{
	"id": "3df6f1a8-4537-4fda-8b80-9d0f6bdf0773",
	"created_at": "2026-04-06T00:17:47.889582Z",
	"updated_at": "2026-04-10T13:11:33.914831Z",
	"deleted_at": null,
	"sha1_hash": "b4f2799ef591ed5920801c1ec0f0503b9a084312",
	"title": "Thieves Reaching for Linux—\"Hand of Thief\" Trojan Targets Linux #INTH3WILD - Speaking of Security - The RSA Blog and Podcast",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 307580,
	"plain_text": "Thieves Reaching for Linux—\"Hand of Thief\" Trojan Targets Linux #INTH3WILD - Speaking of Security - The RSA Blog and Podcast\r\nBy https://blogs.rsa.com\r\nPublished: 2013-08-07 · Archived: 2026-04-05 14:56:12 UTC\r\nJust two weeks after reporting on the commercialization of the KINS banking Trojan, RSA reveals yet another weapon in the cybercriminal’s arsenal.\r\nIt appears that a Russia-based cybercrime team has set its sights on offering a new banking Trojan targeting the Linux operating system. This appears to be a commercial operation, with support/sales agents and software developer(s).\r\nMeet the “Hand of Thief” Trojan\r\nHand of Thief is a Trojan designed to steal information from machines running the Linux OS. This malware is currently offered for sale in closed cybercrime communities for $2,000 USD (€1,500 EUR) with free updates.\r\nThe current functionality includes form grabbers and backdoor capabilities; however, the Trojan is expected to gain a suite of web injections and graduate to full-blown banking malware in the very near future. At that point, the price is expected to rise to $3,000 USD (€2,250 EUR), plus a hefty $550 per major version release. These prices match those quoted by developers of similar malware for the Windows OS, which puts Hand of Thief well above market value considering the relatively small user base of Linux.\r\nThe Trojan’s developer claims it has been tested on 15 different Linux desktop distributions, including Ubuntu, Fedora and Debian. As for desktop environments, the malware supports 8 different environments, including GNOME and KDE.\r\nAn Insider’s Glimpse\r\nRSA researchers have managed to obtain the malware builder as well as the server-side source code, and a preliminary analysis reveals familiar functionalities of a banking Trojan. 
Some of the initial features include:\r\n- Form grabber for both HTTP and HTTPS sessions; supported browsers include Firefox, Google Chrome, and several other browsers common on Linux, such as Chromium, Aurora and Iceweasel.\r\n- Block list preventing access to specified hosts (a deployment similar to the one the Citadel Trojan uses to isolate bots from security updates and anti-virus providers)\r\n- Backdoor, backconnect and SOCKS5 proxy\r\n- Anti-research toolbox, which includes anti-VM, anti-sandbox and anti-debugger checks\r\nhttps://web.archive.org/web/20130815040638/https://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/\r\nFigure 1: Hand of Thief – Linux Trojan’s Builder\r\nControl Panel Features\r\nThe developer wrote a basic administration panel for the Trojan, allowing the botmaster to control the infected machines reporting to it. The panel shows a list of the bots, provides a querying interface, and run-of-the-mill bot management options.\r\nThe Trojan’s infrastructure collects the stolen credentials and stores the information in a MySQL database. Captured data includes the timestamp, user agent, website visited and POST data. Hand of Thief also exhibits cookie-stealing functionality.\r\nFigure 2: Hand of Thief – Linux Trojan’s Admin Panel View\r\nAlthough Hand of Thief comes to the underground at a time when commercial Trojans are in high demand, writing malware for the Linux OS is uncommon, and for good reason. In comparison to Windows, Linux’s user base is smaller, considerably reducing the number of potential victims and thereby the potential fraud gains. Secondly, since Linux is open source, vulnerabilities are patched relatively quickly by the community of users. 
Backing this up is the fact that there aren’t significant exploit packs targeting the platform. In fact, in a conversation with the malware’s sales agent, he himself suggested using email and social engineering as the infection vector.\r\nSo What’s Next?\r\nWe are left with a number of questions:\r\nWithout the ability to spread the malware as widely as on the Windows platform, the price tag seems hefty, and raises the question: will the Linux Trojan have the same value as its Windows counterparts?\r\nAlso, with recent recommendations to leave the supposedly insecure Windows OS for the safer Linux distributions, does Hand of Thief represent the early signs of Linux becoming less secure as cybercrime migrates to the platform?\r\nOnly time will tell. RSA researchers will continue to closely monitor the development of this Trojan and update accordingly.\r\nSource: https://web.archive.org/web/20130815040638/https://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20130815040638/https://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/"
	],
	"report_names": [
		"thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434667,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b4f2799ef591ed5920801c1ec0f0503b9a084312.pdf",
		"text": "https://archive.orkl.eu/b4f2799ef591ed5920801c1ec0f0503b9a084312.txt",
		"img": "https://archive.orkl.eu/b4f2799ef591ed5920801c1ec0f0503b9a084312.jpg"
	}
}