{
	"id": "0f76044c-17c2-48f0-abdd-04649c2f4ea8",
	"created_at": "2026-04-06T00:12:19.497342Z",
	"updated_at": "2026-04-10T03:35:59.973664Z",
	"deleted_at": null,
	"sha1_hash": "c113d860308817fd565d73657bc12da6d142c7bd",
	"title": "Analyzing ELF/Sshdinjector.A!tr with a Human and Artificial Analyst | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1880911,
	"plain_text": "Analyzing ELF/Sshdinjector.A!tr with a Human and Artificial\r\nAnalyst | FortiGuard Labs\r\nBy Axelle Apvrille\r\nPublished: 2025-02-04 · Archived: 2026-04-05 20:01:47 UTC\r\nAffected Platform: Linux\r\nImpacted Users: Linux-based network appliances or IoT\r\nImpact: Data exfiltration\r\nSeverity Level: Medium\r\nELF/Sshdinjector.A!tr is a collection of malware that can be injected into the SSH daemon. Samples of this\r\nmalware collection surfaced around mid-November 2024. While we have a good amount of threat intelligence on\r\nthem (e.g., they are attributed to the DaggerFly espionage group), nobody seems to have looked into what they\r\nactually do. In this blog post, we will focus on the reverse engineering of the attack’s binaries and how this reverse\r\nengineering was achieved.\r\nReverse Engineering of ELF/Sshdinjector.A!tr\r\nThe attack uses several binaries:\r\nA dropper checks if the host is infected. If not, it drops all malicious binaries (see Figure 1) at the right\r\nplaces.\r\nA malicious SSH library named libsshd.so communicates with a remote bot master and will typically\r\nexfiltrate information.\r\nSeveral other infected binaries (mainpasteheader, selfrecoverheader,…) ensure the host remains infected\r\n(malware persistence).\r\nhttps://www.fortinet.com/blog/threat-research/analyzing-elf-sshdinjector-with-a-human-and-artificial-analyst\r\nPage 1 of 8\n\nFigure 1: Overview of ELF/Sshdinjector\r\nMore precisely, the dropper checks if it is being run under root privileges and, if not, exits. It then checks whether\r\nthe host is infected by searching for a file named /bin/lsxxxssswwdd11vv containing the word WATERDROP. If the\r\nhost is not yet infected, it attempts to overwrite the legitimate binaries ls, netstat, and crond with infected binaries\r\n(/bin/lsxxxssswwdd11vv, selfrecoverheader, mainpasteheader, …). 
Finally, it searches the SSH daemon and, if\r\nnecessary, infects it with libsshd.so.\r\nThe malicious payload is contained in libsshd.so. The main element is found in a function named “haha.” It also\r\ncreates two other threads from the functions “heihei” and “xixi”. Those three names refer to laughing in Chinese.\r\nFunction “xixi” checks whether it has access to /root/intensify-mm-inject/xxx, in which case it will kill and restart\r\nboth the SSH and Cron daemons. Function “heihei” connects to the remote C2 (hard-coded IP address\r\n45.125.64[.]200, port 33200 or 33223) and listens for incoming commands.\r\nCommand Id Description\r\n1 SERVER_REQ_BASE_INFO. Exfiltrates uname, MAC address, etc. to C2\r\n2 Lists running services, by listing files in /etc/init.d\r\n3 Reads users from /etc/shadow\r\n4 Lists running processes\r\n5 Tests access to /var/log/dmesg\r\n6 Tests access to /tmp/fcontr.xml\r\n7 Lists a given directory\r\n8 File transfer\r\n9 Opens a shell terminal\r\n10 Executes a command in the terminal\r\n11 Unloads and exits the malicious process\r\n12 Removes a file\r\n13 Renames a file\r\n1000 SERVER_RET_ONLINE_ACK\r\n0x80000001 Client status change notification. It sends base info, the service list, and the users read from /etc/shadow.\r\nCommunication with the C2 uses its own protocol. 
All packets include a hard-coded UUID (a273079c-3e0f-4847-a075-b4e1f9549e88), an identifier (afa8dcd81a854144), and the response to the command.\r\nAI-Assisted Malware Analysis\r\nReverse engineering was performed using Radare2, assisted by Generative AI through the Radare2 extension\r\n“r2ai.”\r\nThis study shows that AI provides excellent insights into the malware, delivering high-quality source code that\r\ncomplements the output obtained from a standard decompiler.\r\nFor example, I used r2ai in “auto” mode. In this mode, the user asks the AI a question, and the AI automatically\r\nperforms the necessary steps with the radare2 disassembler to answer. This is particularly helpful for users who\r\ndon’t know Radare2 well.\r\nFigure 2: r2ai runs in auto mode and automatically issues r2 command “iz” to start working on the question.\r\nIn this screenshot, we see the AI automatically searches for strings in the binary, via r2’s command “iz”.\r\nThe overview of the dropper is excellent. AI excels in reading large quantities of information and\r\nsummarizing them.\r\nFigure 3: The AI summarizes the behavior of the malware quite well.\r\nWe can then ask the AI to decompile the main function. While the AI-generated source code is easy to understand, its\r\ndetails are not always correct. By comparison, source code produced by decompilers is often difficult to read but\r\nis accurate. Because of this, it is important to remember that these approaches complement each other and are\r\nideally viewed side by side.\r\nFigure 4: This source code was generated by the AI, via r2ai. It is globally correct, readable and useful. 
Only\r\ncomments marked “AXELLE REMARK” are my own, and highlight a few errors of the AI.\r\nWhile AI performs very well, there are many cases in which it does not produce a satisfactory answer, at least not\r\nat first.\r\nThe most common issue is hallucination, wherein the AI invents something that isn’t true. Worse, it’s not always\r\neasy for a human analyst to spot hallucinations because the AI can sound very convincing. For example, in the AI-generated code below, the AI completely created an upload and a download command that are pure invention.\r\nFigure 5: An example of AI hallucination: the botnet has neither a FILE_DOWNLOAD nor a FILE_UPLOAD\r\ncommand. This is an invention, misunderstanding an existing “file copy” feature.\r\nAnother frequent issue is extrapolation, where the AI does not totally invent something but extrapolates it. For\r\nexample, the AI says the malware “manipulates” the MAC address. This is far-fetched. While it creates a string\r\ncontaining the host's MAC address and exfiltrates it, there is no modification of the MAC address. In a related\r\nexample, the AI claims the malware hides its network communications. It does not. It hides on the OS by infecting\r\ncommon binaries such as netstat, but it does not attempt to hide the communication itself.\r\nFigure 6: AI extrapolation. The sentences outlined in red have been largely exaggerated by the AI.\r\nYet another issue is omissions. Omissions are the downside of AI’s power to summarize situations. Its summaries\r\noften lack the details a human would find important. For example, at some point, the malware tests access to a file\r\nnamed /tmp/fcontr.xml. Despite this being absolutely clear in the assembly, the first version of AI-generated\r\ncode completely omitted this part. 
The solution to this issue is to ask again by modifying the question/prompt\r\nfor the AI. In this case, I simply added to the end of the prompt: “Please pay attention to what is around\r\nfcontr.xml” and it solved the problem. Of course, this requires knowing that something had been omitted in the\r\nfirst place.\r\nIn fact, interactions with AI are seldom perfect in a single shot. Rather, they could be compared to a discussion\r\nwith a capable colleague with impressive knowledge and intelligence but less intuition and experience. For this\r\nresearch, I kept my disassembler open. I used it several times to check for hallucinations, assist the AI (!) when it\r\nfailed to find correct addresses or cross-references, or guide it to look into interesting parts.\r\nConclusion\r\nWhile disassemblers and decompilers have improved over the last decade, this cannot be compared to the level of\r\ninnovation we are seeing with AI. This is outstanding!\r\nAI is particularly good at providing overviews of samples and generating easy-to-understand source code.\r\nFortunately—or not?—AI cannot work alone and must be piloted and complemented by competent human\r\nanalysis to spot hallucinations (the most dangerous issues), refine questions, identify omissions, or guide the\r\nAI in the most interesting direction.\r\nI haven’t discussed language models yet. Obviously, r2ai’s results depend on the language model used. Language\r\nmodels are configurable, and we can conveniently switch from one to another, whether a local model or a remote\r\none, free access or paid. 
The results from this article were mainly obtained using Claude 3.5 Sonnet 2024-10-22.\r\nLast but not least, this blog post was written without AI assistance ;-)\r\nFortinet Protections\r\nFortinet customers are already protected from this malware variant through our AntiVirus as follows: FortiGuard\r\nLabs detects the sample with the following AV signatures:\r\nELF/Sshdinjector.A!tr and Linux/Agent.ACQ!tr\r\nThe FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP\r\ncustomers running current AntiVirus updates are also protected.\r\nIOCs\r\n94e8540ea39893b6be910cfee0331766e4a199684b0360e367741facca74191f\r\n0e2ed47c0a1ba3e1f07711fb90ac8d79cb3af43e82aa4151e5c7d210c96baebb\r\n6d08ba82bb61b0910a06a71a61b38e720d88f556c527b8463a11c1b68287ce84\r\nSource: https://www.fortinet.com/blog/threat-research/analyzing-elf-sshdinjector-with-a-human-and-artificial-analyst",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/analyzing-elf-sshdinjector-with-a-human-and-artificial-analyst"
	],
	"report_names": [
		"analyzing-elf-sshdinjector-with-a-human-and-artificial-analyst"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434339,
	"ts_updated_at": 1775792159,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c113d860308817fd565d73657bc12da6d142c7bd.pdf",
		"text": "https://archive.orkl.eu/c113d860308817fd565d73657bc12da6d142c7bd.txt",
		"img": "https://archive.orkl.eu/c113d860308817fd565d73657bc12da6d142c7bd.jpg"
	}
}