Stealthy OrBit Rootkit Steals Linux Login Credentials for Years

The OrBit rootkit, based on the open source Medusa project, has evaded detection for years by hooking over forty system functions to capture Linux login credentials.

CSBadmin

How OrBit Infects and Hides

A persistent Linux rootkit named OrBit has been operating undetected since 2022, using stealth techniques to steal SSH and sudo credentials from compromised systems. Researchers found that OrBit is not a custom-built threat but a modified version of the Medusa rootkit, an open-source tool published on GitHub. Attackers simply tweaked configuration files, changed passwords, and adjusted installation paths to keep the reused code from matching known signatures.

Once deployed as a shared library, OrBit achieves persistence by altering the Linux dynamic linker's configuration so that every newly started, dynamically linked program loads the malicious library automatically (processes already running are unaffected until they restart). The rootkit hooks over forty core library functions that nearly every program calls, intercepting file reads, directory listings, and network connections. Because those same hooks filter the rootkit's own files and processes out of the results, it is effectively invisible to administrators and to any security tool that relies on the hooked functions rather than on raw system calls.

Credential Theft and C2 Operations

OrBit specifically targets SSH and sudo login attempts, capturing usernames and passwords as they are entered. Stolen credentials are stored under a hidden directory, /lib/libseconf/, which standard scans miss because the rootkit's hooks remove it from directory listings and file lookups. The attackers maintain access through a concealed SSH backdoor, so no separate command-and-control channel is needed.
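The two behaviours described above, persistence through the dynamic linker and hiding files through hooked listing functions, are also what a defender can check for. The script below is an added example written for this page; it is not code from the article, from Intezer, or from the OrBit/Medusa projects. It assumes a Linux host on x86_64 or aarch64 (getdents64 syscall numbers 217 and 61), treats /etc/ld.so.preload and the LD_PRELOAD variable as the usual places a library gets forced into every process (the article only says the dynamic linker is altered, without naming a file), and includes /lib in the scanned directories because the article names /lib/libseconf/ as the credential store. Every sample preload file, environ blob and listing used in the docstrings is constructed for illustration.

```python
"""Added example: host checks for a preload-style userland rootkit.

Check 1 (persistence): libraries named in /etc/ld.so.preload or in a
process's LD_PRELOAD variable are loaded into every dynamically linked
program, which is how a rootkit gets its hooks everywhere.
Check 2 (hidden entries): os.listdir() goes through libc's readdir(), which
such a rootkit hooks to drop its own files; the raw getdents64 syscall
bypasses the libc wrappers, so anything it shows that libc omits is hidden.
"""
import ctypes
import os
import platform
import struct
import tempfile

# getdents64 syscall numbers (assumption: Linux on one of these two CPUs).
GETDENTS64 = {"x86_64": 217, "aarch64": 61}


def parse_preload(text):
    """Library paths in ld.so.preload syntax: '#' starts a comment and
    entries are separated by whitespace or ':'.
    parse_preload("/lib/evil.so\\n# note\\n") -> ["/lib/evil.so"]"""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(p for p in line.replace(":", " ").split() if p)
    return libs


def ld_preload_from_environ(environ_blob):
    """LD_PRELOAD entries from a NUL-separated /proc/<pid>/environ blob."""
    for entry in environ_blob.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in value.replace(":", " ").split() if p]
    return []


def hidden_entries(libc_listing, raw_listing):
    """Names present in the raw syscall listing but missing from libc's,
    e.g. hidden_entries(["bin"], ["bin", "libseconf"]) -> ["libseconf"]."""
    return sorted(set(raw_listing) - set(libc_listing))


def raw_listdir(path):
    """List a directory with getdents64 directly, bypassing libc's readdir().
    A rootkit could also hook libc's syscall() wrapper, so treat a clean
    result as one signal, not as proof."""
    nr = GETDENTS64.get(platform.machine())
    if nr is None or platform.system() != "Linux":
        raise OSError("raw_listdir supports only Linux x86_64/aarch64")
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    buf = ctypes.create_string_buffer(32768)
    names = []
    try:
        while True:
            n = libc.syscall(nr, fd, buf, len(buf))
            if n < 0:
                err = ctypes.get_errno()
                raise OSError(err, os.strerror(err))
            if n == 0:
                break
            off = 0
            while off < n:
                # struct linux_dirent64: u64 d_ino, s64 d_off, u16 d_reclen,
                # u8 d_type, then the NUL-terminated d_name at offset 19.
                _, _, reclen, _ = struct.unpack_from("<QqHB", buf, off)
                raw_name = buf.raw[off + 19:off + reclen].split(b"\0", 1)[0]
                name = raw_name.decode(errors="surrogateescape")
                if name not in (".", ".."):
                    names.append(name)
                off += reclen
    finally:
        os.close(fd)
    return names


def raw_listdir_selftest():
    """Sorted raw listing of a fresh temp dir holding a.txt and b.txt, or
    None where raw_listdir is unsupported; on a clean host it matches libc."""
    try:
        with tempfile.TemporaryDirectory() as d:
            for fname in ("a.txt", "b.txt"):
                open(os.path.join(d, fname), "w").close()
            return sorted(raw_listdir(d))
    except OSError:
        return None


def scan_host(dirs=("/lib", "/etc", "/tmp")):
    """Run both checks on the live host; every list is empty when clean."""
    findings = {"preload_file": [], "ld_preload_env": {}, "hidden": {}}
    try:
        with open("/etc/ld.so.preload") as f:
            findings["preload_file"] = parse_preload(f.read())
    except OSError:
        pass
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            with open(f"/proc/{pid}/environ", "rb") as f:
                libs = ld_preload_from_environ(f.read())
        except OSError:  # permission denied, or the process exited
            continue
        if libs:
            findings["ld_preload_env"][pid] = libs
    for d in dirs:
        try:
            hidden = hidden_entries(os.listdir(d), raw_listdir(d))
        except OSError:
            continue
        if hidden:
            findings["hidden"][d] = hidden
    return findings


if __name__ == "__main__":
    for key, val in scan_host().items():
        print(f"{key}: {val or 'nothing found'}")
```

Run it as root so that /proc/<pid>/environ of other users' processes is readable. Any non-empty result deserves a look, and the raw-versus-libc comparison is the one that a hook in readdir() cannot talk its way out of; the remaining blind spot is a rootkit that also hooks libc's syscall() wrapper, which is why a practitioner confirms a suspicious host with a statically linked tool or from a boot image rather than from the running system alone.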

Intezer's analysis tracked over a dozen samples from 2022 through early 2026. Two distinct build paths emerged. Lineage A is a full-featured version carrying the complete attack toolkit. Lineage B is a stripped-down variant that stopped appearing after 2024. Researchers believe the operators consolidated back to the main build for ongoing campaigns.

Source: Cyber Security News
