{
	"id": "2057f5be-de57-40b1-9769-e27f53c9c58f",
	"created_at": "2026-04-06T00:15:08.004022Z",
	"updated_at": "2026-04-10T13:12:24.39921Z",
	"deleted_at": null,
	"sha1_hash": "90a2de36cad300223bad864b94a0297286dbe086",
	"title": "New SysJoker Backdoor Targets Windows, Linux, and macOS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1815872,
	"plain_text": "New SysJoker Backdoor Targets Windows, Linux, and macOS\r\nBy Avigayil Mechtinger\r\nPublished: 2022-01-11 · Archived: 2026-04-05 17:03:53 UTC\r\nMalware targeting multiple operating systems is no longer an exception in the malware threat landscape. Vermilion Strike, documented just last September, is among the most recent examples.\r\nIn December 2021, we discovered a new multi-platform backdoor that targets Windows, Mac, and Linux. The Linux and Mac versions are fully undetected in VirusTotal. We named this backdoor SysJoker.\r\nSysJoker was first discovered during an active attack on a Linux-based web server of a leading educational institution. After further investigation, we found that SysJoker also has Mach-O and Windows PE versions. Based on Command and Control (C2) domain registration and samples found in VirusTotal, we estimate that the SysJoker attack was initiated during the second half of 2021.\r\nSysJoker masquerades as a system update and generates its C2 by decoding a string retrieved from a text file hosted on Google Drive. During our analysis the C2 changed three times, indicating the attacker is active and monitoring for infected machines. Based on victimology and the malware’s behavior, we assess that SysJoker is after specific targets.\r\nSysJoker was uploaded to VirusTotal with the suffix .ts, which is used for TypeScript files. A possible attack vector for this malware is via an infected npm package.\r\nBelow we provide a technical analysis of this malware together with IoCs and detection and response mitigations.\r\nTechnical Analysis of SysJoker\r\nThe malware is written in C++ and each sample is tailored for the specific operating system it targets. Both the macOS and Linux samples are fully undetected in VirusTotal.\r\nhttps://intezer.com/blog/research/new-backdoor-sysjoker/\r\nPage 1 of 13\n\ne06e06752509f9cd8bc85aa1aa24dba2 in VirusTotal targeting Mac M1 processor\r\nBehavioral Analysis\r\nSysJoker’s behavior is similar for all three operating systems. We will analyze SysJoker’s behavior on Windows.\r\nUnlike the Mac and Linux samples, the Windows version contains a first-stage dropper. The dropper (d71e1a6ee83221f1ac7ed870bc272f01) is a DLL that was uploaded to VirusTotal as style-loader.ts and has only 6 detections at the time of this writing.\r\nThe dropper downloads a zipped SysJoker (53f1bb23f670d331c9041748e7e8e396) from the C2 https[://]github[.]url-mini[.]com/msg.zip, copies it to C:\\ProgramData\\RecoverySystem\\recoveryWindows.zip, unzips it and executes it. All of these actions are executed via PowerShell commands.\r\nProcess tree showing PowerShell commands.\r\nOnce SysJoker (d90d0f4d6dad402b5d025987030cc87c) is executed it sleeps for a random duration between 90 and 120 seconds. Then it creates the C:\\ProgramData\\SystemData directory and copies itself into it, masquerading as igfxCUIService.exe (igfxCUIService stands for Intel Graphics Common User Interface Service).\r\nNext, it gathers information about the machine using Living off the Land (LOtL) commands. SysJoker uses different temporary text files to log the results of the commands. These text files are deleted immediately; their contents are stored in a JSON object, which is then encoded and written to a file named microsoft_windows.dll. The figure below shows the JSON object built in memory by SysJoker.\r\nJSON object built in memory by SysJoker.\r\nIt gathers the MAC address, user name, physical media serial number, and IP address (see the IoCs section for the full list of commands). SysJoker creates persistence by adding an entry to the registry run key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. Between each of the steps above, the malware sleeps for a random duration.\r\nThe following screenshot shows the process tree and commands.\r\nProcess tree and commands.\r\nNext, SysJoker begins its C2 communication.\r\nDecoding/Encoding Scheme\r\nSysJoker holds within the binary a hardcoded XOR key which is used for decoding and encoding strings within the binary and data sent to and received from the C2. The XOR key is an RSA public key that is not used in the decoding scheme. The same XOR key exists in all versions of SysJoker:\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDkfNl+Se7jm7sGSrSSUpV3HUl3vEwuh+xn4qBY6aRFL91x0HIgcH2AM2rOlLdoV8v1vtG1oPt9QpC1jSxShnFw8evGrYnqaou7gLsY5J2B06eq5UW7+OXgb77WNbU90vyUbZAucfzy0eF1HqtBNbkXiQ6SSbquuvFPUepqUEjUSQIDAQAB\r\nResolving C2\r\nTo get an available C2 and start communication, SysJoker first decodes a hardcoded Google Drive link.\r\nDecoding with CyberChef.\r\nThe Google Drive link hosts a text file named domain.txt that holds an encoded C2. The text file’s content changes over time, depending on the currently available C2. SysJoker decodes the C2 and sends the collected user information to the C2’s /api/attach endpoint as an initial handshake. The C2 replies with a unique token which is used as an identifier from then on whenever the malware communicates with the C2.\r\nC2 Instructions\r\nSysJoker runs a while(1) loop that sends a request to the C2’s /api/req endpoint with the unique token and processes the C2’s response, which is built as JSON using functions from this library. This is how SysJoker pings the C2 for instructions (see step 2 in the image below):\r\nSteps.\r\nIf the server responds with data, SysJoker parses the received payload (see step 3 in the image below).\r\nSysJoker can receive the following instructions from the C2: exe, cmd, remove_reg, and exit.\r\nThe following image shows the flow of SysJoker’s communication with the C2.\r\nremove_reg and exit are not implemented in this version. Based on the instruction names, we can assume that they are in charge of self-deletion of the malware. Let’s look into the exe and cmd instructions:\r\nexe – This command is in charge of dropping and running an executable. SysJoker receives a URL to a zip file, a directory path the file should be dropped to, and a filename the malware should use for the extracted executable. It downloads this file, unzips it and executes it.\r\nIDA code snippet of the parsing function, exe branch.\r\nAfter execution, the malware replies to the C2’s /api/req/res API with either “success” if the process succeeded or “exception” if not (step 4 in the image above).\r\nIDA code snippet of the parsing function, building response status.\r\ncmd – This instruction is in charge of running a command and uploading its output to the C2. SysJoker decodes the command, executes it and uploads the command’s output to the C2 via the /api/req/res API (step 4 in the image above).\r\nIDA code snippet of the parsing function, building cmd command response.\r\nDuring our analysis, the C2 did not respond with a next-stage instruction.\r\nDetection \u0026 Response\r\nTo detect if a machine in your organization has been compromised, we recommend taking the following steps:\r\n1. Use memory scanners to detect the SysJoker payload in memory. For Linux machines, use Intezer Protect to gain full runtime visibility over the code in your Linux-based systems and get alerted on any malicious or unauthorized code. We have a free community edition. For Windows machines, use Intezer’s Endpoint Scanner. The Endpoint Scanner will provide you with visibility into the type and origin of all binary code that resides in your machine’s memory. The figure below shows an example of an endpoint infected with SysJoker:\r\n2. Use detection content to search in your EDR or SIEM. We provide IoCs and a rich list of detection content for each operating system below. Use these with your EDR to hunt for infected machines. We will publish a dedicated blog soon discussing how to use detection content for detecting SysJoker.\r\nIf you have been compromised, take the following steps:\r\n1. Kill the processes related to SysJoker, delete the relevant persistence mechanism, and delete all files related to SysJoker (see the detection content section below).\r\n2. Make sure that the infected machine is clean by running a memory scanner.\r\n3. Investigate the initial entry point of the malware. If a server was infected with SysJoker, in the course of this investigation check:\r\n- Configuration status and password complexity for publicly facing services\r\n- Used software versions and possible known exploits\r\nSysJoker’s Linux and Windows versions are now indexed in Intezer Analyze.\r\nFinal Points\r\nThere are indications that the SysJoker attack is performed by an advanced threat actor:\r\n1. The code was written from scratch and hasn’t been seen before in other attacks. On top of that, it is rare to find previously unseen Linux malware in a live attack.\r\n2. The attacker registered at least 4 different domains and wrote the malware from scratch for three different operating systems.\r\n3. During our analysis, we didn’t witness a second stage or command sent from the attacker. This suggests that the attack is targeted, which usually fits an advanced actor.\r\nBased on the malware’s capabilities we assess that the goal of the attack is espionage together with lateral movement, which might also lead to a ransomware attack as one of the next stages.\r\nIoCs\r\nELF\r\nbd0141e88a0d56b508bc52db4dab68a49b6027a486e4d9514ec0db006fe71eed\r\nd028e64bf4ec97dfd655ccd1157a5b96515d461a710231ac8a529d7bdb936ff3\r\nMac\r\n1a9a5c797777f37463b44de2b49a7f95abca786db3977dcdac0f79da739c08ac\r\nfe99db3268e058e1204aff679e0726dc77fd45d06757a5fda9eafc6a28cfb8df\r\nd0febda3a3d2d68b0374c26784198dc4309dbe4a8978e44bb7584fd832c325f0\r\nWindows\r\n61df74731fbe1eafb2eb987f20e5226962eeceef010164e41ea6c4494a4010fc\r\n1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c\r\nd476ca89674c987ca399a97f2d635fe30a6ba81c95f93e8320a5f979a0563517\r\n36fed8ab1bf473714d6886b8dcfbcaa200a72997d50ea0225a90c28306b7670e\r\nC2\r\nhttps[://]bookitlab[.]tech\r\nhttps[://]winaudio-tools[.]com\r\nhttps[://]graphic-updater[.]com\r\nhttps[://]github[.]url-mini[.]com\r\nhttps[://]office360-update[.]com\r\nhttps[://]drive[.]google[.]com/uc?export=download\u0026id=1-NVty4YX0dPHdxkgMrbdCldQCpCaE-Hn\r\nhttps[://]drive[.]google[.]com/uc?export=download\u0026id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu\r\nDetection Content\r\nWindows\r\nFiles and directories created on the machine:\r\nC:\\ProgramData\\RecoverySystem\r\nC:\\ProgramData\\RecoverySystem\\recoveryWindows.zip\r\nC:\\ProgramData\\RecoverySystem\\msg.exe\r\nC:\\ProgramData\\SystemData\r\nC:\\ProgramData\\SystemData\\igfxCUIService.exe\r\nC:\\ProgramData\\SystemData\\tempo1.txt\r\nC:\\ProgramData\\SystemData\\tempo2.txt\r\nC:\\ProgramData\\SystemData\\tempi1.txt\r\nC:\\ProgramData\\SystemData\\tempi2.txt\r\nC:\\ProgramData\\SystemData\\temps1.txt\r\nC:\\ProgramData\\SystemData\\temps2.txt\r\nC:\\ProgramData\\SystemData\\tempu.txt\r\nC:\\ProgramData\\SystemData\\microsoft_windows.dll\r\nC:\\ProgramData\\xAE Operating System\\ServiceHub.exe\r\nPersistence:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nName: igfxCUIService Type: REG_SZ Data: “C:\\ProgramData\\SystemData\\igfxCUIService.exe”\r\nCommands:\r\n“C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe” getmac | Out-File -Encoding ‘Default’ ‘C:\\ProgramData\\SystemData\\temps1.txt’ ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding ‘Default’ ‘C:\\ProgramData\\SystemData\\temps2.txt’\r\n“C:\\Windows\\System32\\Wbem\\WMIC.exe”  path win32_physicalmedia get SerialNumber\r\n“C:\\Windows\\system32\\getmac.exe”\r\n“C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe” $env:username | Out-File -Encoding ‘Default’ ‘C:\\ProgramData\\SystemData\\tempu.txt’\r\n“C:\\Windows\\System32\\cmd.exe” /c wmic OS get Caption, CSDVersion, OSArchitecture, Version / value \u003e “C:\\ProgramData\\SystemData\\tempo1.txt” \u0026\u0026 type “C:\\ProgramData\\SystemData\\tempo1.txt” \u003e “C:\\ProgramData\\SystemData\\tempo2.txt”\r\nwmic  OS get Caption, CSDVersion, OSArchitecture, Version / value\r\n“C:\\Windows\\System32\\cmd.exe” /c wmic nicconfig where ‘IPEnabled = True’ get ipaddress \u003e “C:\\ProgramData\\SystemData\\tempi1.txt” \u0026\u0026 type “C:\\ProgramData\\SystemData\\tempi1.txt” \u003e “C:\\ProgramData\\SystemData\\tempi2.txt”\r\nwmic  nicconfig where ‘IPEnabled = True’ get ipaddress\r\n“C:\\Windows\\System32\\cmd.exe” /c REG ADD HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V igfxCUIService /t REG_SZ /D “C:\\ProgramData\\SystemData\\igfxCUIService.exe” /F\r\nREG  ADD HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V igfxCUIService /t REG_SZ /D “C:\\ProgramData\\SystemData\\igfxCUIService.exe” /F\r\nLinux\r\nFiles and directories created on the machine:\r\n/.Library/\r\n/.Library/SystemServices/updateSystem\r\n/.Library/SystemNetwork\r\n/.Library/log.txt\r\nPersistence:\r\nCreates the cron job:\r\n@reboot (/.Library/SystemServices/updateSystem)\r\nCommands:\r\ncrontab -l | egrep -v “^(#|$)” | grep -e “@reboot (/.Library/SystemServices/updateSystem)”\r\ncp -rf \u003csample name\u003e /.Library/SystemServices/updateSystem\r\nnohup ‘/.Library/SystemServices/updateSystem’ \u003e/dev/null 2\u003e\u00261 \u0026\r\nifconfig | grep -v 127.0.0.1 | grep -E “inet ([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})” | awk ‘{print $2}’\r\nip address | awk ‘/ether/{print $2}’\r\nid -u\r\nuname -mrs\r\nMac\r\nFiles and directories created on the machine:\r\n/Library/MacOsServices\r\n/Library/MacOsServices/updateMacOs\r\n/Library/SystemNetwork\r\n/Library/LaunchAgents/com.apple.update.plist\r\nPersistence:\r\nCreates persistence via LaunchAgent under the path /Library/LaunchAgents/com.apple.update.plist.\r\nContent (plist XML tags were lost in extraction; the recoverable keys and values are): Label: com.apple.update; LimitLoadToSessionType: Aqua; ProgramArguments: /Library/MacOsServices/updateMacOs; KeepAlive: SuccessfulExit; RunAtLoad.\r\nYou can find more information about SysJoker in Intezer Analyze, which now has the Linux and Windows versions indexed.\r\nSource: https://intezer.com/blog/research/new-backdoor-sysjoker/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://intezer.com/blog/research/new-backdoor-sysjoker/"
	],
	"report_names": [
		"new-backdoor-sysjoker"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434508,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/90a2de36cad300223bad864b94a0297286dbe086.pdf",
		"text": "https://archive.orkl.eu/90a2de36cad300223bad864b94a0297286dbe086.txt",
		"img": "https://archive.orkl.eu/90a2de36cad300223bad864b94a0297286dbe086.jpg"
	}
}