{
	"id": "22cec3ca-247a-4cfa-acba-256e4190fef9",
	"created_at": "2026-04-06T00:13:00.160768Z",
	"updated_at": "2026-04-10T13:11:18.100659Z",
	"deleted_at": null,
	"sha1_hash": "982e97c6f3b7d74eb0d2553fdfd73397f80f702a",
	"title": "New Zero-Detection Variant of Melofee Backdoor from Winnti Strikes RHEL 7.9",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 361612,
	"plain_text": "New Zero-Detection Variant of Melofee Backdoor from Winnti Strikes RHEL 7.9\r\nBy Alex.Turing\r\nPublished: 2024-11-12 · Archived: 2026-04-05 12:48:00 UTC\r\nBackground\r\nOn July 27, 2024, XLab's Cyber Threat Insight and Analysis System (CTIA) detected an ELF file named pskt served from IP address 45.92.156.166. At the time of analysis it had no detections on VirusTotal; it triggered two of our alerts, one for an overlay section appended to the ELF and one for a communication domain mimicking Microsoft. Our analysis identified it as a variant of the Melofee backdoor, built specifically for Red Hat Enterprise Linux (RHEL) 7.9.\r\nMelofee is a C++ backdoor that provides data collection, process management, file handling and shell access. It was first exposed by ExaTrack in March 2023 and attributed to the APT group Winnti. This latest variant has notable upgrades. Structurally, it embeds an RC4-encrypted kernel driver that masks the traces of its files, processes and network connections. Functionally, it adds improvements to persistence, single-instance control and the command ID scheme.\r\nExamining the sample's Run-Time Type Information (RTTI) shows source-level changes: for instance, the network connection class has been renamed from TLSSocket in earlier samples to TlsConn in this variant, which suggests that Melofee is still being reworked and used beyond the security community's radar.\r\nDuring the investigation we also encountered an instructive misattribution. The new variant uses the C2 address filemanage.micrsofts-file.com. According to Passive DNS (PDNS) records, the C2's second-level domain micrsofts-file.com and its associated domain www.micrsofts-file.com resolved to IP address 91.195.240.123 between November 2023 and June 2024. 
This IP also appeared in BlackBerry's July 2024 report on the APT group SideWinder and has been flagged as malicious by several security vendors on VirusTotal. Does this imply that Melofee has circulated among multiple groups, becoming a shared tool rather than one exclusive to a single actor?\r\nWe believe this is unlikely. 91.195.240.123 is a parking IP operated by the domain registrar NameSilo, so labelling it malicious is most likely a false positive. NameSilo automatically resolves newly registered second-level domains and their \"www\" subdomains to this IP, so legitimate domains, unrelated malicious domains and APT infrastructure all share it at some point in their lifetime. Resolution history to a registrar parking IP is therefore not evidence of a link between the operators of two domains and should not be used as an attribution pivot.\r\nDue to limited visibility we currently lack details on the attacker’s entry method and goals, and we invite others to share what they have seen. Given the sample's low detection rate and Melofee’s stealth, we are publishing these findings for broader awareness.\r\nThis report covers:\r\nOverlay structure and decryption method\r\nDriver module’s functionalities\r\nMelofee’s capabilities\r\nhttps://blog.xlab.qianxin.com/analysis_of_new_melofee_variant_en/\r\nPage 1 of 8\r\nTechnical Details\r\nWe have captured a single sample with the following details:\r\nMD5: 603e38a59efcf6790f2b4593edb9faf5\r\nMagic: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=48bcb3f7c78bc746e25\r\nThis variant operates in one of two modes depending on its launch parameters: Infection Mode and Management Mode.\r\nInfection Mode (No Parameters)\r\nWhen launched without parameters, Melofee enters Infection Mode and performs the following steps:\r\nEnforces a single running instance via the lock file /tmp/lock_tmp1\r\nAchieves persistence via crontab, disguising its process name as [md] (the bracketed form mimics a kernel thread in ps output) or wwwwww\r\nDecrypts and installs the embedded kernel driver, which hides files, processes, directories and network connections\r\nDecrypts its C2 configuration, connects to the C2 server and waits for commands\r\nManagement Mode (With Parameters)\r\nWhen launched with a parameter, Melofee enters Management Mode and drives the hiding functionality of the installed driver:\r\nhide: activates the hiding features\r\nshow: deactivates hiding\r\nkill: terminates the process\r\nThis split lets the operator deploy the implant and later toggle its concealment with the same binary. The next sections cover Melofee’s decryption routine, the driver module and the backdoor functions in detail.\r\nPart 1: Decryption\r\nMelofee stores its RC4-encrypted driver module as an overlay appended to the end of the file, laid out as the structure drv_overlay:\r\nstruct drv_overlay {\r\n    uint8_t encrypted_payload[payload_size]; /* RC4 ciphertext, payload_size bytes, immediately before payload_size */\r\n    int     payload_size;                    /* 0x6a08 in this sample */\r\n    char    flag[12];                        /* \"EV#?YLFAkoip\" in this sample, the last 12 bytes of the file */\r\n};\r\nThe structure is read backwards from the end of the file: the 12-byte flag comes last, payload_size sits immediately before it, and encrypted_payload spans payload_size (here 0x6a08) bytes backward from payload_size. In this sample the flag is \"EV#?YLFAkoip\".\r\nUsing the RC4 key 87JoENDi, encrypted_payload decrypts to the driver module kworkerx, built for RHEL 7.9 with kernel version 3.10.0.\r\nThe C2 configuration is RC4-encrypted with the same key, 87JoENDi, so recovering the key once decrypts both.\r\nEncrypted C2 Data:\r\n00000000 a2 a4 96 0e 27 ee 40 54 a5 3a 52 8e 65 cf b1 e1 |¢¤..'î@T¥:R.eÏ±á|\r\n00000010 29 69 32 86 ae 56 4d 28 a2 b8 da 6e e1 05 5d 65 |)i2.®VM(¢¸Úná.]e|\r\n00000020 fc 86 88 50 43 17 |ü..PC.|\r\nDecrypted C2 Configuration:\r\n0:filemanage.micrsofts-file.com:443:60\r\nThe configuration is a colon-separated string with four fields:\r\nConnection type (0)\r\nC2 domain (filemanage.micrsofts-file.com)\r\nC2 port (443)\r\nInterval (60)\r\nPart 2: Driver Module Analysis\r\nThe decrypted driver module, kworkerx, has the following basic information:\r\nMD5: 839f60efee25f07df7b23ba9d6bef892\r\nMagic: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), BuildID[sha1]=c440028449ebce5c899a51ef0eb4d7fc43493\r\nOur analysis confirmed that kworkerx is a modified build of the open-source rootkit Reptile. The original Reptile project supports 12 functions in two categories, hiding and backdoor capabilities; kworkerx uses primarily the hiding functions.\r\nHiding Mechanisms in kworkerx\r\nNetwork Communication Hiding: kworkerx hooks tcp4_seq_show (the function that renders /proc/net/tcp) in its initialization routine, hiding every IPv4 TCP connection on port 443 from /proc/net/tcp and hence from tools such as netstat that read it. This hook is enabled at module load and, as the test in Part 3 shows, is not cleared by the show command; only unloading the module restores visibility.\r\nFile, Process, and Directory Hiding: to conceal files, processes and directories, kworkerx hooks the directory-listing callbacks fillonedir, filldir and filldir64 (the callbacks that emit entries for the getdents family of system calls, which both ls and the /proc listings read by ps go through) together with vfs_read.\r\nCommunication with User Space\r\nkworkerx also hooks inet_ioctl, the ioctl handler for AF_INET sockets, to receive control commands from user space.\r\nWhen a user-space application calls ioctl on such a socket with the request code (second parameter) set to 0xE0E0E0E, the hook handler khook_inet_ioctl in kworkerx interprets the third parameter as a command and enables or disables individual hiding functions:\r\nArg.cmd  Capability\r\n0        show all\r\n1        hide all\r\n2        hide proc\r\n3        show proc\r\n5        file tampering\r\n7        hide file, dir\r\n8        unhide_chdir\r\n9        hide_chdir\r\nPart 3: Melofee Analysis\r\n
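Before turning to the backdoor's runtime behaviour, here is a worked example, added for this page and not code from XLab or from the sample, that ties Part 1 together: it carves the drv_overlay trailer described there (flag, then payload_size, then the RC4 ciphertext, read backwards from the end of the file), decrypts it with the reported key 87JoENDi, and parses the decrypted type:host:port:interval configuration. It assumes that payload_size is a 32-bit little-endian integer, as the int in the struct suggests, and it validates the result by requiring an ELF header so that a wrong key or a damaged trailer is rejected instead of yielding garbage. The input binary is a constructed stub built inside the example; the reported C2 ciphertext is included verbatim from the hexdump above so the key can be confirmed against it.

```python
# Added example for this page: carve the drv_overlay trailer, RC4-decrypt it, and parse
# the decrypted C2 string. Written for this edit, not code from XLab or from the sample.
import struct
from typing import Optional

RC4_KEY = b'87JoENDi'                  # key reported for both the driver overlay and the C2 config
OVERLAY_FLAG = b'EV#?YLFAkoip'         # 12-byte flag reported for this sample
FLAG_LEN = 12
SIZE_LEN = 4                           # assumption: payload_size is a 32-bit little-endian int
ELF_MAGIC = bytes.fromhex('7f454c46')  # 0x7f 'E' 'L' 'F'


def rc4(key: bytes, data: bytes) -> bytes:
    '''Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def carve_overlay(blob: bytes, flag: bytes = OVERLAY_FLAG) -> Optional[bytes]:
    '''Return the encrypted payload if blob ends with a drv_overlay trailer, else None.

    Layout, read backwards from the end of the file:
        flag[12] | payload_size (u32 LE, assumed) | encrypted_payload[payload_size]
    '''
    if len(blob) < FLAG_LEN + SIZE_LEN or not blob.endswith(flag):
        return None
    size_off = len(blob) - FLAG_LEN - SIZE_LEN
    (payload_size,) = struct.unpack_from('<I', blob, size_off)
    if payload_size == 0 or payload_size > size_off:
        return None  # size field points outside the file: not a sane overlay
    return blob[size_off - payload_size:size_off]


def decrypt_driver(blob: bytes, key: bytes = RC4_KEY) -> Optional[bytes]:
    '''Carve and decrypt the embedded driver; require an ELF header so a wrong key is rejected.'''
    enc = carve_overlay(blob)
    if enc is None:
        return None
    dec = rc4(key, enc)
    return dec if dec.startswith(ELF_MAGIC) else None


def parse_c2_config(enc: bytes, key: bytes = RC4_KEY) -> Optional[dict]:
    '''Decrypt a C2 blob and split type:host:port:interval; None if it does not parse.'''
    try:
        conn_type, host, port, interval = rc4(key, enc).decode('ascii').split(':')
        return {'type': int(conn_type), 'host': host, 'port': int(port), 'interval': int(interval)}
    except (UnicodeDecodeError, ValueError):
        return None


# Ciphertext exactly as printed in the hexdump above; with the reported key it should decrypt
# to 0:filemanage.micrsofts-file.com:443:60 (38 bytes, matching the ciphertext length).
REPORTED_C2 = bytes.fromhex(
    'a2a4960e27ee4054a53a528e65cfb1e1'
    '29693286ae564d28a2b8da6ee1055d65'
    'fc8688504317'
)


def build_sample(driver: bytes = ELF_MAGIC + b'kworkerx-stub') -> bytes:
    '''Constructed test input (NOT the real pskt): host stub + encrypted driver + size + flag.'''
    host = ELF_MAGIC + b'host-binary-stub'
    return host + rc4(RC4_KEY, driver) + struct.pack('<I', len(driver)) + OVERLAY_FLAG


def round_trip_c2(config: str = '0:filemanage.micrsofts-file.com:443:60') -> Optional[dict]:
    '''Encrypt a known config string with the reported key and parse it back.'''
    return parse_c2_config(rc4(RC4_KEY, config.encode('ascii')))


if __name__ == '__main__':
    sample = build_sample()
    print('driver      :', decrypt_driver(sample))
    print('damaged flag:', decrypt_driver(sample[:-1]))
    print('wrong key   :', decrypt_driver(sample, key=b'wrongkey'))
    print('round trip  :', round_trip_c2())
    print('reported c2 :', parse_c2_config(REPORTED_C2))
```

Run it as a script to see the decrypted stub, the None results for a damaged trailer or a wrong key, and the parsed configuration. To triage a real file, feed the candidate binary's bytes to decrypt_driver instead of build_sample(); a file that ends in the 12-byte flag is itself a cheap static indicator, which is a reason to key detection on the overlay rather than only on the main ELF body.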
Running the sample again with the show parameter revealed\r\nthe process, sample file, and persistence script, while the network connection remained hidden. Finally, using the\r\nrmmod command to unload the kworkerx module restored visibility to the previously hidden network\r\nconnection.\r\nAfter installing the driver module, Melofee decrypts the C2 configuration and establishes communication, waiting\r\nto receive and execute commands. The functionality of this sample aligns with the description provided in the\r\nExaTrack analysis report, though there are differences in function IDs.\r\nhttps://blog.xlab.qianxin.com/analysis_of_new_melofee_variant_en/\r\nPage 6 of 8\n\nCMD ID Capability\r\n0x11 uninstall\r\n0x22 collect device info\r\n0x33 launch new command thread\r\n0x34 write file\r\n0x35 read file\r\n0x36 create new socket\r\n0x37 list directory\r\n0x38 create directory\r\n0x3a delete directory\r\n0x3b create process to exec cmd\r\n0x3c exec command with output (including set new c2 ip)\r\n0x3d collect process info\r\n0x3e kill process\r\n0x3f launch shell\r\n0x7b ping back\r\nSummary\r\nMelofee offers straightforward functionality with highly effective stealth capabilities. Samples of this malware\r\nfamily are rare, suggesting that attackers may limit its use to high-value targets. Network administrators can check\r\nfor infection by looking for artifacts like the /tmp/lock_tmp1 file and the kworkerx module. If signs of\r\ninfection are detected, follow the previous steps to remove associated drivers, processes, files, and persistence\r\nmechanisms.\r\nWe welcome readers to share additional insights and intelligence. 
If you’re interested in our research, feel free to reach out to us via Platform X.\r\nIOC\r\nMD5\r\n603e38a59efcf6790f2b4593edb9faf5 *pskt\r\n839f60efee25f07df7b23ba9d6bef892 *kworkerx\r\nC2\r\nfilemanage.micrsofts-file[.]com:443\r\nDownloader\r\nhttp://45.92.156[.]166/klove/pskt\r\nSource: https://blog.xlab.qianxin.com/analysis_of_new_melofee_variant_en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.xlab.qianxin.com/analysis_of_new_melofee_variant_en/"
	],
	"report_names": [
		"analysis_of_new_melofee_variant_en"
	],
	"threat_actors": [
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434380,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/982e97c6f3b7d74eb0d2553fdfd73397f80f702a.pdf",
		"text": "https://archive.orkl.eu/982e97c6f3b7d74eb0d2553fdfd73397f80f702a.txt",
		"img": "https://archive.orkl.eu/982e97c6f3b7d74eb0d2553fdfd73397f80f702a.jpg"
	}
}