DeskRAT Linux persistence and command-set analysis
Technical Analysis
Summary
Hide ▲
Show ▼
Researchers detailed DeskRAT's Linux persistence methods and command set, giving defenders concrete indicators for spotting the malware on BOSS Linux hosts. The analysis matters because the trojan can survive reboots through systemd, cron, autostart, and .bashrc modifications while also supporting file collection and payload execution. It also shows the malware using WebSockets for C2 and shifting toward dedicated staging infrastructure, which can complicate network-based detection.
Related Happenings
ESET analysis of SprySOCKS Windows variants adds IOC-backed detection guidance
Technical Analysis
H score34
First: 16.06.2026 12:00
Last: 16.06.2026 12:00
Sources 1
About this happening:
**ESET** identified previously undocumented **Windows variants** of **SprySOCKS**, a backdoor attributed to **FishMonger** and linked to **I-Soon**. The **WIN_DRV** and **WIN_PLUS...
ESET analysis of SprySOCKS Windows variants adds IOC-backed detection guidance
Technical AnalysisAbout this happening: **ESET** identified previously undocumented **Windows variants** of **SprySOCKS**, a backdoor attributed to **FishMonger** and linked to **I-Soon**. The **WIN_DRV** and **WIN_PLUS...
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware Activity
H score49
First: 02.06.2026 21:21
Last: 02.06.2026 21:21
Sources 1
About this happening:
**Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware ActivityAbout this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Latest development: 09.06.2026 15:26
Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.
CHILLYHELL and ZynorRAT malware activity
Malware Activity
H score23
First: 10.09.2025 16:04
Last: 10.09.2025 16:04
Sources 1
About this happening:
The discovery of **CHILLYHELL** and **ZynorRAT** expands cross-platform malware risk across **macOS**, **Windows**, and **Linux** with backdoor, RAT, persistence, and exfiltration...
CHILLYHELL and ZynorRAT malware activity
Malware ActivityAbout this happening: The discovery of **CHILLYHELL** and **ZynorRAT** expands cross-platform malware risk across **macOS**, **Windows**, and **Linux** with backdoor, RAT, persistence, and exfiltration...
MystRodX / ChronosRAT backdoor activity with DNS and ICMP wake-up triggers
Malware Activity
H score23
First: 02.09.2025 17:56
Last: 02.09.2025 17:56
Sources 1
About this happening:
Researchers disclosed **MystRodX**/**ChronosRAT**, a stealthy **backdoor** that can capture data and execute remote commands on compromised systems. The malware uses **DNS** and *...
MystRodX / ChronosRAT backdoor activity with DNS and ICMP wake-up triggers
Malware ActivityAbout this happening: Researchers disclosed **MystRodX**/**ChronosRAT**, a stealthy **backdoor** that can capture data and execute remote commands on compromised systems. The malware uses **DNS** and *...
Timeline
-
24.10.2025 17:00 1 articles · 8mo ago
DeskRAT Linux persistence and commands
Technical Analysis UpdateResearchers analyzing DeskRAT on BOSS (Bharat Operating System Solutions) Linux identified four persistence mechanisms: a systemd service, a cron job, a Linux autostart entry under $HOME/.config/autostart, and a .bashrc launcher that runs a shell script from $HOME/.config/system-backup/. The malware also supports ping, heartbeat, browse_files, start_collection, and upload_execute commands for status beacons, directory listings, targeted file collection, and execution of Python, shell, or desktop payloads; related Linux variants communicate over either WebSockets or HTTP and can recursively collect files from /.
Show sources
- APT36 Targets Indian Government with Golang-Based DeskRAT Malware Campaign — thehackernews.com — 24.10.2025 17:00