OrBit Rootkit Targets Linux to Steal SSH and Sudo Credentials

Evolving Cyber Threat: The OrBit Rootkit Continues to Target Linux Systems

Security researchers report that attackers are still deploying OrBit, a sophisticated Linux rootkit that has now been in active use for four years. The malware's main purpose is to harvest SSH and sudo credentials, and it has proven remarkably resilient and adaptable since it was first identified in 2022.

When OrBit was first analyzed, cybersecurity experts categorized it as a custom-built Linux userland rootkit. Its main mechanism involves hijacking the system’s dynamic linker (ld.so), ensuring that a malicious shared library is automatically loaded into every running process on the machine. This method allows attackers to intercept authentication flows, effectively capturing sensitive credentials while simultaneously cloaking their activity from system administrators.

According to a detailed report from cybersecurity firm Intezer, OrBit is not a bespoke creation at all: it is a repackaged variant of an open-source rootkit called Medusa, which became publicly available on GitHub in late 2022. Rather than developing new malware from scratch, the criminals behind it have been repurposing publicly accessible code, tweaking its configuration, credentials and stealth techniques to suit their objectives.

Once embedded in a system, OrBit installs itself as a passive implant. It does not rely on traditional command-and-control communication to coordinate with its operators; instead it exposes a concealed SSH backdoor through which attackers can reach compromised systems without drawing attention.

One of the more alarming features of OrBit is its integration with Pluggable Authentication Modules (PAM). This allows the rootkit to covertly capture usernames and passwords from SSH logins and sudo commands, with the harvested credentials stored in hidden directories, such as /lib/libseconf/. This operational stealth makes it exceedingly difficult for system administrators to detect unauthorized activity.

The rootkit's stealth capabilities are extensive: it hooks more than 40 standard C library (libc) functions, which lets OrBit conceal files, processes and network connections, so that infected systems appear clean and unaltered even under thorough inspection.

Over the years, researchers tracking OrBit’s variants from 2022 to 2026 have identified two primary branches of the rootkit: Lineage A and Lineage B. Lineage A represents a comprehensive build that includes a range of features from credential harvesting to network cloaking, and even packet capture. In contrast, Lineage B is a streamlined version designed to minimize its footprint and reduce the risk of detection. Notably, samples from Lineage B often lack embedded passwords, hinting at the employment of alternative authentication mechanisms.

The core code of OrBit has not undergone significant alterations; instead, attackers have opted to rotate credentials, modify installation paths, and adjust certain functionalities. For instance, recent variants have incorporated compatibility fixes, such as a custom “xread” function to mitigate system instability that could risk exposing the rootkit’s presence.

A significant evolution took place in 2025 when attackers adopted a multi-stage infection chain. This model pairs a dropper with an infector that propagates the malware across systems and establishes persistence through cron jobs. Unlike earlier iterations, this variant does make limited use of external communication, including the ability to download additional payloads from a remote domain, a notable shift towards command-and-control-like behavior.

Infrastructure tied to the latest campaigns reveals overlaps with prior malware activities, including connections to the RHOMBUS botnet, although definitive attribution remains unclear. Multiple threat groups, including those associated with ransomware such as BLOCKADE SPIDER and state-backed entities like UNC3886, have adopted OrBit, signaling a more systemic and widespread use for credential theft and system infiltration in a variety of environments, including critical infrastructure and virtualized systems.

Cybersecurity experts caution that defenders should shift their focus away from attributing attacks to specific threat actors and towards detecting the underlying behaviors of the Medusa-based rootkit. Consistent patterns in OrBit's builds, hidden file system artifacts and its credential-harvesting techniques remain reliable indicators of compromise and should be prioritized in defending against this evolving threat.
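As an added defensive example (not code from the article or from Intezer's report), the Python script below checks for the two artifacts described above: it lists a directory through the raw getdents64 syscall and compares that with libc's readdir view, so a file that a libc-hooking userland rootkit hides (such as a /lib/libseconf/ directory) shows up as the difference, and it parses /etc/ld.so.preload, a common dynamic-linker preload hook point rather than one the article names. It assumes x86_64 Linux (syscall number 217) and a rootkit that hooks readdir but not libc's syscall() wrapper; make_dirent64 builds a constructed buffer for offline use.

```python
import ctypes
import os
import struct

SYS_GETDENTS64_X86_64 = 217  # assumed: syscall number for x86_64 Linux only
DIRENT_HDR = struct.Struct("<QqHB")  # linux_dirent64 header: d_ino, d_off, d_reclen, d_type

def parse_dirent64(buf):
    """Decode raw linux_dirent64 records, as getdents64 fills them, into entry names."""
    names, off = [], 0
    while off + DIRENT_HDR.size <= len(buf):
        _ino, _off, reclen, _type = DIRENT_HDR.unpack_from(buf, off)
        if reclen < DIRENT_HDR.size:  # malformed record; stop rather than loop forever
            break
        start = off + DIRENT_HDR.size
        names.append(buf[start:buf.index(b"\0", start)].decode("utf-8", "replace"))
        off += reclen
    return names

def make_dirent64(names):
    """Build a constructed getdents64 buffer for offline tests (not real kernel output)."""
    out = b""
    for i, name in enumerate(names, 1):
        raw = name.encode() + b"\0"
        reclen = (DIRENT_HDR.size + len(raw) + 7) // 8 * 8  # records are 8-byte aligned
        out += DIRENT_HDR.pack(1000 + i, i, reclen, 4) + raw.ljust(reclen - DIRENT_HDR.size, b"\0")
    return out

def raw_listdir(path):
    """List a directory via the getdents64 syscall, bypassing libc's opendir/readdir hooks."""
    libc = ctypes.CDLL(None, use_errno=True)
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    buf, names = ctypes.create_string_buffer(1 << 16), []
    try:
        while (n := libc.syscall(SYS_GETDENTS64_X86_64, fd, buf, len(buf))) > 0:
            names.extend(parse_dirent64(buf.raw[:n]))
    finally:
        os.close(fd)
    return names

def hidden_entries(raw_names, libc_names):
    """Entries the kernel reports but libc omits: the signature of a readdir-hooking rootkit."""
    return sorted(set(raw_names) - set(libc_names) - {".", ".."})

def preload_entries(text):
    """Libraries listed in ld.so.preload; a clean host usually has no such file, or an empty one."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]

def audit_dir(path):  # os.listdir goes through libc readdir; raw_listdir does not
    return hidden_entries(raw_listdir(path), os.listdir(path))
```

Run audit_dir("/lib") and preload_entries(open("/etc/ld.so.preload").read()) on a live host; any name in the first result, or any library in the second that you did not put there, deserves a closer look.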

With the continued advancement and deployment of OrBit, the international cybersecurity community remains on high alert, recognizing the persistent threat it poses to Linux environments. As attackers refine their tactics and tools, staying one step ahead will require ongoing vigilance and a proactive approach to security.