{
	"id": "e0f94a83-f158-4210-92af-3a936ff4630b",
	"created_at": "2026-04-10T03:20:31.123295Z",
	"updated_at": "2026-04-10T13:11:42.428317Z",
	"deleted_at": null,
	"sha1_hash": "abbc5f734da546dc11ba430aac88119e74b92082",
	"title": "BlackTech Updates Elf-Plead Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 778397,
	"plain_text": "BlackTech Updates Elf-Plead Backdoor\r\nPublished: 2021-02-11 · Archived: 2026-04-10 03:05:10 UTC\r\nOverview\r\nOn November 10, 2020, JPCert[1] published a blog post in Japanese (the English version followed about a week later), providing an overview of BlackTech’s PLEAD backdoor, referred to as “ELF_PLEAD”, specifically targeting *nix systems. In late March 2021, Intezer[2] tweeted a hash of what was described as a fully undetectable (FUD) version of ELF_PLEAD.\r\nThis post will cover a few updates to the PLEAD backdoor, some that have been publicized, and some that I found while analyzing the file.\r\nTargeting the Penguin\r\nBlackTech has an extensive malware repo and is best known for utilizing network and software exploits for initial access. Continued development and refinement of tooling specifically for Linux systems is just another notch in the belt of BlackTech. In March of 2020, JPCert[3] again identified a Linux variant of BlackTech’s TSCookie loader.\r\nThe following month in April, TeamT5[4] released a blog post detailing an intrusion at a Taiwan academic institution attributed to BlackTech, which utilized the Ghostcat vulnerability (CVE-2020-1938) for initial access. The file later found on the compromised institution’s network was identified as a Unix variant of Bifrose, or Bifrost, a backdoor associated with BlackTech.\r\nUpdated PLEAD characteristics:\r\n64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, for GNU/Linux 2.6.18.\r\nShared libraries:\r\nglibc 2.2.5, glibc 2.3, glibc 2.4 \u003e GNU C Libraries\r\nlibcrypto.so.10\r\nlibssl.so.10\r\nThe libcrypto* and libssl* libraries are older versions of the OpenSSL libraries shipped with RedHat Linux distributions.\r\nPrevious versions of ELF_PLEAD were statically linked, meaning all dependencies are stored within the binary; however, this also means a larger file size.\r\nOne thing that hasn’t changed between the PLEAD versions is the stripping of symbol information in the binary. Malware developers commonly strip the symbol information to hamper analysis efforts. Figure 1 depicts the binary with a stripped Symbol Table; however, we can still glean plenty of information from the file.\r\nhttps://cyberandramen.net/2021/02/11/blacktech-updates-elf-plead-backdoor/\r\nPage 1 of 5\r\nFigure 1\r\n*Note: The script myelf_parser.py is a personal project of mine to learn about working with ELF binaries in Python.\r\nNot visible in this file is the Symbol Table (.symtab); the Dynamic Symbol Table (.dynsym), which contains libc functions, can give us a glimpse into the capabilities of the backdoor.\r\nThe functions visible in Figure 1 hint that the binary makes a connection to some infrastructure using SSL, and has the ability to execute some commonly known Unix OS commands.\r\nFigure 2: Hardcoded C2 IPv4 address\r\nThe backdoor connects to an IP address (168.95[.]1.1) that, as we will see in Figure 3, is located in Taiwan, a known target for BlackTech. It is likely the command and control infrastructure is located there to blend in with the targeted network, so as not to raise alarms.\r\nThe backdoor described in the November 2020 post utilized the domain mx[.]msdtc.tw for command and control. Of note, this domain lists Yu Liang Lin (wufi2011@gmail.com) as the registrant. The name and email address could very well be a throwaway account, or stolen credentials used to register the domain. At the time of writing, there were no other domains associated with the Gmail address.\r\nFigure 3\r\nELF_PLEAD conducts a number of checks to ensure it has landed on the correct target. This is important not only for fingerprinting the victim system but also because the ELF binary is dynamically linked. In other words, if a more recent version of the operating system were installed, many of the capabilities in PLEAD would be rendered useless.\r\nFigure 4\r\nELF_Plead Commands\r\nSimilar to the ELF_PLEAD sample JPCert identified, this updated version is outfitted with seven separate command groups. The commands and command numbers that differ from the prior sample are listed below:\r\n11C SockClient \u003e\u003e Client/Server proxy mode\r\n11C TravClient\r\nMany of the same commands, including file operations, remote shell, and proxy modes, are found in this version of PLEAD. Figure 5 provides some of the aforementioned commands used to navigate through the compromised system.\r\nFigure 5\r\nThe backdoor contains the ability to create a new thread and provide the operator with a pseudo-terminal (tty) shell. Shell commands are executed using “echo -e”; the additional functions called are listed below.\r\n“[!] monitor %d %d”\r\n“[!] openpty %d”\r\n“[!] ttyname %d”\r\n“[!] ioctl %d”\r\n“[!] fork %d %d”\r\n**Featured Image: Photo by Claudio Schwarz on Unsplash\r\nConclusion\r\nHope you enjoyed this quick analysis!\r\nIndicators of Compromise (IOC)\r\nSHA256: 3fefceeab9f845f9ddbe9c3a0712d45aad4c87fdbb178d13955944dbe6b338a3\r\nIP: 168.95.1[.]1\r\nReferences\r\n[1] https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html\r\n[2] https://twitter.com/IntezerLabs/status/1373977739347300353\r\n[3] https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html\r\n[4] https://teamt5.org/tw/posts/technical-analysis-on-backdoor-bifrost-of-the-Chinese-apt-group-huapi/\r\nSource: https://cyberandramen.net/2021/02/11/blacktech-updates-elf-plead-backdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cyberandramen.net/2021/02/11/blacktech-updates-elf-plead-backdoor/"
	],
	"report_names": [
		"blacktech-updates-elf-plead-backdoor"
	],
	"threat_actors": [],
	"ts_created_at": 1775791231,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/abbc5f734da546dc11ba430aac88119e74b92082.pdf",
		"text": "https://archive.orkl.eu/abbc5f734da546dc11ba430aac88119e74b92082.txt",
		"img": "https://archive.orkl.eu/abbc5f734da546dc11ba430aac88119e74b92082.jpg"
	}
}