OrBit Rootkit Steals SSH & Sudo Credentials from Hackers Harvest
For years, the stealthy OrBit rootkit has quietly targeted Linux systems. It operates by stealing login credentials and deeply embedding itself within compromised machines, often evading detection...
For years, the stealthy OrBit rootkit has quietly targeted Linux systems. It operates by stealing login credentials and deeply embedding itself within compromised machines, often evading detection from most security tools.
New research reveals that what was once believed to be a custom-built threat is actually a modified version of a publicly available rootkit, spreading across the globe through multiple hacker groups.
OrBit works by embedding itself into the core of a Linux system, hooking into more than forty basic system functions so that it becomes almost completely invisible.
Once inside a machine, it listens for login attempts through SSH and sudo, capturing usernames and passwords and saving them in a hidden directory that standard system scans cannot detect.
The attacker then connects back to the compromised system through a secret SSH backdoor, never needing to send commands across the internet.
Researchers at Intezer, said in a report shared with Cyber Security News (CSN), identified that OrBit is not original code at all.
It is actually built from a publicly available rootkit called Medusa, published on GitHub in December 2022.
The operator work done by hackers was not about writing new code but about configuring existing source files, rotating passwords, and changing install paths to stay hidden.
Hackers Use OrBit Rootkit
Intezer’s analysis tracked more than a dozen samples spanning from 2022 through early 2026.
The team walked each sample through static and differential analysis and discovered two separate build paths: a full-featured version called Lineage A, which carries the complete attack toolkit, and a stripped-down version called Lineage B, which drops several features for a lighter footprint.
Lineage B appears to have stopped surfacing after 2024, suggesting operators may have consolidated back into the main build.
OrBit is deployed as a shared library file on the target Linux machine. It achieves persistence by modifying the dynamic linker configuration so that the malicious library loads automatically into every process running on the system.
From that position, it intercepts file reads, directory listings, and network connection data, making itself invisible to both administrators and security tools.
The malware stores captured credentials and configuration data in a hidden directory called /lib/libseconf/, which standard tools cannot see due to the rootkit’s own hooks.
The most significant capability jump came in 2025, when the newest build added a hook called pam_sm_authenticate, a server-side authentication function.
Where earlier versions could only passively collect credentials when users typed them, this new version can also forge authentication outcomes, meaning attackers can approve or deny login attempts on a compromised system at will.
That same year, a new two-stage delivery chain appeared: an infector embeds a dropper, which then extracts and installs the rootkit, with a cron job created to fetch updated payloads from an external domain.
Multiple Hacker Groups Are Exploiting This Backdoor
One of the most alarming findings from this research is that at least three distinct hacker groups have been using OrBit.
The state-sponsored espionage group UNC3886, tracked by Mandiant, used the same codebase with a specific 0xAA encryption key, distinct credentials, and an install path that matched Intezer’s 2024 Lineage A samples exactly.
CrowdStrike noted in its 2026 Global Threat Report that BLOCKADE SPIDER, an eCrime group known for Embargo ransomware, used OrBit to quietly maintain access inside VMware virtualization environments.
A third campaign observed in 2025 used a dropper architecture identical to one linked to RHOMBUS, a Linux-based botnet first reported in 2020, with both droppers sharing the same C2 domain resolving to infrastructure in Russia.
Defenders are advised to monitor for co-occurring filenames such as sshpass.txt, .logpam, and .ports appearing inside unexpected directories, as these are fixed artifacts of the Medusa build pipeline regardless of which operator compiled the rootkit.
YARA rules that decode the XOR string table with a variable key and match on known plaintext entries can catch any version of this family, even builds using fresh credentials and renamed install paths.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| SHA256 | 40b5127c8cf9d6bec4dbeb61ba766a95c7b2d0cafafcb82ede5a3a679a3e3020 | 2022 OrBit payload, Lineage A |
| SHA256 | ec7462c3f4a87430eb19d16cfd775c173f4ba60d2f43697743db991c3d1c3067 | 2022 OrBit payload, Lineage A |
| SHA256 | f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8 | 2022 dropper |
| SHA256 | d419a9b17f7b4c23fd4e80a9bce130d2a13c307fccc4bfbc4d49f6b770d06d3b | 2023 payload, Lineage A |
| SHA256 | 296d28eb7b66aa2cbea7d9c2e7dc1ad6ce6f97d44d34139760c38817aec083e7 | 2023 payload, Lineage A |
| SHA256 | 3ba6c174a72e4bf5a10c8aaadab2c4b98702ee2308438e94a5512b69df998d5a | 2023 payload, Lineage B |
| SHA256 | 4203271c1a0c24443b7e85cbf066c9928fcc69934772a431d779017fb85c9d73 | 2023 payload, Lineage B |
| SHA256 | eea274eddd712fe0b4434dbef6a2a92810cb13b8be3deca0571410ee78d37c9f | 2024 payload, Lineage A |
| SHA256 | a61386384173b352e3bd90dcef4c7268a73cd29f6ae343c15b92070b1354a349 | 2024 payload, Lineage A |
| SHA256 | a34299a16cf30dac1096c1d24188c72eed1f9d320b1585fe0de4692472e3d4dc | 2024 payload, Lineage B |
| SHA256 | b1dd18a6a4b0c6e2589312bbec55b392a20a95824ffe630a73c94d24504c553d | 2024 payload, Lineage B |
| SHA256 | 989f7eb4f805591839bcbc321dd44418eb5694d1342e37b7f24126817f10e37e | 2024 payload (extracted), Lineage B |
| SHA256 | 8ea420d9aa341ba23cdea0ac03951bce866c933ba297268bc7db8a01ce8e9b8e | 2024 payload (static ELF), Lineage A |
| SHA256 | 26082cd36fdaf76ec0d74b7fbf455418c49fbab64b20892a873c415c3bb60675 | 2024 loader/installer |
| SHA256 | 48a68d0555f850c36f7d338b1a42ed1a661043cacf2ba2a4b0a347fac3cb3ee6 | 2024 dropper |
| SHA256 | fc2e0cb627a00d0e4509bd319271721ea74fb11150847213abe9e8fea060cc8a | 2024 dropper |
| SHA256 | 8e83cbb2ed12faba9b452ea41291bcebdce08162f64ac9a5f82592df62f47613 | 2025 payload, Lineage A |
| SHA256 | 2b2eeb2271c19e2097a0ef0d90b2b615c20f726590bbfee139403db1dced5b0a | 2025 payload, Lineage A |
| SHA256 | 84828f31d741f92ce4bca98cfc2148ff8cff6663e2908a025b1386dd4953ffef | 2025 payload (truncated), Lineage A |
| SHA256 | 090b15fd8912cab340b22e715d44db079ec641db5e2f92916aa1f2bc9236e03e | 2025 dropper |
| SHA256 | 64a3ebd3ad3927fc783f6ac020d5a6192e9778fb16b51cceba06e4ee5416adff | 2025 dropper |
| SHA256 | b85ed15756568b85148c1d432a8920f81e4b21f2bc38f0cf51d06ced619e0e77 | 2025 dropper |
| SHA256 | d3d204c19d93e5e37697c7f80dd0de9f76a2fb4517ced9cafd7d7d46a6e285ba | 2025 dropper |
| SHA256 | 73b95b7d1006caf8d3477e4a9a0994eaa469e98b70b8c198a82c4a12c91ad49a | 2025 two-stage infector |
| SHA256 | 04c06be0f65d3ead95f3d3dd26fe150270ac8b58890e35515f9317fc7c7723c9 | 2026 payload, Lineage A |
| SHA256 | d7b487d2e840c4546661f497af0195614fc0906c03d187dc39815c811ea5ec3f | 2026 payload, Lineage A |
| SHA256 | b982276458a85cd3dd7c8aa6cb4bbb2d4885b385053f92395a99abbfb0e43784 | 2020 RHOMBUS dropper (shared architecture) |
| URL | http://cf0[.]pw/0 | C2 domain used in 2025 cron-based persistence mechanism |
| IP Address | 109.95.212[.]253 | Current resolution of C2 domain cf0[.]pw, Russia-based infrastructure |
| IP Address | 109.95.211[.]141 | Related infrastructure sharing same BANNER_0_HASH-IP value, Russia-based |
| File Path | /lib/libseconf/ | Primary hidden working directory used across most OrBit variants |
| File Path | /lib/libntpVnQE6mk/ | Original 2022 OrBit hidden working directory |
| File Path | /lib/locate/ | Alternate install path used in UNC3886/MEDUSA 2024 cluster |
| File Name | sshpass.txt | Credential storage file artifact, fixed across Medusa build pipeline |
| File Name | .logpam | PAM credential log artifact, fixed across Medusa build pipeline |
| File Name | /etc/cron.hourly/0 | Persistence script dropped by 2025 infector for remote payload download |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.