{
	"id": "712e0ce2-62e0-4f81-acbb-164c5b7acae9",
	"created_at": "2026-04-06T01:31:00.725115Z",
	"updated_at": "2026-04-10T03:34:57.284539Z",
	"deleted_at": null,
	"sha1_hash": "b833ffc1d517949268080da304ff84e929a6b248",
	"title": "FontOnLake: Previously unknown malware family targeting Linux",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 406411,
	"plain_text": "FontOnLake: Previously unknown malware family targeting Linux\r\nBy Vladislav Hrčka\r\nArchived: 2026-04-06 00:21:30 UTC\r\nESET Research\r\nESET researchers discover a malware family with tools that show signs they’re used in targeted attacks\r\n07 Oct 2021  •  , 8 min. read\r\nESET researchers have discovered a previously unknown malware family that utilizes custom and well-designed\r\nmodules, targeting systems running Linux. Modules used by this malware family, which we dubbed FontOnLake,\r\nare constantly under development and provide remote access to the operators, collect credentials, and serve as a\r\nproxy server. In this blogpost, we summarize the findings published in full in our white paper.\r\nTo collect data (for instance ssh credentials) or conduct other malicious activity, this malware family uses\r\nmodified legitimate binaries that are adjusted to load further components. In fact, to conceal its existence,\r\nFontOnLake’s presence is always accompanied by a rootkit. These binaries such as cat, kill or sshd are commonly\r\nused on Linux systems and can additionally serve as a persistence mechanism.\r\nThe sneaky nature of FontOnLake’s tools in combination with advanced design and low prevalence suggest that\r\nthey are used in targeted attacks.\r\nhttps://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/\r\nPage 1 of 9\n\nThe first known file of this malware family appeared on VirusTotal last May and other samples were uploaded\r\nthroughout the year. The location of the C\u0026C server and the countries from which the samples were uploaded to\r\nVirusTotal might indicate that its targets include Southeast Asia.\r\nWe believe that FontOnLake’s operators are particularly cautious since almost all samples seen use unique C\u0026C\r\nservers with varying non-standard ports. The authors use mostly C/C++ and various third-party libraries such as\r\nBoost, Poco, or Protobuf. 
None of the C\u0026C servers used in samples uploaded to VirusTotal were active at the time of writing, which indicates that they could have been disabled due to the upload.\r\nKnown components of FontOnLake\r\nFontOnLake’s currently known components can be divided into the following three groups, which interact with each other:\r\nTrojanized applications: modified legitimate binaries that are adjusted to load further components, collect data, or conduct other malicious activities.\r\nBackdoors: user-mode components serving as the main point of communication for its operators.\r\nRootkits: kernel-mode components that mostly hide and disguise their presence, assist with updates, or provide fallback backdoors.\r\nTrojanized applications\r\nWe discovered multiple trojanized applications; they are used mostly to load custom backdoor or rootkit modules. Aside from that, they can also collect sensitive data. Patches to the applications are most likely applied at the source code level, which indicates that the applications must have been compiled and then replaced the original ones. All the trojanized files are standard Linux utilities, and each serves as a persistence method because they are commonly executed on system start-up. The initial way in which these trojanized applications get to their victims is not known.\r\nCommunication of a trojanized application with its rootkit runs through a virtual file, which is created and managed by the rootkit. As illustrated in Figure 1, data can be read from and written to the virtual file and exported by the backdoor component upon the operator’s request.\r\nFigure 1. Interaction of FontOnLake’s components\r\nBackdoors\r\nThe three different backdoors we discovered are written in C++ and all use, albeit in slightly different ways, the same Asio library from Boost for asynchronous network and low-level I/O. Poco, Protobuf, and features from the STL such as smart pointers are used as well. What is rare for malware is the fact that these backdoors also feature a number of software design patterns.\r\nThe functionality that they all have in common is that each exfiltrates collected credentials and the bash command history to its C\u0026C.\r\nConsidering some of the overlapping functionality, most likely these different backdoors are not used together on one compromised system.\r\nAll the backdoors additionally use custom heartbeat commands, sent and received periodically, to keep the connection alive.\r\nThe overall functionality of these backdoors consists of the following methods:\r\nExfiltrating the collected data\r\nCreating a bridge between a custom ssh server running locally and its C\u0026C\r\nManipulating files (for instance, upload/download, create/delete, directory listing, modify attributes, and so on)\r\nServing as a proxy\r\nExecuting arbitrary shell commands and python scripts\r\nRootkit\r\nWe discovered two different versions of the rootkit; only one of them is used at a time, by each of the three backdoors. 
There are significant differences between those two rootkits; however, certain aspects of them overlap. Even though the rootkit versions are based on the suterusu open-source project, they contain several of FontOnLake’s exclusive, custom techniques.\r\nThe combined functionality of the two versions of the rootkit we discovered includes:\r\nProcess hiding\r\nFile hiding\r\nHiding itself\r\nHiding network connections\r\nExposing the collected credentials to its backdoor\r\nPerforming port forwarding\r\nReception of magic packets (specially crafted packets that can instruct the rootkit to download and execute another backdoor)\r\nAfter our discovery, while we were finalizing our white paper on this topic, vendors such as Tencent Security Response Center, Avast and Lacework Labs published their research on what appears to be the same malware.\r\nAll known components of FontOnLake are detected by ESET products as Linux/FontOnLake. Companies or individuals who want to protect their Linux endpoints or servers from this threat should use a multilayered security product and an updated version of their Linux distribution; some of the samples we have analyzed were created specifically for CentOS and Debian.\r\nIn the past we described an operation that shared certain behavioral patterns with FontOnLake; however, its scale and impact were much bigger. 
We dubbed it Operation Windigo and you can find more information about it in this white paper and this follow-up blogpost.\r\nAdditional technical details on FontOnLake can be found in our comprehensive white paper.\r\nIoCs\r\nSamples\r\nSHA-1 | Description | Detection name\r\n1F52DB8E3FC3040C017928F5FFD99D9FA4757BF8 | Trojanized cat | Linux/FontOnLake\r\n771340752985DD8E84CF3843C9843EF7A76A39E7 | Trojanized kill | Linux/FontOnLake\r\n27E868C0505144F0708170DF701D7C1AE8E1FAEA | Trojanized sftp | Linux/FontOnLake\r\n45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378 | Trojanized sshd | Linux/FontOnLake\r\n1829B0E34807765F2B254EA5514D7BB587AECA3F | Custom sshd | Linux/FontOnLake\r\n8D6ACA824D1A717AE908669E356E2D4BB6F857B0 | Custom sshd | Linux/FontOnLake\r\n38B09D690FAFE81E964CBD45EC7CF20DCB296B4D | Backdoor 1 variant 1 | Linux/FontOnLake\r\n56556A53741111C04853A5E84744807EEADFF63A | Backdoor 1 variant 2 | Linux/FontOnLake\r\nFE26CB98AA1416A8B1F6CED4AC1B5400517257B2 | Backdoor 1 variant 3 | Linux/FontOnLake\r\nD4E0E38EC69CBB71475D8A22EDB428C3E955A5EA | Backdoor 1 variant 4 | Linux/FontOnLake\r\n204046B3279B487863738DDB17CBB6718AF2A83A | Backdoor 2 variant 1 | Linux/FontOnLake\r\n9C803D1E39F335F213F367A84D3DF6150E5FE172 | Backdoor 2 variant 2 | Linux/FontOnLake\r\nBFCC4E6628B63C92BC46219937EA7582EA6FBB41 | Backdoor 2 variant 3 | Linux/FontOnLake\r\n515CFB5CB760D3A1DA31E9F906EA7F84F17C5136 | Backdoor 3 variant 4 | Linux/FontOnLake\r\nA9ED0837E3AF698906B229CA28B988010BCD5DC1 | Backdoor 3 variant 5 | Linux/FontOnLake\r\n56CB85675FE7A7896F0AA5365FF391AC376D9953 | Rootkit 1 version 1 | Linux/FontOnLake\r\n72C9C5CE50A38D0A2B9CEF6ADEAB1008BFF12496 | Rootkit 1 version 2 | Linux/FontOnLake\r\nB439A503D68AD7164E0F32B03243A593312040F8 | Rootkit 1 version 3 | Linux/FontOnLake\r\nE7BF0A35C2CD79A658615E312D35BBCFF9782672 | Rootkit 1 version 4 | Linux/FontOnLake\r\n56580E7BA6BF26D878C538985A6DC62CA094CD04 | Rootkit 1 version 5 | Linux/FontOnLake\r\n49D4E5FCD3A3018A88F329AE47EF4C87C6A2D27A | Rootkit 1 version 5 | Linux/FontOnLake\r\n74D44C2949DA7D5164ADEC78801733680DA8C110 | Rootkit 2 version 1 | Linux/FontOnLake\r\n74D755E8566340A752B1DB603EF468253ADAB6BD | Rootkit 2 version 2 | Linux/FontOnLake\r\nE20F87497023E3454B5B1A22FE6C5A5501EAE2CB | Rootkit 2 version 3 | Linux/FontOnLake\r\n6F43C598CD9E63F550FF4E6EF51500E47D0211F3 | inject.so | Linux/FontOnLake\r\nC\u0026Cs\r\nFrom samples:\r\n47.107.60[.]212\r\n47.112.197[.]119\r\n156.238.111[.]174\r\n172.96.231[.]69\r\nhm2.yrnykx[.]com\r\nywbgrcrupasdiqxknwgceatlnbvmezti[.]com\r\nyhgrffndvzbtoilmundkmvbaxrjtqsew[.]com\r\nwcmbqxzeuopnvyfmhkstaretfciywdrl[.]name\r\nruciplbrxwjscyhtapvlfskoqqgnxevw[.]name\r\npdjwebrfgdyzljmwtxcoyomapxtzchvn[.]com\r\nnfcomizsdseqiomzqrxwvtprxbljkpgd[.]name\r\nhkxpqdtgsucylodaejmzmtnkpfvojabe[.]com\r\netzndtcvqvyxajpcgwkzsoweaubilflh[.]com\r\nesnoptdkkiirzewlpgmccbwuynvxjumf[.]name\r\nekubhtlgnjndrmjbsqitdvvewcgzpacy[.]name\r\nFrom internet-wide scan:\r\n27.102.130[.]63\r\nFilenames\r\n/lib/modules/%VARIABLE%/kernel/drivers/input/misc/ati_remote3.ko\r\n/etc/sysconfig/modules/ati_remote3.modules\r\n/tmp/.tmp_%RANDOM%\r\nVirtual filenames\r\n/proc/.dot3\r\n/proc/.inl\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 9 of the ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nInitial Access | T1078 | Valid Accounts | FontOnLake can collect at least ssh credentials.\r\nExecution | T1059.004 | Command and Scripting Interpreter: Unix Shell | FontOnLake enables execution of Unix shell commands.\r\nExecution | T1059.006 | Command and Scripting Interpreter: Python | FontOnLake enables execution of arbitrary Python scripts.\r\nExecution | T1106 | Native API | FontOnLake uses fork() to create additional processes such as sshd.\r\nExecution | T1204 | User Execution | FontOnLake trojanizes standard tools such as cat to execute itself.\r\nPersistence | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | One of FontOnLake’s rootkits can be executed with a start-up script.\r\nPersistence | T1037 | Boot or Logon Initialization Scripts | FontOnLake creates a system start-up script ati_remote3.modules.\r\nPersistence | T1554 | Compromise Client Software Binary | FontOnLake modifies several standard binaries to achieve persistence.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Some backdoors of FontOnLake can decrypt AES-encrypted and serialized communication and base64-decode the encrypted C\u0026C address.\r\nDefense Evasion | T1222.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | FontOnLake’s backdoor can change the permissions of the file it wants to execute.\r\nDefense Evasion | T1564 | Hide Artifacts | FontOnLake hides its connections and processes with rootkits.\r\nDefense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | FontOnLake hides its files with rootkits.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | FontOnLake packs its executables with UPX.\r\nDefense Evasion | T1014 | Rootkit | FontOnLake uses rootkits to hide the presence of its processes, files, network connections and drivers.\r\nCredential Access | T1556 | Modify Authentication Process | FontOnLake modifies sshd to collect credentials.\r\nDiscovery | T1083 | File and Directory Discovery | One of FontOnLake’s backdoors can list files and directories.\r\nDiscovery | T1082 | System Information Discovery | FontOnLake can collect system information from the victim’s machine.\r\nLateral Movement | T1021.004 | Remote Services: SSH | FontOnLake collects ssh credentials and most probably intends to use them for lateral movement.\r\nCommand and Control | T1090 | Proxy | FontOnLake can serve as a proxy.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | FontOnLake acquires additional C\u0026C servers over HTTP.\r\nCommand and Control | T1071.002 | Application Layer Protocol: File Transfer Protocols | FontOnLake can download additional Python files to be executed over FTP.\r\nCommand and Control | T1132.001 | Data Encoding: Standard Encoding | FontOnLake uses base64 to encode HTTPS responses.\r\nCommand and Control | T1568 | Dynamic Resolution | FontOnLake can use HTTP to download resources that contain an IP address and port number pair to connect to and acquire its C\u0026C. It can use dynamic DNS resolution to construct and resolve to a randomly chosen domain.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | FontOnLake uses AES to encrypt communication with its C\u0026C.\r\nCommand and Control | T1008 | Fallback Channels | FontOnLake can use dynamic DNS resolution to construct and resolve to a randomly chosen domain. One of its rootkits also listens for specially crafted packets, which instruct it to download and execute additional files. It also both connects to a C\u0026C and accepts connections on all interfaces.\r\nCommand and Control | T1095 | Non-Application Layer Protocol | FontOnLake uses TCP for communication with its C\u0026C.\r\nCommand and Control | T1571 | Non-Standard Port | Almost every sample of FontOnLake uses a unique non-standard port.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | FontOnLake uses its C\u0026C to exfiltrate collected data.\r\nSource: https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/"
	],
	"report_names": [
		"fontonlake-previously-unknown-malware-family-targeting-linux"
	],
	"threat_actors": [
		{
			"id": "1934b371-2525-4615-a90a-772182bc4184",
			"created_at": "2022-10-25T15:50:23.396576Z",
			"updated_at": "2026-04-10T02:00:05.341979Z",
			"deleted_at": null,
			"main_name": "Windigo",
			"aliases": [
				"Windigo"
			],
			"source_name": "MITRE:Windigo",
			"tools": [
				"Ebury"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3844202f-b24a-4e16-b7b9-dfe8c0a44d5d",
			"created_at": "2022-10-25T16:07:24.526179Z",
			"updated_at": "2026-04-10T02:00:05.023222Z",
			"deleted_at": null,
			"main_name": "Operation Windigo",
			"aliases": [
				"G0124"
			],
			"source_name": "ETDA:Operation Windigo",
			"tools": [
				"CDorked",
				"CDorked.A",
				"Calfbot",
				"Ebury"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439060,
	"ts_updated_at": 1775792097,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b833ffc1d517949268080da304ff84e929a6b248.pdf",
		"text": "https://archive.orkl.eu/b833ffc1d517949268080da304ff84e929a6b248.txt",
		"img": "https://archive.orkl.eu/b833ffc1d517949268080da304ff84e929a6b248.jpg"
	}
}