OrBit Rootkit: Dynamic Linker Hijacking and the Commoditization of Linux Malware

For several years, a stealthy Linux rootkit known as OrBit has been quietly operating in the shadows of enterprise environments. While initially perceived as a bespoke, high-end piece of malware, recent forensic analysis reveals a more complex reality: OrBit is a highly evolved, repurposed toolkit that has transitioned from a niche tool into a widely adopted instrument for various threat actors.

First identified in 2022, OrBit leverages a sophisticated technique known as dynamic linker hijacking. By manipulating the system’s dynamic linker (ld.so), the rootkit ensures that a malicious shared library is injected into the memory space of every active process. This userland-based approach allows attackers to intercept critical system calls and authentication flows without needing to modify the Linux kernel itself.

A detailed technical report from Intezer clarifies that OrBit is actually a rebranded derivative of Medusa, an open-source LD_PRELOAD rootkit that surfaced on GitHub in late 2022. This discovery suggests that instead of investing in original R&D, modern threat actors are opting to refactor and harden existing open-source code to suit their specific operational requirements.

Unlike typical malware that relies on constant beaconing to a Command-and-Control (C2) server, OrBit functions primarily as a passive implant. It establishes a hidden SSH backdoor, allowing attackers to enter the system at will. Once inside, the rootkit hooks into the Pluggable Authentication Modules (PAM) framework. This allows it to intercept and log plaintext usernames and passwords during sudo elevation or SSH login attempts, subsequently caching them in obfuscated directories such as /lib/libseconf/.

Technical Architecture and Lineage Analysis

The true power of OrBit lies in its ability to manipulate the perception of the system administrator. By hooking more than 40 functions within libc, the rootkit can intercept requests to list files, view running processes, or check network sockets. To a standard administrator running ls, ps, or netstat, the system appears completely untainted.

Researchers have categorized the malware into two distinct developmental paths, or “Lineages”:

  • Lineage A: The “Full-Featured” build. This version includes the complete suite of capabilities: credential harvesting, network obfuscation, packet sniffing, and active backdoor access.
  • Lineage B: The “Lightweight” build. This variant strips away several high-profile features to minimize its computational footprint and reduce the likelihood of detection by heuristic-based EDR solutions. Interestingly, Lineage B often lacks embedded hardcoded passwords, suggesting a more modular authentication method.

As the malware progressed from 2022 toward 2026, the evolution was not marked by radical architectural shifts, but by incremental stability and evasion improvements. For instance, newer builds introduced a custom xread function to mitigate system crashes that would otherwise alert admins to the presence of the hooked libc. By 2025, the malware’s sophistication jumped significantly with the introduction of a multi-stage infection chain involving dedicated droppers and infectors that utilize cron jobs for persistent execution.

Most notably, the 2025 iterations broke the “passive” tradition by introducing limited external communication, downloading secondary payloads from remote domains—a move that brings OrBit much closer to traditional C2-driven malware behavior.

A Shared Toolkit: The Democratization of OrBit

The landscape of OrBit usage is increasingly crowded. While some infrastructure overlaps with the known RHOMBUS botnet, the malware has effectively become “commodity” high-end malware. It has been observed in the hands of diverse actors, ranging from the ransomware-affiliated BLOCKADE SPIDER to the highly sophisticated, state-sponsored espionage group UNC3886.

This shift from a single-actor tool to a shared toolkit means defenders cannot rely on attribution to predict an attack. Instead, the focus must shift toward behavioral detection. Monitoring for anomalous LD_PRELOAD configurations, unexpected writes to /lib/, and unauthorized modifications to PAM configuration files remains the most effective way to hunt for this threat.

Indicators of Compromise (IOCs)

SHA256 Hash Year Role Lineage
40b5127c8cf9d6bec4dbeb61ba766a95c7b2d0cafafcb82ede5a3a679a3e3020 2022 payload A
ec7462c3f4a87430eb19d16cfd775c173f4ba60d2f43697743db991c3d1c3067 2022 payload A
f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8 2022 dropper
d419a9b17f7b4c23fd4e80a9bce130d2a13c307fccc4bfbc4d49f6b770d06d3b 2023 payload A
296d28eb7b66aa2cbea7d9c2e7dc1ad6ce6f97d44d34139760c38817aec083e7 2023 payload A
3ba6c174a72e4bf5a10c8aaadab2c4b98702ee2308438e94a5512b69df998d5a 2023 payload B
4203271c1a0c24443b7e85cbf066c9928fcc69934772a431d779017fb85c9d73 2023 payload B
eea274eddd712fe0b4434dbef6a2a92810cb13b8be3deca0571410ee78d37c9f 2024 payload A
a61386384173b352e3bd90dcef4c7268a73cd29f6ae343c15b92070b1354a349 2024 payload A
a34299a16cf30dac1096c1d24188c72eed1f9d320b1585fe0de4692472e3d4dc 2024 payload B
b1dd18a6a4b0c6e2589312bbec55b392a20a95824ffe630a73c94d24504c553d 2024 payload B
989f7eb4f805591839bcbc321dd44418eb5694d1342e37b7f24126817f10e37e 2024 payload (extracted) B
8ea420d9aa341ba23cdea0ac03951bce866c933ba297268bc7db8a01ce8e9b8e 2024 payload (static ELF) A
26082cd36fdaf76ec0d74b7fbf455418c49fbab64b20892a873c415c3bb60675 2024 loader
48a68d0555f850c36f7d338b1a42ed1a661043cacf2ba2a4b0a347fac3cb3ee6 2024 dropper
fc2e0cb627a00d0e4509bd319271721ea74fb11150847213abe9e8fea060cc8a 2024 dropper
8e83cbb2ed12faba9b452ea41291bcebdce08162f64ac9a5f82592df62f47613 2025 payload A
2b2eeb2271c19e2097a0ef0d90b2b615c20f726590bbfee139403db1dced5b0a 2025 payload A
84828f31d741f92ce4bca98cfc2148ff8cff6663e2908a025b1386dd4953ffef 2025 payload (truncated) A
090b15fd8912cab340b22e715d44db079ec641db5e2f92916aa1f2bc9236e03e 2025 dropper
64a3ebd3ad3927fc783f6ac020d5a6192e9778fb16b51cceba06e4ee5416adff 2025 dropper
b85ed15756568b85148c1d432a8920f81e4b21f2bc38f0cf51d06ced619e0e77 2025 dropper
d3d204c19d93e5e37697c7f80dd0de9f76a2fb4517ced9cafd7d7d46a6e285ba 2025 dropper
73b95b7d1006caf8d3477e4a9a0994eaa469e98b70b8c198a82c4a12c91ad49a 2025 infector
04c06be0f65d3ead95f3d3dd26fe150270ac8b58890e35515f9317fc7c7723c9 2026 payload A
d7b487d2e840c4546661f497af0195614fc0906c03d187dc39815c811ea5ec3f 2026 payload A
b982276458a85cd3dd7c8aa6cb4bbb2d4885b385053f92395a99abbfb0e43784 2020 RHOMBUS dropper

Security Advisory: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution. Please re-fang these indicators only within secure, controlled environments such as MISP, VirusTotal, or your organization’s SIEM.

Related Articles

Back to top button