A dangerous rootkit called OrBit has been quietly targeting Linux systems for years, stealing login credentials and hiding deep inside infected machines without triggering most security tools.
New research reveals that what was once believed to be a custom-built threat is actually a modified version of a publicly available rootkit, spreading across the globe through multiple hacker groups.
OrBit works by embedding itself into the core of a Linux system, hooking into more than forty basic system functions so that it becomes almost completely invisible.
Once inside a machine, it listens for login attempts through SSH and sudo, capturing usernames and passwords and saving them in a hidden directory that standard system scans cannot detect.
The attacker then connects back to the compromised system through a secret SSH backdoor, never needing to send commands across the internet.
Researchers at Intezer, in a report shared with Cyber Security News (CSN), found that OrBit is not original code at all.
It is actually built from a publicly available rootkit called Medusa, published on GitHub in December 2022.
The work done by the operators was not writing new code but configuring existing source files, rotating passwords, and changing install paths to stay hidden.
Hackers Use OrBit Rootkit
Intezer’s analysis tracked more than a dozen samples spanning from 2022 through early 2026.
The team walked each sample through static and differential analysis and discovered two separate build paths: a full-featured version called Lineage A, which carries the complete attack toolkit, and a stripped-down version called Lineage B, which drops several features for a lighter footprint.
Lineage B appears to have stopped surfacing after 2024, suggesting operators may have consolidated back into the main build.
OrBit is deployed as a shared library file on the target Linux machine. It achieves persistence by modifying the dynamic linker configuration so that the malicious library loads automatically into every process running on the system.
From that position, it intercepts file reads, directory listings, and network connection data, making itself invisible to both administrators and security tools.
The malware stores captured credentials and configuration data in a hidden directory called /lib/libseconf/, which standard tools cannot see due to the rootkit’s own hooks.
The most significant capability jump came in 2025, when the newest build added a hook called pam_sm_authenticate, a server-side authentication function.
Where earlier versions could only passively collect credentials when users typed them, this new version can also forge authentication outcomes, meaning attackers can approve or deny login attempts on a compromised system at will.
That same year, a new two-stage delivery chain appeared: an infector embeds a dropper, which then extracts and installs the rootkit, with a cron job created to fetch updated payloads from an external domain.
Multiple Hacker Groups Are Exploiting This Backdoor
One of the most alarming findings from this research is that at least three distinct hacker groups have been using OrBit.
The state-sponsored espionage group UNC3886, tracked by Mandiant, used the same codebase with a specific 0xAA encryption key, distinct credentials, and an install path that matched Intezer’s 2024 Lineage A samples exactly.
CrowdStrike noted in its 2026 Global Threat Report that BLOCKADE SPIDER, an eCrime group known for Embargo ransomware, used OrBit to quietly maintain access inside VMware virtualization environments.
A third campaign observed in 2025 used a dropper architecture identical to one linked to RHOMBUS, a Linux-based botnet first reported in 2020, with both droppers sharing the same C2 domain resolving to infrastructure in Russia.
Defenders are advised to monitor for co-occurring filenames such as sshpass.txt, .logpam, and .ports appearing inside unexpected directories, as these are fixed artifacts of the Medusa build pipeline regardless of which operator compiled the rootkit.
YARA rules that decode the XOR string table with a variable key and match on known plaintext entries can catch any version of this family, even builds using fresh credentials and renamed install paths.
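The three defensive checks described above (the persistence mechanism in the dynamic linker configuration, the co-occurring Medusa artifact filenames, and the XOR string-table decode with a variable key) are implemented below as an added example; this is not Intezer's or CSN's tooling. It assumes the "dynamic linker configuration" the article refers to is /etc/ld.so.preload, and the directory tree, string-table fragment and preload file it scans are constructed inline for the demo. The filenames, working directories and the 0xAA key come from the article.

```python
"""Offline triage helpers for the OrBit/Medusa artifacts described above.
Added example, not Intezer's or CSN's tooling. Paths and filenames are from
the article; the sample data at the bottom is constructed for the demo."""
import os
import tempfile

# Filenames the article lists as fixed artifacts of the Medusa build pipeline.
MEDUSA_ARTIFACTS = {"sshpass.txt", ".logpam", ".ports"}
# Hidden working directories from the article's IoC table.
KNOWN_ORBIT_DIRS = ("/lib/libseconf/", "/lib/libntpVnQE6mk/", "/lib/locate/")
# Known plaintext entries to look for after decoding an XOR'd string table.
KNOWN_PLAINTEXT = [b"/lib/libseconf/", b"sshpass.txt", b".logpam"]


def find_artifact_clusters(root, min_hits=2):
    """Walk a tree and return (directory, artifacts) for every directory
    holding at least `min_hits` Medusa artifact names together.
    Run this against an offline-mounted image or from rescue media: on a
    live host the rootkit hooks directory listings, so os.walk may be blind."""
    clusters = []
    for dirpath, _dirnames, filenames in os.walk(root):
        found = MEDUSA_ARTIFACTS & set(filenames)
        if len(found) >= min_hits:
            clusters.append((dirpath, sorted(found)))
    return clusters


def xor_known_plaintext_hits(blob, plaintexts=KNOWN_PLAINTEXT):
    """Brute-force every single-byte XOR key over `blob` and report which
    keys reveal a known plaintext entry. Same idea as a YARA rule that
    decodes the string table with a variable key: fresh credentials or a
    renamed install path don't matter if one known string survives."""
    hits = {}
    for key in range(256):
        decoded = bytes(b ^ key for b in blob)
        matched = [p.decode() for p in plaintexts if p in decoded]
        if matched:
            hits[key] = matched
    return hits


def flagged_preload_entries(preload_text, known_dirs=KNOWN_ORBIT_DIRS):
    """Parse the text of an ld.so.preload-style file (assumption: this is the
    'dynamic linker configuration' the article describes) and return the
    entries that live under a known OrBit working directory."""
    flagged = []
    for line in preload_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if any(entry.startswith(d) for d in known_dirs):
            flagged.append(entry)
    return flagged


# --- constructed sample data for a stand-alone run ------------------------

def build_constructed_tree():
    """Create a throwaway tree imitating an infected image: all three
    artifacts together under lib/libseconf, plus a lone sshpass.txt
    elsewhere that must NOT be reported on its own."""
    root = tempfile.mkdtemp(prefix="orbit_demo_")
    hidden = os.path.join(root, "lib", "libseconf")
    os.makedirs(hidden)
    for name in MEDUSA_ARTIFACTS:
        open(os.path.join(hidden, name), "w").close()
    lone = os.path.join(root, "home", "user")
    os.makedirs(lone)
    open(os.path.join(lone, "sshpass.txt"), "w").close()
    return root


# Constructed string-table fragment: plaintext XOR'd with the 0xAA key the
# article attributes to the UNC3886 samples; surrounding bytes are filler.
SAMPLE_KEY = 0xAA
SAMPLE_BLOB = bytes(b ^ SAMPLE_KEY for b in b"padding\x00/lib/libseconf/\x00more")

# Constructed ld.so.preload content; the library filename is made up.
SAMPLE_PRELOAD = "# system preload\n/lib/libseconf/libseconf.so\n"

if __name__ == "__main__":
    demo_root = build_constructed_tree()
    print("artifact clusters:", find_artifact_clusters(demo_root))
    print("xor hits:", xor_known_plaintext_hits(SAMPLE_BLOB))
    print("flagged preload:", flagged_preload_entries(SAMPLE_PRELOAD))
```

The `min_hits=2` threshold is the point of the first check: a single sshpass.txt in a home directory is noise, but two or more of the fixed Medusa names in the same directory is a strong signal regardless of which operator built the sample. The XOR check reports every key that yields a known string, so a build that changed the key from 0xAA is still caught.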
Indicators of Compromise (IoCs):

Type | Indicator | Description
SHA256 | 40b5127c8cf9d6bec4dbeb61ba766a95c7b2d0cafafcb82ede5a3a679a3e3020 | 2022 OrBit payload, Lineage A
SHA256 | ec7462c3f4a87430eb19d16cfd775c173f4ba60d2f43697743db991c3d1c3067 | 2022 OrBit payload, Lineage A
SHA256 | f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8 | 2022 dropper
SHA256 | d419a9b17f7b4c23fd4e80a9bce130d2a13c307fccc4bfbc4d49f6b770d06d3b | 2023 payload, Lineage A
SHA256 | 296d28eb7b66aa2cbea7d9c2e7dc1ad6ce6f97d44d34139760c38817aec083e7 | 2023 payload, Lineage A
SHA256 | 3ba6c174a72e4bf5a10c8aaadab2c4b98702ee2308438e94a5512b69df998d5a | 2023 payload, Lineage B
SHA256 | 4203271c1a0c24443b7e85cbf066c9928fcc69934772a431d779017fb85c9d73 | 2023 payload, Lineage B
SHA256 | eea274eddd712fe0b4434dbef6a2a92810cb13b8be3deca0571410ee78d37c9f | 2024 payload, Lineage A
SHA256 | a61386384173b352e3bd90dcef4c7268a73cd29f6ae343c15b92070b1354a349 | 2024 payload, Lineage A
SHA256 | a34299a16cf30dac1096c1d24188c72eed1f9d320b1585fe0de4692472e3d4dc | 2024 payload, Lineage B
SHA256 | b1dd18a6a4b0c6e2589312bbec55b392a20a95824ffe630a73c94d24504c553d | 2024 payload, Lineage B
SHA256 | 989f7eb4f805591839bcbc321dd44418eb5694d1342e37b7f24126817f10e37e | 2024 payload (extracted), Lineage B
SHA256 | 8ea420d9aa341ba23cdea0ac03951bce866c933ba297268bc7db8a01ce8e9b8e | 2024 payload (static ELF), Lineage A
SHA256 | 26082cd36fdaf76ec0d74b7fbf455418c49fbab64b20892a873c415c3bb60675 | 2024 loader/installer
SHA256 | 48a68d0555f850c36f7d338b1a42ed1a661043cacf2ba2a4b0a347fac3cb3ee6 | 2024 dropper
SHA256 | fc2e0cb627a00d0e4509bd319271721ea74fb11150847213abe9e8fea060cc8a | 2024 dropper
SHA256 | 8e83cbb2ed12faba9b452ea41291bcebdce08162f64ac9a5f82592df62f47613 | 2025 payload, Lineage A
SHA256 | 2b2eeb2271c19e2097a0ef0d90b2b615c20f726590bbfee139403db1dced5b0a | 2025 payload, Lineage A
SHA256 | 84828f31d741f92ce4bca98cfc2148ff8cff6663e2908a025b1386dd4953ffef | 2025 payload (truncated), Lineage A
SHA256 | 090b15fd8912cab340b22e715d44db079ec641db5e2f92916aa1f2bc9236e03e | 2025 dropper
SHA256 | 64a3ebd3ad3927fc783f6ac020d5a6192e9778fb16b51cceba06e4ee5416adff | 2025 dropper
SHA256 | b85ed15756568b85148c1d432a8920f81e4b21f2bc38f0cf51d06ced619e0e77 | 2025 dropper
SHA256 | d3d204c19d93e5e37697c7f80dd0de9f76a2fb4517ced9cafd7d7d46a6e285ba | 2025 dropper
SHA256 | 73b95b7d1006caf8d3477e4a9a0994eaa469e98b70b8c198a82c4a12c91ad49a | 2025 two-stage infector
SHA256 | 04c06be0f65d3ead95f3d3dd26fe150270ac8b58890e35515f9317fc7c7723c9 | 2026 payload, Lineage A
SHA256 | d7b487d2e840c4546661f497af0195614fc0906c03d187dc39815c811ea5ec3f | 2026 payload, Lineage A
SHA256 | b982276458a85cd3dd7c8aa6cb4bbb2d4885b385053f92395a99abbfb0e43784 | 2020 RHOMBUS dropper (shared architecture)
URL | http://cf0[.]pw/0 | C2 domain used in 2025 cron-based persistence mechanism
IP Address | 109.95.212[.]253 | Current resolution of C2 domain cf0[.]pw, Russia-based infrastructure
IP Address | 109.95.211[.]141 | Related infrastructure sharing same BANNER_0_HASH-IP value, Russia-based
File Path | /lib/libseconf/ | Primary hidden working directory used across most OrBit variants
File Path | /lib/libntpVnQE6mk/ | Original 2022 OrBit hidden working directory
File Path | /lib/locate/ | Alternate install path used in UNC3886/MEDUSA 2024 cluster
File Name | sshpass.txt | Credential storage file artifact, fixed across Medusa build pipeline
File Name | .logpam | PAM credential log artifact, fixed across Medusa build pipeline
File Name | /etc/cron.hourly/0 | Persistence script dropped by 2025 infector for remote payload download
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post Hackers Use OrBit Rootkit to Harvest SSH and Sudo Credentials From Linux Systems appeared first on Cyber Security News.