Hackers are continuing to abuse a stealthy Linux rootkit known as OrBit to harvest SSH and sudo credentials, with new research showing the threat has quietly evolved over four years while remaining active in the wild.
First analyzed in 2022, OrBit was initially believed to be a custom-built Linux userland rootkit. It operates by hijacking the system’s dynamic linker (ld.so), ensuring a malicious shared library is loaded into every running process.
This allows attackers to intercept authentication flows, capture credentials, and hide their presence from administrators.
According to Intezer's report, OrBit is not a unique creation. Instead, it is a repackaged version of Medusa, an open-source LD_PRELOAD rootkit published on GitHub in late 2022.
Rather than developing new malware, threat actors have been modifying and redeploying this publicly available codebase with different configurations, credentials, and stealth techniques.
Once deployed, OrBit acts as a passive implant. It does not rely on traditional command-and-control communication. Instead, attackers access compromised systems through a hidden SSH backdoor.
Meanwhile, the rootkit hooks into Pluggable Authentication Modules (PAM) to silently capture usernames and passwords from SSH logins and sudo activity, storing them locally in hidden directories such as /lib/libseconf/.
OrBit Rootkit Targets Linux
The malware’s stealth capabilities are particularly advanced. By hooking more than 40 libc functions, OrBit can hide files, processes, and network connections, effectively making infected systems appear clean even under inspection.
Researchers tracking samples from 2022 to 2026 identified two main variants. The first, called Lineage A, is a full-featured build that includes credential harvesting, network hiding, packet capture, and backdoor access.
The second, Lineage B, is a lighter version that removes several capabilities, likely to reduce its footprint and avoid detection. Notably, Lineage B samples often lack embedded passwords, suggesting alternative authentication methods.
Over time, attackers have not significantly changed the core code. Instead, they have rotated credentials, modified installation paths, and adjusted features.
For example, newer variants introduced compatibility fixes like a custom “xread” function to prevent system instability that could reveal the rootkit.
Later versions also added audit log evasion and, in 2025, a more advanced PAM hook that allows attackers to manipulate authentication outcomes, not just observe them.
A major shift occurred in 2025 when operators introduced a multi-stage infection chain. This included a dropper and an infector capable of spreading the malware across systems and establishing persistence via cron jobs.
Unlike earlier versions, this variant introduced limited external communication by downloading payloads from a remote domain, marking the first time OrBit showed command-and-control-like behavior.
Infrastructure linked to this campaign overlaps with older malware activity, including the RHOMBUS botnet, though attribution remains uncertain.
At the same time, multiple threat groups have been observed using OrBit, including the ransomware-linked BLOCKADE SPIDER and the state-backed UNC3886 espionage group.
This widespread adoption highlights a key shift in the threat landscape. OrBit is no longer tied to a single actor but has become a shared toolkit used by multiple groups for persistence and credential theft across Linux environments, including critical infrastructure and virtualized systems.
Security experts warn that defenders should focus less on attributing attacks to a specific group and more on detecting the underlying behaviors of the Medusa-based rootkit.
Its consistent build patterns, hidden filesystem artifacts, and credential harvesting techniques remain reliable indicators of compromise, even as attackers continue to modify superficial elements like paths and passwords.
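The behaviours the article singles out (a library forced into every process through the dynamic linker's preload mechanism, files hidden under /lib/libseconf/, and the advice to hunt for those artifacts rather than for a particular actor) can be checked with a small host-hunting script. The following is an added example written for this article; it is not Intezer's tooling and contains no OrBit or Medusa code. The trusted directory list, the file name `evil.so`, and the sample `ld.so.preload` and `/proc/<pid>/maps` lines are constructed assumptions.

```python
"""Hunt for traces of an LD_PRELOAD-style userland rootkit such as OrBit/Medusa:
an /etc/ld.so.preload entry, a shared object mapped into almost every process
from an unexpected directory, and the hidden artifact directory the article names.

Added example for this article; it is not Intezer's tooling and not OrBit code.
The sample ld.so.preload text and /proc/<pid>/maps lines are constructed.
"""
import os
import re
from collections import Counter
from pathlib import Path

# Directories where a preloaded library normally lives (assumption: Debian/Ubuntu
# style multiarch layout; extend for your distribution).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/",
                    "/lib/x86_64-linux-gnu/", "/usr/lib/x86_64-linux-gnu/")

# Artifact directory named in the article as used by OrBit to store captured credentials.
KNOWN_ARTIFACT_DIRS = ("/lib/libseconf/",)

# /proc/<pid>/maps: address perms offset dev inode [pathname]
MAPS_PATH_RE = re.compile(r"^\S+ \S+ \S+ \S+ \S+\s+(/\S+)$")


def parse_preload(text):
    """Return library paths from /etc/ld.so.preload content.
    glibc accepts whitespace- or colon-separated entries and '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return entries


def is_expected_location(path):
    """True when the object sits directly inside a standard library directory.
    Subdirectories such as /lib/libseconf/ deliberately do not count."""
    return os.path.dirname(path) + "/" in TRUSTED_LIB_DIRS


def flag_preload_entries(entries):
    """Any preload entry is already unusual on most hosts; report the ones that
    are not in a standard location or that sit in a known artifact directory."""
    return [p for p in entries
            if p.startswith(KNOWN_ARTIFACT_DIRS) or not is_expected_location(p)]


def libs_in_maps(maps_text):
    """File-backed shared objects from one /proc/<pid>/maps dump."""
    libs = set()
    for line in maps_text.splitlines():
        m = MAPS_PATH_RE.match(line)
        if m and ".so" in m.group(1):
            libs.add(m.group(1))
    return libs


def ubiquitous_unexpected_libs(maps_by_pid, min_fraction=0.9):
    """Shared objects mapped into at least min_fraction of all processes that do
    not come from a standard library directory. A library forced into every
    process through ld.so.preload shows up here; libc itself does not."""
    if not maps_by_pid:
        return []
    counts = Counter()
    for text in maps_by_pid.values():
        counts.update(libs_in_maps(text))
    total = len(maps_by_pid)
    return sorted(lib for lib, c in counts.items()
                  if c / total >= min_fraction and not is_expected_location(lib))


def present_artifact_dirs(root="/"):
    """Known artifact directories that exist under root (a mounted image works too)."""
    return [d for d in KNOWN_ARTIFACT_DIRS if Path(root, d.lstrip("/")).is_dir()]


def collect_live(proc_root="/proc", preload_file="/etc/ld.so.preload"):
    """Read the preload file and every /proc/<pid>/maps on the running host.
    Caveat: this interpreter goes through libc, which the rootkit hooks; if the
    host looks clean, repeat the check with a statically linked tool or offline."""
    pf = Path(preload_file)
    entries = parse_preload(pf.read_text(errors="replace")) if pf.exists() else []
    maps = {}
    for d in Path(proc_root).iterdir():
        if d.name.isdigit():
            try:
                maps[d.name] = (d / "maps").read_text()
            except OSError:
                continue  # process exited or not readable
    return entries, maps


# --- constructed sample data (not real captures) ---------------------------
SAMPLE_PRELOAD = "/lib/libseconf/evil.so   # constructed entry\n"
_LIBC = "7f10c0000000-7f10c01c2000 r-xp 00000000 08:01 1001   /lib/x86_64-linux-gnu/libc.so.6\n"
_EVIL = "7f10c1000000-7f10c1020000 r-xp 00000000 08:01 2002   /lib/libseconf/evil.so\n"
_SSL = "7f10c2000000-7f10c2090000 r-xp 00000000 08:01 3003   /usr/lib/x86_64-linux-gnu/libssl.so.3\n"
_HEAP = "5600aa000000-5600aa021000 rw-p 00000000 00:00 0      [heap]\n"
SAMPLE_MAPS = {"1": _LIBC + _EVIL + _HEAP, "2": _LIBC + _EVIL,
               "3": _LIBC + _EVIL + _SSL, "4": _LIBC + _EVIL}


if __name__ == "__main__":
    entries, maps = collect_live()
    print("ld.so.preload entries:", entries)
    print("flagged preload entries:", flag_preload_entries(entries))
    print("libs in nearly every process from unexpected dirs:",
          ubiquitous_unexpected_libs(maps))
    print("known artifact dirs present:", present_artifact_dirs())
```

The per-process maps check is the more robust of the three: a rootkit can hide its preload entry and its directory from hooked file-listing functions, but the library must still be mapped into the processes it infects, and a shared object that appears in nearly every process yet lives outside the standard library directories is a strong signal. Because the script itself runs on top of the possibly hooked libc, treat a clean result as provisional and confirm from a statically linked collector or an offline disk image.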
IOCs
| SHA256 | Year | Role | Lineage |
|---|---|---|---|
| 40b5127c8cf9d6bec4dbeb61ba766a95c7b2d0cafafcb82ede5a3a679a3e3020 | 2022 | payload | A |
| ec7462c3f4a87430eb19d16cfd775c173f4ba60d2f43697743db991c3d1c3067 | 2022 | payload | A |
| f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8 | 2022 | dropper | – |
| d419a9b17f7b4c23fd4e80a9bce130d2a13c307fccc4bfbc4d49f6b770d06d3b | 2023 | payload | A |
| 296d28eb7b66aa2cbea7d9c2e7dc1ad6ce6f97d44d34139760c38817aec083e7 | 2023 | payload | A |
| 3ba6c174a72e4bf5a10c8aaadab2c4b98702ee2308438e94a5512b69df998d5a | 2023 | payload | B |
| 4203271c1a0c24443b7e85cbf066c9928fcc69934772a431d779017fb85c9d73 | 2023 | payload | B |
| eea274eddd712fe0b4434dbef6a2a92810cb13b8be3deca0571410ee78d37c9f | 2024 | payload | A |
| a61386384173b352e3bd90dcef4c7268a73cd29f6ae343c15b92070b1354a349 | 2024 | payload | A |
| a34299a16cf30dac1096c1d24188c72eed1f9d320b1585fe0de4692472e3d4dc | 2024 | payload | B |
| b1dd18a6a4b0c6e2589312bbec55b392a20a95824ffe630a73c94d24504c553d | 2024 | payload | B |
| 989f7eb4f805591839bcbc321dd44418eb5694d1342e37b7f24126817f10e37e | 2024 | payload (extracted) | B |
| 8ea420d9aa341ba23cdea0ac03951bce866c933ba297268bc7db8a01ce8e9b8e | 2024 | payload (static ELF) | A |
| 26082cd36fdaf76ec0d74b7fbf455418c49fbab64b20892a873c415c3bb60675 | 2024 | loader | – |
| 48a68d0555f850c36f7d338b1a42ed1a661043cacf2ba2a4b0a347fac3cb3ee6 | 2024 | dropper | – |
| fc2e0cb627a00d0e4509bd319271721ea74fb11150847213abe9e8fea060cc8a | 2024 | dropper | – |
| 8e83cbb2ed12faba9b452ea41291bcebdce08162f64ac9a5f82592df62f47613 | 2025 | payload | A |
| 2b2eeb2271c19e2097a0ef0d90b2b615c20f726590bbfee139403db1dced5b0a | 2025 | payload | A |
| 84828f31d741f92ce4bca98cfc2148ff8cff6663e2908a025b1386dd4953ffef | 2025 | payload (truncated) | A |
| 090b15fd8912cab340b22e715d44db079ec641db5e2f92916aa1f2bc9236e03e | 2025 | dropper | – |
| 64a3ebd3ad3927fc783f6ac020d5a6192e9778fb16b51cceba06e4ee5416adff | 2025 | dropper | – |
| b85ed15756568b85148c1d432a8920f81e4b21f2bc38f0cf51d06ced619e0e77 | 2025 | dropper | – |
| d3d204c19d93e5e37697c7f80dd0de9f76a2fb4517ced9cafd7d7d46a6e285ba | 2025 | dropper | – |
| 73b95b7d1006caf8d3477e4a9a0994eaa469e98b70b8c198a82c4a12c91ad49a | 2025 | infector | – |
| 04c06be0f65d3ead95f3d3dd26fe150270ac8b58890e35515f9317fc7c7723c9 | 2026 | payload | A |
| d7b487d2e840c4546661f497af0195614fc0906c03d187dc39815c811ea5ec3f | 2026 | payload | A |
| b982276458a85cd3dd7c8aa6cb4bbb2d4885b385053f92395a99abbfb0e43784 | 2020 | RHOMBUS dropper | – |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.