Mallory
Malware · Used by 1 actor · Exploits 2 CVEs

Rekoobe

Rekoobe is a Linux trojan/backdoor that has been detected in the wild since at least 2015. Public reporting describes it as a backdoor that receives commands from an attacker-controlled server to download additional payloads, steal files, and execute a reverse shell. The reporting associates it with Chinese nation-state activity, particularly APT31 (also referred to as Zirconium), and one source notes that it partly derives from the Tiny SHell codebase.

In the cited reporting, Rekoobe was delivered as a later-stage payload in a supply-chain attack involving a malicious Go module, github.com/xinfeisoft/crypto, which impersonated the legitimate golang.org/x/crypto package. The module modified ssh/terminal/terminal.go and hooked ReadPassword() to capture plaintext credentials entered at terminal prompts, write them locally to /usr/share/nano/.lock, exfiltrate them to attacker-controlled infrastructure, and then execute a shell-script stager. The stager established persistence by appending an attacker SSH key to /home/ubuntu/.ssh/authorized_keys, weakened host defenses by setting the iptables default policies to ACCEPT, and downloaded additional payloads disguised with a .mp5 extension. The payload 555.mp5 was confirmed as the Rekoobe Linux backdoor; the staged payloads also included sss.mp5, a loader/reconnaissance component.

Infrastructure and indicators cited directly in the reporting include communication with 154.84.63.184 over TCP port 443, including at least one flow that did not resemble a standard TLS ClientHello; the staged payload names sss.mp5 and 555.mp5; the SHA-256 of 555.mp5, 8b0ec8d0318347874e117f1aed1b619892a7547308e437a20e02090e5f3d2da6; and the SHA-256 of sss.mp5, 4afdb3f5914beb0ebe3b086db5a83cef1d3c3c4312d18eff672dd0f6be2146bc. Separate Fortinet reporting states that malware in one FortiOS intrusion cluster bore similarities to Rekoobe malware commonly used by APT31, in campaigns targeting highly selected victims including government, critical infrastructure, manufacturing, consultancies, and service providers/ISPs.
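As an added example (not code from this page or from any cited report), the following Python hunting helpers apply the indicators above to constructed telemetry: go.mod lines that pull the impersonating module, port-443 flows to the reported C2 address whose first bytes are not a TLS ClientHello, and file hashes matching the two reported SHA-256 values. Only the indicator values come from the page; the record formats, the sample go.mod and the sample flows and hashes are constructed.

```python
"""Hunting helpers built from the Rekoobe indicators above (example code, not from any cited report)."""
import re

C2_IP = "154.84.63.184"                            # reported C2 address
MALICIOUS_MODULE = "github.com/xinfeisoft/crypto"  # impersonates golang.org/x/crypto
KNOWN_SHA256 = {                                   # reported staged payloads
    "8b0ec8d0318347874e117f1aed1b619892a7547308e437a20e02090e5f3d2da6": "555.mp5 (Rekoobe backdoor)",
    "4afdb3f5914beb0ebe3b086db5a83cef1d3c3c4312d18eff672dd0f6be2146bc": "sss.mp5 (loader/recon)",
}

def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04,
    2-byte length, then handshake type 0x01 (ClientHello)."""
    return (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04
            and first_bytes[5] == 0x01)

def assess_flow(flow: dict) -> list[str]:
    """flow = {"dst": str, "dport": int, "payload": bytes}; constructed record format."""
    findings = []
    if flow["dst"] == C2_IP:
        findings.append(f"contact with reported Rekoobe C2 {C2_IP}")
    if flow["dport"] == 443 and not looks_like_tls_client_hello(flow["payload"]):
        findings.append("port 443 client data without a TLS ClientHello (possible custom encrypted channel)")
    return findings

def find_malicious_module_lines(go_mod_text: str) -> list[str]:
    """Return go.mod lines (require or replace) that reference the impersonating module."""
    return [line.strip() for line in go_mod_text.splitlines()
            if MALICIOUS_MODULE in re.split(r"[\s=>]+", line)]

def match_hashes(observed: dict) -> dict:
    """observed = {path: sha256 hex}; returns {path: payload label} for known hashes."""
    return {p: KNOWN_SHA256[h.lower()] for p, h in observed.items() if h.lower() in KNOWN_SHA256}

SAMPLE_FLOWS = [  # constructed; 192.0.2.10 is a documentation address for the benign flow
    {"dst": "154.84.63.184", "dport": 443, "payload": bytes.fromhex("00124a8f7c2100")},
    {"dst": "192.0.2.10", "dport": 443, "payload": bytes.fromhex("160301010c010001")},
]
SAMPLE_GO_MOD = """module example.com/app
go 1.22
require golang.org/x/crypto v0.17.0
replace golang.org/x/crypto => github.com/xinfeisoft/crypto v0.0.0-00010101000000-000000000000
"""  # constructed go.mod; the replace line swaps in the impersonating module
SAMPLE_HASHES = {"/tmp/555.mp5": "8B0EC8D0318347874E117F1AED1B619892A7547308E437A20E02090E5F3D2DA6",
                 "/bin/ls": "0" * 64}  # constructed observations

if __name__ == "__main__":
    print([assess_flow(f) for f in SAMPLE_FLOWS], find_malicious_module_lines(SAMPLE_GO_MOD), match_hashes(SAMPLE_HASHES))
```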


EXPLOITED CVES

Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2022-42475: FortiOS/FortiProxy SSL-VPN Heap-Based Buffer Overflow RCE

This malware bears similarities to Rekoobe Malware, which is commonly used by APT31.

via Fortinet PSIRT blog (fortinet.com)

CVE-2023-27997: XORtigate, FortiOS/FortiProxy SSL-VPN Heap-Based Buffer Overflow RCE

This malware bears similarities to Rekoobe Malware, which is commonly used by APT31.

via Fortinet PSIRT blog (fortinet.com)

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Zirconium (APT31)

This malware bears similarities to Rekoobe Malware, which is commonly used by APT31.

via Fortinet PSIRT blog (fortinet.com)
MITRE ATT&CK

Techniques & procedures

17 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1195.001 Compromise Software Dependencies and Development Tools (evidence: 4)

"A malicious Go module, disguised as a legitimate crypto library... exploits namespace confusion to appear routine in dependency graphs."

T1195.002 Compromise Software Supply Chain (evidence: 1)

“uncovered a malicious Go module, github[.]com/xinfeisoft/crypto, that imitates the legitimate golang.org/x/crypto codebase but inserts a backdoor…”

Execution

3 techniques
T1059 Command and Scripting Interpreter (evidence: 1)

“deploys the Rekoobe backdoor…”; “new Windows RAT named Moonrise…”

T1059.004 Unix Shell (evidence: 4)

"Upon successful exfiltration, the module fetches and executes a shell script. This script acts as a Linux stager..."

T1204.005 Malicious Library (evidence: 1)

“Any application that vendors or imports this module and invokes ReadPassword becomes a credential collection point.”

Persistence

1 technique
T1098.004 SSH Authorized Keys (evidence: 1)

"adding a threat actor's SSH key to the 'authorized_keys' file"

Stealth

3 techniques
T1036.008 Masquerade File Type (evidence: 1)

“downloads additional payloads… while disguising them with the .mp5 extension”

T1070 Indicator Removal (evidence: 1)

"executes them, and deletes them from disk to reduce forensic evidence."

T1070.004 File Deletion (evidence: 1)

“then deletes the dropped files to reduce on disk artifacts”

Collection

2 techniques
T1005 Data from Local System (evidence: 1)

"...steal files..."

T1056.001 Keylogging (evidence: 2)

"injects malicious code into the 'ssh/terminal/terminal.go' file... within the 'ReadPassword()' function... capture sensitive credentials entered by users at terminal password prompts"

Command and Control

4 techniques
T1071 Application Layer Protocol (evidence: 1)

"The backdoor is capable of receiving commands from an attacker-controlled server to download more payloads, steal files, and execute a reverse shell."

T1071.001 Web Protocols (evidence: 1)

“exfiltrates passwords via HTTP POST… fetches a GitHub hosted ‘update’ resource”

T1105 Ingress Tool Transfer (evidence: 4)

"downloading further payloads. One of these payloads is a reconnaissance or loader program, while the other is the Rekoobe backdoor"

T1573 Encrypted Channel (evidence: 1)

"communicated with 154[.]84[.]63[.]184 over TCP port 443 without a standard TLS handshake, suggesting custom encrypted traffic designed to pass as HTTPS."

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

"capture sensitive credentials... and send them to a remote endpoint."

Other

1 technique
T1562.004 Disable or Modify System Firewall (evidence: 1)

"loosening firewall restrictions by setting iptables policies to ACCEPT"

INDICATORS OF COMPROMISE

IOCs tracked for this family

20 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Hashes (20 tracked)

File hashes (MD5, SHA-1, SHA-256) from samples and reports.
