{
	"id": "a5e94a3d-df09-4c1a-a324-298e21a97c55",
	"created_at": "2026-04-06T00:08:00.356994Z",
	"updated_at": "2026-04-10T03:30:57.260052Z",
	"deleted_at": null,
	"sha1_hash": "923eca990c2e9005bf1836dbee7259e6b670ccf9",
	"title": "Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 629603,
	"plain_text": "Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat\r\nBy Joakim Kennedy\r\nPublished: 2022-06-09 · Archived: 2026-04-05 22:04:34 UTC\r\nThis research is a joint effort between Joakim Kennedy, Security Researcher at Intezer, and the BlackBerry Threat\r\nResearch \u0026 Intelligence team. It can be found in the BlackBerry blog here as well.\r\nIn biology, a symbiote is an organism that lives in symbiosis with another organism. The symbiosis can be\r\nmutually beneficial to both organisms, but sometimes it can be parasitic when one benefits and the other is\r\nharmed. A few months back, we discovered a new, undetected Linux® malware that acts in this parasitic nature.\r\nWe have aptly named this malware Symbiote.\r\nWhat makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect\r\nother running processes to inflict damage on infected machines. Instead of being a standalone executable file that\r\nis run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using\r\nLD_PRELOAD (T1574.006), and parasitically infects the machine. Once it has infected all the running\r\nprocesses, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote\r\naccess capability.\r\nThe Birth of a Symbiote\r\nOur earliest detection of Symbiote is from November 2021, and it appears to have been written to target the\r\nfinancial sector in Latin America. Once the malware has infected a machine, it hides itself and any other\r\nmalware used by the threat actor, making infections very hard to detect. Performing live forensics on an infected\r\nmachine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware. 
In\r\naddition to the rootkit capability, the malware provides a backdoor for the threat actor to log in as any user on the\r\nmachine with a hardcoded password and to execute commands with the highest privileges. \r\nSince it is extremely evasive, a Symbiote infection is likely to “fly under the radar.” In our research, we haven’t\r\nfound enough evidence to determine whether Symbiote is being used in highly targeted or broad attacks.\r\nOne interesting technical aspect of Symbiote is its Berkeley Packet Filter (BPF) hooking functionality. Symbiote\r\nis not the first Linux malware to use BPF. For example, advanced backdoors attributed to the Equation Group\r\nhave been using BPF for covert communication. However, Symbiote utilizes BPF to hide malicious network\r\ntraffic on an infected machine. When an administrator starts any packet capture tool on the infected machine, BPF\r\nbytecode is injected into the kernel that defines which packets should be captured. In this process, Symbiote adds\r\nits bytecode first so it can filter out network traffic that it doesn’t want the packet-capturing software to see.\r\nEvasion Techniques\r\nhttps://intezer.com/blog/research/new-linux-threat-symbiote/\r\nPage 1 of 12\n\nSymbiote is very stealthy. The malware is designed to be loaded by the linker via the LD_PRELOAD directive.\r\nThis allows it to be loaded before any other shared objects. Since it is loaded first, it can “hijack the imports” from\r\nthe other library files loaded for the application. Symbiote uses this to hide its presence on the machine by\r\nhooking libc and libpcap functions. The image below shows a summary of the malware’s evasions.\r\nFigure 1: Symbiote evasion techniques.\r\nHost Activity\r\nThe Symbiote malware, in addition to hiding its own presence on the machine, also hides other files related to\r\nmalware likely deployed with it. Within the binary, there is a file list that is RC4 encrypted. 
When hooked\r\nfunctions are called, the malware first dynamically loads libc and calls the original function. This logic is used in\r\nall hooked functions. An example is shown in Figure 2 below.\r\nFigure 2: Logic for resolving readdir from libc.\r\nIf the calling application is trying to access a file or folder under /proc, the malware removes from the output any\r\nprocess names that are on its list. The process names in the list below were extracted from the samples we have\r\ndiscovered.\r\ncertbotx64\r\ncertbotx86\r\njavautils\r\njavaserverx64\r\njavaclientex64\r\njavanodex86\r\nIf the calling application is not trying to access something under /proc, the malware instead scrubs the result using\r\na file list. The files extracted from all the samples we examined are shown in the list below. Some of the file\r\nnames match those used by Symbiote, while others match names of files suspected to be tools used by the threat\r\nactor on the infected machine. The list includes the following files.\r\napache2start\r\napache2stop\r\nprofiles.php\r\n404erro.php\r\njavaserverx64\r\njavaclientex64\r\njavanodex86\r\nliblinux.so\r\njava.h\r\nopen.h\r\nmpt86.h\r\nsqlsearch.php\r\nindexq.php\r\nmt64.so\r\ncertbot.h\r\ncert.h\r\ncertbotx64\r\ncertbotx86\r\njavautils\r\nsearch.so\r\nOne consequence of Symbiote being loaded into processes via LD_PRELOAD is that tools like ldd, a utility that\r\nprints the shared libraries required by each program, will list the malware as a loaded object. To counter this, the\r\nmalware hooks execve and looks for calls to this function with the environment variable\r\nLD_TRACE_LOADED_OBJECTS set to 1. To understand why, it’s worth looking at the manual page for ldd:\r\nIn the usual case, ldd invokes the standard dynamic linker (see ld.so(8)) with the\r\nLD_TRACE_LOADED_OBJECTS environment variable set to 1. 
This causes the dynamic linker to inspect the\r\nprogram’s dynamic dependencies, and find (according to the rules described in ld.so(8)) and load the objects that\r\nsatisfy those dependencies. For each dependency, ldd displays the location of the matching object and the\r\n(hexadecimal) address at which it is loaded. (The linux-vdso and ld-linux shared dependencies are special; see\r\nvdso(7) and ld.so(8).)\r\nWhen the malware detects this, it executes the loader as ldd does, but it scrubs its own entry from the result.\r\nNetwork Activity\r\nSymbiote also has functionality to hide network activity on the infected machine. It uses three different methods to\r\naccomplish this. The first method involves hooking fopen and fopen64. If the calling application tries to open\r\n/proc/net/tcp, the malware creates a temp file and copies the first line to that file. After that, it scans each line for\r\nthe presence of specific ports. If the malware finds a port it’s searching for on a line it’s scanning, it skips to the\r\nnext line. Otherwise, the line is written to the temp file. Once the original file has been completely processed, the\r\nmalware closes the file and returns the file descriptor of the temp file back to the caller. Essentially, this gives the\r\ncalling process a scrubbed result, which excludes all entries of the network connections that the malware wants to\r\nhide.\r\nThe second method Symbiote uses to hide its network activity is by hijacking any injected packet filtering\r\nbytecode. The Linux kernel uses extended Berkeley Packet Filter (eBPF) to allow packet filtering based on rules\r\nprovided from a userland process. The filtering rule is provided as eBPF bytecode that the kernel executes on a\r\nvirtual machine (VM). 
This minimizes the context switching between kernel and userland, providing a\r\nperformance boost since the kernel performs the filtering directly.\r\nIf an application on the infected machine tries to perform packet filtering with eBPF, Symbiote hijacks the\r\nfiltering process. First, it hooks the libc function setsockopt. If the function is called with the option\r\nSO_ATTACH_FILTER, which is used to perform packet filtering on a socket, it prepends its own bytecode\r\nbefore the eBPF code provided by the calling application. \r\nCode Snippet 1 shows an annotated version of the bytecode injected by one of the Symbiote samples. The\r\nbytecode “drops” packets that match the following conditions:\r\nIPv6 (TCP or SCTP) and src port (43253 or 43753 or 63424 or 26424)\r\nIPv6 (TCP or SCTP) and dst port 43253\r\nIPv4 (TCP or SCTP) and src port (43253 or 43753 or 63424 or 26424)\r\nIPv4 (TCP or SCTP) and dst port (43253 or 43753 or 63424 or 26424)\r\nWhile this bytecode only drops packets based on ports, we have also observed filtering of traffic based on IPv4\r\naddresses. In all cases, the filtering operates on both inbound and outbound traffic from the machine, to hide both\r\ndirections of the traffic. If the conditions are not met, it just jumps to the start of the bytecode provided by the\r\ncalling application. \r\nThe bytecode extracted from one of the samples, as shown in Code Snippet 1, consists of 32 instructions. This\r\ncode can’t be injected into the kernel on its own, because it assumes that more bytecode exists after it. There are a\r\nfew jumps in this bytecode that skip to the beginning of the bytecode provided by the calling process. Without the\r\ncaller’s bytecode, the injected bytecode would jump out-of-bounds, which is not allowed by the kernel. Bytecode\r\nlike this has to be either handwritten or produced by patching compiler-generated bytecode. 
Either option suggests that this\r\nmalware was written by a skilled developer.\r\n; Load Ether frame type from the packet.\r\n0x00: 0x28 0x00 0x00 0x000c ldabsh 0xc\r\n; Jump if it’s not IPv6 (0x86DD)\r\n0x01: 0x15 0x00 0x0b 0x86dd jeq r0, 0x86dd, +0, +0x0b (jump to 0xd)\r\n; Load IPv6 next header into register.\r\n0x02: 0x30 0x00 0x00 0x0014 ldabsb 0x14\r\n; Short jump if SCTP\r\n0x03: 0x15 0x02 0x00 0x0084 jeq r0, 0x84, +0x2 (jump to 0x6) ; SCTP\r\n; Short jump if TCP\r\n0x04: 0x15 0x01 0x00 0x0006 jeq r0, 0x6, +0x1 (jump to 0x6) ; TCP\r\n; Jump to original byte code if UDP\r\n0x05: 0x15 0x00 0x1a 0x0011 jeq r0, 0x11, +0, +0x1a (jump to 0x20) ; UDP\r\n; Load TCP src port into register.\r\n0x06: 0x28 0x00 0x00 0x0036 ldabsh 0x36\r\n; Jump to drop the packet if port 43253.\r\n0x07: 0x15 0x17 0x00 0xa8f5 jeq r0, 0xa8f5, +0x17 (jump to 0x1f) ; 43253\r\n; Jump to drop the packet if port 43753.\r\n0x08: 0x15 0x16 0x00 0xaae9 jeq r0, 0xaae9, +0x16 (jump to 0x1f) ; 43753\r\n; Jump to drop the packet if port 63424.\r\n0x09: 0x15 0x15 0x00 0xf7c0 jeq r0, 0xf7c0, +0x15 (jump to 0x1f) ; 63424\r\n; Jump to drop the packet if port 26424.\r\n0x0a: 0x15 0x14 0x00 0x6738 jeq r0, 0x6738, +0x14 (jump to 0x1f) ; 26424\r\n; Load TCP dst port into register.\r\n0x0b: 0x28 0x00 0x00 0x0038 ldabsh 0x38\r\n; Jump to drop packet if port 43253 else jump to 0x1c.\r\n0x0c: 0x15 0x12 0x0f 0xa8f5 jeq r0, 0xa8f5, +0x12, +0xf (jump to 0x1f, else jump to 0x1c)\r\n; Ether frame type check for IPv4 (0x0800)\r\n0x0d: 0x15 0x00 0x12 0x0800 jeq r0, 0x800, +0, +0x12 (jump to 0x20)\r\n; Load IPv4 next header field into register.\r\n0x0e: 0x30 0x00 0x00 0x0017 ldabsb 0x17\r\n; Short jump if SCTP.\r\n0x0f: 0x15 0x02 0x00 0x0084 jeq r0, 0x84, +0x2 (jump to 0x12) ; SCTP\r\n; Short jump if TCP.\r\n0x10: 0x15 0x01 0x00 0x0006 jeq r0, 0x6, +0x1 (jump to 0x12) ; TCP\r\n; Jump to original byte code if UDP.\r\n0x11: 0x15 0x00 0x0e 0x0011 jeq r0, 0x11, +0, +0xe (jump to 0x20) ; UDP\r\n; Load IPv4 flag into register.\r\n0x12: 0x28 
0x00 0x00 0x0014 ldabsh 0x14\r\n; Jump to original byte code if flags are set.\r\n0x13: 0x45 0x0c 0x00 0x1fff jset r0, 0x1fff, +0xc (jump to 0x20)\r\n; Load Internet Header Length into x.\r\n0x14: 0xb1 0x00 0x00 0x000e ldxmsh 0x0e\r\n; Load TCP src port into register.\r\n0x15: 0x48 0x00 0x00 0x000e ldindh r0, 0xe\r\n; Jump to drop the packet if port 43253.\r\n0x16: 0x15 0x08 0x00 0xa8f5 jeq r0, 0xa8f5, +0x8 (jump to 0x1f) ; 43253\r\n; Jump to drop the packet if port 43753.\r\n0x17: 0x15 0x07 0x00 0xaae9 jeq r0, 0xaae9, +0x7 (jump to 0x1f) ; 43753\r\n; Jump to drop the packet if port 63424.\r\n0x18: 0x15 0x06 0x00 0xf7c0 jeq r0, 0xf7c0, +0x6 (jump to 0x1f) ; 63424\r\n; Jump to drop the packet if port 26424.\r\n0x19: 0x15 0x05 0x00 0x6738 jeq r0, 0x6738, +0x5 (jump to 0x1f) ; 26424\r\n; Load TCP dst port into register.\r\n0x1a: 0x48 0x00 0x00 0x0010 ldindh r0, 0x10\r\n; Jump to drop the packet if port 43253.\r\n0x1b: 0x15 0x03 0x00 0xa8f5 jeq r0, 0xa8f5, +0x3 (jump to 0x1f) ; 43253\r\n; Jump to drop the packet if port 43753.\r\n0x1c: 0x15 0x02 0x00 0xaae9 jeq r0, 0xaae9, +0x2 (jump to 0x1f) ; 43753\r\n; Jump to drop the packet if port 63424.\r\n0x1d: 0x15 0x01 0x00 0xf7c0 jeq r0, 0xf7c0, +0x1 (jump to 0x1f) ; 63424\r\n; Jump to drop packet if true otherwise jump to original byte code.\r\n0x1e: 0x15 0x00 0x01 0x6738 jeq r0, 0x6738, +0, +0x1 (jump to 0x1f, else jump to 0x20) ; 26424\r\n; Drop packet by returning 0.\r\n0x1f: 0x06 0x00 0x00 0x0000 ret 0\r\n0x20: // Original byte code.\r\nCode Snippet 1: Annotated bytecode extracted from one of the Symbiote samples.\r\nThe third method Symbiote uses to hide its network traffic is to hook libpcap functions. This method is used by\r\nthe malware to filter out UDP traffic to domain names it has in a list. It hooks the functions pcap_loop and\r\npcap_stats to accomplish this task. 
For each packet that is received, Symbiote checks the UDP payload for\r\nsubstrings of the domains it wants to filter out. If it finds a match, the malware ignores the packet and increments\r\na counter. The pcap_stats hook uses this counter to “correct” the number of packets processed by subtracting the\r\ncounter value from the true number of packets processed. If a packet payload does not contain any of the strings it\r\nhas in its list, the original callback function is called. This method is used to filter out UDP packets, while the\r\nbytecode method is used to filter out TCP packets. By using all three of these methods, the malware ensures that\r\nall traffic is hidden.\r\nSymbiote Objectives\r\nThe malware’s objective, in addition to hiding malicious activity on the machine, is to harvest credentials and to\r\nprovide remote access for the threat actor. The credential harvesting is performed by hooking the libc read\r\nfunction. If an ssh or scp process is calling the function, it captures the credentials. The credentials are first\r\nencrypted with RC4 using an embedded key, and then written to a file. For example, one of the versions of the\r\nmalware writes the captured credentials to the file /usr/include/certbot.h. \r\nIn addition to storing the credentials locally, the credentials are exfiltrated. The data is hex encoded and chunked\r\nup to be exfiltrated via DNS address (A) record requests to a domain name controlled by the threat actor. The A\r\nrecord request has the following format:\r\n%PACKET_NUMBER%.%MACHINE_ID%.%HEX_ENC_PAYLOAD%.%DOMAIN_NAME%\r\nCode Snippet 2: Structure of DNS request used by Symbiote to exfiltrate data.\r\nThe malware checks if the machine has a nameserver configured in /etc/resolv.conf. If it doesn’t, Google’s DNS\r\n(8.8.8.8) is used. 
Along with sending the request to the domain name, Symbiote also sends it as a UDP broadcast.\r\nRemote access to the infected machine is achieved by hooking a few Linux Pluggable Authentication Module\r\n(PAM) functions. When a service tries to use PAM to authenticate a user, the malware checks the provided\r\npassword against a hardcoded password. If the password provided is a match, the hooked function returns a\r\nsuccess response. Since the hooks are in PAM, it allows the threat actor to authenticate to the machine with any\r\nservice that uses PAM. This includes remote services such as Secure Shell (SSH).\r\nIf the entered password does not match the hardcoded password, the malware saves and exfiltrates it as part of its\r\nkeylogging functionality. Additionally, the malware sends a DNS TXT record request to its command-and-control\r\n(C2) domain. The TXT record has the format of %MACHINEID%.%C2_DOMAIN%. If it gets a response, the\r\nmalware base64 decodes the content, checks if the content has been signed by a correct ed25519 private key,\r\ndecrypts the content with RC4, and executes the shell script in a spawned bash process. This functionality can\r\noperate as a break-glass method for regaining access to the machine in case the normal process doesn’t work.\r\nOnce the threat actor has authenticated to the infected machine, Symbiote provides functionality to gain root\r\nprivileges. When the shared object is first loaded, it checks for the environment variable HTTP_SETTHIS. If the\r\nvariable is set with content, the malware changes the effective user and group ID to the root user, and then clears\r\nthe variable before executing the content via the system command. \r\nThis process requires that the SO has the setuid permission flag set. Once the system command has exited,\r\nSymbiote also exits the process, to prevent the original process from executing. Figure 3 below shows the code\r\nexecuted. 
This allows for spawning a root shell by running HTTP_SETTHIS=\"/bin/bash -p\" /bin/true as any\r\nuser in a shell.\r\nFigure 3: Logic used to execute a command with root privileges.\r\nNetwork Infrastructure\r\nThe domain names used by the Symbiote malware are impersonating some major Brazilian banks. This suggests\r\nthat these banks or their customers are the potential targets. Using the domain names utilized by the malware, we\r\nmanaged to uncover a related sample that was uploaded to VirusTotal with the name certbotx64. This file name\r\nmatches one of those listed as a file to hide in one of the Symbiote samples we originally obtained. The file was\r\nidentified as an open-source DNS tunneling tool called dnscat2. \r\nThe sample had a configuration in the binary that used the git[.]bancodobrasil[.]dev domain as its C2 server.\r\nDuring the months of February and March, this domain name resolved to an IP address that is linked to Njalla’s\r\nVirtual Private Server (VPS) service. Passive DNS records showed that the same IP address resolved to\r\nns1[.]cintepol[.]link and ns2[.]cintepol[.]link a few months earlier. Cintepol is an intelligence portal provided by\r\nthe Federal Police of Brazil. The portal allows police officers to access different databases provided by the federal\r\npolice as part of their investigations. The nameserver used for this impersonating domain name was active from\r\nthe middle of December 2021 to the end of January 2022. \r\nAlso starting in February of 2022, the name servers for the domain caixa[.]wf were pointing to another Njalla\r\nVPS IP. Figure 4 below shows a timeline of these events. In addition to the network infrastructure, the timestamps\r\nof when the files were submitted to VirusTotal are included. These three Symbiote samples were uploaded by the\r\nsame submitter from Brazil. 
It appears that the files were submitted to VirusTotal before the infrastructure went\r\nonline. \r\nGiven that these files were submitted to VirusTotal prior to the infrastructure going online, and because some of\r\nthe samples included rules to hide local IP addresses, it is possible that the samples were submitted to VirusTotal\r\nto test antivirus detection before being used. Additionally, a version that appears to be under development was\r\nsubmitted at the end of November from Brazil, further suggesting VirusTotal was being used by the threat actor or\r\ngroup behind Symbiote for detection testing.\r\nFigure 4: Timeline showing when files were submitted to VirusTotal and when network\r\ninfrastructure went active.\r\nSimilarity to Other Malware\r\nSymbiote appears to be designed both to steal credentials and to provide remote access to infected Linux\r\nservers. Symbiote is not the first Linux malware developed for this goal. In 2014, ESET released an in-depth\r\nanalysis of Ebury, an OpenSSH backdoor that also performs credential stealing. There are some similarities in the\r\ntechniques used by both malware families. Both use hooked functions to capture credentials and exfiltrate the\r\ncaptured data as DNS requests. However, the authentication method to the backdoor used by the two malware\r\nfamilies is different. When we first analyzed the samples with Intezer Analyze, only unique code was detected\r\n(Figure 5). As no code is shared between Symbiote and Ebury/Windigo or any other known malware, we can\r\nconfidently conclude that Symbiote is a new, undiscovered Linux malware.\r\nFigure 5: Intezer analysis of a Symbiote sample showing only genes classified as Symbiote.\r\nConclusion\r\nSymbiote is highly evasive malware. 
Its main objective is to capture credentials and to facilitate backdoor\r\naccess to infected machines. Since the malware operates as a userland level rootkit, detecting an infection may be\r\ndifficult. Network telemetry can be used to detect anomalous DNS requests, and security tools such as antivirus\r\n(AV) and endpoint detection and response (EDR) should be statically linked to ensure they are not “infected” by\r\nuserland rootkits.\r\nIndicators of Compromise (IoCs)\r\nHashes\r\nHash | Notes\r\n121157e0fcb728eb8a23b55457e89d45d76aa3b7d01d3d49105890a00662c924 | “kerneldev.so.bkp.” Appears to be an early development build.\r\nf55af21f69a183fb8550ac60f392b05df14aa01d7ffe9f28bc48a118dc110b4c | “mt64_.so.” Missing credential exfiltration over DNS.\r\nec67bbdf55d3679fca72d3c814186ff4646dd779a862999c82c6faa8e6615180 | “search.so.” First sample with credential exfiltration over DNS.\r\na0cd554c35dee3fed3d1607dc18debd1296faaee29b5bd77ff83ab6956a6f9d6 | “liblinux.so.”\r\n45eacba032367db7f3b031e5d9df10b30d01664f24da6847322f6af1fd8e7f01 | “certbotx64.” dnscat2\r\nPorts Hidden\r\n45345\r\n34535\r\n64543\r\n24645\r\n47623\r\n62537\r\n43253\r\n43753\r\n63424\r\n26424\r\nDomains Hidden\r\nassets[.]fans\r\ncaixa[.]cx\r\ndpf[.]fm\r\nbancodobrasil[.]dev\r\ncctdcapllx0520\r\ncctdcapllx0520[.]df[.]caixa\r\nwebfirewall[.]caixa[.]wf\r\ncaixa[.]wf\r\nProcess Names Hidden\r\njavaserverx64\r\njavaclientex64\r\njavanodex86\r\napache2start\r\napache2stop\r\n[watchdog/0]\r\ncertbotx64\r\ncertbotx86\r\njavautils\r\nFile Names Hidden\r\napache2start\r\napache2stop\r\nprofiles.php\r\n404erro.php\r\njavaserverx64\r\njavaclientex64\r\njavanodex86\r\nliblinux.so\r\njava.h\r\nopen.h\r\nmpt86.h\r\nsqlsearch.php\r\nindexq.php\r\nmt64.so\r\ncertbot.h\r\ncert.h\r\ncertbotx64\r\ncertbotx86\r\njavautils\r\nsearch.so\r\nCredential Exfil Domains\r\n*.x3206.caixa.cx\r\n*.dev21.bancodobrasil.dev\r\nSource: https://intezer.com/blog/research/new-linux-threat-symbiote/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://intezer.com/blog/research/new-linux-threat-symbiote/"
	],
	"report_names": [
		"new-linux-threat-symbiote"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1934b371-2525-4615-a90a-772182bc4184",
			"created_at": "2022-10-25T15:50:23.396576Z",
			"updated_at": "2026-04-10T02:00:05.341979Z",
			"deleted_at": null,
			"main_name": "Windigo",
			"aliases": [
				"Windigo"
			],
			"source_name": "MITRE:Windigo",
			"tools": [
				"Ebury"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434080,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/923eca990c2e9005bf1836dbee7259e6b670ccf9.pdf",
		"text": "https://archive.orkl.eu/923eca990c2e9005bf1836dbee7259e6b670ccf9.txt",
		"img": "https://archive.orkl.eu/923eca990c2e9005bf1836dbee7259e6b670ccf9.jpg"
	}
}