<h1>Chinese Hackers Use Never Before Seen Linux Backdoor</h1>
<p>Published 2023-09-19 on ThreatsHub (Packet Storm feed); original reporting by <a href="https://arstechnica.com/security/2023/09/never-before-seen-linux-backdoor-is-a-windows-malware-knockoff/">Ars Technica</a>.</p>
<figure class="intro-image intro-left"> <img decoding="async" src="https://cdn.arstechnica.net/wp-content/uploads/2023/09/trojan-backdoor-800x534.jpg" alt="Trojan horse on top of blocks of hexadecimal programming codes. Illustration of the concept of online hacking, computer spyware, malware and ransomware."></figure>
<p>Researchers have discovered a never-before-seen backdoor for Linux that is being used by a threat actor linked to the Chinese government.</p>
<p>The new backdoor derives from a Windows backdoor named Trochilus, which was <a href="https://web.archive.org/web/20160605160807/https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf">first seen</a> in 2015 by researchers from Arbor Networks, now known as Netscout. They reported that Trochilus executed only in memory: in most cases the final payload never touched disk, which made the malware difficult to detect. Researchers from NHS Digital in the UK <a href="https://digital.nhs.uk/cyber-alerts/2019/cc-2929">have said</a> Trochilus was developed by APT10, an advanced persistent threat group linked to the Chinese government that also goes by the names Stone Panda and MenuPass.</p>
<p>Other groups eventually adopted it, and its source code has <a href="https://github.com/RamadhanAmizudin/malware/tree/62d0035db6bc9aa279b7c60250d439825ae65e41/Trochilus">been available</a> on GitHub for more than six years. Trochilus has also appeared in campaigns that used a separate piece of malware known as RedLeaves.</p>
<p>In June, researchers from security firm Trend Micro found an encrypted binary file on a server known to be used by a group they had been tracking since 2021. Searching VirusTotal for its file name, libmonitor.so.2, turned up a Linux executable named “mkmon”. That executable contained the credentials needed to decrypt libmonitor.so.2 and recover its original payload, leading the researchers to conclude that mkmon is the installer that delivers and decrypts libmonitor.so.2.</p>
<p>The Linux malware ports several functions from Trochilus and combines them with a new Socket Secure (SOCKS) implementation. The Trend Micro researchers named their discovery SprySOCKS, with “spry” denoting its swift behavior and “SOCKS” the added proxy component.</p>
<p>SprySOCKS implements the usual backdoor capabilities: collecting system information, opening an interactive remote shell for controlling the compromised system, listing network connections, transferring files, and running a SOCKS proxy that relays file uploads and other data between the compromised system and the attacker-controlled command-and-control server. The following table lists the command message IDs it handles:</p>
<table border="1">
<thead>
<tr><th scope="col">Message ID</th><th scope="col">Notes</th></tr>
</thead>
<tbody>
<tr><td>0x09</td><td>Gets machine information</td></tr>
<tr><td>0x0a</td><td>Starts interactive shell</td></tr>
<tr><td>0x0b</td><td>Writes data to interactive shell</td></tr>
<tr><td>0x0d</td><td>Stops interactive shell</td></tr>
<tr><td>0x0e</td><td>Lists network connections (parameters: “ip”, “port”, “commName”, “connectType”)</td></tr>
<tr><td>0x0f</td><td>Sends packet (parameter: “target”)</td></tr>
<tr><td>0x14, 0x19</td><td>Sends initialization packet</td></tr>
<tr><td>0x16</td><td>Generates and sets clientid</td></tr>
<tr><td>0x17</td><td>Lists network connections (parameters: “tcp_port”, “udp_port”, “http_port”, “listen_type”, “listen_port”)</td></tr>
<tr><td>0x23</td><td>Creates SOCKS proxy</td></tr>
<tr><td>0x24</td><td>Terminates SOCKS proxy</td></tr>
<tr><td>0x25</td><td>Forwards SOCKS proxy data</td></tr>
<tr><td>0x2a</td><td>Uploads file (parameters: “transfer_id”, “size”)</td></tr>
<tr><td>0x2b</td><td>Gets file transfer ID</td></tr>
<tr><td>0x2c</td><td>Downloads file (parameters: “state”, “transferId”, “packageId”, “packageCount”, “file_size”)</td></tr>
<tr><td>0x2d</td><td>Gets transfer status (parameters: “state”, “transferId”, “result”, “packageId”)</td></tr>
<tr><td>0x3c</td><td>Enumerates files in root /</td></tr>
<tr><td>0x3d</td><td>Enumerates files in directory</td></tr>
<tr><td>0x3e</td><td>Deletes file</td></tr>
<tr><td>0x3f</td><td>Creates directory</td></tr>
<tr><td>0x40</td><td>Renames file</td></tr>
<tr><td>0x41</td><td>No operation</td></tr>
<tr><td>0x42</td><td>Related to the file operations 0x3c to 0x40 (parameters: srcPath, destPath)</td></tr>
</tbody>
</table>
<p>After decrypting the binary and identifying SprySOCKS, the researchers used what they had learned to search VirusTotal for related files. That search turned up a version of the malware with release number 1.1; the sample Trend Micro found was 1.3.6. The existence of multiple versions suggests the backdoor is still under active development.</p>
<p>The command-and-control server that SprySOCKS connects to closely resembles a server used in a campaign with a different piece of Windows malware, RedLeaves, which was likewise based on Trochilus. Strings that appear in both Trochilus and RedLeaves also appear in the SOCKS component added to SprySOCKS. The SOCKS code was borrowed from <a href="https://github.com/ldcsaa/HP-Socket">HP-Socket</a>, a high-performance networking framework of Chinese origin.</p>
<p>Trend Micro attributes SprySOCKS to a threat actor it has dubbed Earth Lusca. The researchers discovered the group in 2021 and <a href="https://www.trendmicro.com/en_ca/research/22/a/earth-lusca-sophisticated-infrastructure-varied-tools-and-techni.html">documented</a> it the following year. Earth Lusca targets organizations around the world, primarily governments in Asia. It uses social engineering to lure targets to watering-hole sites that infect them with malware. Alongside its espionage activity, Earth Lusca also appears to be financially motivated, with sights set on gambling and cryptocurrency companies.</p>
<p>The same Earth Lusca server that hosted SprySOCKS also delivered the payloads known as Cobalt Strike and Winnti. Cobalt Strike is a commercial adversary-emulation and post-exploitation framework used by security professionals and threat actors alike; Earth Lusca was using it to expand its access after gaining an initial foothold inside a targeted environment. Winnti, meanwhile, is the name both of a malware suite that has been in use for more than a decade and of a host of distinct threat groups, all connected to the Chinese government&#8217;s intelligence apparatus, which has been among the world’s <a href="https://arstechnica.com/information-technology/2018/05/researchers-link-a-decade-of-potent-hacks-to-chinese-intelligence-group/">most prolific hacking syndicates</a>.</p>
<p>Monday’s Trend Micro report provides IP addresses, file hashes, and other indicators that defenders can use to determine whether they have been compromised. Earth Lusca generally gains access by exploiting recently patched vulnerabilities, often referred to as n-days, so timely patching is the best defense. The report gives no further details on preventing or removing the malware.</p>
<p>READ MORE <a href="https://packetstormsecurity.com/news/view/35029/Chinese-Hackers-Use-Never-Before-Seen-Linux-Backdoor.html">HERE</a></p>
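<p>The closing paragraph says the Trend Micro report ships file hashes and other indicators for deciding whether a host is compromised, and the article names two on-disk artifacts, the loader mkmon and the encrypted payload libmonitor.so.2. The script below is an added example, not Trend Micro’s or Ars Technica’s code, of a host-side hunt built from those two facts: it walks a filesystem, reports exact SHA-256 matches against a hash set, reports name-only matches separately, and parses /proc/&lt;pid&gt;/maps-style text for mappings of those names or for executable mappings whose backing file was deleted (an in-memory-payload signal, following the article’s note that Trochilus ran only in memory). The hash set, the demo directory tree and the maps text are constructed placeholders, not real indicators; load the hashes from the report before using it.</p>

```python
"""Host-side triage for the SprySOCKS artifacts named in the article.

Added example, not Trend Micro's or Ars Technica's code. The names
libmonitor.so.2 and mkmon come from the article; every hash, path and
maps line below is a CONSTRUCTED placeholder.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Names the article gives the loader (mkmon) and the encrypted payload (libmonitor.so.2).
SUSPECT_NAMES = {"libmonitor.so.2", "mkmon"}
# Placeholder, NOT a real indicator: replace with the SHA-256 values from the report.
KNOWN_BAD_SHA256 = {"0" * 64}
ELF_MAGIC = b"\x7fELF"


@dataclass
class Finding:
    path: str
    sha256: str
    reason: str  # "hash" = exact IoC match, "name" = file name match only
    is_elf: bool


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root: str, bad_hashes: set[str] = KNOWN_BAD_SHA256,
         names: set[str] = SUSPECT_NAMES) -> list[Finding]:
    """Walk root; report exact hash hits and, separately, name-only hits.

    The article notes versions 1.1 and 1.3.6 exist and development continues,
    so a hash list from one report lags new builds; a name hit is the broader
    but weaker signal and needs manual confirmation.
    """
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_of(p)
                with p.open("rb") as f:
                    elf = f.read(4) == ELF_MAGIC
            except OSError:
                continue  # unreadable (permissions, vanished); keep walking
            if digest in bad_hashes:
                findings.append(Finding(str(p), digest, "hash", elf))
            elif name in names:
                findings.append(Finding(str(p), digest, "name", elf))
    return findings


def suspicious_mappings(maps_text: str, names: set[str] = SUSPECT_NAMES) -> list[str]:
    """Scan /proc/<pid>/maps text for the suspect names, or for executable
    mappings whose backing file was deleted (memfd / unlinked payloads).
    Also seen benignly after a library upgrade under a running process."""
    hits: list[str] = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # anonymous mapping, no backing path
        perms, backing = parts[1], parts[5].strip()
        deleted_exec = backing.endswith("(deleted)") and "x" in perms
        if os.path.basename(backing) in names or deleted_exec:
            hits.append(backing)
    return hits


def build_demo_tree() -> tuple[str, set[str]]:
    """CONSTRUCTED tree for a dry run: fake loader, fake payload, benign file.
    Returns the root and a hash set seeded with the fake mkmon's digest."""
    root = tempfile.mkdtemp(prefix="sprysocks-hunt-")
    lib = Path(root, "usr", "lib")
    lib.mkdir(parents=True)
    (lib / "libmonitor.so.2").write_bytes(b"placeholder-encrypted-blob")
    tmp = Path(root, "tmp")
    tmp.mkdir()
    loader = tmp / "mkmon"
    loader.write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61)  # fake ELF64 header
    (tmp / "notes.txt").write_text("nothing to see here\n")
    return root, {sha256_of(loader)}


def demo_hunt() -> dict[str, str]:
    """Run hunt() over the demo tree; map file name -> reason."""
    root, bad = build_demo_tree()
    return {Path(f.path).name: f.reason for f in hunt(root, bad)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()[0]
    for f in hunt(target):
        print(f"{f.reason:4} {f.sha256} {f.path}{' [ELF]' if f.is_elf else ''}")
```

<p>Keep the two signals separate when triaging: the article says at least versions 1.1 and 1.3.6 exist and development continues, so a hash list from one report will lag new builds, while a name-only hit needs manual confirmation (the loader can be renamed, and a benign file can share the name). A “(deleted)” executable mapping is a lead rather than a verdict for the same reason; confirm by dumping the mapped region and checking it against the published hashes.</p>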