{
	"id": "ee7fdcec-41ee-4ae3-8bc7-54cdddb20a37",
	"created_at": "2026-04-06T00:21:08.410057Z",
	"updated_at": "2026-04-10T03:21:59.927052Z",
	"deleted_at": null,
	"sha1_hash": "a60a65480bce7caee7765e446c7e17359bbaed14",
	"title": "Pulling Linux Rabbit/Rabbot Malware Out of a Hat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3392661,
	"plain_text": "Pulling Linux Rabbit/Rabbot Malware Out of a Hat\r\nBy Anomali Threat Research\r\nPublished: 2025-12-31 · Archived: 2026-04-05 16:42:22 UTC\r\nCyber threat researchers from Anomali Labs have discovered a new malware, called “Linux Rabbit and Rabbot,”\r\nthat targeted Linux servers and IoT devices.\r\nOverview\r\nhttps://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat\r\nPage 1 of 6\n\nOverview\r\nCyber threat researchers from Anomali Labs have discovered a new malware, called “Linux Rabbit,” that targeted\r\nLinux servers and Internet-of-Things (IoT) devices in a campaign that began in August 2018 and continued until\r\nOctober 2018. The campaign targeted devices in Russia, South Korea, the UK, and the US. The campaign utilizes\r\ntwo strains of malware that share the same code base called Linux Rabbit and “Rabbot”. The goal of this\r\ncampaign is to install cryptocurrency miners onto the targeted servers and devices. The type of Monero\r\ncryptominer installed is dependent upon what the machine’s architecture is. The threat bulletins associated with\r\nthis blog post will thoroughly examine the general campaign and the individual malware processes for both Linux\r\nRabbit and Rabbot.\r\nhttps://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat\r\nPage 2 of 6\n\nThis campaign was conducted by unknown threat actors and it is currently unclear what the initial infection vector\r\nis. The first campaign began in August 2018 and was utilizing the Linux Rabbit malware to infect Linux systems.\r\nThe Linux Rabbit malware only targeted Linux servers that were located in specific countries: Russia, South\r\nKorea, the UK, and the US. 
This malware has four main functions:\r\nEstablish a connection to the Command and Control (C2) server using Tor gateways\r\nSet up persistence\r\nSSH brute force\r\nInstall the cryptocurrency miner\r\nAdditional information discussing the campaign, such as infrastructure data and downloaded files, can be viewed by ThreatStream users here.\r\nFor Linux Rabbit to establish a connection with the C2 server, it utilizes Tor hidden services as contact points to access a Tor gateway. The malware randomly selects one of the hidden services and then a Tor gateway to follow in order to establish an active C2 URL. The payload for the malware is then sent from the C2 server as an encoded URL parameter.\r\nThe malware’s second functionality is to gain persistence on an infected machine. This is achieved through “rc.local” files and “.bashrc” files. After obtaining persistence, the next functionality of Linux Rabbit is to brute force SSH passwords, which ultimately allows the malware to install the cryptocurrency miner onto the server. The SSH brute forcing begins with the malware generating a random IPv4 address and checking its geolocation. If the IP is located within a country that is “blacklisted,” it will stop and move on until it finds an IP that is located in an allowed geolocation, which for this malware are Russia, South Korea, the UK, and the US. Once an allowed IP location is discovered, Linux Rabbit checks whether an SSH server is listening on port 22. The malware opens a socket to see if it receives a response, and if it does, it attempts to obtain the machine’s hostname. Interestingly, this malware also checks the Top-Level Domain (TLD) of a host and skips any TLD that is blacklisted. Many of the blacklisted TLDs belong to government-related sites in a variety of countries. 
If the TLD is not blacklisted, the malware runs through an authentication process using its list of hard-coded credentials. The first two credential attempts are used to ensure that the malware is not in a “honey pot”. This is likely to avoid static analysis of the malware.\r\nAfter all this, if the malware successfully discovers a viable target and is able to gain access through SSH credential brute forcing, it can begin installing the cryptocurrency miner. Linux Rabbit attempts to install both the “CNRig” and “CoinHive” Monero miners onto the machine, but only one will actually install successfully, depending on the machine’s architecture. If the machine is x86, it installs the CNRig Monero miner, and if the machine is ARM/MIPS, it installs CoinHive. If the infected machine is a web server, the malware injects CoinHive script tags into every HTML file, so that visitors to the site/server are also infected with the cryptocurrency miner. Linux Rabbit is able to connect to GitHub and receive updates from the threat actors. It also has a built-in killswitch. It is able to detect other miners already on a target machine and delete them during the installation of its own miner.\r\nA technical breakdown of Linux Rabbit can be viewed by ThreatStream users here.\r\nFollowing the Linux Rabbit campaign in August 2018, a second campaign ran from September 2018 until October 2018 and used a different malware strain to infect machines. This new campaign used a self-propagating worm called “Rabbot” that shared the same code base as Linux Rabbit. However, Rabbot is not limited to infecting just Linux servers like Linux Rabbit, because it can also target and infect Internet-of-Things (IoT) devices via known vulnerabilities. 
Most crucially, it is not restricted to attacking devices in specific geolocations. The known vulnerabilities that Rabbot is capable of exploiting include the following:\r\nCVE-2018-1149\r\nCVE-2018-9866\r\nCVE-2017-6884\r\nCVE-2016-0792\r\nCVE-2015-2051\r\nhttps://www.exploit-db.com/exploits/31683/\r\nhttps://www.exploit-db.com/exploits/27528/\r\nhttps://www.exploit-db.com/exploits/39596/\r\nhttps://www.exploit-db.com/exploits/42114/\r\nhttps://www.exploit-db.com/exploits/40500/\r\nhttps://www.exploit-db.com/exploits/41499/\r\nhttps://www.exploit-db.com/exploits/40212/\r\nhttps://www.exploit-db.com/exploits/43055/\r\nhttps://www.exploit-db.com/exploits/44760/\r\nhttps://www.exploit-db.com/exploits/41471/\r\nhttps://blogs.securiteam.com/index.php/archives/3445\r\nA technical breakdown of Rabbot can be viewed by ThreatStream users here.\r\nBoth malware strains share the same code base, which means they function almost exactly the same, except that Rabbot sends all its payloads through an open port 80 to the Linux (web) servers without checking that the process is successful. Since the malware installs different payloads depending on the architecture of the machine, it, in theory, does not need to check what was successfully installed, since one of the two cryptominers is guaranteed to run. 
Rabbot will also install CoinHive miners into web pages served by the infected web server by searching for “.HTML” files and inserting the CoinHive JavaScript into them, so that it runs in visitors’ browsers.\r\nIOCs\r\nSource: 
https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"
	],
	"report_names": [
		"pulling-linux-rabbit-rabbot-malware-out-of-a-hat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434868,
	"ts_updated_at": 1775791319,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a60a65480bce7caee7765e446c7e17359bbaed14.pdf",
		"text": "https://archive.orkl.eu/a60a65480bce7caee7765e446c7e17359bbaed14.txt",
		"img": "https://archive.orkl.eu/a60a65480bce7caee7765e446c7e17359bbaed14.jpg"
	}
}