{"id":50797,"date":"2023-03-01T00:00:00","date_gmt":"2023-03-01T00:00:00","guid":{"rendered":"urn:uuid:c7acef96-eca7-9117-2ab8-2e841051e417"},"modified":"2023-03-01T00:00:00","modified_gmt":"2023-03-01T00:00:00","slug":"iron-tigers-sysupdate-reappears-adds-linux-targeting","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/iron-tigers-sysupdate-reappears-adds-linux-targeting\/","title":{"rendered":"Iron Tiger\u2019s SysUpdate Reappears, Adds Linux Targeting"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/iron-tiger-sysupdate-adds-linux-targeting.jpg\"><\/p>\n<p>Persistence is ensured by copying a script with a name similar to the current filename to the <i>\/usr\/lib\/systemd\/system\/<\/i> directory, and creating a symlink to this file in the <i>\/etc\/systemd\/system\/multi-user.target.wants\/<\/i> directory. Thus, this method only works if the current process has root privileges. The content of the script is:<\/p>\n<p><span class=\"blockquote\">[Unit]<br \/>Description=xxx<br \/>[Service]<br \/>Type=forking<br \/>ExecStart=&lt;path to current file&gt; -x<br \/>ExecStop=\/usr\/bin\/id<br \/>[Install]<br \/>WantedBy=multi-user.target<\/span><\/p>\n<p>After running the parameter-dependent code, if the operator has not chosen a GUID with the \u201c-f\u201d parameter, the malware generates a random GUID and writes it to a file with a name similar to the current file, with a \u201cd\u201d appended to it. 
Then, the malware retrieves information on the compromised computer and sends it to the C&amp;C.<\/p>\n<p>The following information is sent to the C&amp;C, encrypted with a hardcoded key and DES CBC algorithm:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">GUID<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Host name<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Username<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Local IP address and port used to send the request<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Current PID<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Kernel version and machine architecture<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Current file path<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Boolean (0 if it was launched with exactly one parameter, 1 otherwise)<\/span><\/li>\n<\/ul>\n<p>For the DNS C&amp;C communication version, the malware retrieves the configured DNS server by reading the content of the <i>\/etc\/resolv.conf<\/i> file, or uses the DNS server operated by Google at IP address 8.8.8.8.<\/p>\n<p>In 2022, we already <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/h\/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html\">noticed<\/a> that this threat actor was interested in platforms other than Windows, with the <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/h\/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html#:~:text=Malware%20analysis-,rshell,-The%20rshell%20executable\">rshell<\/a> malware family running on Linux and Mac OS. For these reasons, we would not be surprised to see SysUpdate samples for the Mac OS platform in the future. 
Interestingly, most of the Linux samples we found used the new DNS tunneling feature we detailed in Figure 2, while only one of the Windows samples used it.<\/p>\n<p><span class=\"body-subhead-title\">Certificate compromise<\/span><\/p>\n<p>Another interesting part of this campaign is the fact that some of the malicious files are signed with a certificate with the following signer: \u201cPermyakov Ivan Yurievich IP\u201d. Looking for that name in search engines brings results from the official <a href=\"https:\/\/vmpsoft.com\/\">VMProtect<\/a> website. The email address linked to the Authenticode certificate also links to that domain name. VMProtect is commercial software intended to make analysis of code extremely difficult by implementing a custom virtual machine with a non-standard architecture. The software has been <a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/us\/security\/news\/cyber-attacks\/winnti-group-resurfaces-with-portreuse-backdoor-now-engages-in-illicit-cryptocurrency-mining\">used<\/a> <a href=\"https:\/\/vb2020.vblocalhost.com\/uploads\/VB2020-06.pdf\">by<\/a> <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/j\/purplefox-adds-new-backdoor-that-uses-websockets.html\">multiple APT<\/a> and <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/18\/f\/new-killdisk-variant-hits-latin-american-financial-organizations-again.html\">cybercrime groups<\/a> in the past to obfuscate their malware.<\/p>\n<p>When searching malware repositories for other files signed by the same certificate, we find multiple files named \u201cVMProtectDemo.exe\u201d, \u201cVMProtect.exe\u201d, or \u201cVMProtect_Con.exe\u201d, which suggests that an official demo version of VMProtect is also signed by this certificate. It appears that the threat actor managed to retrieve the private key, allowing him to sign malicious code. 
As of this writing, the certificate is now revoked.<\/p>\n<p>Using stolen certificates to sign malicious code is a common practice for this threat actor, as we already highlighted in <a href=\"https:\/\/www.erai.com\/CustomUploads\/ca\/wp\/2015_12_wp_operation_iron_tiger.pdf\">2015<\/a> and in all our <a href=\"https:\/\/www.trendmicro.com\/en_no\/research\/21\/d\/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html\">recent<\/a> <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/h\/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html\">investigations<\/a>. Interestingly, the threat actor not only signed some of its malicious executables with the stolen certificate, but also used VMProtect to obfuscate one of them.<\/p>\n<p>In late January 2023, a Redline stealer sample (detected by Trend Micro as TrojanSpy.Win32.REDLINE.YXDA1Z, SHA256: e24b29a1df287fe947018c33590a0b443d6967944b281b70fba7ea6556d00109) signed by the same certificate was uploaded. We do not believe that the stealer is linked to Iron Tiger, considering that the network infrastructure is different, and previous reports document the malware\u2019s goals to be centered on committing cybercrime rather than data theft. This could mean other users managed to extract the same private key from the VMProtect demo version, or it was sold in the underground to different groups, Iron Tiger among them.<\/p>\n<p><span class=\"body-subhead-title\">Infection vector<\/span><\/p>\n<p>We did not find an infection vector. However, we noticed that one of the executables packed with VMProtect and signed with the stolen certificate was named \u201cyoudu_client_211.9.194.exe\u201d. <a href=\"https:\/\/youdu.im\/\">Youdu<\/a> is the name of a Chinese instant messaging application aimed at enterprise customers. Its website mentions multiple customers in many industries, some of them in critical sectors such as government, energy, healthcare, or banking. 
But they also have other customers in industries such as gaming, IT, media, construction, and retail, apparently all located inside China.<\/p>\n<p>The properties of the malicious file also match the usual Youdu version numbering. However, the legitimate files are signed with a \u201cXinda.im\u201d certificate instead of the stolen VMProtect certificate.<\/p>\n<p> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/c\/iron-tiger-sysupdate-adds-linux-targeting.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We detail the update that advanced persistent threat (APT) group Iron Tiger made on the custom malware family SysUpdate. In this version, we also found components that enable the malware to compromise Linux systems. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":50798,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9546,9510,9521,9511,9508,9555,9513,9523],"class_list":["post-50797","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-apttargeted-attacks","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-crime","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-endpoints","tag-trend-micro-research-exploitsvulnerabilities","tag-trend-micro-research-malware","tag-trend-micro-research-network"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/50797","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=50797"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/50797\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/50798"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=50797"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=50797"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=50797"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}