DeskRAT Linux persistence and command-set analysis
Technical Analysis
Summary
Researchers detailed DeskRAT's Linux persistence methods and command set, giving defenders concrete indicators for spotting the malware on BOSS Linux hosts. The analysis matters because the trojan can survive reboots through systemd, cron, autostart, and .bashrc modifications while also supporting file collection and payload execution. It also shows the malware using WebSockets for C2 and shifting toward dedicated staging infrastructure, which can complicate network-based detection.
Related Happenings
CHILLYHELL and ZynorRAT malware activity
Malware Activity
First: 10.09.2025 16:04
Last: 10.09.2025 16:04
Sources 1
About this happening:
The discovery of **CHILLYHELL** and **ZynorRAT** expands cross-platform malware risk across **macOS**, **Windows**, and **Linux** with backdoor, RAT, persistence, and exfiltration...
MystRodX / ChronosRAT backdoor activity with DNS and ICMP wake-up triggers
Malware Activity
First: 02.09.2025 17:56
Last: 02.09.2025 17:56
Sources 1
About this happening:
Researchers disclosed **MystRodX**/**ChronosRAT**, a stealthy **backdoor** that can capture data and execute remote commands on compromised systems. The malware uses **DNS** and *...
Timeline
24.10.2025 17:00 · 1 article
DeskRAT Linux persistence and commands
Technical Analysis Update
Researchers analyzing DeskRAT on BOSS (Bharat Operating System Solutions) Linux identified four persistence mechanisms: a systemd service, a cron job, a Linux autostart entry under $HOME/.config/autostart, and a .bashrc launcher that runs a shell script from $HOME/.config/system-backup/. The malware also supports ping, heartbeat, browse_files, start_collection, and upload_execute commands for status beacons, directory listings, targeted file collection, and execution of Python, shell, or desktop payloads; related Linux variants communicate over either WebSockets or HTTP and can recursively collect files from /.
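The four persistence locations named above translate directly into a host audit. The script below is an added example written for this page, not code from the cited report or from any DeskRAT sample: it checks one user's HOME for a .bashrc launcher, the $HOME/.config/system-backup/ staging directory, autostart and user-level systemd entries that execute from that directory, and crontab lines that do the same. The user-unit path .config/systemd/user and the sample artifacts in demo() are assumptions made for the example; the report only names the staging and autostart directories.

```python
import tempfile
from pathlib import Path

# Locations cited in the DeskRAT analysis above. ".config/system-backup" is the
# report's staging directory; the others are the standard user-level persistence
# locations the report says the malware also uses (user unit path is assumed).
STAGING_DIR = ".config/system-backup"
AUTOSTART_DIR = ".config/autostart"
USER_UNIT_DIR = ".config/systemd/user"


def audit_home(home: str, crontab_text: str = "") -> list[str]:
    """Return findings for DeskRAT-style persistence under one user's HOME.
    crontab_text is the user's crontab (output of `crontab -l`), passed in
    because per-user crontabs live in /var/spool, not under HOME."""
    h, findings = Path(home), []
    # 1. .bashrc launcher: any non-comment line that invokes the staging dir.
    bashrc = h / ".bashrc"
    if bashrc.is_file():
        for n, line in enumerate(bashrc.read_text(errors="replace").splitlines(), 1):
            if STAGING_DIR in line and not line.lstrip().startswith("#"):
                findings.append(f"bashrc:{n}:{line.strip()}")
    # 2. The staging directory itself should not exist on a clean host.
    if (h / STAGING_DIR).is_dir():
        findings.extend(f"staging:{p.name}" for p in sorted((h / STAGING_DIR).iterdir()))
    # 3. Autostart .desktop entries (Exec=) and user systemd units (ExecStart=)
    #    whose command line points into the staging directory.
    for sub, ext, key in ((AUTOSTART_DIR, "*.desktop", "Exec="),
                          (USER_UNIT_DIR, "*.service", "ExecStart=")):
        for p in (sorted((h / sub).glob(ext)) if (h / sub).is_dir() else []):
            for line in p.read_text(errors="replace").splitlines():
                if line.startswith(key) and STAGING_DIR in line:
                    findings.append(f"{sub}:{p.name}:{line}")
    # 4. Cron entries that run something from the staging directory.
    for line in crontab_text.splitlines():
        if STAGING_DIR in line and not line.lstrip().startswith("#"):
            findings.append(f"cron:{line.strip()}")
    return findings


def demo() -> list[str]:
    """Audit a constructed HOME seeded with one artifact per persistence path."""
    h = Path(tempfile.mkdtemp())
    for sub in (STAGING_DIR, AUTOSTART_DIR, USER_UNIT_DIR):
        (h / sub).mkdir(parents=True)
    (h / STAGING_DIR / "run.sh").write_text("#!/bin/sh\n# constructed placeholder\n")
    (h / ".bashrc").write_text("alias ll='ls -l'\nsh ~/.config/system-backup/run.sh &\n")
    (h / AUTOSTART_DIR / "x.desktop").write_text("[Desktop Entry]\nExec=sh ~/.config/system-backup/run.sh\n")
    (h / USER_UNIT_DIR / "x.service").write_text("[Service]\nExecStart=/bin/sh ~/.config/system-backup/run.sh\n")
    return audit_home(str(h), "@reboot sh ~/.config/system-backup/run.sh\n")
```

On a real host, run audit_home on each entry in /home plus /root and feed it the output of `crontab -l -u <user>`; the staging-directory match is the high-confidence signal, while a .bashrc or autostart hit alone warrants a look at what the referenced script does.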
- APT36 Targets Indian Government with Golang-Based DeskRAT Malware Campaign — thehackernews.com — 24.10.2025 17:00