{
	"id": "f2e6d436-4bd5-4916-af4b-763aac24be8c",
	"created_at": "2026-04-06T00:11:51.047573Z",
	"updated_at": "2026-04-10T03:24:18.122502Z",
	"deleted_at": null,
	"sha1_hash": "bdbf5cdbdeda1e29c4ea9beaa2797aaa71a8f0f4",
	"title": "Linux warning: TrickBot malware is now infecting your systems",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2591029,
	"plain_text": "Linux warning: TrickBot malware is now infecting your systems\r\nBy Lawrence Abrams\r\nPublished: 2020-07-31 · Archived: 2026-04-05 22:43:04 UTC\r\n7/31/20: Update added below with information from Intezer Labs and a link to the malware sample. This article was originally published on July 30th, 2020.\r\nTrickBot's Anchor malware platform has been ported to infect Linux devices and compromise further high-impact and high-value targets using covert channels.\r\nTrickBot is a multi-purpose Windows malware platform that uses different modules to perform various malicious activities, including information stealing, password stealing, Windows domain infiltration, and malware delivery.\r\nTrickBot is rented by threat actors who use it to infiltrate a network and harvest anything of value. It is then used to deploy ransomware such as Ryuk and Conti to encrypt the network's devices as a final attack.\r\nAt the end of 2019, both SentinelOne and NTT reported a new TrickBot framework called Anchor that utilizes DNS to communicate with its command and control servers.\r\nTrickBot's Anchor framework\r\nSource: SentinelOne\r\nNamed Anchor_DNS, the malware is used on high-value, high-impact targets with valuable financial information.\r\nIn addition to the ransomware deployments via Anchor infections, the TrickBot Anchor actors also use it as a backdoor in APT-like campaigns that target point-of-sale and financial systems.\r\nTrickBot's Anchor backdoor malware is ported to Linux\r\nHistorically, Anchor has been a Windows malware. Recently a new sample has been discovered by Stage 2 Security researcher Waylon Grange that shows that Anchor_DNS has been ported to a new Linux backdoor version called 'Anchor_Linux.'\r\nAnchor_Linux string found in x64 Linux executable\r\nSource: Waylon Grange\r\nAdvanced Intel's Vitali Kremez analyzed a sample of the new Anchor_Linux malware found by Intezer Labs.\r\nKremez told BleepingComputer that, when installed, Anchor_Linux will configure itself to run every minute using the following crontab entry:\r\n*/1 * * * * root [filename]\r\nSetting up persistence via CRON\r\nSource: Vitali Kremez\r\nIn addition to acting as a backdoor that can drop malware on the Linux device and execute it, the malware also contains an embedded Windows TrickBot executable.\r\nEmbedded Windows executable\r\nSource: Vitali Kremez\r\nAccording to Intezer, this embedded binary is a new lightweight TrickBot malware \"with code connections to older TrickBot tools\" and is used to infect Windows machines on the same network.\r\nTo infect Windows devices, Anchor_Linux copies the embedded TrickBot malware to Windows hosts on the same network using SMB and the IPC$ share.\r\nWhen successfully copied to a Windows device, Anchor_Linux will configure it as a Windows service using the Service Control Manager Remote protocol and the SMB SVCCTL named pipe.\r\nCopying a file via SMB\r\nSource: Waylon Grange\r\nWhen the service is configured, the malware is started on the Windows host, connecting back to the command and control server for commands to execute.\r\nThis Linux version allows threat actors to target non-Windows environments with a backdoor that lets the attackers covertly pivot to Windows devices on the same network.\r\n\"The malware acts as covert backdoor persistence tool in UNIX environment used as a pivot for Windows exploitation as well as used as an unorthodox initial attack vector outside of email phishing. It allows the group to target and infect servers in UNIX environment (such as routers) and use it to pivot to corporate networks,\" Kremez told BleepingComputer in a conversation about the malware.\r\nEven worse, many IoT devices such as routers, VPN devices, and NAS devices run on Linux operating systems, which could potentially be a target for Anchor_Linux.\r\nWith this evolution of the TrickBot malware, it is increasingly important for Linux systems and IoT devices to have adequate protection and monitoring to detect threats like Anchor_Linux.\r\nFor Linux users concerned they may be infected, Anchor_Linux will create a log file at /tmp/anchor.log. If this file exists, you should perform a complete audit of the system for the presence of the Anchor_Linux malware.\r\nKremez told BleepingComputer that he believes that Anchor_Linux is still in development due to testing functionality in the Linux executable.\r\nIt is expected that TrickBot will continue its development to make it a full-featured addition to its Anchor framework.\r\nSource: https://www.bleepingcomputer.com/news/security/trickbots-new-linux-malware-covertly-infects-windows-devices/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/trickbots-new-linux-malware-covertly-infects-windows-devices/"
	],
	"report_names": [
		"trickbots-new-linux-malware-covertly-infects-windows-devices"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434311,
	"ts_updated_at": 1775791458,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bdbf5cdbdeda1e29c4ea9beaa2797aaa71a8f0f4.pdf",
		"text": "https://archive.orkl.eu/bdbf5cdbdeda1e29c4ea9beaa2797aaa71a8f0f4.txt",
		"img": "https://archive.orkl.eu/bdbf5cdbdeda1e29c4ea9beaa2797aaa71a8f0f4.jpg"
	}
}