{
	"id": "d15fee80-ef65-457b-a954-fcb9b9fcea0c",
	"created_at": "2026-04-06T00:08:56.027044Z",
	"updated_at": "2026-04-10T03:24:17.98633Z",
	"deleted_at": null,
	"sha1_hash": "a72d1247673413c229b1f74ffcab10f87ab0625e",
	"title": "New SysJoker backdoor targets Windows, macOS, and Linux",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1832412,
	"plain_text": "New SysJoker backdoor targets Windows, macOS, and Linux\r\nBy Bill Toulas\r\nPublished: 2022-01-11 · Archived: 2026-04-05 23:04:29 UTC\r\nA new multi-platform backdoor malware named 'SysJoker' has emerged in the wild, targeting Windows, Linux, and macOS with the ability to evade detection on all three operating systems.\r\nThe discovery of the new malware comes from researchers at Intezer, who first saw signs of its activity in December 2021 after investigating an attack on a Linux-based web server.\r\nThe first uploads of the malware sample to VirusTotal occurred in H2 2021, which also aligns with the C2 domain registration times.\r\nThe security analysts have now published a detailed technical report on SysJoker, which they shared with BleepingComputer before publication.\r\nhttps://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/\r\nPage 1 of 6\r\nA Joker that doesn't like to draw attention\r\nThe malware is written in C++, and while each variant is tailored to the targeted operating system, all of them are undetected on VirusTotal, an online malware scanning site that uses 57 different antivirus detection engines.\r\nOn Windows, SysJoker employs a first-stage dropper in the form of a DLL, which uses PowerShell commands to do the following:\r\nfetch the SysJoker ZIP from a GitHub repository,\r\nunzip it into \"C:\\ProgramData\\RecoverySystem\\\",\r\nexecute the payload.\r\nThe malware then sleeps for up to two minutes before creating a new directory and copying itself as an Intel Graphics Common User Interface Service (\"igfxCUIService.exe\").\r\nFull execution process for SysJoker on Windows\r\nSource: Intezer\r\n\"Next, SysJoker will gather information about the machine using Living off the Land (LOtL) commands. SysJoker uses different temporary text files to log the results of the commands,\" explains Intezer's report.\r\n\"These text files are deleted immediately, stored in a JSON object and then encoded and written to a file named 'microsoft_Windows.dll'.\"\r\nAfter gathering system and network data, the malware will create persistence by adding a new registry key (HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run). Random sleep times are interposed between all functions leading to this point.\r\nThe next step for the malware is to reach out to the actor-controlled C2 server, and for this, it uses a hardcoded Google Drive link.\r\nResolving the hardcoded Google Drive link\r\nSource: Intezer\r\nThe link hosts a \"domain.txt\" file that the actors regularly update to provide available servers to live beacons. This list constantly changes to avoid detection and blocking.\r\nThe system information collected in the first stages of the infection is sent as the first handshake to the C2. The C2 replies with a unique token that serves as the identifier of the infected endpoint.\r\nFrom there, the C2 may instruct the backdoor to install additional malware, run commands on the infected device, or command the backdoor to remove itself from the device. Those last two instructions haven't been implemented yet, though.\r\nSysJoker C2 communications diagram\r\nSource: Intezer\r\nWhile the Linux and macOS variants do not have a first-stage dropper in the form of a DLL, they ultimately perform the same malicious behavior on the infected device.\r\nDetection and prevention\r\nIntezer has provided full indicators of compromise (IOCs) in their report that admins can use to detect the presence of SysJoker on an infected device. Below, we have outlined some of the IOCs for each operating system.\r\nOn Windows, the malware files are located under the \"C:\\ProgramData\\RecoverySystem\" folder, at C:\\ProgramData\\SystemData\\igfxCUIService.exe, and C:\\ProgramData\\SystemData\\microsoft_Windows.dll. For persistence, the malware creates an Autorun \"Run\" value of \"igfxCUIService\" that launches the igfxCUIService.exe malware executable.\r\nOn Linux, the files and directories are created under \"/.Library/\" while persistence is established by creating the following cron job: @reboot (/.Library/SystemServices/updateSystem).\r\nOn macOS, the files are created under \"/Library/\" and persistence is achieved via a LaunchAgent under the path /Library/LaunchAgents/com.apple.update.plist.\r\nThe Intezer report also lists the C2 domains used by the malware.\r\nIf you find that you have been compromised by SysJoker, follow these three steps:\r\n1. Kill all processes related to the malware and manually delete the files and the relevant persistence mechanism.\r\n2. Run a memory scanner to ensure that all malicious files have been uprooted from the infected system.\r\n3. Investigate the potential entry points, check firewall configurations, and update all software tools to the latest available version.\r\nSource: https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/"
	],
	"report_names": [
		"new-sysjoker-backdoor-targets-windows-macos-and-linux"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434136,
	"ts_updated_at": 1775791457,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a72d1247673413c229b1f74ffcab10f87ab0625e.pdf",
		"text": "https://archive.orkl.eu/a72d1247673413c229b1f74ffcab10f87ab0625e.txt",
		"img": "https://archive.orkl.eu/a72d1247673413c229b1f74ffcab10f87ab0625e.jpg"
	}
}