OrBit Rootkit: Dynamic Linker Hijacking and the Commoditization of Linux Malware
For several years, a stealthy Linux rootkit known as OrBit has been quietly operating in the shadows of enterprise environments. While initially perceived as a bespoke, high-end piece of malware, recent forensic analysis reveals a more complex reality: OrBit is a highly evolved, repurposed toolkit that has transitioned from a niche tool into a widely adopted instrument for various threat actors.
First identified in 2022, OrBit leverages a sophisticated technique known as dynamic linker hijacking. By manipulating the system’s dynamic linker (ld.so), the rootkit ensures that a malicious shared library is injected into the memory space of every active process. This userland-based approach allows attackers to intercept critical system calls and authentication flows without needing to modify the Linux kernel itself.
A detailed technical report from Intezer clarifies that OrBit is actually a rebranded derivative of Medusa, an open-source LD_PRELOAD rootkit that surfaced on GitHub in late 2022. This discovery suggests that instead of investing in original R&D, modern threat actors are opting to refactor and harden existing open-source code to suit their specific operational requirements.
Unlike typical malware that relies on constant beaconing to a Command-and-Control (C2) server, OrBit functions primarily as a passive implant. It establishes a hidden SSH backdoor, allowing attackers to enter the system at will. Once inside, the rootkit hooks into the Pluggable Authentication Modules (PAM) framework. This allows it to intercept and log plaintext usernames and passwords during sudo elevation or SSH login attempts, subsequently caching them in obfuscated directories such as /lib/libseconf/.
Technical Architecture and Lineage Analysis
The true power of OrBit lies in its ability to manipulate the perception of the system administrator. By hooking more than 40 functions within libc, the rootkit can intercept requests to list files, view running processes, or check network sockets. To a standard administrator running ls, ps, or netstat, the system appears completely untainted.
Researchers have categorized the malware into two distinct developmental paths, or “Lineages”:
- Lineage A: The “Full-Featured” build. This version includes the complete suite of capabilities: credential harvesting, network obfuscation, packet sniffing, and active backdoor access.
- Lineage B: The “Lightweight” build. This variant strips away several high-profile features to minimize its computational footprint and reduce the likelihood of detection by heuristic-based EDR solutions. Interestingly, Lineage B often lacks embedded hardcoded passwords, suggesting a more modular authentication method.
As the malware progressed from 2022 toward 2026, the evolution was not marked by radical architectural shifts, but by incremental stability and evasion improvements. For instance, newer builds introduced a custom xread function to mitigate system crashes that would otherwise alert admins to the presence of the hooked libc. By 2025, the malware’s sophistication jumped significantly with the introduction of a multi-stage infection chain involving dedicated droppers and infectors that utilize cron jobs for persistent execution.
Most notably, the 2025 iterations broke the “passive” tradition by introducing limited external communication, downloading secondary payloads from remote domains—a move that brings OrBit much closer to traditional C2-driven malware behavior.
A Shared Toolkit: The Democratization of OrBit
The landscape of OrBit usage is increasingly crowded. While some infrastructure overlaps with the known RHOMBUS botnet, the malware has effectively become “commodity” high-end malware. It has been observed in the hands of diverse actors, ranging from the ransomware-affiliated BLOCKADE SPIDER to the highly sophisticated, state-sponsored espionage group UNC3886.
This shift from a single-actor tool to a shared toolkit means defenders cannot rely on attribution to predict an attack. Instead, the focus must shift toward behavioral detection. Monitoring for anomalous LD_PRELOAD configurations, unexpected writes to /lib/, and unauthorized modifications to PAM configuration files remains the most effective way to hunt for this threat.
Indicators of Compromise (IOCs)
| SHA256 Hash | Year | Role | Lineage |
|---|---|---|---|
| 40b5127c8cf9d6bec4dbeb61ba766a95c7b2d0cafafcb82ede5a3a679a3e3020 | 2022 | payload | A |
| ec7462c3f4a87430eb19d16cfd775c173f4ba60d2f43697743db991c3d1c3067 | 2022 | payload | A |
| f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8 | 2022 | dropper | – |
| d419a9b17f7b4c23fd4e80a9bce130d2a13c307fccc4bfbc4d49f6b770d06d3b | 2023 | payload | A |
| 296d28eb7b66aa2cbea7d9c2e7dc1ad6ce6f97d44d34139760c38817aec083e7 | 2023 | payload | A |
| 3ba6c174a72e4bf5a10c8aaadab2c4b98702ee2308438e94a5512b69df998d5a | 2023 | payload | B |
| 4203271c1a0c24443b7e85cbf066c9928fcc69934772a431d779017fb85c9d73 | 2023 | payload | B |
| eea274eddd712fe0b4434dbef6a2a92810cb13b8be3deca0571410ee78d37c9f | 2024 | payload | A |
| a61386384173b352e3bd90dcef4c7268a73cd29f6ae343c15b92070b1354a349 | 2024 | payload | A |
| a34299a16cf30dac1096c1d24188c72eed1f9d320b1585fe0de4692472e3d4dc | 2024 | payload | B |
| b1dd18a6a4b0c6e2589312bbec55b392a20a95824ffe630a73c94d24504c553d | 2024 | payload | B |
| 989f7eb4f805591839bcbc321dd44418eb5694d1342e37b7f24126817f10e37e | 2024 | payload (extracted) | B |
| 8ea420d9aa341ba23cdea0ac03951bce866c933ba297268bc7db8a01ce8e9b8e | 2024 | payload (static ELF) | A |
| 26082cd36fdaf76ec0d74b7fbf455418c49fbab64b20892a873c415c3bb60675 | 2024 | loader | – |
| 48a68d0555f850c36f7d338b1a42ed1a661043cacf2ba2a4b0a347fac3cb3ee6 | 2024 | dropper | – |
| fc2e0cb627a00d0e4509bd319271721ea74fb11150847213abe9e8fea060cc8a | 2024 | dropper | – |
| 8e83cbb2ed12faba9b452ea41291bcebdce08162f64ac9a5f82592df62f47613 | 2025 | payload | A |
| 2b2eeb2271c19e2097a0ef0d90b2b615c20f726590bbfee139403db1dced5b0a | 2025 | payload | A |
| 84828f31d741f92ce4bca98cfc2148ff8cff6663e2908a025b1386dd4953ffef | 2025 | payload (truncated) | A |
| 090b15fd8912cab340b22e715d44db079ec641db5e2f92916aa1f2bc9236e03e | 2025 | dropper | – |
| 64a3ebd3ad3927fc783f6ac020d5a6192e9778fb16b51cceba06e4ee5416adff | 2025 | dropper | – |
| b85ed15756568b85148c1d432a8920f81e4b21f2bc38f0cf51d06ced619e0e77 | 2025 | dropper | – |
| d3d204c19d93e5e37697c7f80dd0de9f76a2fb4517ced9cafd7d7d46a6e285ba | 2025 | dropper | – |
| 73b95b7d1006caf8d3477e4a9a0994eaa469e98b70b8c198a82c4a12c91ad49a | 2025 | infector | — |
| 04c06be0f65d3ead95f3d3dd26fe150270ac8b58890e35515f9317fc7c7723c9 | 2026 | payload | A |
| d7b487d2e840c4546661f497af0195614fc0906c03d187dc39815c811ea5ec3f | 2026 | payload | A |
| b982276458a85cd3dd7c8aa6cb4bbb2d4885b385053f92395a99abbfb0e43784 | 2020 | RHOMBUS dropper | – |
Security Advisory: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution. Please re-fang these indicators only within secure, controlled environments such as MISP, VirusTotal, or your organization’s SIEM.