{
	"id": "3941f9b5-cb7b-4a59-a980-38b392e80ea0",
	"created_at": "2026-04-06T00:13:55.221528Z",
	"updated_at": "2026-04-10T03:21:31.489482Z",
	"deleted_at": null,
	"sha1_hash": "a3fdaef74284de8a667b9d9aa5041d86ee9ab8a1",
	"title": "Linux/Moose: Still breathing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1021017,
	"plain_text": "Linux/Moose: Still breathing\r\nBy Editor\r\nArchived: 2026-04-05 22:05:31 UTC\r\nESET Research\r\nFor the past year, ESET and the security firm GoSecure combined their skills in order to research Linux/Moose further. Here's some of what was uncovered.\r\n02 Nov 2016 • 5 min. read\r\nWhat is a Moose - Introduction\r\nLinux/Moose is a malware family that primarily targets Linux-based consumer routers but that can also infect other Linux-based embedded systems in its path. The compromised devices are used to steal unencrypted network traffic and offer proxying services to the botnet operator. In practice, these capabilities are used to steal HTTP cookies on popular social network sites and perform fraudulent actions such as non-legitimate \"follows\", \"views\" and \"likes\".\r\nIn May 2015 ESET released a whitepaper on the malware family we named Linux/Moose. After publication, Linux/Moose’s command and control servers went down and we lost track of the animal. A few months later, in September 2015, we got a new sample of Linux/Moose, with, as expected, some evolution after our publication.\r\nFor the past year, ESET and the security firm GoSecure combined their skills in order to research Linux/Moose further. GoSecure investigated the social media fraud aspect and shed some light on an unknown market they called “The Ego Market”. This market is highlighted in a new whitepaper published by GoSecure. This blog will cover the technical changes between the Moose variants we described in our whitepaper and the new variants that appeared in September 2015.\r\nMoose in the bushes - Hiding the address of C\u0026C\r\nThe first thing we noticed when we got the new sample was that there was no more command and control (C\u0026C) IP address inside the binary. It seems that the operators read our report carefully and decided to make things a little bit harder for us. In this new version the C\u0026C IP address is given as an encrypted command line argument, as shown in the following output:\r\nhttp://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/\r\nPage 1 of 6\r\nThis new feature implies that we can no longer run the sample by ourselves; our test machines need to be compromised by an embedded device spreading the threat in the wild in order to retrieve the C\u0026C IP address. The attentive reader will notice that the IP address shown is in 32-bit integer format.\r\nThe purpose of encrypting the IP address here is that, if the binary is found alone, it is useless without the value passed as an argument. Likewise, the value alone makes no sense without the binary that holds the correct key to decrypt the argument. The value is XORed with a static value as shown in the following code:\r\nDecompiler output\r\nTo the best of our knowledge, this value has stayed the same over the last few months. Here is a Python snippet to decrypt the C\u0026C 32-bit integer value:\r\nDecrypt C\u0026C IP address\r\nMoose molted - Network communication\r\nThe network protocol changed, but it kept the basis of its protocol and added new layers. Here is a quick look at a packet capture from both samples. By the look of things, the main change here is from a binary protocol to an ASCII printable protocol. In Figure 1, on the left side there is the old network protocol and on the right side there is the new one.\r\nFigure 1: Network Protocol Differences\r\nIn the old sample the configuration was sent by the C\u0026C server to the malware, and contained various fields such as a bit field to determine which features to enable, IP address fields, a whitelist field and a password list field. These fields are still present in the new version, but separated into three keys (see Table 1). The operator uses the Cookie: and Set-Cookie: HTTP headers to send these config fields. This config is encrypted by a simple XOR loop like in the first version, but it is also encoded in order to be printable in the HTTP headers, thanks to the following function:\r\nDecompiler output\r\nTable 1 (key-value table) summarizes the main configuration of Moose v.2:\r\nkey | value\r\nPHPSESSID | main config (local/external scan, sniffer, kill process)\r\nLP | password list\r\nWL | whitelist\r\nThe PHPSESSID key contains the encrypted value of the bit fields that enable or disable some features of Moose (local/external scan, sniffer, kill process). The LP key contains the password list. Linux/Moose still tries to spread itself by brute-forcing Telnet credentials. There was a big change in this list, from around 300 logins and passwords in 2015 to around 10 in 2016. See below:\r\nThe WL key contains the whitelist. Again the list was shortened, from 50 to 10 IP addresses. These IP addresses are in the IoC section. Linux/Moose still has the ability to run a proxy service by listening on TCP port 20012. The previous variant used to listen on port 10073. The proxy feature allows IP addresses from the whitelist to interact with the malware.\r\nConclusion\r\nLinux/Moose’s authors have clearly done a lot of work to stay under the radar with the new version, by hiding its C\u0026C server location more effectively and changing the network protocol. By doing this, Moose avoids the Indicators of Compromise (IoCs) released with ESET’s 2015 whitepaper. Shortening the whitelist and password list shows a more delicate approach with Moose. Still, some misleading traces are inside the binary, like the fake domain www.challpok.cn found in cleartext in the list of strings, or even filenames that can correspond to bitcoin-miner or DDoS malware. Linux/Moose remains exclusively a memory-resident threat; rebooting the embedded device will end its execution.\r\nIndicators of Compromise\r\nHashes\r\nversion 0x1F (31)\r\nc6edfa2bf916d374e60f1b5444be6dbbee099692\r\nc9ca4820bb7be18f36b7bad8e3044b2d768a5db8\r\n5b444f1ac312b4c24b6bde304f00a5772a6a19a4\r\nf7574b3eb708bd018932511a8a3600d26f5e3be9\r\nversion 0x20 (32)\r\n34802456d10efdf211a7d486f7108319e052cd17\r\n0685cb1d72107de63fa1da52930322df04a72dbc\r\n2876cad26d6dabdc0a9679bb8575f88d40ebd960\r\nf94b6cc5aea170cee55a238eaa9339279fba962f\r\n274ef5884cb256fd4edd7000392b0e326ddd2398\r\nc3f0044ffa9d0bc950e9fd0f442c955b71a706b6\r\nf3daea1d06b1313ec061d93c9af12d0fe746839a\r\nversion 0x21 (33)\r\n7767c8317fb0bbf91924bddffe6a5e45069b0182\r\n1caac933ae6ca326372f7e5dd9fff82652e22e34\r\n5dea6c0c4300e432896038661db2f046c523ce35\r\ne8dc272954d5889044e92793f0f637fe4d53bb91\r\n0843239b3d0f62ae6c5784ba4589ef85329350fa\r\n1d1d46c312045e17f8f4386adc740c1e7423a24a\r\nd8b45a1114c5e0dbfa13be176723b2288ab12907\r\nversion 0x22 (34)\r\nc35d6812913ef31c20404d9bbe96db813a764886\r\nIP addresses\r\nPrimary C\u0026C servers\r\n192.3.8.218\r\n192.3.8.219\r\nWhitelist\r\n155.133.18.64\r\n178.19.111.181\r\n151.80.8.2\r\n151.80.8.19\r\n151.80.8.30\r\n62.210.6.34\r\nMoose’s IoCs are also available and updated on ESET’s malware-ioc GitHub repository.\r\nSource: http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/"
	],
	"report_names": [
		"linuxmoose-still-breathing"
	],
	"threat_actors": [],
	"ts_created_at": 1775434435,
	"ts_updated_at": 1775791291,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3fdaef74284de8a667b9d9aa5041d86ee9ab8a1.pdf",
		"text": "https://archive.orkl.eu/a3fdaef74284de8a667b9d9aa5041d86ee9ab8a1.txt",
		"img": "https://archive.orkl.eu/a3fdaef74284de8a667b9d9aa5041d86ee9ab8a1.jpg"
	}
}