OrBit was initially thought to be a highly customized and novel threat, but recent analysis reveals a much darker, pragmatic truth: it is a selectively weaponized clone of Medusa, an open-source rootkit freely available on GitHub.
Instead of writing new malware from scratch, multiple distinct threat actors are simply flipping configuration switches on a public repository to maintain an invisible grip on infected Linux systems.
Deployed as a shared library, OrBit uses LD_PRELOAD techniques to patch the dynamic linker so that its malicious code is loaded into every process on the system.
Once entrenched, it operates as a passive implant, hooking more than forty standard system functions to harvest passwords and render its files, network connections, and processes completely invisible to security tools.
OrBit Rootkit Steals Credentials
Security analysts tracking the malware’s evolution from 2022 to 2026 uncovered two distinct evolutionary branches of this toolkit, both originating from the Medusa source code.
Lineage A represents the full-featured build. It leverages advanced hooks to sniff network packets, hide specific TCP ports, and intercept authentication requests.
In 2025, operators even added a new hook to forge authentication outcomes, allowing attackers to approve or deny login attempts at will.
Conversely, Lineage B is a stripped-down, lightweight variant. Threat actors deploying Lineage B deliberately removed packet capture and password interception capabilities to maintain a much smaller forensic footprint.
Across both lineages, operators frequently rotate encryption keys, swap installation paths (like moving from /lib/libseconf/ to /lib/locate/), and change hardcoded backdoor credentials to evade detection.
To ensure the rootkit does not accidentally break normal server operations, operators implemented clever compatibility fixes.
By exporting a custom function that directly calls system read operations, the rootkit bypasses its own filtering mechanisms for critical programs like Git. Without this bypass, the rootkit would corrupt data streams and easily expose its presence to administrators.
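As an added defender-side check for the loading mechanism and installation paths described above (example code written for this page, not the article's or Intezer's; the sample file names it is run against are constructed), this Python script flags entries in /etc/ld.so.preload and any process whose memory map contains a library loaded from one of the reported OrBit directories:

```python
# Added example, not code from the article or Intezer: a small hunt for
# LD_PRELOAD-style rootkit loading. Directory names come from the IOC table
# and text; sample file names used with it are constructed.
import glob
import os

# Working directories observed for OrBit payloads (plus the /lib/locate/ move).
KNOWN_ORBIT_DIRS = ("/lib/libntpVnQE6mk/", "/lib/libseconf/",
                    "/lib/fuckwhitehatshome/", "/lib/locate/")

def preload_entries(preload_text):
    """Return (path, under_known_orbit_dir) for each /etc/ld.so.preload entry.
    The file is absent on a clean host, so every entry deserves review."""
    hits = []
    for line in preload_text.splitlines():
        for path in line.split("#", 1)[0].split():  # skip blanks and comments
            hits.append((path, path.startswith(KNOWN_ORBIT_DIRS)))
    return hits

def suspicious_mappings(maps_text):
    """Return distinct files in /proc/<pid>/maps content mapped from a known
    OrBit directory; a hooked process carries the library in its maps."""
    found = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode [pathname]
        if len(fields) == 6 and fields[5].startswith(KNOWN_ORBIT_DIRS):
            found.add(fields[5])
    return sorted(found)

def scan_host():
    """Run both checks on the live system (Linux; best effort without root)."""
    report = {"preload": [], "processes": {}}
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as f:
            report["preload"] = preload_entries(f.read())
    for maps in glob.glob("/proc/[0-9]*/maps"):
        try:
            with open(maps) as f:
                libs = suspicious_mappings(f.read())
        except OSError:  # process exited, or not readable at this privilege
            continue
        if libs:
            report["processes"][maps.split("/")[2]] = libs
    return report

if __name__ == "__main__":
    print(scan_host())
```

Run it as root so every process's maps file is readable; because operators rotate paths, treat any entry in /etc/ld.so.preload as worth reviewing even when it is not under a known directory.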
According to Intezer research, OrBit has been rapidly adopted by multiple unrelated adversary groups. The state-sponsored espionage group UNC3886 utilizes the full Lineage A build to target virtualization infrastructure.
Researchers matched UNC3886’s specific configurations, including identical encryption keys, backdoor credentials, and installation paths, directly to the 2024 OrBit clusters.
Similarly, the cybercrime syndicate BLOCKADE SPIDER uses OrBit to ensure stealthy persistence while preparing enterprise networks for Embargo ransomware deployments.
Indicators of Compromise (IOCs)
Below is a summary of key OrBit payloads and droppers observed between 2022 and 2025.
| SHA256 (Prefix) | Year | Role | Lineage | Working Directory |
|---|---|---|---|---|
| 40b5127c | 2022 | Payload | A | /lib/libntpVnQE6mk/ |
| ec7462c3 | 2022 | Payload | A | /lib/libseconf/ |
| d419a9b1 | 2023 | Payload | A | /lib/fuckwhitehatshome/ |
| 3ba6c174 | 2023 | Payload | B | /lib/libseconf/ |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post Hackers Use OrBit Rootkit to Steal Linux SSH and Sudo Credentials appeared first on Cyber Security News.
