{ "id": "c76b852b-c31e-45f7-9cfa-22a70ecda0c2", "created_at": "2026-04-06T00:08:36.639987Z", "updated_at": "2026-04-10T13:11:46.755287Z", "deleted_at": null, "sha1_hash": "4a4022e2785dab24cd1a8c1930741bfea9cad774", "title": "Analysis of Pupy RAT Used in Attacks Against Linux Systems", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1309187, "plain_text": "Analysis of Pupy RAT Used in Attacks Against Linux Systems\r\nBy ATCP\r\nPublished: 2024-04-10 · Archived: 2026-04-06 00:04:00 UTC\r\nPupy is a RAT malware strain that offers cross-platform support. Because it is an open-source program published\r\non GitHub, it is continuously being used by various threat actors including APT groups. For example, it is known\r\nto have been used by APT35 (said to have ties to Iran) [1] and was also used in Operation Earth Berberoka [2]\r\nwhich targeted online gambling websites. Recently, a malware strain named Decoy Dog was discovered, which is\r\nan updated version of Pupy RAT. Decoy Dog was used in attacks against corporate networks in Russia and\r\nEastern Europe. [3]\r\nThis post will provide a basic overview of Pupy RAT and cover attack cases identified during the analysis process.\r\nMajor examples include attacks against Linux systems in South Korea and the Pupy RAT malware versions that\r\nhave been distributed for several years to Asian countries.\r\n1. PupyRAT\r\nPublished on GitHub, Pupy RAT was written based on C and Python. It supports Windows and Linux operating\r\nsystems and can also support Mac OSX and Android, albeit to a limited degree.\r\nhttps://asec.ahnlab.com/en/64258/\r\nPage 1 of 6\n\nBecause it is a RAT malware type, it supports features such as command execution, handling files and processes,\r\nand uploading and downloading files. It also provides information theft features such as capturing screenshots and\r\nkeylogging. Unlike ordinary RATs, Pupy RAT supports post-exploitation modules, which make follow-up attacks\r\nsuch as privilege escalation, account credential theft, and lateral movement possible.\r\nMalware strains that target Linux systems generally have their process names changed to resemble normal\r\nprocesses to conceal themselves. One of the characteristics of Pupy RAT is that it changes the process name to\r\n“/usr/sbin/atd” at runtime by default. Of course, some threat actors may use different path names. The different\r\nnames can be used as one of the factors for distinguishing threat actors alongside the first 8 digits of the Revision\r\nnumber that is saved when building Pupy RAT.\r\nhttps://asec.ahnlab.com/en/64258/\r\nPage 2 of 6\n\n2. Cases of Attacks Against Asian Countries\r\nThe following are cases where the malware is believed to be created and distributed by the same threat actor.\r\nBased on the information on VirusTotal, the malware strains are distributed with the names being variants of\r\n“nptd” or “kworker”. They were mainly collected in Asian regions including not only Taiwan, Hong Kong, and\r\nSingapore, but also Japan and Thailand.\r\nThe attacks have been continuing from 2021 to recent times, and the malware strain is still available for download\r\neven as of right now. The threat actor used several addresses over many years to upload the malware and use them\r\nas C\u0026C servers.\r\nNote that Cobalt Strike is one of the malware strains that share the same download and C\u0026C server URL. Thus,\r\nthe threat actor probably targeted Linux systems as well as Windows systems using Cobalt Strike. Seeing from the\r\nmalware icons and file names such as “ChromeSetup.exe” and “刘中盛—运维工程师-大型企业内网运维-个人\r\n简历.docx.exe”, they are believed to have been distributed via web pages disguised as download pages for\r\nlegitimate software or through spear phishing attacks.\r\nhttps://asec.ahnlab.com/en/64258/\r\nPage 3 of 6\n\n3. Analysis of Attacks Against South Korea\r\nPupy RAT is continuously being collected in South Korea as well. Based on the provided IoCs, there is a case\r\nwhere Pupy RAT was distributed alongside PlugX around 2019. PlugX is one of the major backdoors used by\r\nAPT threat groups that are based in China. It is known to have been distributed from around 2008. Mustang\r\nPanda, Winnti, APT3, and APT41 are the main APT threat groups that have used PlugX in their attacks, most of\r\nthem being known to be based in China.\r\nThere was also a case where Pupy RAT was uploaded on a currently closed Korean Windows utility-sharing\r\nwebsite around 2023, although the specific infection route has not been ascertained.\r\nhttps://asec.ahnlab.com/en/64258/\r\nPage 4 of 6\n\n4. Conclusion\r\nPupy RAT is a malware strain that can receive commands from the C\u0026C server and control the infected system. It\r\nnot only supports basic commands but also provides information extortion and proxy features among various\r\nothers. Aside from these features provided by ordinary RAT malware, it also has various other features for follow-up attacks such as privilege escalation, account credential theft, and lateral movement.\r\nBecause the malware is an open-source program and supports various platforms, it is used by various threat actors\r\nincluding APT groups. While most of the known attacks target Windows systems, it is constantly used in attacks\r\ntargeting Linux servers as well. Most of the recently identified malware variants that target Linux systems were\r\ncollected in Asian countries, with cases also reported from Korea.\r\nTo prevent such security threats, users must check their vulnerable environment configuration or credentials and\r\nalways update relevant systems to the latest versions to defend systems from threats. Also, V3 should be updated\r\nto the latest version so that malware infection can be prevented.\r\nFile Detection\r\n– Malware/Win32.Generic.C3121812 (2019.03.24.09)\r\n– Backdoor/Win.CobaltStrike.C5611386 (2024.04.11.03)\r\n– Downloader/Win.CobaltStrike.C5611385 (2024.04.11.03)\r\n– Backdoor/Linux.PupyRAT.3414160 (2024.04.08.02)\r\n– Backdoor/Linux.PupyRAT.3700880 (2024.04.08.02)\r\n– Backdoor/Linux.PupyRAT.3713536 (2021.07.09.02)\r\n– Linux/Agent.2652544 (2019.08.04.00)\r\nMD5\r\n1358d7f17b0882a38a3cfa88df256fc1\r\n16b088b75442e247a8c53161a8a130b0\r\nhttps://asec.ahnlab.com/en/64258/\r\nPage 5 of 6\n\n1738429d3737b22d52b442c4faef50a1\r\n2c802c1fac3b0035b2a79cbd56510caa\r\n2f378559b835cbe9ec9874baec73a578\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//45[.]32[.]16[.]248/adobe[.]dll\r\nhttp[:]//45[.]32[.]16[.]248/lvmetad\r\nhttp[:]//api[.]api-alipay[.]com/kworker0ytj\r\nhttp[:]//api[.]api-alipay[.]com/kworker37yu\r\nhttp[:]//api[.]api-alipay[.]com/kworker54c8\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click\r\nthe banner below.\r\nSource: https://asec.ahnlab.com/en/64258/\r\nhttps://asec.ahnlab.com/en/64258/\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://asec.ahnlab.com/en/64258/" ], "report_names": [ "64258" ], "threat_actors": [ { "id": "d8af157e-741b-4933-bb4a-b78490951d97", "created_at": "2023-01-06T13:46:38.748929Z", "updated_at": "2026-04-10T02:00:03.087356Z", "deleted_at": null, "main_name": "APT35", "aliases": [ "COBALT MIRAGE", "Agent Serpens", "Newscaster Team", "Magic Hound", "G0059", "Phosphorus", "Mint Sandstorm", "TunnelVision" ], "source_name": "MISPGALAXY:APT35", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "13354d3f-3f40-44ec-b42a-3cda18809005", "created_at": "2022-10-25T15:50:23.275272Z", "updated_at": "2026-04-10T02:00:05.36519Z", "deleted_at": null, "main_name": "APT3", "aliases": [ "APT3", "Gothic Panda", "Pirpi", "UPS Team", "Buckeye", "Threat Group-0110", "TG-0110" ], "source_name": "MITRE:APT3", "tools": [ "OSInfo", "schtasks", "PlugX", "LaZagne", "SHOTPUT", "RemoteCMD" ], "source_id": "MITRE", "reports": null }, { "id": "452d2d74-e812-45d6-b0fe-b8a6cc4ebd01", "created_at": "2022-10-25T16:07:23.562676Z", "updated_at": "2026-04-10T02:00:04.662064Z", "deleted_at": null, "main_name": "Earth Berberoka", "aliases": [ "GamblingPuppet" ], "source_name": "ETDA:Earth Berberoka", "tools": [ "Agent.dhwf", "AngryRebel", "AsyncRAT", "CinaRAT", "Destroy RAT", "DestroyRAT", "Farfli", "Gh0st RAT", "Ghost RAT", "Kaba", "Korplug", "Moudour", "Mydoor", "PCRat", "PlugX", "PuppetLoader", "Quasar RAT", "QuasarRAT", "RedDelta", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "Xamtrav", "Yggdrasil", "oRAT" ], "source_id": "ETDA", "reports": null }, { "id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4", "created_at": "2023-01-06T13:46:38.269054Z", "updated_at": "2026-04-10T02:00:02.90356Z", "deleted_at": null, "main_name": "APT3", "aliases": [ "GOTHIC PANDA", "TG-0110", "Buckeye", "Group 6", "Boyusec", "BORON", "BRONZE MAYFAIR", "Red Sylvan", "Brocade Typhoon" ], "source_name": "MISPGALAXY:APT3", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4", "created_at": "2022-10-25T15:50:23.808974Z", "updated_at": "2026-04-10T02:00:05.291959Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "Magic Hound", "TA453", "COBALT ILLUSION", "Charming Kitten", "ITG18", "Phosphorus", "APT35", "Mint Sandstorm" ], "source_name": "MITRE:Magic Hound", "tools": [ "Impacket", "CharmPower", "FRP", "Mimikatz", "Systeminfo", "ipconfig", "netsh", "PowerLess", "Pupy", "DownPaper", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03", "created_at": "2025-08-07T02:03:24.746965Z", "updated_at": "2026-04-10T02:00:03.640335Z", "deleted_at": null, "main_name": "COBALT ILLUSION", "aliases": [ "APT35 ", "APT42 ", "Agent Serpens Palo Alto", "Charming Kitten ", "CharmingCypress ", "Educated Manticore Checkpoint", "ITG18 ", "Magic Hound ", "Mint Sandstorm sub-group ", "NewsBeef ", "Newscaster ", "PHOSPHORUS sub-group ", "TA453 ", "UNC788 ", "Yellow Garuda " ], "source_name": "Secureworks:COBALT ILLUSION", "tools": [ "Browser Exploitation Framework (BeEF)", "MagicHound Toolset", "PupyRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c", "created_at": "2025-08-07T02:03:24.631402Z", "updated_at": "2026-04-10T02:00:03.608938Z", "deleted_at": null, "main_name": "BRONZE MAYFAIR", "aliases": [ "APT3 ", "Gothic Panda ", "Pirpi", "TG-0110 ", "UPSTeam" ], "source_name": "Secureworks:BRONZE MAYFAIR", "tools": [ "Cookiecutter", "HUC Proxy Malware (Htran)", "Pirpi", "PlugX", "SplitVPN", "UPS", "ctt", "ctx" ], "source_id": "Secureworks", "reports": null }, { "id": "2664d6f5-f918-4978-87f8-f6afad7402c6", "created_at": "2023-01-06T13:46:39.393669Z", "updated_at": "2026-04-10T02:00:03.312065Z", "deleted_at": null, "main_name": "Earth Berberoka", "aliases": [ "GamblingPuppet" ], "source_name": "MISPGALAXY:Earth Berberoka", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434116, "ts_updated_at": 1775826706, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/4a4022e2785dab24cd1a8c1930741bfea9cad774.pdf", "text": "https://archive.orkl.eu/4a4022e2785dab24cd1a8c1930741bfea9cad774.txt", "img": "https://archive.orkl.eu/4a4022e2785dab24cd1a8c1930741bfea9cad774.jpg" } }