UNC3886 and BLOCKADE SPIDER: OrBit Rootkit Targets Linux to Steal SSH and Sudo Credentials

OrBit Linux Rootkit Evolves Over Four Years, Becomes Shared Tool for Cyber Threats

A stealthy Linux rootkit known as OrBit has been actively abused by threat actors for over four years, evolving from a custom-built tool into a widely adopted malware framework. Initially documented in 2022, OrBit was later revealed to be a repackaged version of Medusa, an open-source LD_PRELOAD rootkit published on GitHub in late 2022. Rather than developing new malware, attackers have modified and redeployed this publicly available codebase with varying configurations, credentials, and evasion techniques.

How OrBit Operates

OrBit functions as a userland rootkit, hijacking the system’s dynamic linker (ld.so) to inject a malicious shared library into every running process. This allows it to:

  • Intercept authentication flows by hooking into Pluggable Authentication Modules (PAM), capturing SSH and sudo credentials.
  • Store stolen credentials in hidden directories (e.g., /lib/libseconf/).
  • Hide its presence by manipulating over 40 libc functions, masking files, processes, and network connections from administrators.

Unlike traditional malware, OrBit operates as a passive implant, avoiding direct command-and-control (C2) communication. Instead, attackers access compromised systems via a hidden SSH backdoor.

Evolution and Variants

Researchers have identified two primary variants of OrBit:

  1. Lineage A – A full-featured version with credential harvesting, network hiding, packet capture, and backdoor access.
  2. Lineage B – A lighter variant with reduced functionality, likely designed to minimize detection.

Over time, attackers have rotated credentials, adjusted installation paths, and introduced compatibility fixes (e.g., a custom xread function to prevent system instability). Key developments include:

  • 2025: Introduction of audit log evasion and an advanced PAM hook capable of manipulating authentication outcomes.
  • 2025: Shift to a multi-stage infection chain, including a dropper and an infector that spreads via cron jobs and downloads payloads from remote domains, a first for OrBit.
  • 2026: Continued refinement, with infrastructure overlaps observed with the RHOMBUS botnet.

Widespread Adoption by Threat Actors

OrBit is no longer tied to a single group. Multiple threat actors have deployed it, including:

  • BLOCKADE SPIDER (ransomware-linked)
  • UNC3886 (state-backed espionage group)

This adoption highlights a broader trend: Linux environments, including critical infrastructure and virtualized systems, are increasingly targeted by shared malware toolkits.

Detection and Indicators of Compromise (IOCs)

Despite superficial changes (e.g., file paths, passwords), OrBit’s core behaviors remain consistent. Defenders are advised to monitor for:

  • Hidden filesystem artifacts (e.g., /lib/libseconf/).
  • Credential harvesting activity via PAM hooks.
  • Known hashes (see partial list below).

Sample IOCs (SHA-256)

Hash                                                              Year  Role      Lineage
40b5127c8cf9d6bec4dbeb61ba766a95c7b2d0cafafcb82ede5a3a679a3e3020  2022  Payload   A
3ba6c174a72e4bf5a10c8aaadab2c4b98702ee2308438e94a5512b69df998d5a  2023  Payload   B
a61386384173b352e3bd90dcef4c7268a73cd29f6ae343c15b92070b1354a349  2024  Payload   A
04c06be0f65d3ead95f3d3dd26fe150270ac8b58890e35515f9317fc7c7723c9  2025  Infector
d7b487d2e840c4546661f497af0195614fc0906c03d187dc39815c811ea5ec3f  2026  Payload   A
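The following triage script is an added example that ties the "How OrBit Operates" section to the detection guidance above; it is not code from the article, from SentinelOne, or from CrowdStrike. It checks the three places an LD_PRELOAD-style userland rootkit has to leave a trace to work: the /etc/ld.so.preload file, LD_PRELOAD in a process's environment, and the shared objects actually mapped into a process, and it looks up file hashes against the SHA-256 IOCs in the table above. The /lib/libseconf/ artifact directory and the hashes come from the article; the sample /proc data, the file name constructed-sample.so and the function names are constructed here for illustration.

```python
"""Triage helpers for LD_PRELOAD-style userland rootkits such as OrBit.

Added example, not the article's or any vendor's code. Artifact directory and
IOC hashes are taken from the article; the sample /proc contents below are
constructed so the script runs offline.
"""
import hashlib
import re

# SHA-256 IOCs exactly as listed in the article's table.
ORBIT_HASHES = {
    "40b5127c8cf9d6bec4dbeb61ba766a95c7b2d0cafafcb82ede5a3a679a3e3020": "2022 payload, lineage A",
    "3ba6c174a72e4bf5a10c8aaadab2c4b98702ee2308438e94a5512b69df998d5a": "2023 payload, lineage B",
    "a61386384173b352e3bd90dcef4c7268a73cd29f6ae343c15b92070b1354a349": "2024 payload, lineage A",
    "04c06be0f65d3ead95f3d3dd26fe150270ac8b58890e35515f9317fc7c7723c9": "2025 infector",
    "d7b487d2e840c4546661f497af0195614fc0906c03d187dc39815c811ea5ec3f": "2026 payload, lineage A",
}

# Hidden artifact directory named in the article. Note that it sits under
# /lib, so a plain "is this library in a standard prefix" check would miss it.
ARTIFACT_DIRS = ("/lib/libseconf/",)


def parse_preload_file(text):
    """Return the library paths listed in an /etc/ld.so.preload-style file.

    A clean system normally has no such file, or an empty one; any entry
    here is loaded into every dynamically linked process and deserves review.
    """
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # ld.so ignores '#' comments
        if line:
            libs.extend(p for p in re.split(r"[\s:]+", line) if p)
    return libs


def preloaded_libs_from_environ(environ_bytes):
    """/proc/<pid>/environ is NUL-separated KEY=VALUE pairs; extract LD_PRELOAD."""
    for entry in environ_bytes.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in re.split(r"[\s:]+", value) if p]
    return []


def unexpected_mapped_libs(maps_text, allowed_prefixes=("/lib", "/lib64", "/usr/lib")):
    """Parse /proc/<pid>/maps and return shared objects that live in a known
    artifact directory or outside the normal library prefixes.

    Caveat: a rootkit that hooks readdir/open/stat can hide its own files from
    an infected process, so collect /proc data from a known-clean process
    (e.g. a statically linked live-response toolkit), not from the host's shell.
    """
    hits = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # address perms offset dev inode pathname
        if len(parts) < 6:
            continue
        path = parts[5]
        if not (path.endswith(".so") or ".so." in path):
            continue
        in_artifact_dir = path.startswith(ARTIFACT_DIRS)
        outside_prefixes = not path.startswith(allowed_prefixes)
        if in_artifact_dir or outside_prefixes:
            hits.add(path)
    return sorted(hits)


def match_ioc_hash(data):
    """SHA-256 a file's bytes and return the IOC label if it is in the table."""
    return ORBIT_HASHES.get(hashlib.sha256(data).hexdigest())


def triage(preload_text, environ_bytes, maps_text):
    """Combine the three checks into one list of (finding, detail) tuples."""
    findings = [("ld.so.preload entry", p) for p in parse_preload_file(preload_text)]
    findings += [("LD_PRELOAD in environ", p) for p in preloaded_libs_from_environ(environ_bytes)]
    findings += [("unexpected mapped library", p) for p in unexpected_mapped_libs(maps_text)]
    return findings


# Constructed sample data resembling what a responder would copy out of /proc.
# The file name constructed-sample.so is a placeholder, not a real OrBit name.
SAMPLE_PRELOAD = "# constructed sample\n/lib/libseconf/constructed-sample.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/lib/libseconf/constructed-sample.so\0HOME=/root\0"
SAMPLE_MAPS = """\
7f00 r-xp 00000000 08:01 123 /usr/lib/x86_64-linux-gnu/libc.so.6
7f10 r-xp 00000000 08:01 456 /lib/libseconf/constructed-sample.so
7f20 r-xp 00000000 08:01 789 /usr/lib/security/pam_unix.so
"""

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_PRELOAD, SAMPLE_ENVIRON, SAMPLE_MAPS):
        print(f"[{kind}] {detail}")
```

In a real engagement, feed the functions the contents of /etc/ld.so.preload and of /proc/<pid>/environ and /proc/<pid>/maps for long-lived daemons such as sshd and cron, and hash the mapped libraries plus the PAM modules under the distribution's security directory with match_ioc_hash. Because the article notes that paths and passwords change between deployments while the hooking behaviour does not, treat any unexplained preload entry as the primary signal and the hash table only as confirmation.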

OrBit’s persistence and adaptability underscore the growing sophistication of Linux-targeted threats, with attackers leveraging open-source tools to evade detection and maintain long-term access.

Source: https://gbhackers.com/orbit-rootkit-targets-linux/

SentinelOne cybersecurity rating report: https://www.rankiteo.com/company/sentinelone

CrowdStrike cybersecurity rating report: https://www.rankiteo.com/company/crowdstrike

"id": "SENCRO1778848441",
"linkid": "sentinelone, crowdstrike",
"type": "Cyber Attack",
"date": "1/2022",
"severity": "100",
"impact": "8",
"explanation": "Attack that could bring to a war"
{'affected_entities': [{'industry': ['Critical Infrastructure',
                                     'Virtualized Systems'],
                        'type': 'Organizations using Linux systems'}],
 'attack_vector': 'LD_PRELOAD hijacking, PAM hooking, SSH backdoor',
 'data_breach': {'sensitivity_of_data': 'High (privileged access credentials)',
                 'type_of_data_compromised': 'Authentication credentials (SSH, '
                                             'sudo)'},
 'date_publicly_disclosed': '2022',
 'description': 'A stealthy Linux rootkit known as OrBit has been actively '
                'abused by threat actors for over four years, evolving from a '
                'custom-built tool into a widely adopted malware framework. '
                'Initially documented in 2022, OrBit was later revealed to be '
                'a repackaged version of Medusa, an open-source LD_PRELOAD '
                'rootkit. Attackers have modified and redeployed this publicly '
                'available codebase with varying configurations, credentials, '
                'and evasion techniques. OrBit functions as a userland '
                'rootkit, hijacking the system’s dynamic linker to inject a '
                'malicious shared library into every running process, '
                'intercepting authentication flows, storing stolen '
                'credentials, and hiding its presence.',
 'impact': {'data_compromised': 'SSH and sudo credentials, authentication '
                                'flows',
            'identity_theft_risk': 'High (stolen credentials)',
            'operational_impact': 'Long-term unauthorized access, hidden '
                                  'network connections, and process '
                                  'manipulation',
            'systems_affected': 'Linux systems, including critical '
                                'infrastructure and virtualized environments'},
 'initial_access_broker': {'backdoors_established': 'Hidden SSH backdoor',
                           'entry_point': 'LD_PRELOAD hijacking, SSH backdoor'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Linux environments are increasingly targeted by shared '
                    'malware toolkits, and open-source tools can be repurposed '
                    'for malicious use. Defenders must monitor for subtle '
                    'behavioral indicators and hidden artifacts.',
 'motivation': ['Espionage', 'Ransomware', 'Credential Harvesting'],
 'post_incident_analysis': {'corrective_actions': 'Enhanced monitoring for '
                                                  'Linux systems, detection of '
                                                  'hidden artifacts, and PAM '
                                                  'hooking activity.',
                            'root_causes': 'Repurposing of open-source '
                                           'LD_PRELOAD rootkit (Medusa) for '
                                           'malicious use, lack of detection '
                                           'for subtle behavioral indicators '
                                           'in Linux environments.'},
 'recommendations': ['Monitor for hidden filesystem artifacts (e.g., '
                     '/lib/libseconf/).',
                     'Detect PAM hooking activity and credential harvesting.',
                     'Use known IOCs (hashes, file paths) for detection.',
                     'Implement enhanced monitoring for Linux systems, '
                     'especially in critical infrastructure.'],
 'references': [{'source': 'Cybersecurity Research Report'}],
 'response': {'enhanced_monitoring': 'Monitoring for hidden filesystem '
                                     'artifacts, PAM hooking activity, and '
                                     'known IOCs'},
 'threat_actor': ['BLOCKADE SPIDER', 'UNC3886'],
 'title': 'OrBit Linux Rootkit Evolution and Widespread Adoption',
 'type': 'Rootkit',
 'vulnerability_exploited': 'Open-source LD_PRELOAD rootkit (Medusa) '
                            'repurposed for malicious use'}