New backdoor malware targeting Linux operating systems has been discovered, hiding as a polkit daemon. It is has been named RedXOR for its network data encoding scheme based on XOR. 

Analysing the Tactics, Techniques, and Procedures (TTPs), RedXOR is thought to be developed by Chinese threat actors. The malware samples have low detection rates in VirusTotal, and is used in targeting attacks against legacy Linux systems.

There are also many similarities between RedXOR and the reported malware associated with Winnti umbrella threat group known as the PWNLNX backdoor, as well as to XOR.DDOS and Groundhog, two botnets attributed to Winnti by BlackBerry. The below samples can be used for reference:

The samples are both unstripped 64-bit ELF files called po1kitd-update-k. Similarities between the samples includes the use of old open-source kernel rootkits, both use the CheckLKM function, and both provide the attacker with a pseudo-terminal using Python pty shells and many other similarities.

The malware makes a remote connection to the command and control server over a TCP socket. The traffic is made to look like HTTP traffic. The command and control server instructs the malware to execute different commands returned in the JSESSIONID cookie. The malware can also be updated by the attacker by sending commands to the malware. The malware can also create new remote shells to get a pseudo-terminal (pty) interface and can perform network tunnelling.

How to Detect and Respond

Use the information below to detect and respond this threat. We suggest using the following indicators of compromise to ensure the RedXOR and the files it creates do not exist in your environment:

Indicators of Compromise

RedXOR Hashes


Process name

File and directories created on disk

Follow these steps if you are a victim of this malware:

  1. Kill the process.
  2. Delete all files related to the malware.
  3. Make sure your machine is clean and running only trusted code.
  4. Contact the Experts for assistance if needed.

Node Prevent

When you purchase one of our cyber insurance policies you’ll receive vital cybersecurity updates such as this and online training courses to keep your employees up-to-date with the current cyber threats.

Interested in Cyber Insurance?

Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Consent to display content from - Youtube
Consent to display content from - Vimeo
Google Maps
Consent to display content from - Google
Consent to display content from - Spotify
Sound Cloud
Consent to display content from - Sound