service, while on Linux it disguises itself as the Ubuntu UpdateNotifier utility and renames its process to [kworker/u8:7-ev], mimicking a Linux kernel thread. The disguise does not survive a closer look: genuine kernel threads are children of kthreadd (PID 2), have an empty /proc/PID/cmdline and no resolvable /proc/PID/exe link, whereas the implant is an ordinary user-space process backed by an on-disk executable; likewise, the real MsMpEng.exe runs from the Windows Defender platform directory and is signed by Microsoft.\r\nWindows and Linux variants control flows (Intezer)\r\nBoth variants communicate with their C2 server over HTTPS, with all the collected information sent as a Base64-encoded payload.\r\nACBackdoor accepts the info, run, execute, and update commands from the C2 server, allowing its operators to run shell commands, execute a binary, and update the malware on the infected system.\r\n\"Because there is no attributable information documented on this backdoor, there is a possibility that some known Linux-based threat group is updating its toolset,\" Sanmillan concludes.\r\nSource: https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/"
	],
	"report_names": [
		"linux-windows-users-targeted-with-new-acbackdoor-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434457,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45bf8a09f27e5cc04ccce98d5fb76e804c403f42.pdf",
		"text": "https://archive.orkl.eu/45bf8a09f27e5cc04ccce98d5fb76e804c403f42.txt",
		"img": "https://archive.orkl.eu/45bf8a09f27e5cc04ccce98d5fb76e804c403f42.jpg"
	}
}