{
	"id": "6970d640-d2d6-4319-8249-839eaab4ec6a",
	"created_at": "2026-04-06T00:21:34.196023Z",
	"updated_at": "2026-04-10T13:11:45.469415Z",
	"deleted_at": null,
	"sha1_hash": "daaab4ecc6221a20f94367ae8699ba72f80c0b76",
	"title": "The Art of Domain Deception: Bifrost's New Tactic to Deceive Users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4496512,
	"plain_text": "The Art of Domain Deception: Bifrost's New Tactic to Deceive\r\nUsers\r\nBy Anmol Maurya, Siddharth Sharma\r\nPublished: 2024-02-29 · Archived: 2026-04-05 16:51:41 UTC\r\nExecutive Summary\r\nWe recently found a new Linux variant of Bifrost (aka Bifrose), showcasing an innovative technique to evade\r\ndetection. It uses a deceptive domain, download.vmfare[.]com, which mimics the legitimate VMware domain.\r\nThis latest version of Bifrost aims to bypass security measures and compromise targeted systems.\r\nFirst identified in 2004, Bifrost is a remote access Trojan (RAT) that allows an attacker to gather sensitive\r\ninformation, like hostname and IP address. In this article, along with exploring Bifrost, we’ll also showcase a\r\nnotable spike in Bifrost’s Linux variants during the past few months. This spike raises concerns among security\r\nexperts and organizations.\r\nPalo Alto Networks customers are better protected from the threats discussed in this article through our Next-Generation Firewall with Cloud-Delivered Security Services, including Advanced WildFire. Advanced URL\r\nFiltering and DNS Security. Cortex XDR can help detect and prevent Bifrost and related malicious behavior. If\r\nyou think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nIntroduction\r\nAttackers typically distribute Bifrost through email attachments or malicious websites. Once installed on a\r\nvictim's computer, Bifrost allows the attacker to gather sensitive information, like the victim’s hostname and IP\r\naddress.\r\nThe latest version of Bifrost reaches out to a command and control (C2) domain with a deceptive name,\r\ndownload.vmfare[.]com, which appears similar to a legitimate VMware domain. This is a practice known as\r\ntyposquatting. 
By leveraging this deceptive domain, the threat actors behind Bifrost aim to bypass security\r\nmeasures, evade detection, and ultimately compromise targeted systems.\r\nAs of late February, the deceptive domain has so far been undetected on VirusTotal as shown below in Figure 1.\r\nhttps://unit42.paloaltonetworks.com/new-linux-variant-bifrost-malware/\r\nPage 1 of 8\n\nFigure 1. VirusTotal score for download.vmfare[.]com.\r\nMalware Overview: Bifrost\r\nWe found the latest sample of Bifrost (SHA256 hash:\r\n8e85cb6f2215999dc6823ea3982ff4376c2cbea53286e95ed00250a4a2fe4729) hosted on a server at 45.91.82[.]127.\r\nThe sample binary is compiled for x86 and appears to be stripped. A stripped binary is one from which debugging\r\ninformation and symbol tables have been removed. Attackers usually use this technique to hinder analysis.\r\nFigure 2 shows the sample’s file type using the file command from a terminal window in a Linux environment.\r\nFigure 2. Stripped binary.\r\nTo better understand how this latest version of Bifrost functions, we viewed the recent sample in a disassembler.\r\nThe malware first creates a socket via a setSocket function to establish communications, then it collects the user\r\ndata and sends it to the attacker’s server. The disassembled code illustrating this is shown below in Figure 3.\r\nFigure 3. Code flow of the malware seen in a disassembler.\r\nA snippet of code for the setSocket function is shown below in Figure 4, where the code pushes three values onto\r\nthe stack and later calls sys_socket(0x8063A80):\r\npush 2: This corresponds to the socket domain, which is AF_INET (IPv4 Internet Protocols).\r\npush 1: This corresponds to the socket type, which is SOCK_STREAM (TCP).\r\npush 6: This corresponds to the socket protocol, which is IPPROTO_TCP (TCP).\r\nFigure 4. Disassembler view of code for socket creation in the Bifrost sample.\r\nAfter socket creation, the malware collects user data as shown below in Figure 5, to send it over to the attacker's\r\nserver.\r\nFigure 5. Disassembled code showing how Bifrost collects victim data.\r\nThis recent sample uses RC4 encryption to encrypt collected victim data as shown below in Figure 6. Compared\r\nto previous Bifrost samples, we find small changes, like bitwise AND operations in the encryption process,\r\ndepending on the particular instance being studied.\r\nFigure 6. Disassembled code from the most recent Bifrost sample, indicating potentially modified\r\nRC4 encryption.\r\nSubsequently, the malware tries to make contact with a Taiwan-based public DNS resolver with the IP address\r\n168.95.1[.]1 shown below in Figure 7.\r\nFigure 7. Debugger output and disassembled code revealing the malware contacting a public DNS\r\nresolver at 168.95.1[.]1.\r\nAs evidenced by the logs in Figure 8, the malware initiates a DNS query to resolve the domain\r\ndownload.vmfare[.]com by employing the public DNS resolver at 168.95.1[.]1. This step is crucial in ensuring\r\nthat the malware can successfully connect to its intended destination.\r\nFigure 8. Malware initiating a DNS query to resolve the domain download.vmfare[.]com.\r\nThe malware often adopts such deceptive domain names as C2 instead of IP addresses to evade detection and\r\nmake it more difficult for researchers to trace the source of the malicious activity.\r\nExpanding Attack Surface\r\nUpon checking, we found that the malicious IP address at 45.91.82[.]127 hosts an ARM version of Bifrost as well.\r\nThe presence of this version indicates that the attacker is trying to expand their attack surface.\r\nThe ARM version functions the same as the x86 version we’ve analyzed in this article. By providing an ARM\r\nversion of the malware, attackers can expand their grasp, compromising devices that may not be compatible with\r\nx86-based malware. As ARM-based devices become more common, cybercriminals will likely change their tactics\r\nto include ARM-based malware, making their attacks stronger and able to reach more targets.\r\nCapturing Bifrost\r\nPalo Alto Networks Advanced WildFire detected a recent spike in Bifrost activity. For the last few months,\r\nWildFire detected more than 100 instances (hashes) of Bifrost samples, as illustrated below in Figure 9.\r\nFigure 9. Advanced WildFire report of Bifrost sample detections from October through January\r\n2024.\r\nConclusion\r\nThe Bifrost RAT remains a significant and evolving threat to individuals and organizations alike. With new\r\nvariants that employ deceptive domain strategies like typosquatting, a recent spike in Bifrost activity highlights\r\nthe dangerous nature of this malware.\r\nTracking and counteracting malware like Bifrost is crucial to safeguarding sensitive data and preserving the\r\nintegrity of computer systems. This also helps minimize the likelihood of unauthorized access and subsequent\r\nharm.\r\nPalo Alto Networks customers are better protected from the threats discussed in this article through our Next-Generation Firewall with Cloud-Delivered Security Services, including Advanced WildFire, Advanced URL\r\nFiltering and DNS Security. Cortex XDR can help detect and prevent Bifrost and related malicious behavior.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nAcknowledgments\r\nWe would like to thank Bradley Duncan for his valuable input and suggestions that helped shape this article.\r\nIndicators of Compromise\r\nMalware Samples\r\nSHA256 Hash Architecture\r\n8e85cb6f2215999dc6823ea3982ff4376c2cbea53286e95ed00250a4a2fe4729 x86\r\n2aeb70f72e87a1957e3bc478e1982fe608429cad4580737abe58f6d78a626c05 ARM\r\nDomain and IP Addresses\r\ndownload.vmfare[.]com\r\n45.91.82[.]127\r\nSource: https://unit42.paloaltonetworks.com/new-linux-variant-bifrost-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/new-linux-variant-bifrost-malware/"
	],
	"report_names": [
		"new-linux-variant-bifrost-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434894,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/daaab4ecc6221a20f94367ae8699ba72f80c0b76.pdf",
		"text": "https://archive.orkl.eu/daaab4ecc6221a20f94367ae8699ba72f80c0b76.txt",
		"img": "https://archive.orkl.eu/daaab4ecc6221a20f94367ae8699ba72f80c0b76.jpg"
	}
}