{
  "name": "Chinese Hackers Attacking Linux Devices With New SSH Backdoor",
  "slug": "chinese-hackers-attacking-linux-devices-with-new-ssh-backdoor",
  "description": "Chinese hackers, specifically the DaggerFly espionage group, are targeting Linux devices with a sophisticated SSH backdoor called ELF/Sshdinjector.A!tr. The Lunar Peek campaign, active since mid-November 2024, primarily focuses on network appliances and IoT devices. The attack involves a dropper that deploys malicious binaries, including a modified SSH library and infected versions of common utilities. The core backdoor communicates with a remote C2 server, enabling system information gathering, data exfiltration, and arbitrary command execution. The malware uses a custom communication protocol with hardcoded identifiers and can perform various actions through specific command IDs. Users are advised to keep their antivirus definitions up to date to mitigate the threat.",
  "published": "2025-02-05T21:05:24+00:00",
  "created_at": "2025-02-05T21:05:24+00:00",
  "modified_at": "2025-02-05T21:18:50+00:00",
  "created_at_opencti": "2025-02-05T21:05:24+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-02-05",
    "c2 server",
    "iot",
    "linux",
    "lunar peek campaign",
    "network appliances",
    "ssh backdoor"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "45.125.64.200"
      },
      {
        "id": "",
        "name": "0e2ed47c0a1ba3e1f07711fb90ac8d79cb3af43e82aa4151e5c7d210c96baebb"
      },
      {
        "id": "",
        "name": "94e8540ea39893b6be910cfee0331766e4a199684b0360e367741facca74191f"
      }
    ],
    "intrusion_sets": [
      {
        "id": "d680653a-b1d8-4051-905d-f24788e1a77c",
        "name": "DaggerFly",
        "slug": "daggerfly"
      }
    ],
    "attack_patterns": [
      {
        "id": "e87116ac-f56b-4b15-a5e2-a4ed737555d5",
        "name": "T1543.002"
      },
      {
        "id": "f65930b0-5581-4f3d-a367-a86ac78f407b",
        "name": "T1021.004"
      },
      {
        "id": "14ea0786-b57c-4a30-8e4e-46944d17eb18",
        "name": "T1036.004"
      },
      {
        "id": "41af8283-2fa5-469e-9c29-e8ad77b4f224",
        "name": "T1014"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ]
  },
  "external_refs": [
    "https://cybersecuritynews.com/chinese-hackers-attacking-linux-devices/",
    "https://otx.alienvault.com/pulse/67a3e0a43d76e9a2654dfdc4"
  ]
}