
Hackers Use OrBit Rootkit to Harvest SSH and Sudo Credentials From Linux Systems

Cybersecurity News, archived May 15, 2026


By Tushar Subhra Dutta, May 15, 2026

A dangerous rootkit called OrBit has been quietly targeting Linux systems for years, stealing login credentials and hiding deep inside infected machines without triggering most security tools. New research reveals that what was once believed to be a custom-built threat is actually a modified version of a publicly available rootkit, spread across the globe by multiple hacker groups.

OrBit works by embedding itself into the core of a Linux system, hooking more than forty basic system functions so that it becomes almost completely invisible. Once inside a machine, it listens for login attempts through SSH and sudo, capturing usernames and passwords and saving them in a hidden directory that standard system scans cannot detect. The attacker then connects back to the compromised system through a secret SSH backdoor, never needing to send commands across the internet.

Researchers at Intezer, in a report shared with Cyber Security News (CSN), identified that OrBit is not original code at all. It is built from a publicly available rootkit called Medusa, published on GitHub in December 2022. The operators' work was not writing new code but configuring the existing source files, rotating passwords, and changing install paths to stay hidden.

Hackers Use OrBit Rootkit

Intezer's analysis tracked more than a dozen samples spanning 2022 through early 2026. The team walked each sample through static and differential analysis and discovered two separate build paths: a full-featured version called Lineage A, which carries the complete attack toolkit, and a stripped-down version called Lineage B, which drops several features for a lighter footprint. Lineage B appears to have stopped surfacing after 2024, suggesting operators may have consolidated back into the main build.
OrBit is deployed as a shared library file on the target Linux machine. It achieves persistence by modifying the dynamic linker configuration so that the malicious library loads automatically into every process running on the system. From that position, it intercepts file reads, directory listings, and network connection data, making itself invisible to both administrators and security tools. The malware stores captured credentials and configuration data in a hidden directory called /lib/libseconf/, which standard tools cannot see because of the rootkit's own hooks.

The most significant capability jump came in 2025, when the newest build added a hook for pam_sm_authenticate, a server-side authentication function. Where earlier versions could only passively collect credentials as users typed them, this new version can also forge authentication outcomes, meaning attackers can approve or deny login attempts on a compromised system at will. That same year, a new two-stage delivery chain appeared: an infector embeds a dropper, which then extracts and installs the rootkit, with a cron job created to fetch updated payloads from an external domain.

Multiple Hacker Groups Are Exploiting This Backdoor

One of the most alarming findings from this research is that at least three distinct hacker groups have been using OrBit. The state-sponsored espionage group UNC3886, tracked by Mandiant, used the same codebase with a specific 0xAA encryption key, distinct credentials, and an install path that matched Intezer's 2024 Lineage A samples exactly. CrowdStrike noted in its 2026 Global Threat Report that BLOCKADE SPIDER, an eCrime group known for Embargo ransomware, used OrBit to quietly maintain access inside VMware virtualization environments. A third campaign observed in 2025 used a dropper architecture identical to one linked to RHOMBUS, a Linux-based botnet first reported in 2020, with both droppers sharing the same C2 domain resolving to infrastructure in Russia.
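The persistence mechanism described above gives defenders one concrete place to look. The following script is an added example, not code from the article or from Intezer's report; it assumes the preload file is /etc/ld.so.preload (the usual way a library is forced into every process, which the article refers to only as the "dynamic linker configuration") and treats the hidden directories the article names as known-bad prefixes. Because every dynamically linked program on a live infected host loads the rootkit, including the interpreter running this script, the audit is only trustworthy when run against an offline-mounted disk image or from a rescue boot.

```python
"""Audit a dynamic-linker preload file for unexpected shared libraries.

Added example (not code from the article or from Intezer's report). It assumes
the preload file is /etc/ld.so.preload, which the article does not name; it
only says the rootkit modifies the "dynamic linker configuration".
"""
import os
import re

# Working/install directories the article attributes to OrBit variants.
KNOWN_BAD_PREFIXES = ("/lib/libseconf/", "/lib/libntpVnQE6mk/", "/lib/locate/")


def parse_preload(text: str) -> list[str]:
    """Return the library paths listed in an ld.so.preload file.

    glibc accepts entries separated by whitespace or ':' and ignores '#' comments;
    a clean host normally has no preload file at all, or an empty one.
    """
    entries: list[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        entries.extend(e for e in re.split(r"[\s:]+", line) if e)
    return entries


def classify_entry(path: str) -> str:
    """Label one preload entry: a known-bad prefix from the report, or 'review'."""
    if path.startswith(KNOWN_BAD_PREFIXES):
        return "known-bad-prefix"
    return "review"   # any preload entry on a server deserves a look


def audit_preload(text: str) -> list[tuple[str, str]]:
    """Classify every entry in the given preload file contents."""
    return [(p, classify_entry(p)) for p in parse_preload(text)]


def audit_mounted_root(root: str) -> list[tuple[str, str]]:
    """Audit <root>/etc/ld.so.preload.

    Read from an offline-mounted image or rescue boot: on a live infected host
    every dynamically linked tool, this interpreter included, loads the rootkit
    and sees filtered results.
    """
    path = os.path.join(root, "etc", "ld.so.preload")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_preload(fh.read())


if __name__ == "__main__":
    import sys
    mount = sys.argv[1] if len(sys.argv) > 1 else "/"
    for entry, verdict in audit_mounted_root(mount):
        print(f"{verdict:17} {entry}")
```

Run it as `python3 audit_preload.py /mnt/suspect-root` against a mounted image. An entry under one of the known directories is strong evidence of this family, but any entry at all is worth explaining, since legitimate servers rarely need a preload file.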
Defenders are advised to monitor for co-occurring filenames such as sshpass.txt, .logpam, and .ports appearing inside unexpected directories, as these are fixed artifacts of the Medusa build pipeline regardless of which operator compiled the rootkit. YARA rules that decode the XOR string table with a variable key and match on known plaintext entries can catch any version of this family, even builds using fresh credentials and renamed install paths.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| SHA256 | 40b5127c8cf9d6bec4dbeb61ba766a95c7b2d0cafafcb82ede5a3a679a3e3020 | 2022 OrBit payload, Lineage A |
| SHA256 | ec7462c3f4a87430eb19d16cfd775c173f4ba60d2f43697743db991c3d1c3067 | 2022 OrBit payload, Lineage A |
| SHA256 | f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8 | 2022 dropper |
| SHA256 | d419a9b17f7b4c23fd4e80a9bce130d2a13c307fccc4bfbc4d49f6b770d06d3b | 2023 payload, Lineage A |
| SHA256 | 296d28eb7b66aa2cbea7d9c2e7dc1ad6ce6f97d44d34139760c38817aec083e7 | 2023 payload, Lineage A |
| SHA256 | 3ba6c174a72e4bf5a10c8aaadab2c4b98702ee2308438e94a5512b69df998d5a | 2023 payload, Lineage B |
| SHA256 | 4203271c1a0c24443b7e85cbf066c9928fcc69934772a431d779017fb85c9d73 | 2023 payload, Lineage B |
| SHA256 | eea274eddd712fe0b4434dbef6a2a92810cb13b8be3deca0571410ee78d37c9f | 2024 payload, Lineage A |
| SHA256 | a61386384173b352e3bd90dcef4c7268a73cd29f6ae343c15b92070b1354a349 | 2024 payload, Lineage A |
| SHA256 | a34299a16cf30dac1096c1d24188c72eed1f9d320b1585fe0de4692472e3d4dc | 2024 payload, Lineage B |
| SHA256 | b1dd18a6a4b0c6e2589312bbec55b392a20a95824ffe630a73c94d24504c553d | 2024 payload, Lineage B |
| SHA256 | 989f7eb4f805591839bcbc321dd44418eb5694d1342e37b7f24126817f10e37e | 2024 payload (extracted), Lineage B |
| SHA256 | 8ea420d9aa341ba23cdea0ac03951bce866c933ba297268bc7db8a01ce8e9b8e | 2024 payload (static ELF), Lineage A |
| SHA256 | 26082cd36fdaf76ec0d74b7fbf455418c49fbab64b20892a873c415c3bb60675 | 2024 loader/installer |
| SHA256 | 48a68d0555f850c36f7d338b1a42ed1a661043cacf2ba2a4b0a347fac3cb3ee6 | 2024 dropper |
| SHA256 | fc2e0cb627a00d0e4509bd319271721ea74fb11150847213abe9e8fea060cc8a | 2024 dropper |
| SHA256 | 8e83cbb2ed12faba9b452ea41291bcebdce08162f64ac9a5f82592df62f47613 | 2025 payload, Lineage A |
| SHA256 | 2b2eeb2271c19e2097a0ef0d90b2b615c20f726590bbfee139403db1dced5b0a | 2025 payload, Lineage A |
| SHA256 | 84828f31d741f92ce4bca98cfc2148ff8cff6663e2908a025b1386dd4953ffef | 2025 payload (truncated), Lineage A |
| SHA256 | 090b15fd8912cab340b22e715d44db079ec641db5e2f92916aa1f2bc9236e03e | 2025 dropper |
| SHA256 | 64a3ebd3ad3927fc783f6ac020d5a6192e9778fb16b51cceba06e4ee5416adff | 2025 dropper |
| SHA256 | b85ed15756568b85148c1d432a8920f81e4b21f2bc38f0cf51d06ced619e0e77 | 2025 dropper |
| SHA256 | d3d204c19d93e5e37697c7f80dd0de9f76a2fb4517ced9cafd7d7d46a6e285ba | 2025 dropper |
| SHA256 | 73b95b7d1006caf8d3477e4a9a0994eaa469e98b70b8c198a82c4a12c91ad49a | 2025 two-stage infector |
| SHA256 | 04c06be0f65d3ead95f3d3dd26fe150270ac8b58890e35515f9317fc7c7723c9 | 2026 payload, Lineage A |
| SHA256 | d7b487d2e840c4546661f497af0195614fc0906c03d187dc39815c811ea5ec3f | 2026 payload, Lineage A |
| SHA256 | b982276458a85cd3dd7c8aa6cb4bbb2d4885b385053f92395a99abbfb0e43784 | 2020 RHOMBUS dropper (shared architecture) |
| URL | http://cf0[.]pw/0 | C2 domain used in 2025 cron-based persistence mechanism |
| IP Address | 109.95.212[.]253 | Current resolution of C2 domain cf0[.]pw, Russia-based infrastructure |
| IP Address | 109.95.211[.]141 | Related infrastructure sharing same BANNER_0_HASH-IP value, Russia-based |
| File Path | /lib/libseconf/ | Primary hidden working directory used across most OrBit variants |
| File Path | /lib/libntpVnQE6mk/ | Original 2022 OrBit hidden working directory |
| File Path | /lib/locate/ | Alternate install path used in UNC3886/MEDUSA 2024 cluster |
| File Name | sshpass.txt | Credential storage file artifact, fixed across Medusa build pipeline |
| File Name | .logpam | PAM credential log artifact, fixed across Medusa build pipeline |
| File Name | /etc/cron.hourly/0 | Persistence script dropped by 2025 infector for remote payload download |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
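The two detection ideas in the guidance above, brute-forcing the single-byte XOR key of the string table against known plaintext and watching for the fixed artifact filenames appearing together, are shown below in Python. This is an added example, not the article's or Intezer's code; the known plaintext strings and artifact names are the ones the article reports, and the "binaries" it scans are constructed stand-ins, not real samples.

```python
"""Hunt for OrBit/Medusa string-table entries encoded with a single-byte XOR key,
and for the fixed artifact filenames co-occurring in one directory.

Added example (not the article's or Intezer's code). The known plaintext
strings and artifact names are those the article reports; the "binaries"
scanned below are constructed stand-ins, not real samples.
"""
KNOWN_PLAINTEXT = [b"sshpass.txt", b".logpam", b".ports", b"/lib/libseconf/"]
ARTIFACT_NAMES = ("sshpass.txt", ".logpam", ".ports")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with the single-byte `key`."""
    return bytes(b ^ key for b in data)


def scan_xor_strings(blob: bytes, min_hits: int = 2) -> dict[int, list[bytes]]:
    """Return {key: matched_plaintexts} for every key 0x00..0xFF under which at
    least `min_hits` known strings occur in `blob`.

    Encoding each known plaintext with the candidate key and searching for it is
    equivalent to decoding the whole blob, but far cheaper. Key 0x00 catches
    unobfuscated builds; requiring two hits keeps short entries such as
    b".ports" from matching by chance.
    """
    results: dict[int, list[bytes]] = {}
    for key in range(256):
        hits = [s for s in KNOWN_PLAINTEXT if xor_bytes(s, key) in blob]
        if len(hits) >= min_hits:
            results[key] = hits
    return results


def cooccurring_artifacts(paths, threshold: int = 2) -> dict[str, list[str]]:
    """Group a file listing by directory and return the directories holding at
    least `threshold` of the fixed Medusa build artifacts."""
    by_dir: dict[str, set[str]] = {}
    for p in paths:
        d, _, name = p.rpartition("/")
        if name in ARTIFACT_NAMES:
            by_dir.setdefault(d or "/", set()).add(name)
    return {d: sorted(n) for d, n in by_dir.items() if len(n) >= threshold}


def build_sample(key: int) -> bytes:
    """Constructed stand-in for a payload whose string table is XOR-encoded with `key`."""
    table = b"\x00".join(xor_bytes(s, key) for s in KNOWN_PLAINTEXT)
    return b"\x7fELF" + b"\x00" * 16 + table + b"\x00" * 16


if __name__ == "__main__":
    # 0xAA is the key the article attributes to the UNC3886 samples; 0x5C stands
    # in for a rebuilt variant with a fresh key (constructed, not a reported key).
    for key in (0xAA, 0x5C):
        print(hex(key), scan_xor_strings(build_sample(key)))
    listing = ["/lib/libseconf/sshpass.txt", "/lib/libseconf/.logpam",
               "/home/user/.ports", "/etc/passwd"]     # constructed listing
    print(cooccurring_artifacts(listing))
```

`scan_xor_strings` recovers the key as a by-product, which is useful for clustering samples the way the report does with the 0xAA key. YARA expresses the same brute force natively with the `xor(0x01-0xff)` string modifier and a `2 of them` condition. The file listing fed to `cooccurring_artifacts` must come from a clean vantage point (a mounted image or an agent that reads the filesystem without going through the hooked libc), because the rootkit's directory-listing hooks hide these names from tools on the live host.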