REPTILE
Reptile is an open-source Linux rootkit, described in the content as a 2020-era kernel-space rootkit with backdoor capabilities. It is implemented as a loadable kernel module (LKM) and uses inline function patching through a custom framework called KHOOK. The content states that Reptile can communicate with command-and-control infrastructure using TLS over raw TCP. It is also described as having a loader that directly invokes the init_module syscall with an in-memory decrypted kernel blob, and a kmatryoshka module that acts as an in-kernel chainloader to decrypt and load another hidden LKM using a direct pointer to sys_init_module located via kallsyms_on_each_symbol().
The malware is associated in the content with UNC3886 activity. Researchers observed UNC3886 deploying REPTILE, alongside MEDUSA, after exploiting VMware vCenter and ESXi vulnerabilities. The rootkits were used on targeted virtual machines and during the RedPenguin campaign, where REPTILE and MEDUSA were used to hide attacker activity, maintain persistence, and support credential theft on compromised systems. The broader targeting context in the content includes VMware environments, ESXi hosts, and virtual machines.
The content also describes persistence and stealth behaviors attributed to Reptile. It installs a malicious udev rule under /etc/udev/rules.d/ that executes /lib/udev/reptile when /dev/random is added. Reptile is noted as using process or thread masquerading, including naming activity after kworker. In a related case, researchers confirmed that a kernel module named kworkerx was a modified version of the open-source Reptile project. That modified Reptile-based module was reported to hide files, processes, directories, and network connections; hook tcp4_seq_show to hide traffic on port 443; hook fillonedir, filldir, filldir64, and vfs_read to conceal filesystem and process artifacts; and hook inet_ioctl for user-space control using an ioctl trigger value of 0xE0E0E0E.
High-confidence indicators and artifacts directly mentioned in the content include the path /lib/udev/reptile, the persistence location /etc/udev/rules.d/, process masquerading as kworker, and the ioctl trigger value 0xE0E0E0E in the modified Reptile-derived kworkerx module.
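The udev rule quoted in this profile (ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/lib/udev/reptile") fires on the add event for the character device 1:8, which is /dev/random, so the helper runs at every boot with no dependency on real hardware. The following Python hunt script is an added example and is not code from the Reptile project or from any source cited here. It parses udev rule files, flags RUN+= entries triggered by mem-class device nodes, and flags RUN+= helpers absent from a baseline; the sample rule files and the baseline helper list are constructed for the example, and a real deployment would build the baseline from the gold image's package manifests.

```python
import glob
import os
import re

# Constructed sample rule files (not taken from a real host). The second
# reproduces the rule shape described in the profile above.
SAMPLE_RULES = {
    "/etc/udev/rules.d/70-persistent-net.rules":
        'SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:11:22:33:44:55", NAME="eth0"\n',
    "/etc/udev/rules.d/99-local.rules":
        '# locally added\n'
        'ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/lib/udev/reptile"\n',
}

# Assumed baseline of RUN+= helpers expected on the host (illustrative only;
# derive it from package manifests of the gold image in practice).
BASELINE_HELPERS = {"/lib/udev/hwdb", "/usr/lib/udev/mtd_probe", "/usr/sbin/alsactl"}

# udev rule tokens look like KEY=="value", ENV{NAME}=="value", RUN+="program"
TOKEN_RE = re.compile(r'([A-Z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|:=|=)\s*"([^"]*)"')


def parse_rule(line):
    """Return (key, op, value) tuples for one udev rule line."""
    return TOKEN_RE.findall(line)


def check_rule(line):
    """Return reason strings for a single rule line; empty if nothing is notable."""
    tokens = parse_rule(line)
    keys = {k: (op, v) for k, op, v in tokens}
    runs = [v for k, op, v in tokens if k == "RUN" and op == "+="]
    if not runs:
        return []
    reasons = []
    # MAJOR 1 is the mem device class (/dev/null, /dev/zero, /dev/random ...).
    # A RUN+= keyed on an add of such a node executes unconditionally at boot.
    if keys.get("ACTION") == ("==", "add") and keys.get("ENV{MAJOR}") == ("==", "1"):
        minor = keys.get("ENV{MINOR}", ("", "?"))[1]
        reasons.append(f"RUN triggered by add of mem-class device 1:{minor}")
    for prog in runs:
        exe = prog.split()[0]  # RUN+= may carry arguments after the program path
        if exe not in BASELINE_HELPERS:
            reasons.append(f"RUN helper not in baseline: {exe}")
    return reasons


def scan_rules(files):
    """Scan a mapping of {path: file_text}; return (path, lineno, reason) tuples."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            for reason in check_rule(stripped):
                findings.append((path, lineno, reason))
    return findings


def scan_host(rules_dir="/etc/udev/rules.d"):
    """Read every *.rules file under rules_dir from a live or mounted system."""
    files = {}
    for p in sorted(glob.glob(os.path.join(rules_dir, "*.rules"))):
        with open(p, errors="replace") as fh:
            files[p] = fh.read()
    return scan_rules(files)


if __name__ == "__main__":
    for path, lineno, reason in scan_rules(SAMPLE_RULES):
        print(f"{path}:{lineno}: {reason}")
```

Because the profile also notes that Reptile hooks filldir, filldir64, fillonedir and vfs_read to hide files, run scan_host() against a mounted disk image or a rules directory copied out of band rather than trusting reads from the live, possibly hooked kernel; a rules file that differs between the live host and the offline image is itself a finding.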
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Researchers observed the group deploying Linux rootkits, including REPTILE and MEDUSA, after exploiting vCenter and ESXi vulnerabilities.
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
UNC3886 has used the publicly available rootkits REPTILE and MEDUSA.
Initial Access
1 technique
Researchers observed the group deploying Linux rootkits, including REPTILE and MEDUSA, after exploiting vCenter and ESXi vulnerabilities.
Execution
1 technique
Persistence
6 techniques
The Reptile rootkit demonstrates this technique by installing a malicious udev rule under /etc/udev/rules.d/: ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/lib/udev/reptile"
Privilege Escalation
4 techniques
The Reptile rootkit demonstrates this technique by installing a malicious udev rule under /etc/udev/rules.d/: ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/lib/udev/reptile"
Stealth
7 techniques
Researchers observed the group deploying Linux rootkits, including REPTILE and MEDUSA, after exploiting vCenter and ESXi vulnerabilities. The implants helped hide attacker activity, maintain persistence, and support credential theft across compromised systems.
To avoid scrutiny during process enumeration or system monitoring, rootkits often rename their processes and threads to match benign system components. Common disguises include: kworker, migration, or rcu_sched... sshd, systemd, dbus-daemon, or bash.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Sometimes that means hiding files or processes. Other times it means suppressing logs, concealing outbound connections, or masking remote access entirely.
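Genuine kernel threads such as kworker/N:M share properties a user-space process cannot easily fake from the outside: their parent is kthreadd (pid 2), /proc/<pid>/cmdline is empty, and /proc/<pid>/exe does not resolve. The Python check below is an added example for the masquerading behaviour described above and is not code from the Reptile project or any cited researcher. It scores process records against those properties; the name pattern, the ProcRecord layout and the sample records are constructed for the example (the suspicious exe path is a placeholder, not an indicator from this page).

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Kernel-thread name shapes that the profile lists as disguises. The pattern is
# an assumption of this example, not an exhaustive list.
KTHREAD_NAME_RE = re.compile(r"^(kworker/|migration/|ksoftirqd/|rcu_sched$)")
KTHREADD_PID = 2  # every kernel thread is a child of kthreadd


@dataclass
class ProcRecord:
    pid: int
    ppid: int
    comm: str              # contents of /proc/<pid>/comm
    cmdline: str           # contents of /proc/<pid>/cmdline, empty for kernel threads
    exe: Optional[str]     # readlink(/proc/<pid>/exe), None when it does not resolve


# Constructed sample records: one real-looking kworker, one user-space process
# that has renamed itself, and an ordinary daemon.
SAMPLE_PROCS = [
    ProcRecord(pid=23, ppid=2, comm="kworker/0:1", cmdline="", exe=None),
    ProcRecord(pid=4417, ppid=1, comm="kworker/u8:3",
               cmdline="kworker/u8:3", exe="/placeholder/path/masquerading-binary"),
    ProcRecord(pid=1234, ppid=1, comm="sshd", cmdline="/usr/sbin/sshd -D", exe="/usr/sbin/sshd"),
]


def masquerade_reasons(rec: ProcRecord) -> List[str]:
    """Return why a kernel-thread-named process looks like user space; empty if consistent."""
    if not KTHREAD_NAME_RE.match(rec.comm):
        return []
    reasons = []
    if rec.ppid != KTHREADD_PID:
        reasons.append(f"parent is pid {rec.ppid}, not kthreadd")
    if rec.cmdline:
        reasons.append("kernel threads have an empty cmdline")
    if rec.exe is not None:
        reasons.append(f"/proc/{rec.pid}/exe resolves to {rec.exe}")
    return reasons


def scan(records):
    """Return (pid, comm, reasons) for every record that fails the consistency checks."""
    hits = []
    for rec in records:
        reasons = masquerade_reasons(rec)
        if reasons:
            hits.append((rec.pid, rec.comm, reasons))
    return hits


def read_proc(proc_root="/proc"):
    """Build ProcRecords from a live or mounted /proc (for real hosts)."""
    records = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            with open(os.path.join(base, "status")) as fh:
                ppid = next(int(l.split()[1]) for l in fh if l.startswith("PPid:"))
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(os.path.join(base, "exe"))
            except OSError:
                exe = None  # kernel threads and zombies have no resolvable exe
        except (OSError, StopIteration):
            continue  # process exited while we were reading it
        records.append(ProcRecord(int(name), ppid, comm, cmdline, exe))
    return records


if __name__ == "__main__":
    for pid, comm, reasons in scan(SAMPLE_PROCS):
        print(pid, comm, "; ".join(reasons))
```

This catches the user-space side of the disguise. Since the profile also reports the kernel module hooking fillonedir, filldir and filldir64 to hide processes, a clean result from read_proc() on the live host is not conclusive; corroborate with a memory image or a second enumeration source (for example, the process table seen by the hypervisor) before clearing a system.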
Command and Control
5 techniques
FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure. REPTILE can use TLS over raw TCP for secure C2.
The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.
Recent activity
12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Linux rootkit used to hide attacker activity, maintain persistence, and support credential theft on compromised systems, including VMware environments.
A Linux rootkit with a custom loader that directly invokes init_module and uses a kmatryoshka chainloader; also discussed for udev-based persistence, port knocking, masquerading via kworker, and indirect execution persistence techniques.
Modern Linux kernel rootkit/backdoor using inline function patching (via KHOOK framework) and a userspace loader; supports stealth and backdoor commands (e.g., signal-triggered actions).
... REPTILE ... (v1.0) ...
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.