Threat Bulletin: Fire in the Woods – A New Variant of FireWood
Essential information
- Published: 15/08/2025 11:38
- Modified: 15/08/2025 13:07
- Tags: 2025-08-15 backdoor firewood kernel rootkit linux project wood rat tea encryption
- Related entities: 1 intrusion set (APT), 10 techniques (MITRE), 1 malware, 2 others
Description
A new, low-detection variant of the FireWood Linux backdoor has been discovered. It changes implementation details and configuration while keeping the core functionality intact. The backdoor, which belongs to the 'Project Wood' malware lineage, operates as a remote access trojan on Linux systems and relies on kernel-level rootkit modules and TEA-based encryption for stealth and persistence. The new variant modifies the execution flow, alters network communication, and updates the file paths it uses. It removes some commands and adds others, including a new 'auto-kill' feature. Samples originating from Iran and the Philippines have been found, indicating a potentially wide distribution. The backdoor has possible connections to the China-aligned Gelsemium APT group, though this attribution remains uncertain.