{ "id": "3ca11662-ffbb-46bb-8d15-7bf9e58a639b", "created_at": "2026-04-06T01:31:55.733323Z", "updated_at": "2026-04-10T03:37:49.985853Z", "deleted_at": null, "sha1_hash": "646b5410b4e908908d2b5b4830870d58a283eb4e", "title": "A Look Into Fysbis: Sofacy’s Linux Backdoor", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 653225, "plain_text": "A Look Into Fysbis: Sofacy’s Linux Backdoor\r\nBy Bryan Lee, Rob Downs\r\nPublished: 2016-02-12 · Archived: 2026-04-06 00:15:06 UTC\r\nIntroduction\r\nThe Sofacy group, also known as APT28 and Sednit, is a fairly well known cyber espionage group believed to\r\nhave ties to Russia. Their targets have spanned all across the world, with a focus on government, defense\r\norganizations and various Eastern European governments. There have been numerous reports on their activities, to\r\nthe extent that a Wikipedia entry has even been created for them.\r\nFrom these reports, we know that the group uses an abundance of tools and tactics, ranging across zero-day\r\nexploits targeting common applications such as Java or Microsoft Office, heavy use of spear-phishing attacks,\r\ncompromising legitimate websites to stage watering-hole attacks, and targeting over a variety of operating systems\r\n– Windows, OSX, Linux, even mobile iOS.\r\nThe Linux malware Fysbis is a preferred tool of Sofacy, and though it is not particularly sophisticated, Linux\r\nsecurity in general is still a maturing area, especially in regards to malware. In short, it is entirely plausible that\r\nthis tool has contributed to the success of associated attacks by this group. This blog post focuses specifically on\r\nthis Linux tool preferred by Sofacy and describes considerations and implications when it comes to Linux\r\nmalware.\r\nMalware Assessment\r\nFysbis is a modular Linux trojan / backdoor that implements plug-in and controller modules as distinct classes.\r\nFor reference, some vendors categorize this malware under the Sednit attacker group naming designation. This\r\nmalware includes both 32-bit and 64-bit versions of Executable and Linking Format (ELF) binaries. Additionally,\r\nFysbis can install itself to a victim system with or without root privileges. This increases the options available to\r\nan adversary when it comes to selecting accounts for installation.\r\nSummary information for the three binaries we analyzed follows:\r\nMD5 364ff454dcf00420cff13a57bcb78467\r\nSHA-256\r\n8bca0031f3b691421cb15f9c6e71ce19335\r\n5d2d8cf2b190438b6962761d0c6bb\r\nssdeep\r\n3072:n+1R4tREtGN4qyGCXdHPYK9l0H786\r\nO26BmMAwyWMn/qwwiHNl:n+1R43QcIL\r\nXdF0w6IBmMAwwCwwi\r\nSize 141.2 KB (144560 bytes)\r\nhttps://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/\r\nPage 1 of 10\n\nType ELF 64-bit (stripped)\r\nInstall as root /bin/rsyncd\r\nRoot install desc synchronize and backup service\r\nInstall as non-root ~/.config/dbus-notifier/dbus-inotifier\r\nNon-root install desc system service d-bus notifier\r\nC2 azureon-line[.]com (TCP/80)\r\nUsage Timeframe Late 2014\r\nTable 1: Sample 1 - Late 2014 Sofacy 64-bit Fysbis\r\nMD5 075b6695ab63f36af65f7ffd45cccd39\r\nSHA-256\r\n02c7cf55fd5c5809ce2dce56085ba43795f2\r\n480423a4256537bfdfda0df85592\r\nssdeep\r\n3072:9ZAxHANuat3WWFY9nqjwbuZf454U\r\nNqRpROIDLHaSeWb3LGmPTrIW33HxIajF:\r\n9ZAxHANJAvbuZf454UN+rv eQLZPTrV3Z\r\nSize 175.9 KB (180148 bytes)\r\nType ELF 32-bit (stripped)\r\nInstall as root /bin/ksysdefd\r\nRoot install desc system kernel service defender\r\nInstall as non-root ~/.config/ksysdef/ksysdefd\r\nNon-root install desc system kernel service defender\r\nC2 198.105.125[.]74 (TCP/80)\r\nUsage Timeframe Early 2015\r\nTable 2: Sample 2 - Early 2015 Sofacy 32-bit Fysbis\r\nMD5 e107c5c84ded6cd9391aede7f04d64c8\r\nSHA-256\r\nfd8b2ea9a2e8a67e4cb3904b49c789d57ed\r\n9b1ce5bebfe54fe3d98214d6a0f61\r\nhttps://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/\r\nPage 2 of 10\n\nssdeep\r\n6144:W/D5tpLWtr91gmaVy+mdckn6BCUd\r\nc4mLc2B9:4D5Lqgkcj+\r\nSize 314.4 KB (321902 bytes)\r\nType ELF 64-bit (not stripped)\r\nInstall as root /bin/ksysdefd\r\nRoot install desc system kernel service defender\r\nInstall as non-root ~/.config/ksysdef/ksysdefd\r\nNon-root install desc system kernel service defender\r\nC2 mozilla-plugins[.]com (TCP/80)\r\nUsage Timeframe Late 2015\r\nTable 3: Sample 3 - Late 2015 Sofacy 64-bit Fysbis\r\nOverall, these binaries are assessed as low sophistication, but effective. They epitomize the grudging reality that\r\nAdvanced Persistent Threat (APT) actors often don’t require advanced means to affect their objectives. Rather,\r\nthese actors more often than not hold their advanced malware and zero day exploits in reserve and employ just\r\nenough resources to meet their goals. It is only fair that defenders use any shortcuts or tricks at their disposal to\r\nshorten the amount of time it takes to assess threats. In other words, defenders should always look for ways to\r\nwork smarter before they have to work harder.\r\nGetting the Most Out of Strings\r\nBinary strings alone revealed a good amount about these files, increasing the efficacy of activities such as static\r\nanalysis categorization (e.g., Yara). One example of this is Fysbis installation and platform targeting information\r\nfor the samples in Table 1 and Table 2.\r\nFigure 1: Sofacy Fysbis installation and platform targeting found in strings\r\nIn this case, we can see the binary installation path and local reconnaissance to determine which flavor of Linux\r\nthe malware is running. This is followed by a number of Linux shell command style commands related to the\r\nhttps://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/\r\nPage 3 of 10\n\nmalware establishing persistence.\r\nAnother example of easily obtained information from these samples is capability based.\r\nFigure 2: Sofacy Fysbis capability related leakage through strings\r\nFigure 2 shows interactive status / feedback strings that can give a defender an initial profile of capabilities. In\r\naddition to contributing to static analysis detections, this can be useful as a starting point for further incident\r\nresponse prioritization and qualification of the threat.\r\nSymbolic Information Can Shorten Analysis Time\r\nInterestingly, the most recent ELF 64-bit binary we analyzed (Table 3) was not stripped prior to delivery, which\r\noffered additional context in the form of symbolic information. Defenders more familiar with Windows Portable\r\nExecutable (PE) binaries can equate this with compilation of a Debug version versus a Release version. For\r\ncomparison, if we were to inspect Fysbis “RemoteShell” associated strings in one of the stripped variants, we\r\nwould only see the following:\r\nhttps://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/\r\nPage 4 of 10\n\nFigure 3: Sofacy Fysbis stripped binary string references to RemoteShell capability\r\nCompare this with what is available from the non-stripped variant:\r\nFigure 4: Sofacy Fysbis non-stripped binary strings referenes to RemoteShell capability\r\nLittle static analysis gifts like these can help to speed defender enumeration of capabilities and – more importantly\r\n– further contribute to correlation and detection across related samples.\r\nAdditionally, this latest sample demonstrated minor evolution of the threat, most notably in terms of obfuscation.\r\nSpecifically, both samples in Table 1 and Table 2 leaked installation information in the clear within binary strings.\r\nThis was not the case with the sample in Table 3. Taking a closer look at this non-stripped binary using a\r\ndisassembler, the following corresponds to decoding malware installation information for a root-privilege account.\r\nFigure 5: Assembly code view of Sample 3 installation decoding\r\nIn this case, the symbolic information hints at the method used for decoding, with references to mask, path, name,\r\nand info byte arrays.\r\nhttps://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/\r\nPage 5 of 10\n\nFigure 6: Assembly view of Sample 3 root installation related byte arrays\r\nAs it turns out, the referenced byte mask is applied to the other byte arrays using a rolling double-XOR algorithm\r\nto construct malware installation paths, filenames, and descriptions for a Linux root account. Corresponding\r\nINSTALLUSER byte arrays exist, which facilitate the non-root installation for the trojan. The same masking\r\nmethod is also used by the binary to decode malware configuration C2 information, further showcasing how a\r\nlittle symbolic information can go a long way towards completeness and higher confidence in assessment of a\r\nmalware sample.\r\nIf you would like to learn more about how Fysbis works, the samples analyzed remain fairly consistent with the\r\nsample analysis found here.\r\nInfrastructure Analysis\r\nAs Unit 42 has discussed in depth in other blog articles, we have observed that adversaries in general are\r\nseemingly hesitant in changing their infrastructure. This may be due to not wanting to commit additional\r\nresources, or simply a matter of retaining familiarity for the sake of timeliness. In either case, we see the same\r\ntype of behavior here with the Fysbis samples in use by Sofacy.\r\nThe oldest sample (Table 1), was found to beacon to the domain azureon-line[.]com, which had already been\r\nwidely publicized as a known command and control domain for the Sofacy group. Using passive DNS, we can see\r\nthat two of the original IPs this domain resolved to, 193.169.244[.]190 and 111.90.148[.]148 also mapped to a\r\nnumber of other domains that had been in use by the Sofacy group during that time period.\r\nhttps://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/\r\nPage 6 of 10\n\nFigure 7: Sample 1 C2 resolutions\r\nThe first of the newer samples (Table 2), continues the trend and beacons to an IP also widely associated with the\r\nSofacy group, 198.105.125[.]74. This IP has been mostly associated with the tool specifically known as\r\nCHOPSTICK, which can be read about here.\r\nFigure 8: Sample 2 C2 resolutions\r\nhttps://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/\r\nPage 7 of 10\n\nThe newest sample (Table 3), introduces a previously unknown command and control beacon to mozilla-plugins[.]com. This activity aligns with the previously observed Sofacy group tactic of integrating legitimate\r\ncompany references into their infrastructure naming convention. Neither this new domain nor the IP it resolves to\r\nhave been observed in the past, indicating that the sample in Table 3 may be associated with a newer campaign.\r\nComparing this sample’s binary with the other two however, shows there are significant similarities on the code\r\nlevel as well as in terms of shared behavior.\r\nFigure 9: Sample 3 C2 resolutions\r\nConclusion\r\nLinux is used across business and home environments and appears in a variety of form factors. It is a preferred\r\nplatform within data centers and the cloud for businesses, as well as an ongoing favorite when it comes to a\r\nmajority of Internet-facing web and application servers. Linux is also at the foundation of Android devices and a\r\nnumber of other embedded systems. The value proposition of Linux – especially when it comes to its use in the\r\nenterprise – can be broken out into three perceived benefits: lower total cost of ownership (TCO), security, and\r\nfeature set. While numbers and comparison alone can contribute to measurement of TCO and feature set, security\r\nrequires further qualification. Expertise in the Linux platform is highly sought after across all industries for\r\nmultiple disciplines, from system administration to big data analytics to incident response.\r\nThe majority of businesses still maintain Windows-heavy user environments where certain core infrastructure\r\ncomponents also operate under Windows servers (e.g., Active Directory, SharePoint, etc.). This means, from a\r\npractical perspective, most of a business’s focus remains on supporting and protecting Windows assets. Linux\r\nremains a mystery to a number of enterprise IT specialists –most critically for network defenders. Identifying and\r\nhttps://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/\r\nPage 8 of 10\n\nqualifying potential incidents requires a familiarity with what constitutes normal operation in order to isolate\r\nanomalies. The same is true for any other asset in an environment, normal operation is entirely dependent on a\r\ngiven asset’s role / function in the enterprise.\r\nLack of expertise and visibility into non-Windows platforms combine in some environments to present significant\r\nrisks against an organization’s security posture. As a recent caution, the Linux vulnerability described under CVE-2016-0728 further demonstrates the potential breadth of real-world risks to associated platforms. A natural\r\nextension of this exposure is increased targeting by both dedicated and opportunistic attackers across various\r\nmalicious actor motivations. Despite the lingering belief (and false sense of security) that Linux inherently yields\r\nhigher degrees of protection from malicious actors, Linux malware and vulnerabilities do exist and are in use by\r\nadvanced adversaries. To mitigate associated risks requires tailored integration of the people, processes, and\r\ntechnology in support of prevention, monitoring, and detection within an environment.\r\nLinux malware detection and prevention is not prevalent at this time, but Palo Alto Networks customers are\r\nprotected through our next-generation security platform:\r\nIPS signature 14917 deployed to identify and prevent command and control activity\r\nThe C2 domains and files mentioned in this report are blocked in our Threat Prevention product.\r\nIndicators\r\nType Value\r\nMD5 364ff454dcf00420cff13a57bcb78467\r\nSHA256\r\n8bca0031f3b691421cb15f9c6e71ce193\r\n355d2d8cf2b190438b6962761d0c6bb\r\nssdeep\r\n3072:n+1R4tREtGN4qyGCXdHPYK9l\r\n0H786O26BmMAwyWMn/qwwiHNl:n\r\n+1R43QcILXdF0w6IBmMAwwCwwi\r\nMD5 075b6695ab63f36af65f7ffd45cccd39\r\nSHA-256\r\n02c7cf55fd5c5809ce2dce56085ba437\r\n95f2480423a4256537bfdfda0df85592\r\nssdeep\r\n3072:9ZAxHANuat3WWFY9nqjwbuZf\r\n454UNqRpROIDLHaSeWb3LGmPTrI\r\nW33HxIajF:9ZAxHANJAvbuZf454UN\r\n+rv eQLZPTrV3Z\r\nMD5 e107c5c84ded6cd9391aede7f04d64c8\r\nSHA-256\r\nfd8b2ea9a2e8a67e4cb3904b49c789d\r\n57ed9b1ce5bebfe54fe3d98214d6a0f61\r\nhttps://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/\r\nPage 9 of 10\n\nssdeep\r\n6144:W/D5tpLWtr91gmaVy+mdckn6\r\nBCUdc4mLc2B9:4D5Lqgkcj+\r\nPath /bin/rsyncd\r\nPath Desc synchronize and backup service\r\nPath ~/.config/dbus-notifier/dbus-inotifier\r\nPath Desc system service d-bus notifier\r\nPath /bin/ksysdefd\r\nPath ~/.config/ksysdef/ksysdefd\r\nPath Desc system kernel service defender\r\nC2 azureon-line[.]com\r\nC2 198.105.125[.]74\r\nC2 mozilla-plugins[.]com\r\nC2 Mozillaplagins[.]com\r\nSource: https://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/\r\nhttps://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/\r\nPage 10 of 10", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/" ], "report_names": [ "a-look-into-fysbis-sofacys-linux-backdoor" ], "threat_actors": [ { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775439115, "ts_updated_at": 1775792269, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/646b5410b4e908908d2b5b4830870d58a283eb4e.pdf", "text": "https://archive.orkl.eu/646b5410b4e908908d2b5b4830870d58a283eb4e.txt", "img": "https://archive.orkl.eu/646b5410b4e908908d2b5b4830870d58a283eb4e.jpg" } }