For four years the OrBit malware infected servers while passing as a unique development.

The Linux malware OrBit, which has been secretly infecting servers and stealing passwords for almost four years, was not a unique development. Intezer researchers found that for years the attackers have been using a slightly modified version of the open-source Medusa project, published on GitHub back in 2022. Over that time the malware entered the arsenals of several hacker groups, including ransomware operators and participants in espionage campaigns.
OrBit was first described in the summer of 2022 as a sophisticated Linux rootkit that embeds itself in system libraries, hides processes, files and network connections, and intercepts passwords from SSH and sudo. Instead of contacting a command-and-control server, the attackers connected to infected machines through a built-in SSH backdoor. The malware hid its own files on the system and replaced the operation of more than 40 Linux system functions.
The researchers have now analyzed dozens of OrBit samples uploaded to VirusTotal between 2022 and 2026 and identified two main branches of the malware. The first, conventionally called Lineage A, contains the full feature set: credential theft, hiding of network activity, log evasion and interception of network traffic. The second branch, Lineage B, turned out to be a lightweight version lacking part of that functionality. Its authors removed PAM authentication interception, TCP port hiding and the network sniffer to reduce the size and visibility of the library.
Over several years the operators regularly changed the built-in logins and passwords, installation paths and string encryption keys. Some builds contained frankly provocative directory names such as /lib/fuckwhitehatshome/, while others were disguised as Linux system directories.
In 2023 the attackers added an xread function that let them bypass their own hooks on system calls so as not to break programs such as Git. Without that refinement, the malware could accidentally give away its presence through failures in network connections and file reads.
In 2025 OrBit received a particularly dangerous update. The malware learned to interfere with the server side of PAM authentication through the pam_sm_authenticate function. Through this mechanism, attackers can not only steal passwords but also allow or block a login at will.
At the same time a new infection scheme appeared. Instead of a simple installer, the operators began using a two-stage loader. The first component infected Linux ELF files and registered cron jobs that downloaded additional modules from the domain cf0[.]pw. The second component then installed the rootkit itself via ld.so.preload. In effect, OrBit gained a full-fledged remote control channel for the first time.
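One defender-side check for the ld.so.preload persistence described above (an added example, not code from the Intezer report or from OrBit/Medusa): it parses /etc/ld.so.preload, /proc/<pid>/maps and `ldconfig -p` text and flags a library that is either listed as a preload or mapped into every sampled process without being known to the linker cache. All inputs are constructed strings, and the rogue library path is a placeholder file name under the directory name the report quotes.

```python
import re
from collections import Counter

MAPS_RE = re.compile(r"^[0-9a-f]+-[0-9a-f]+ \S+ \S+ \S+ \d+\s+(/\S+)$")  # /proc/<pid>/maps row
CACHE_RE = re.compile(r"=> (/\S+)$")                                      # `ldconfig -p` row

def parse_preload(text):
    """Library paths listed in /etc/ld.so.preload (one per line, '#' starts a comment)."""
    entries = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return [e for e in entries if e]

def mapped_objects(maps_text):
    """File-backed mappings in one /proc/<pid>/maps dump, as a set of paths."""
    return {m.group(1) for m in map(MAPS_RE.match, maps_text.splitlines()) if m}

def cached_libraries(ldconfig_text):
    """Library paths the dynamic linker knows from its cache (`ldconfig -p` output)."""
    return {m.group(1) for m in map(CACHE_RE.search, ldconfig_text.splitlines()) if m}

def preload_findings(preload_text, maps_by_pid, ldconfig_text):
    """Return {library: reason} for objects that look like a forced preload.
    Signal 1: any entry in ld.so.preload at all (the file is normally absent).
    Signal 2: a .so mapped into every sampled process yet unknown to the linker cache;
    a DT_NEEDED dependency normally resolves via that cache, a forced preload need not."""
    findings = {lib: "listed in /etc/ld.so.preload" for lib in parse_preload(preload_text)}
    known = cached_libraries(ldconfig_text)
    counts = Counter(lib for text in maps_by_pid.values()
                     for lib in mapped_objects(text) if ".so" in lib)
    for lib, n in counts.items():
        if n == len(maps_by_pid) and lib not in known and lib not in findings:
            findings[lib] = "mapped in all %d processes but absent from ldconfig cache" % n
    return findings

# Constructed sample data, not captured from a real host. The library file name is a
# placeholder inside the provocative directory name quoted in the report.
ROGUE = "/lib/fuckwhitehatshome/libplaceholder.so"
LIBC = "/lib/x86_64-linux-gnu/libc.so.6"
PRELOAD_AS_SHOWN_ON_HOST = ""             # hooked open()/read() show the admin nothing
PRELOAD_FROM_RESCUE_MEDIA = ROGUE + "\n"  # the same file read without the rootkit's hooks
LDCONFIG = "\tlibc.so.6 (libc6,x86-64) => " + LIBC + "\n"

def fake_maps(binary):
    return "\n".join([
        "55d0a0000000-55d0a0010000 r-xp 00000000 08:01 1001   " + binary,
        "7f0000000000-7f0000020000 r-xp 00000000 08:01 2002   " + ROGUE,
        "7f0000100000-7f0000300000 r-xp 00000000 08:01 3003   " + LIBC,
        "7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0      [stack]",
    ])
MAPS = {101: fake_maps("/usr/sbin/sshd"), 202: fake_maps("/usr/bin/bash")}
```

Because the rootkit hooks libc's file functions, collect these inputs with a statically linked tool or from rescue media; a dynamically linked script on the infected host sees only what the hooks let it see.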
The researchers also found a link between the new OrBit loader and the RHOMBUS botnet seen in 2020. Both pieces of malware used the same architecture and the same domain to fetch the payload.
Additional interest in OrBit stems from its links to several well-known groups. According to CrowdStrike, the malware was used by the BLOCKADE SPIDER group to covertly establish persistence in VMware infrastructure before deploying the Embargo ransomware. In Mandiant reports, the same toolset appears in the operations of the Chinese espionage group UNC3886 against Juniper and VMware infrastructure.
Analysis of the source code showed that almost all of OrBit’s “new” features had been present in the open-source Medusa project since its publication. The operators merely enabled or disabled the required modules at build time. The study’s authors concluded that OrBit’s development looks more like configuring a ready-made kit than creating new malware.
At the same time, the first OrBit sample appeared a few months before Medusa was published on GitHub. The researchers believe that the authors either used a private version of the project before its public release, or the source code had long circulated among a limited circle of operators.