{
	"id": "4b3bf6fb-1bd1-494f-bd75-714a24674b3d",
	"created_at": "2026-04-06T00:09:30.18975Z",
	"updated_at": "2026-04-10T03:21:57.45403Z",
	"deleted_at": null,
	"sha1_hash": "ca1b2ed54fa5135a144917ca60f1203fd82ee4d9",
	"title": "HabitsRAT Used to Target Linux and Windows Servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 517300,
	"plain_text": "HabitsRAT Used to Target Linux and Windows Servers\r\nBy Joakim Kennedy\r\nPublished: 2021-04-20 · Archived: 2026-04-05 19:05:51 UTC\r\nWe have discovered a new malware written in Go, which we are calling HabitsRAT, targeting both Windows and\r\nLinux machines. The Windows version of the malware was first reported on by Brian Krebs and The\r\nShadowserver Foundation in attacks against Microsoft Exchange servers. In addition to this version, we have\r\nidentified a newer Windows variant and a variant targeting Linux environments. As of this writing, the Linux\r\nversion is undetected by all Antivirus engines on VirusTotal. We assess that the Linux version is used to target\r\nLinux servers in an adjacent campaign to the one reported by The Shadowserver Foundation. The malware allows\r\nthe attacker to control the compromised machine remotely. To protect themself from being taken over by others,\r\nthe attacker’s commands are signed by a private key that only the attacker has access to. The malware does not\r\nexecute commands that are not signed by the correct key, suggesting that the malware has been developed by a\r\nsophisticated programmer.\r\nIntro\r\nOn March 28th, Brian Krebs published a blog post about attacks against Microsoft Exchange servers. In one of\r\nthose attacks, a webshell called “Babydraco” was deployed. The webshell was used to deploy a new malware.\r\nThe binary had the filename “krebsonsecurity.exe” and used a Command and Control (C2) server located at\r\n“brian[.]krebsonsecurity[.]top”. This malware turns out to be a remote access trojan (RAT) that has been written\r\nto target both Windows and Linux machines. Based on strings found in the malware, we have named it\r\nHabitsRAT.\r\nWhile the Windows version of the RAT has been documented being installed on compromised Microsoft\r\nExchange servers, it is not known what type of servers the Linux version is used against. 
Still, in the last couple of\r\nmonths, numerous remote code execution (RCE) vulnerabilities have been disclosed in hardware and services\r\nrunning on top of Linux. About a month ago, CISA released an advisory urging users of F5 BIG-IP to apply\r\npatches to address RCE vulnerabilities.\r\nTechnical Analysis\r\nThe HabitsRAT is a simple backdoor that allows the malware operator to execute arbitrary code on the infected\r\nmachine. While the backdoor is simple in design, the malware has functionality making the attack more complex\r\nthan what is normally seen. The malware is written in Go and targets at least both Windows and Linux\r\nmachines. The structure for the Windows version of the malware, generated by redress, is shown in the code\r\nsnippet below. Most of the code is shared between the Windows version and the Linux version. The operating\r\nsystem-specific code has been placed in the files “commandplatform_windows.go”,\r\n“keyplatform_windows.go” and “persistencehandler_windows.go”. 
The rest of the files are shared with the\r\nLinux version.\r\nhttps://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers\r\nPage 1 of 13\n\nPackage main: C:/Users/user/habits/habits-client\r\nFile: commandhandler.go    \r\n    RunSignedCommand Lines: 17 to 35 (18)    \r\nFile: commandplatform_windows.go    \r\n    RunCommand Lines: 8 to 13 (5)    \r\nFile: keyhandler.go    \r\n    GetOrGenerateKey Lines: 13 to 23 (10)    \r\n    GenerateKey Lines: 23 to 42 (19)    \r\n    GetKeyStore Lines: 42 to 50 (8)    \r\n    SetKey Lines: 50 to 68 (18)    \r\n    GetKey Lines: 68 to 77 (9)    \r\nFile: keyplatform_windows.go    \r\n    GetRootKeyStore Lines: 11 to 19 (8)    \r\n    GetUserKeyStore Lines: 19 to 27 (8)    \r\n    IsRoot Lines: 27 to 49 (22)    \r\nFile: main.go    \r\n    main Lines: 17 to 34 (17)    \r\nFile: persistencehandler.go    \r\n    InstallPersistence Lines: 9 to 17 (8)    \r\n    CopyBinary Lines: 17 to 22 (5)    \r\nFile: persistencehandler_windows.go    \r\n    CheckPersistence Lines: 11 to 21 (10)    \r\n    GetBinStoreRoot Lines: 21 to 29 (8)    \r\n    GetBinStoreUser Lines: 29 to 37 (8)    \r\n    InstallPersistRoot Lines: 37 to 98 (61)\r\nThe Linux source code structure is shown in the code snippet below. 
The Linux specific code has been placed in\r\nthe files “commandplatform_linux.go”, “keyplatform_linux.go” and “persistencehandler_systemd_linux.go”.\r\nPackage main: C:/Users/user/habits/habits-client\r\nFile: commandhandler.go    \r\n    RunSignedCommand Lines: 17 to 35 (18)    \r\nFile: commandplatform_linux.go    \r\n    RunCommand Lines: 8 to 13 (5)    \r\nFile: keyhandler.go    \r\n    GetOrGenerateKey Lines: 13 to 23 (10)    \r\n    GenerateKey Lines: 23 to 46 (23)    \r\n    GetKeyStore Lines: 46 to 54 (8)    \r\n    SetKey Lines: 54 to 72 (18)    \r\n    GetKey Lines: 72 to 84 (12)    \r\n    IsRootAsString Lines: 84 to 86 (2)    \r\nFile: keyplatform_linux.go    \r\n    GetRootKeyStore Lines: 9 to 16 (7)    \r\n    GetUserKeyStore Lines: 16 to 17 (1)    \r\nFile: main.go    \r\n    main Lines: 17 to 34 (17)    \r\nFile: persistencehandler.go    \r\n    InstallPersistence Lines: 9 to 17 (8)    \r\n    CopyBinary Lines: 17 to 20 (3)    \r\nFile: persistencehandler_systemd_linux.go    \r\n    Systemd_CheckPersistence Lines: 11 to 25 (14)    \r\n    Systemd_GetBinStoreUser Lines: 25 to 33 (8)    \r\n    Systemd_InstallPersistRoot Lines: 33 to 64 (31)\r\nInstallation\r\nWhen the binary is run, it installs itself into a folder. The Windows version’s location is\r\n“%SystemDrive%WindowsDefenderMsMpEng.exe” while the Linux version is\r\n“$HOME/.config/polkitd/polkitd”. This will result in the malware being installed under “/root” if it’s being run\r\nwith root privileges.\r\nAfter the malware has installed itself, it checks if the persistence method has been set up. If it hasn’t, it goes ahead\r\nand sets it up. On Linux, it uses a “systemd” unit file. 
The malware checks if it’s already configured by executing\r\nthe command “systemctl status polkitd”, as shown in Figure 1.\r\nFigure 1: Linux version of the malware checks if persistence has been configured already.\r\nThe systemd unit file is created at “/etc/systemd/system/polkitd.service” and its content is shown in the code\r\nsnippet below.\r\n[Unit]\r\nDescription=Authorization Manager\r\nAfter=network.target\r\n[Service]\r\nGuessMainPID=no\r\nExecStart=\"/path/to/binary\"\r\nRestart=always\r\n[Install]\r\nWantedBy=multi-user.target\r\nThe Windows version of HabitsRAT uses scheduled tasks for persistence. First, it writes the scheduled task “xml”\r\nto a file located at “%TEMP%krebsonsecurity.xml”. The content of the file is shown in the snippet below. The\r\ntask is added by executing the shell command: “sCHtAsks.exe /create /xml %TEMP%krebsonsecurity.xml /tn\r\nWindowsDefenderScan”\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\r\n\u003cTask version=\"1.2\"\r\nxmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\r\n  \u003cRegistrationInfo\u003e\r\n        \u003cDate\u003e2020-12-18T09:56:46.3915265\u003c/Date\u003e\r\n        \u003cAuthor\u003eMicrosoft Corporation\u003c/Author\u003e\r\n        \u003cURI\u003e\\Microsoft\\MicrosoftUpdater\u003c/URI\u003e\r\n  \u003c/RegistrationInfo\u003e\r\n  \u003cTriggers\u003e\r\n        \u003cBootTrigger\u003e\r\n        \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n        \u003cDelay\u003ePT1M\u003c/Delay\u003e\r\n        \u003c/BootTrigger\u003e\r\n  \u003c/Triggers\u003e\r\n  \u003cPrincipals\u003e\r\n        \u003cPrincipal id=\"Author\"\u003e\r\n        \u003cUserId\u003eS-1-5-18\u003c/UserId\u003e\r\n        \u003cRunLevel\u003eHighestAvailable\u003c/RunLevel\u003e\r\n        \u003c/Principal\u003e\r\n  \u003c/Principals\u003e\r\n  \u003cSettings\u003e\r\n        
\u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\r\n        \u003cDisallowStartIfOnBatteries\u003efalse\u003c/DisallowStartIfOnBatteries\u003e\r\n        \u003cStopIfGoingOnBatteries\u003efalse\u003c/StopIfGoingOnBatteries\u003e\r\n        \u003cAllowHardTerminate\u003efalse\u003c/AllowHardTerminate\u003e\r\n        \u003cStartWhenAvailable\u003etrue\u003c/StartWhenAvailable\u003e\r\n        \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\r\n        \u003cIdleSettings\u003e\r\n        \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\r\n        \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\r\n        \u003c/IdleSettings\u003e\r\n        \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\r\n        \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n        \u003cHidden\u003efalse\u003c/Hidden\u003e\r\n        \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\r\n        \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\r\n        \u003cExecutionTimeLimit\u003ePT0S\u003c/ExecutionTimeLimit\u003e\r\n        \u003cPriority\u003e7\u003c/Priority\u003e\r\n  \u003c/Settings\u003e\r\n  \u003cActions Context=\"Author\"\u003e\r\n        \u003cExec\u003e\r\n        \u003cCommand\u003e\r\n                pathtobinary\r\n        \u003c/Command\u003e\r\n        \u003c/Exec\u003e\r\n  \u003c/Actions\u003e\r\n\u003c/Task\u003e\r\nCommand and Control Communication\r\nThe RAT uses public-key cryptography to both encrypt and authenticate the commands from the C2 server. The\r\nmalware generates a public-private key pair using an open-source library provided by Proton Mail. Figure 2 shows\r\nthe call to the GenerateKey function and its arguments. 
The malware uses the machine’s hostname as the name\r\nand an email address of “a@a.a”. No password is provided and it requests a 2048-bit RSA key.\r\nThe key is stored and written to disk. The Linux version of HabitsRAT writes to “$HOME/.config/.accounts-daemon/accounts-daemon.login.conf” if it is running as a normal user or to “/usr/share/accounts-daemon/accounts-daemon.so”. The Windows version uses\r\n“%SystemDrive%WindowsDefenderMsMpEng.dll” or “%APPDATA%Windows\r\nNTDefenderMsMpEng.dll” instead.\r\nFigure 2: Generation of public-private key pair using the open-source library from Proton Mail.\r\nHabitsRAT sends a “check-in” POST request to the C2 server to see if it should execute a command. As part of the\r\nrequest, it sends some data about the infected machine. The form data of the request is shown below. The data\r\nincludes the “no_replay” field that holds the sha256 hash of some random data. This acts like a nonce to prevent\r\nexecuting the same request multiple times. The request also includes the public key for the malware instance. This\r\nis to allow the C2 server to encrypt the commands to it. It also has a version value that is hardcoded to 11.\r\nno_replay: [sha256 hash of random data]\r\npublic_key: public key in ascii armour\r\nhostname: [machine hostname]\r\ngoos: [linux or window]\r\ngoarch: amd64\r\nshell: [$SHELL expanded]\r\nroot: [true or false]\r\nversion: 11\r\nThe data is sent to “https://brian.krebsonsecurity[.]top/checkin”. If no command is returned, the malware\r\nsleeps for 10 seconds and sends the request again. If the C2 responds with data, the malware checks that the threat\r\nactor’s key has signed it. A hardcoded public key is included in the binary. 
Extracted information from the key\r\nshows that it was generated in December 2020 and includes a name and a Gmail address.\r\npub   rsa3072 2020-12-03 [SC] [expires: 2022-12-03]\r\nuid       [REDACTED] \u003c[REDACTED]@gmail.com\u003e\r\nsub   rsa3072 2020-12-03 [E] [expires: 2022-12-03]\r\nIf the correct key has signed the response, HabitsRAT uses its private key to decrypt the payload. The data has\r\nbeen serialized to JSON and the malware unmarshals it to the data structure shown below.\r\ntype main.CommandList struct {\r\n    No_replay string\r\n    Commands []string\r\n}\r\nThe Commands field is passed as arguments to either “bash -c” for the Linux version or “cmd /c” for the\r\nWindows version.\r\nHabitsRAT Version 12\r\nA newer Windows version of HabitsRAT has also been found. Much of the functionality is the same as version 11.\r\nThe main difference is that it’s using a different C2 public key and supports multiple C2 addresses. As can be seen\r\nfrom the snippet below, this key was generated on the 2nd of April.\r\npub   rsa3072 2021-04-02 [SC] [expires: 2023-04-02]\r\nuid       Brian Krebs \u003ckrebsonsecurity@gmail.com\u003e\r\nsub   rsa3072 2021-04-02 [E] [expires: 2023-04-02]\r\nThe malware uses four different C2 addresses and picks one at random. The addresses are listed below and\r\ninclude a domain of Brian Krebs’s leaked social security number:\r\nhttps://brian-krebs-erectile-dysfunction[.]com\r\nhttps://krebsonfellatio[.]net\r\nhttp://XXX-XX-XXXX.com (Redacted)\r\nhxxp://185.193.126.198\r\nThe addresses are stored at:\r\n%SystemDrive%WindowsDefenderDefender.dll\r\n%APPDATA%Windows NTDefenderDefender.dll\r\nConclusion\r\nThe HabitsRAT is a multi-operating system malware targeting both Windows and Linux environments. There is a\r\nlot of code reuse between the two variants. 
It provides the attacker with the capability to execute arbitrary code on\r\nthe infected machine. To protect its C2 communication, the data is encrypted and signed using PGP. Ensure\r\ninternet facing servers are patched to prevent being infected by HabitsRAT. Indicators of Compromise (IoCs)\r\nbelow can be used to detect if a server has been compromised. Go malware has been hard to detect by Antivirus\r\nproducts so it’s likely this trend will continue. We have seen threat actors pivot and target different operating\r\nsystems with the same codebase for the malware, resulting in low or undetected malware samples, especially for\r\nLinux—which has a large presence in the cloud. Since the malware is derived from the same codebase, detection\r\nbased on code reuse has proven to be very effective.\r\nRuntime protection with Intezer Protect gives you immediate visibility over all code running in your systems and\r\nalerts you whenever unauthorized or malicious code is executed. Intezer Protect users can detect and mitigate\r\nthreats like HabitsRAT on their Linux systems. 
Protect 10 hosts for free with our community edition.\r\nFigure 3: HabitsRAT detection in Intezer Protect.\r\nIoCs\r\nHashes\r\nWindows version of HabitsRAT\r\nLinux version of HabitsRAT\r\nFile paths\r\n%SystemDrive%WindowsDefenderMsMpEng.exe\r\n$HOME/.config/polkitd/polkitd\r\n/etc/systemd/system/polkitd.service\r\n%TEMP%krebsonsecurity.xml\r\n$HOME/.config/.accounts-daemon/accounts-daemon.login.conf\r\n/usr/share/accounts-daemon/accounts-daemon.so\r\n%SystemDrive%WindowsDefenderMsMpEng.dll\r\n%APPDATA%Windows NTDefenderMsMpEng.dll\r\n%SystemDrive%WindowsDefenderDefender.dll\r\n%APPDATA%Windows NTDefenderDefender.dll\r\nNetwork indicators\r\nbrian[.]krebsonsecurity[.]top\r\nbrian-krebs-erectile-dysfunction[.]com\r\nkrebsonfellatio[.]net\r\n185.193.126.198\r\nC2 public keys\r\nVersion 11\r\nVersion 12\r\nSource: https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers"
	],
	"report_names": [
		"habitsrat-used-to-target-linux-and-windows-servers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434170,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ca1b2ed54fa5135a144917ca60f1203fd82ee4d9.pdf",
		"text": "https://archive.orkl.eu/ca1b2ed54fa5135a144917ca60f1203fd82ee4d9.txt",
		"img": "https://archive.orkl.eu/ca1b2ed54fa5135a144917ca60f1203fd82ee4d9.jpg"
	}
}