Recent analysis reveals that the OrBit rootkit has been targeting Linux systems globally, covertly capturing login credentials while evading many security measures. The rootkit, initially thought to be custom-made, is now identified as a modified version of a publicly available tool, Medusa, and is in use by multiple threat groups.
OrBit’s Modus Operandi
The OrBit rootkit embeds itself deeply into a Linux system, hooking more than forty core library functions, which renders it nearly invisible. Once installed, it eavesdrops on SSH and sudo login attempts and stores the collected credentials in a concealed directory that typical system scans do not see. The attackers then connect through a hidden SSH backdoor, so no separate command channel has to be sent over the internet.
Intezer’s researchers, in a report shared with Cyber Security News, disclosed that OrBit is not original, but a derivative of Medusa, a rootkit available on GitHub since December 2022. Hackers have repurposed existing code, altering source files, rotating passwords, and changing installation paths to evade detection.
Technical Analysis and Variants
Intezer’s research documented more than a dozen OrBit samples from 2022 to 2026 through static and differential analysis. Two distinct build paths emerged: Lineage A, a full-featured version, and Lineage B, a simplified variant that ceased development after 2024, suggesting a consolidation into the main build.
OrBit achieves persistence by modifying the dynamic linker configuration, which loads the rootkit into every process on the system. This lets it intercept file access, directory listings, and network data, keeping it invisible to administrators and security tools. The rootkit stores captured information in a hidden directory, /lib/libseconf/, which standard tools cannot reach because the rootkit's own hooks filter it out.
Exploitation by Multiple Hacker Groups
The research highlights that at least three hacker groups have used OrBit. Notably, UNC3886, a state-sponsored group, utilized OrBit with unique encryption keys and installation paths identical to Intezer’s 2024 Lineage A samples. BLOCKADE SPIDER, an eCrime group noted for Embargo ransomware, also used OrBit to maintain access in VMware environments, according to CrowdStrike’s 2026 Global Threat Report.
Another 2025 campaign involved a dropper architecture similar to the Linux-based RHOMBUS botnet, sharing infrastructure in Russia. Security experts recommend monitoring for specific filenames such as sshpass.txt and .logpam in unusual directories, as these are consistent artifacts of the Medusa build pipeline. YARA rules written for the family can detect every version of this rootkit, even when operators change the credentials and paths.
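As an added example (not code from the article or from Intezer), the following scanner checks the three defender-side indicators described above: entries in the dynamic linker preload file (assumed here to be /etc/ld.so.preload), the hidden /lib/libseconf/ directory, and the sshpass.txt and .logpam artifact names. It takes a root path so it can be pointed at a mounted disk image; the demo tree it builds is constructed, and the library name in it is a placeholder.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: the dynamic-linker preload file OrBit
# edits for persistence, the hidden credential store, and the file names that
# are consistent artifacts of the Medusa build pipeline.
PRELOAD_FILE = "etc/ld.so.preload"
HIDDEN_DIR = "lib/libseconf"
ARTIFACT_NAMES = {"sshpass.txt", ".logpam"}

def scan_for_orbit(root="/", search_dirs=("etc", "lib", "usr", "var", "tmp")):
    """Return (kind, path) findings under root.

    Run this against a mounted disk image or from a statically linked
    interpreter: on a live infected host OrBit hooks libc's file and
    directory functions, so a dynamically linked scanner can be lied to.
    """
    root = Path(root)
    findings = []
    preload = root / PRELOAD_FILE
    if preload.is_file():
        # Legitimate agents use ld.so.preload too, so report every entry
        # for review rather than deciding for the analyst.
        for line in preload.read_text().splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                findings.append(("preload", line))
    if (root / HIDDEN_DIR).exists():
        findings.append(("hidden_dir", str(root / HIDDEN_DIR)))
    for d in search_dirs:
        base = root / d
        if not base.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                if name in ARTIFACT_NAMES:
                    findings.append(("artifact", os.path.join(dirpath, name)))
    return findings

def build_demo_tree():
    """Constructed sample tree (not a real sample); the .so name is a placeholder."""
    root = Path(tempfile.mkdtemp(prefix="orbit-demo-"))
    (root / "etc").mkdir()
    (root / "etc" / "ld.so.preload").write_text("/lib/libseconf/libdemo.so\n")
    (root / "lib" / "libseconf").mkdir(parents=True)
    (root / "lib" / "libseconf" / "sshpass.txt").write_text("")
    (root / "var" / "tmp").mkdir(parents=True)
    (root / "var" / "tmp" / ".logpam").write_text("")
    return root
```

Calling `scan_for_orbit(build_demo_tree())` returns one preload entry, the hidden directory, and both artifact files; a clean tree returns an empty list.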
In summary, the OrBit rootkit represents a significant threat to Linux systems, with multiple sophisticated hacker groups exploiting its capabilities. Continuous vigilance and updated detection measures are crucial for cybersecurity defenses.
