{
	"id": "57feaa35-e8fd-4919-b6ae-8b88dc39c441",
	"created_at": "2026-04-06T00:11:13.25119Z",
	"updated_at": "2026-04-10T03:21:25.957504Z",
	"deleted_at": null,
	"sha1_hash": "ead8fb36ede5f65934c6ba2fb7228c6ac351b46f",
	"title": "Kobalos – A complex Linux threat to high performance computing infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 836551,
	"plain_text": "Kobalos – A complex Linux threat to high performance computing\r\ninfrastructure\r\nBy Marc-Etienne M.LéveilléIgnacio Sanmillan\r\nArchived: 2026-04-05 16:04:30 UTC\r\nESET Research\r\nESET researchers publish a white paper about unique multiplatform malware they’ve named Kobalos\r\n02 Feb 2021  •  , 6 min. read\r\nESET researchers have analyzed malware that has been targeting high performance computing (HPC) clusters,\r\namong other high-profile targets. We reverse engineered this small, yet complex, malware that is portable to many\r\noperating systems including Linux, BSD, Solaris, and possibly AIX and Windows. We have named this malware\r\nKobalos for its tiny code size and many tricks; in Greek mythology, a Kobalos is a small, mischievous creature.\r\nToday we publish a paper titled “A wild Kobalos appears: Tricksy Linux malware goes after HPCs” describing the\r\ninner working of this threat.\r\nPerhaps unrelated to the events involving Kobalos, there were multiple security incidents involving HPC clusters\r\nin the past year. Some of them hit the press and details were made public in an advisory from the European Grid\r\nInfrastructure (EGI) CSIRT about cases where cryptocurrency miners were deployed. The EGI CSIRT advisory\r\nshows compromised servers in Poland, Canada and China were used in these attacks. Press articles also mention\r\nhttps://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/\r\nPage 1 of 7\n\nArcher, a breached UK-based supercomputer where SSH credentials were stolen, but do not contain details about\r\nwhich malware was used, if any.\r\nWe’ve worked with the CERN Computer Security Team and other organizations involved in mitigating attacks on\r\nscientific research networks. 
According to them, the usage of the Kobalos malware predates the other incidents.\r\nWhile we know Kobalos compromised large HPC clusters, no one could link the Kobalos incidents to the use of\r\ncryptocurrency malware. The malware and the techniques described in these other attacks are different. We also\r\nknow Kobalos is not exclusively targeting HPCs: we found that a large Asian ISP, a North American endpoint\r\nsecurity vendor (not us), as well as some personal servers were also compromised by this threat.\r\nTiny code, big targets\r\nThorough analysis of Kobalos revealed that it is sometimes possible to remotely determine if a system is\r\ncompromised by connecting to the SSH server using a specific TCP source port. Using that knowledge, ESET\r\nresearchers scanned the internet to find potential victims. We were able to identify multiple targets of Kobalos,\r\nincluding HPC systems.\r\nFigure 1. Industry and region of compromised organizations\r\nWe notified all identified victims and worked with them to remediate.\r\nhttps://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/\r\nPage 2 of 7\n\nThe backdoor\r\nKobalos is a generic backdoor in the sense that it contains broad commands that don't reveal the intent of the\r\nattackers. In short, Kobalos grants remote access to the file system, provides the ability to spawn terminal\r\nsessions, and allows proxying connections to other Kobalos-infected servers.\r\nFigure 2. Overview of Kobalos features and ways to access them\r\nThere are multiple ways for the operators to reach a Kobalos-infected machine. The method we’ve seen the most\r\nis where Kobalos is embedded in the OpenSSH server executable (sshd) and will trigger the backdoor code if the\r\nconnection is coming from a specific TCP source port. There are other stand-alone variants that are not embedded\r\nin sshd. 
These variants either connect to a C\u0026C server that will act as a middleman, or wait for an inbound\r\nconnection on a given TCP port.\r\nSomething that makes Kobalos unique is the fact that the code for running a C\u0026C server is in Kobalos itself. Any\r\nserver compromised by Kobalos can be turned into a C\u0026C server by the operators sending a single command. As\r\nthe C\u0026C server IP addresses and ports are hardcoded into the executable, the operators can then generate new\r\nKobalos samples that use this new C\u0026C server.\r\nThe sidekick\r\nIn most systems compromised by Kobalos, the SSH client is compromised to steal credentials. This credential\r\nstealer is unlike any of the malicious OpenSSH clients we’ve seen before, and we’ve looked at tens of them in the\r\nhttps://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/\r\nPage 3 of 7\n\npast eight years. The sophistication of this component is not the same as Kobalos itself: there was no effort to\r\nobfuscate early variants of the credential stealer. For example, strings were left unencrypted and stolen usernames\r\nand passwords are simply written to a file on disk. However, we found newer variants that contain some\r\nobfuscation and the ability to exfiltrate credentials over the network.\r\nThe presence of this credential stealer may partially answer how Kobalos propagates. Anyone using the SSH\r\nclient of a compromised machine will have their credentials captured. Those credentials can then be used by the\r\nattackers to install Kobalos on the newly discovered server later.\r\nHow it hides\r\nAnalyzing Kobalos isn’t as trivial as most Linux malware because all of its code is held in a single function that\r\nrecursively calls itself to perform subtasks.\r\nhttps://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/\r\nPage 4 of 7\n\nFigure 3. 
Control flow graph of Kobalos\r\nThis makes it more challenging to analyze. Additionally, all strings are encrypted so it’s more difficult to find the\r\nmalicious code than when looking at the samples statically.\r\nUsage of the backdoor requires a private 512-bit RSA key and a 32-byte-long password. Once authenticated, RC4\r\nkeys are exchanged and the rest of the communication is encrypted with them.\r\nThe network protocol is summarized by the sequence diagram.\r\nFigure 4. Sequence diagram summarizing Kobalos network protocols\r\nESET products detect the Kobalos malware as Linux/Kobalos or Linux/Agent.IV. The SSH credential stealer is\r\ndetected as Linux/SSHDoor.EV, Linux/SSHDoor.FB or Linux/SSHDoor.FC. A YARA rule is also available in\r\nESET’s malware-ioc repository on GitHub.\r\nhttps://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/\r\nPage 5 of 7\n\nFrom a network perspective, it is possible to detect Kobalos by looking for non-SSH traffic on the port attributed\r\nto an SSH server. When the Kobalos backdoor communicates with an operator, there is no SSH banner (SSH-2.0‑…) exchanged, neither from the client nor the server.\r\nWe have suggested before setting up two-factor authentication (2FA) for connecting to SSH servers. Kobalos is\r\nanother case where 2FA could have mitigated the threat, since the use of stolen credentials seems to be one of the\r\nways it is able to propagate to different systems.\r\nConclusion\r\nWe were unable to determine the intentions of the operators of Kobalos. No other malware, except for the SSH\r\ncredential stealer, was found by the system administrators of the compromised machines. We also didn’t have\r\naccess to network traffic captures of the operators in action.\r\nThe way Kobalos is tightly contained in a single function and the usage of an existing open port to reach Kobalos\r\nmakes this threat harder to find. 
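The network detection note above (no SSH banner from either side on the sshd port) turned into a small session classifier, as an added example that is not part of ESET’s article or tooling. It takes the first payload bytes seen in each direction of a TCP session (for instance pulled from a Zeek log or an already-parsed pcap; that loader is not included), labels sessions on port 22 by which sides sent an RFC 4253 identification string, and tallies the client source ports of banner-less sessions, since the sshd-embedded variant is keyed on a fixed source port. The sample sessions are constructed, the trigger port is not published on this page, and the probe helper’s source_port parameter is an assumption.

```python
"""Flag TCP sessions to an SSH port in which neither side sent an SSH
identification string, the traffic pattern the article describes for
Kobalos operator sessions.

Added example for this page, not ESET's code. SAMPLE_SESSIONS below is
constructed data; the Kobalos trigger source port is not published in the
article and is left as a parameter of probe_banner().
"""
import socket
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Session:
    """First payload bytes seen in each direction of one TCP session."""
    src: str
    sport: int
    dst: str
    dport: int
    client_first: bytes  # first bytes sent by the connection initiator
    server_first: bytes  # first bytes sent by the listening side


def has_ssh_banner(payload: bytes, max_lines: int = 16) -> bool:
    """True if an RFC 4253 identification string (a line starting with
    'SSH-') appears within the first max_lines lines. A server may send
    other text lines before its banner, so every line is checked."""
    for line in payload.split(b"\n", max_lines)[:max_lines]:
        if line.startswith(b"SSH-"):
            return True
    return False


def classify(session: Session, ssh_ports: frozenset = frozenset({22})) -> str:
    """Label a session by which sides exchanged an SSH banner."""
    if session.dport not in ssh_ports:
        return "not-ssh-port"
    client = has_ssh_banner(session.client_first)
    server = has_ssh_banner(session.server_first)
    if client and server:
        return "ssh"
    if not client and not server:
        # Neither side identifies itself as SSH: the pattern the article
        # describes for Kobalos backdoor traffic on the sshd port.
        return "no-banner"
    # One-sided silence: port scanners, TLS probes, clients that gave up.
    return "partial-banner"


def find_no_banner_sessions(sessions: Iterable[Session]) -> List[Session]:
    return [s for s in sessions if classify(s) == "no-banner"]


def trigger_port_candidates(sessions: Iterable[Session]) -> Counter:
    """Count client source ports across no-banner sessions. A source port
    that recurs across destination hosts is a candidate trigger value for
    the source-port-keyed sshd variant and worth pivoting on."""
    return Counter(s.sport for s in find_no_banner_sessions(sessions))


def probe_banner(host: str, port: int = 22, source_port: Optional[int] = None,
                 timeout: float = 3.0) -> bool:
    """Connect to host:port, optionally from a fixed local source port (an
    assumed parameter; low ports need root), and report whether the server
    sends an SSH banner. Only use against systems you are authorized to test."""
    source = ("", source_port) if source_port is not None else None
    with socket.create_connection((host, port), timeout=timeout,
                                  source_address=source) as sock:
        try:
            data = sock.recv(512)
        except socket.timeout:
            data = b""
    return has_ssh_banner(data)


# Constructed sample sessions, not captured traffic.
SAMPLE_SESSIONS = [
    # normal SSH login: both sides announce themselves
    Session("10.1.1.20", 51820, "10.1.1.5", 22,
            b"SSH-2.0-OpenSSH_8.4\r\n", b"SSH-2.0-OpenSSH_8.2p1\r\n"),
    # banner grab by a scanner: server answered, client sent nothing
    Session("10.1.1.21", 40210, "10.1.1.5", 22,
            b"", b"Authorized use only.\r\nSSH-2.0-OpenSSH_8.2p1\r\n"),
    # opaque binary exchange on the sshd port, same source port, two hosts
    Session("198.51.100.7", 55555, "10.1.1.5", 22,
            b"\x00\x00\x01\x00\x8c\xd4\x11\xe2", b"\x00\x00\x00\x40\x17\xa0"),
    Session("198.51.100.7", 55555, "10.1.1.6", 22,
            b"\x01\x02\x03\x04", b"\x05\x06\x07\x08"),
    # TLS on 443, outside the SSH port set
    Session("10.1.1.22", 60001, "10.1.1.5", 443, b"\x16\x03\x01", b"\x16\x03\x03"),
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(f"{s.src}:{s.sport} -> {s.dst}:{s.dport}  {classify(s)}")
    print("source ports of no-banner sessions:", trigger_port_candidates(SAMPLE_SESSIONS))
```

One-sided silence (a scanner that collected the server banner and said nothing) is deliberately kept apart from the two-sided silence the article describes, otherwise every internet-facing sshd would light up on routine scans.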
Hopefully the details we reveal today in our new publication will help raise awareness around this threat and put its activity under the microscope. This level of sophistication is only rarely seen in Linux malware. Given that it’s more advanced than average and that it compromised rather large organizations, Kobalos may be running around for a little while.\r\nA comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.\r\nFor any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.\r\nWe would like to acknowledge the work of Maciej Kotowicz from MalwareLab.pl, who also analyzed Kobalos independently and with whom we mutually share results. He presented on this threat at the Oh My H@ck 2020 conference.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 8 of the ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nPersistence | T1554 | Compromise Client Software Binary | Kobalos may embed its malicious payload in the OpenSSH server and replace the legitimate file (sshd). Kobalos replaces the SSH client on compromised systems to steal credentials.\r\nPersistence | T1205 | Traffic Signaling | Kobalos may be triggered by an incoming TCP connection to a legitimate service from a specific source port.\r\nDefense Evasion | T1070.003 | Clear Command History | No command history related to the attack was found on Kobalos-infected machines.\r\nDefense Evasion | T1070.006 | Timestomp | When files are replaced by Kobalos operators, timestamps are forged.\r\nDefense Evasion | T1027.002 | Software Packing | Kobalos’s code is flattened into a single function using a custom packer and its strings are encrypted.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | Kobalos’s post-authentication communication channel is encrypted with RC4.\r\nCommand and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Kobalos’s authentication and key exchange is performed using RSA-512.\r\nCommand and Control | T1090.003 | Proxy: Multi-hop Proxy | Kobalos can serve as a proxy to other Kobalos-compromised systems.\r\nSource: https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/"
	],
	"report_names": [
		"kobalos-complex-linux-threat-high-performance-computing-infrastructure"
	],
	"threat_actors": [],
	"ts_created_at": 1775434273,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ead8fb36ede5f65934c6ba2fb7228c6ac351b46f.pdf",
		"text": "https://archive.orkl.eu/ead8fb36ede5f65934c6ba2fb7228c6ac351b46f.txt",
		"img": "https://archive.orkl.eu/ead8fb36ede5f65934c6ba2fb7228c6ac351b46f.jpg"
	}
}