{
	"id": "c23fd473-b8c1-426b-ac61-54ef5a29f842",
	"created_at": "2026-04-06T00:09:18.623106Z",
	"updated_at": "2026-04-10T03:32:09.458312Z",
	"deleted_at": null,
	"sha1_hash": "6f75f06c26f671d30e5941ae089af416dc96193a",
	"title": "ELF_TSCookie - Linux Malware Used by BlackTech - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 838256,
	"plain_text": "ELF_TSCookie - Linux Malware Used by BlackTech - JPCERT/CC Eyes\r\nBy 朝長 秀誠 (Shusei Tomonaga)\r\nPublished: 2020-03-04 · Archived: 2026-04-05 19:01:15 UTC\r\nBlackTech\r\nIn the past blog articles, we have introduced TSCookie, PLEAD and IconDown, which are used by BlackTech. It has been identified that this group also uses several other types of malware. While the malware we have already described infects Windows OS, we have also confirmed that there are TSCookie and PLEAD variants that infect Linux OS.\r\nThis article describes TSCookie for Linux, used by BlackTech.\r\nDifference between TSCookie for Windows and Linux\r\nThe functions of the two are mostly the same, as many parts of the code are identical. Figure 1 shows the comparison of code in TSCookie for Windows and for Linux.\r\nFigure 1: Comparison of code in TSCookie for Windows and Linux (Left: Windows Right: Linux)\r\nWhile they are mostly the same in terms of the code, the Linux version operates differently with the following characteristics:\r\nLess configuration\r\nSupports custom communication protocol only\r\nSeveral functions available by default\r\nhttps://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html\r\nPage 1 of 7\n\nThe details are explained in the next sections.\r\nLess configuration data\r\nAs it was described in the past blog entry (Appendix A: TSCookie Configuration), TSCookie for Windows has 17 sets of configuration within the 0xB78 data size. On the other hand, it is reduced to 5 in the Linux version, and the configuration on proxy communication and others have been excluded. See Appendix A for details.\r\nIn the Windows version, the configuration is RC4-encrypted and hardcoded in the malware. For the Linux version, however, information such as the C\u0026C server is copied as plain text into a dedicated area in memory and then RC4-encrypted. It is uncertain why the Linux version malware does not encrypt the configuration with RC4 from the beginning, but it is possible that some parts of the code did not work when copying the code from the Windows version to the Linux one.\r\nFigure 2: Code for creating configuration\r\nSupports custom communication protocol only\r\nWhile TSCookie for Windows supports several communication protocols (HTTP, HTTPS and custom protocol), the Linux version only supports its custom protocol. Figure 3 shows a part of the code for communication. It is clear that the code only covers the custom protocol.\r\nFigure 3: Comparison of communication in TSCookie for Windows and Linux (Left: Windows version Right: Linux version)\r\nThe payload itself is RC4-encrypted in both versions, and the format of the data as well as the commands received in reply remain mostly the same. (See Appendix B for details.)\r\nSeveral functions available by default\r\nTSCookie for Windows downloads modules and operates accordingly. The Linux version has the following functions by default, so it conducts malicious activities without downloading extra modules. (See Appendix C for details.)\r\nExecute arbitrary shell command\r\nOperate files (list, delete, move)\r\nUpload/Download files\r\nIn closing\r\nIt is assumed that the malware is embedded in a Linux server of a victim organisation by an attacker after intrusion. If you find any type of malware related to BlackTech in your network, it is recommended that you also check your Linux environment. Please see Appendix D for the list of C\u0026C servers.\r\nShusei Tomonaga\r\n(Translated by Yukako Uchida)\r\nAppendix A: ELF_TSCookie Configuration\r\nTable A: Configuration\r\nOffset | Description | Remarks\r\n0x000 | Destination server and port number | Multiple hosts can be specified by listing with a semicolon \";\"\r\n0x400 | RC4 key | Used for encrypting communication\r\n0x40C | Campaign ID |\r\n0x44C | Communication mode | Only supports a custom protocol\r\n0x454 | Not used |\r\nAppendix B: Data exchanged by ELF_TSCookie\r\nTable B-1: Format of sent data\r\nOffset | Length | Contents\r\n0x00 | 4 | Number of received data (begins with 0xFFFFFFFF)\r\n0x04 | 4 | Length of data sent\r\n0x08 | 4 | Packet number (Used to divide data when the data length is larger than 65440)\r\n0x0C | 4 | Command (begins with 0x7263BC02)\r\n0x10 | 4 | Whether the data after 0x20 is RC4-encrypted\r\n0x14 | 4 | Not used\r\n0x18 | 4 | 0x3001\r\n0x1C | 4 | RC4 key (random data)\r\n0x20 | - | Data to be sent (See B-2 for the first communication)\r\nUp to offset 0x1C, the contents are encrypted with the RC4 key and random data in the configuration.\r\nTable B-2: Format of data sent in the first communication after offset 0x20\r\nOffset | Length | Contents\r\n0x00 | 4 | 0x9A65001F\r\n0x04 | 4 | Process ID\r\n0x08 | 4 | Command (0x7263BC02 at the beginning)\r\n0x0C | 4 | Not used\r\n0x10 | 4 | Data size after offset 0x14\r\n0x14 | - | Random data\r\nUp to offset 0x14, the contents are encrypted with the RC4 key and random data in the configuration.\r\nTable B-3: Format of received data\r\nOffset | Length | Contents\r\n0x00 | 4 | Number of received data\r\n0x04 | 4 | Length of received data\r\n0x0C | 4 | Command\r\n0x10 | 4 | Whether the data after 0x20 is RC4-encrypted\r\n0x1C | 4 | RC4 key\r\n0x20 | - | Data\r\nUp to offset 0x1C, the contents are encrypted with the RC4 key in the configuration and another key in the received data.\r\nAppendix C: ELF_TSCookie commands\r\nTable C: Commands\r\nValue | Contents\r\n0x7200AC03 | Launch remote shell\r\n0x7200AC04 | Send a command to remote shell\r\n0x7200AC05 | End remote shell\r\n0x7200AC07 | -\r\n0x7200AC0B | Returns 0x7263BC06\r\n0x7200AC0C | List files\r\n0x7200AC0D | Download file\r\n0x7200AC0E | Upload file\r\n0x7200AC11 | -\r\n0x7200AC13 | End bot\r\n0x7200AC16 | Delete file\r\n0x7200AC1A | Move file\r\n0x7200AC10 | Execute command\r\nAppendix D: C\u0026C servers\r\napp.dynamicrosoft.com\r\nhome.mwbsys.org\r\nAppendix E: Hash\r\nfc863fbd71e22c99eaa2b1b0eb72d806cedeb536213e600afb03f0fbea9d2bb3\r\n朝長 秀誠 (Shusei Tomonaga)\r\nSince December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He presented at CODE BLUE, BsidesLV, BlackHat USA Arsenal, Botconf, PacSec and FIRST Conference. JSAC organizer.\r\nSource: https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html"
	],
	"report_names": [
		"elf-tscookie.html"
	],
	"threat_actors": [
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434158,
	"ts_updated_at": 1775791929,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f75f06c26f671d30e5941ae089af416dc96193a.pdf",
		"text": "https://archive.orkl.eu/6f75f06c26f671d30e5941ae089af416dc96193a.txt",
		"img": "https://archive.orkl.eu/6f75f06c26f671d30e5941ae089af416dc96193a.jpg"
	}
}