{
	"id": "ce0d4177-57ee-4369-a38f-9cc7f781a18a",
	"created_at": "2026-04-06T00:14:00.905932Z",
	"updated_at": "2026-04-10T03:20:05.837502Z",
	"deleted_at": null,
	"sha1_hash": "b107d26a305add45f76bba078f306fc72f3fdad7",
	"title": "From Linux to Windows - New Family of Cross-Platform Desktop Backdoors Discovered",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 380642,
	"plain_text": "From Linux to Windows - New Family of Cross-Platform Desktop Backdoors Discovered\r\nBy Stefan Ortloff\r\nPublished: 2016-01-29 · Archived: 2026-04-05 15:00:07 UTC\r\nBackground\r\nRecently we came across a new family of cross-platform backdoors for desktop environments. First we got the Linux variant, and with information extracted from its binary, we were able to find the variant for Windows desktops, too. Not only that, but the Windows version was additionally equipped with a valid code signing signature. Let's have a look at both of them.\r\nDropboxCache aka Backdoor.Linux.Mokes.a\r\nThis backdoor for Linux-based operating systems comes packed via UPX and is full of features to monitor the victim’s activities, including code to capture audio and take screenshots.\r\nAfter its first execution, the binary checks its own file path and, if necessary, copies itself to one of the following locations:\r\n$HOME/$QT-GenericDataLocation/.mozilla/firefox/profiled\r\n$HOME/$QT-GenericDataLocation/.dropbox/DropboxCache\r\nOne example would be this location: $HOME/.local/share/.dropbox/DropboxCache. To achieve persistence, it uses this not very stealthy method: it just creates a .desktop-file in $HOME/.config/autostart/$filename.desktop. Here’s the template for this:\r\nNext, it connects to its hardcoded C\u0026C Server. From this point, it performs an HTTP request every minute:\r\nhttps://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/\r\nPage 1 of 11\n\nThis “heartbeat” request replies with a one-byte image. To upload and receive data and commands, it connects to TCP port 433 using a custom protocol and AES encryption. The binary comes with the following hardcoded public keys:\r\nThe malware then collects gathered information from the keylogger, audio captures and screenshots in /tmp/. Later it will upload the collected data to the C\u0026C.\r\n/tmp/ss0-DDMMyy-HHmmss-nnn.sst (Screenshots, JPEG, every 30 sec.)\r\n/tmp/aa0-DDMMyy-HHmmss-nnn.aat (Audiocaptures, WAV)\r\n/tmp/kk0-DDMMyy-HHmmss-nnn.kkt (Keylogs)\r\n/tmp/dd0-DDMMyy-HHmmss-nnn.ddt (Arbitrary Data)\r\nDDMMyy = date: 280116 = 2016-01-28\r\nHHmmss = time: 154411 = 15:44:11\r\nnnn = milliseconds.\r\nThis part of the code is able to capture audio from the victim’s box.\r\nHowever, audio capturing is not activated in the event timer of this binary, just like the keylogging feature. Since the authors have statically linked libqt, xkbcommon (the library to handle keyboard descriptions) and OpenSSL (1.0.2c) to the binary, the size of the binary is over 13MB. The criminals also didn’t make any effort to obfuscate the binary in any way. In fact, the binary contains almost all symbols, which is very useful during analysis.\r\nThere are also references to the author’s source files:\r\nApparently, it’s written in C++ and Qt, a cross-platform application framework. According to the binary’s metadata it was compiled using “GCC 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04)” on Ubuntu 14.04 LTS “Trusty Tahr”. According to the qt_instdate timestamp, the last time the Qt sources were configured was on 2015-09-26 (qt/qtbase.git: deprecated), which implies that the malware was compiled no earlier than the end of September 2015.\r\nWe detect this type of malware as Backdoor.Linux.Mokes.a.\r\nOLMyJuxM.exe aka Backdoor.Win32.Mokes.imv\r\nJust a few days ago, we came across a rather familiar looking sample, although it was compiled for machines running Microsoft Windows. It quickly turned out to be a 32-bit Windows variant of Backdoor.Linux.Mokes.a.\r\nAfter execution, the malware randomly chooses one of nine different locations in %AppData% to persistently install itself on the machine. The binary also creates a “version”-file in the same folder. As its name implies, it stores just version information, together with the full installation path of the malware itself:\r\nThen the corresponding registry keys are created in HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run to ensure persistence in the system.\r\nAfter the malware has executed its own copy in the new location, the SetWindowsHook API is utilized to establish keylogger functionality and to monitor mouse inputs and internal messages posted to the message queue.\r\nThe next stage in its operation is to contact the hardcoded C\u0026C server. Besides the different IP addresses and encryption key, we see almost identical behavior.\r\nHowever, this particular variant uses a slightly different implementation and tries to obtain the default Windows user-agent string.\r\nIf this is not successful, the sample uses its hardcoded version:\r\nLike the Linux variant, it connects to its C\u0026C server in the same way: once per minute it sends a heartbeat signal via HTTP (GET /v1). To retrieve commands or to upload or download additional resources, it uses TCP port 433.\r\nIt uses almost the same filename templates to save the obtained screenshots, audiocaptures, keylogs and other arbitrary data. Unlike the Linux variant, in this sample the keylogger is active. Below you can see the content of a keystroke logfile, located in %TEMP% and created by this sample:\r\nAnd again, we spotted some unexpected code. The following screenshot shows references to code which is able to capture images from a connected camera, such as a built-in webcam.\r\nSimilar to the Linux version, the author left quite a number of suspicious strings in the binary. The following string is surprisingly honest.\r\nFrom the criminal’s point of view, it’s important that the software looks legitimate and that Windows doesn’t ask the user for confirmation prior to execution of unknown software. On Windows machines this can be achieved by using Trusted Code Signing Certificates. In this particular case, the criminal managed to sign the binary with a trusted certificate from “COMODO RSA Code Signing CA”.\r\nWe detect this type of malware as Backdoor.Win32.Mokes.imv.\r\nWhat’s next\r\nSince this software was intentionally designed to be platform independent, we might also see corresponding Mac OS X samples in the future. Update: We found it. See Update section below.\r\nUpdate\r\n(2016-02-01 10:45 UTC): We just got Backdoor.Win32.Mokes.imw. This is the first time we see a variant of Mokes which comes with the audio capture module activated. The malware creates a new audio file every 5 minutes.\r\n(2016-09-07 13:19 UTC): We just came across the OS X variant of this malware and posted an analysis on this blog.\r\nIOCs\r\nBackdoor.Linux.Mokes.a\r\nc9e0e5e2aeaecb232120e8573e97a6b8\r\n$HOME/$QT-GenericDataLocation/.mozilla/firefox/profiled\r\n$HOME/$QT-GenericDataLocation/.dropbox/DropboxCache\r\n$HOME/.config/autostart/profiled.desktop\r\n$HOME/.config/autostart/DropboxCache.desktop\r\n/tmp/ss0-$date-$time-$ms.sst\r\nBackdoor.Win32.Mokes.imv \u0026 .imw\r\nf2407fd12ec0d4f3e82484c027c7d149 (imw)\r\n91099aa413722d22aa50f85794ee386e (imv)\r\n%AppData%\\Skype\\SkypeHelper.exe\r\n%AppData%\\Skype\\version\r\n%AppData%\\Dropbox\\bin\\DropboxHelper.exe\r\n%AppData%\\Dropbox\\bin\\version\r\n%AppData%\\Google\\Chrome\\nacl32.exe\r\n%AppData%\\Google\\Chrome\\version\r\n%AppData%\\Google\\Chrome\\nacl64.exe\r\n%AppData%\\Google\\Chrome\\version\r\n%AppData%\\Mozilla\\Firefox\\mozillacache.exe\r\n%AppData%\\Mozilla\\Firefox\\version\r\n%AppData%\\Hewlett-Packard\\hpqcore.exe\r\n%AppData%\\Hewlett-Packard\\version\r\n%AppData%\\Hewlett-Packard\\hpprint.exe\r\n%AppData%\\Hewlett-Packard\\version\r\n%AppData%\\Hewlett-Packard\\hpscan.exe\r\n%AppData%\\Hewlett-Packard\\version\r\n%AppData%\\Adobe\\Acrobat\\AcroBroker.exe\r\n%AppData%\\Adobe\\Acrobat\\version\r\n%TEMP%\\aa$n-$date-$time-$ms.aat (imw)\r\nwhere $n is a decimal hash-value calculated from the soundcard’s name\r\n%TEMP%\\ss0-$date-$time-$ms.sst\r\n%TEMP%\\dd0-$date-$time-$ms.ddt\r\n%TEMP%\\kk$date.kkt\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run “%PERSISTENT-FILENAME%”, “%PERSISTENT-FILEPATH%”\r\nwhere %PERSISTENT-FILENAME% is one of the filenames above and %PERSISTENT-FILEPATH% is the corresponding path\r\nSource: https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/"
	],
	"report_names": [
		"73503"
	],
	"threat_actors": [],
	"ts_created_at": 1775434440,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b107d26a305add45f76bba078f306fc72f3fdad7.pdf",
		"text": "https://archive.orkl.eu/b107d26a305add45f76bba078f306fc72f3fdad7.txt",
		"img": "https://archive.orkl.eu/b107d26a305add45f76bba078f306fc72f3fdad7.jpg"
	}
}