NoodleRAT
NoodleRAT is a backdoor malware family with both Windows and Linux variants. The Windows variant (Win.NOODLERAT) has been observed in at least two command-structure clusters, referred to as Type 0x03A2 and Type 0x132A, which differ in command IDs and feature sets. Reported Windows capabilities include module initialization and execution, file upload and download, recursive directory listing, pipe-based communication, and starting a TCP server that proxies packets to the C2 server; the Type 0x132A cluster also includes a self-delete function. Reporting associates Type 0x03A2 with Iron Tiger and other unidentified espionage clusters, while Type 0x132A is attributed only to Calypso APT, suggesting one shared variant and one more exclusive variant.
The Linux variant (Linux.NOODLERAT) is an ELF backdoor with a different design from the Windows version; it is tracked as a distinct family despite similarities to other Linux backdoors such as Rekoobe and Tiny SHell. Reported Linux capabilities include reverse shell access, file upload and download, scheduled execution, SOCKS tunneling, and initialization. Reported behavioral details include copying itself to /tmp/CCCCCCCC, spoofing its process name by overwriting argv, decrypting embedded configuration data with RC4 using the hardcoded key "r0st@#$", and connecting to a configured C2 server.
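Two of the Linux behaviors above can be checked directly. The Python below is an added example, not code from this page or from any vendor's tooling: it implements RC4 with the reported key and sweeps an unpacked sample for an offset that decrypts to a host:port string (the page gives no configuration layout, so the sweep is offset-agnostic), and it flags processes whose argv[0] disagrees with the binary behind /proc/<pid>/exe or whose binary is /tmp/CCCCCCCC. The sample blob, the 203.0.113.10:443 string and the process list are constructed for the demonstration, and the host:port regex is an assumption about what the decrypted configuration contains.

```python
import os
import re

# Values reported for Linux.NOODLERAT on this page.
NOODLERAT_RC4_KEY = b"r0st@#$"         # hardcoded key for the embedded configuration
NOODLERAT_DROP_PATH = "/tmp/CCCCCCCC"  # path the implant copies itself to


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Assumed shape of a decrypted C2 entry: IPv4 or hostname, then :port.
C2_RE = re.compile(rb"(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}):\d{1,5}")


def sweep_rc4_config(blob: bytes, key: bytes = NOODLERAT_RC4_KEY, window: int = 64) -> list:
    """Known-key sweep over an unpacked sample: treat every offset as the start of an
    RC4-encrypted region, decrypt `window` bytes and keep offsets whose plaintext
    contains a host:port. Validate any hit by hand before trusting it."""
    hits = []
    for off in range(len(blob) - 8):
        m = C2_RE.search(rc4(key, blob[off:off + window]))
        if m:
            hits.append((off, m.group().decode()))
    return hits


def argv_spoof_candidates(procs) -> list:
    """Triage signal for argv[0] overwriting. `procs` is an iterable of (pid, argv0, exe).
    Flags a process when its executable is the reported drop path, or when argv[0]
    (what `ps` shows) does not match the binary mapped at /proc/<pid>/exe. Expect
    false positives from daemons that rewrite their own title (sshd, postgres, interpreters)."""
    flagged = []
    for pid, argv0, exe in procs:
        real = exe.removesuffix(" (deleted)")  # unlinked-after-exec binaries carry this suffix
        reasons = []
        if real == NOODLERAT_DROP_PATH:
            reasons.append("exe is the reported NoodleRAT drop path")
        if os.path.basename(argv0) != os.path.basename(real):
            reasons.append(f"argv[0] {argv0!r} does not match exe {exe!r}")
        if reasons:
            flagged.append((pid, reasons))
    return flagged


def read_procs() -> list:
    """Collect (pid, argv0, exe) from /proc on a live Linux host. Reading other users'
    exe links needs root; kernel threads have an empty cmdline and are skipped."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\x00")[0].decode(errors="replace")
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue
        if argv0:
            procs.append((int(pid), argv0, exe))
    return procs


# Constructed sample data (not from a real sample): a fake header, an RC4-encrypted
# C2 string at offset 32, trailing junk, and a process list with one spoofed entry.
SAMPLE_CONFIG = b"203.0.113.10:443\x00"
SAMPLE_BLOB = b"\x7fELF" + b"\x00" * 28 + rc4(NOODLERAT_RC4_KEY, SAMPLE_CONFIG) + b"\xff" * 16
SAMPLE_PROCS = [
    (1234, "/usr/sbin/sshd", "/usr/sbin/sshd"),            # clean
    (4321, "[kworker/0:1]", "/tmp/CCCCCCCC (deleted)"),    # argv[0] posing as a kernel thread
    (5555, "sshd: /usr/sbin/sshd -D", "/usr/sbin/sshd"),   # benign title rewrite: false positive
]

if __name__ == "__main__":
    for off, c2 in sweep_rc4_config(SAMPLE_BLOB):
        print(f"config candidate at offset {off}: {c2}")
    for pid, reasons in argv_spoof_candidates(SAMPLE_PROCS):
        print(pid, "; ".join(reasons))
    if os.path.isdir("/proc"):  # live host: same check over real processes
        for pid, reasons in argv_spoof_candidates(read_procs()):
            print(pid, "; ".join(reasons))
```

The sweep only works on a sample whose configuration is stored RC4-encrypted under the reported key and is already unpacked; a packed or re-keyed build yields no hits, which is a signal in itself. The argv check is a hunting aid to be combined with the drop-path and C2 indicators, not a standalone detection.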
NoodleRAT has been described as shared among multiple groups conducting espionage or cybercrime. Reporting links Linux NoodleRAT to Chinese-speaking or China-linked activity, including use by Rocke in financially motivated operations, the Cloud Snooper espionage campaign, and broader use by Chinese espionage and cybercrime groups. It is also listed alongside ShadowPad, GODZILLA, IOX, GOST, Wstunnel, RingQ, and VShell as a related family in reporting on the China-aligned SHADOW-EARTH-053 campaign. In that reporting, Linux NoodleRAT backdoors were found after exploitation of React2Shell (CVE-2025-55182), a remote code execution flaw in React Server Components, and separate sandbox telemetry showed NOODLERAT ELF samples retrieved from 194[.]38[.]11[.]3:1790 (an address that also served a ShadowPad sample) using check[.]office365-update[.]com as C2; the link between those samples and SHADOW-EARTH-053 is reported with low confidence. Targeting mentioned in that reporting includes government, defense, technology, transportation, and critical infrastructure organizations, particularly in South Asia, Southeast Asia, and East Asia.
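The two network indicators above are quoted defanged, and matching them against telemetry needs a refang step plus a decision about how strict the match is. The Python below is an added example, not code from this page or from Mallory: it refangs the indicators, then scans Zeek-style conn and dns rows for them, reporting an exact IP:port hit separately from the same IP on another port (the page notes the address also served ShadowPad) and a subdomain hit separately from an exact domain hit. The log rows are constructed for the demonstration; the clean hosts use RFC 5737 documentation addresses.

```python
import ipaddress

# Indicators as quoted (defanged) on this page.
DEFANGED_IOCS = ["194[.]38[.]11[.]3:1790", "check[.]office365-update[.]com"]


def refang(ioc: str) -> str:
    """Undo common defanging so the value can be compared against telemetry."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":").replace("hxxp", "http")


def parse_ioc(ioc: str) -> tuple:
    """Return ('ip' | 'domain', host, port-or-None) from a defanged indicator."""
    value = refang(ioc).strip().lower()
    host, sep, port = value.rpartition(":")
    if not sep:
        host, port = value, ""
    try:
        ipaddress.ip_address(host)
        kind = "ip"
    except ValueError:
        kind = "domain"
    return (kind, host, int(port) if port else None)


def match_conn(conn_log: str, iocs) -> list:
    """Match Zeek-style conn rows (ts uid orig_h orig_p resp_h resp_p proto, tab-separated)
    against IP indicators. 'ip+port' is the strong signal; 'ip-only' means the same
    address on a different port and deserves a look but not the same confidence."""
    ip_iocs = [(host, port) for kind, host, port in map(parse_ioc, iocs) if kind == "ip"]
    hits = []
    for line in conn_log.splitlines():
        if not line or line.startswith("#"):
            continue
        _, uid, _, _, resp_h, resp_p, _ = line.split("\t")
        for host, port in ip_iocs:
            if resp_h == host:
                hits.append((uid, "ip+port" if port in (None, int(resp_p)) else "ip-only"))
    return hits


def match_dns(dns_log: str, iocs) -> list:
    """Match Zeek-style dns rows (ts uid orig_h query) against domain indicators,
    treating a subdomain of the indicator as a separate, weaker hit."""
    domains = [host for kind, host, _ in map(parse_ioc, iocs) if kind == "domain"]
    hits = []
    for line in dns_log.splitlines():
        if not line or line.startswith("#"):
            continue
        _, uid, _, query = line.split("\t")
        q = query.lower().rstrip(".")
        for d in domains:
            if q == d:
                hits.append((uid, "domain"))
            elif q.endswith("." + d):
                hits.append((uid, "subdomain"))
    return hits


# Constructed log rows (not real telemetry).
CONN_LOG = """\
1765010000.1\tC1\t10.0.0.5\t51000\t194.38.11.3\t1790\ttcp
1765010001.2\tC2\t10.0.0.5\t51001\t194.38.11.3\t443\ttcp
1765010002.3\tC3\t10.0.0.9\t51002\t203.0.113.7\t443\ttcp
"""
DNS_LOG = """\
1765010000.0\tD1\t10.0.0.5\tcheck.office365-update.com
1765010003.0\tD2\t10.0.0.7\tupdate.office365.com
1765010004.0\tD3\t10.0.0.8\tmail.check.office365-update.com.
"""

if __name__ == "__main__":
    print(match_conn(CONN_LOG, DEFANGED_IOCS))
    print(match_dns(DNS_LOG, DEFANGED_IOCS))
```

Indicator matches are the lowest-fidelity layer here: the address and domain can be reassigned, the reporting attributes the NOODLERAT samples to SHADOW-EARTH-053 only with low confidence, and a hit should be followed up with the host-side checks (drop path, argv spoofing, RC4 configuration) rather than treated as attribution on its own.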
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
In a separate instance, the incident responders found Linux NoodleRat backdoors deployed after Shadow-Earth-053 exploited another widely-abused Microsoft security hole: React2Shell (CVE-2025-55182), a critical flaw in React Server Components that can allow attackers to run arbitrary code on vulnerable servers.
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
During our analysis, we discovered that there are different types of Win.NOODLERAT that implement various command IDs... Linux.NOODLERAT is an ELF version of Noodle RAT, but with a different design.
These samples were NOODLERAT ELF files, a malware family that is shared among multiple groups performing espionage or cybercrime.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
The Chinese spies typically gain initial access to victim environments via vulnerable Microsoft Exchange Servers... The years-old ProxyLogon (CVE-2021-26855), which can be chained with other Microsoft Exchange Server bugs (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to achieve remote code execution, is a favorite.
Command and Control
2 techniques
I'm concerned about what they are leaving behind: What type of C2 on a sleep cycle is still lingering in these environments?
In mid-December 2025, SHADOW-EARTH-053 retrieved one ShadowPad sample from the IP address 194[.]38[.]11[.]3 listening on port 1790. Sandbox telemetry showed Linux samples being retrieved from the same IP and port in early December. These samples were NOODLERAT ELF files...
IOCs tracked for this family
15 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Verticals Targeted: Government, Defense, Technology, Transportation, Critical Infrastructure
Regions Targeted: South Asia, Southeast Asia, East Asia
Related Families: ShadowPad, GODZILLA, NOODLERAT, IOX, GOST, Wstunnel, RingQ, VShell
A backdoor used by Chinese espionage and cybercrime groups, observed here on Linux systems after exploitation of a server-side vulnerability.
NOODLERAT is a Linux ELF remote access malware family used by multiple groups for espionage or cybercrime; in this case samples were linked with low confidence to SHADOW-EARTH-053 and used the domain check[.]office365-update[.]com as C&C.
A backdoor/RAT used by Chinese espionage and cybercrime groups, observed here on Linux systems following exploitation of a server-side vulnerability.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.