S0021: Derusbi
Analyst context for executives and security teams
Derusbi matters because ATT&CK describes it as malware with both Windows and Linux variants and links it to multiple China-associated espionage groups. For leaders, the decision value is not a single signature: it is whether the organization can see post-compromise behavior across mixed operating systems, including command-and-control resilience, host discovery, credential collection through keylogging, screen/audio/video capture, and stealth actions such as file deletion and timestomping.
Executive priority
Prioritize Derusbi as a coverage-validation case for high-value environments that run both Windows and Linux. The ATT&CK relationships point to behaviors that affect incident scoping, data protection, executive communications privacy, and evidence preservation. Security leaders should ask whether SOC and IR teams can correlate endpoint, identity, network, and file-system evidence well enough to distinguish legitimate administration from discovery, capture, stealth, and non-standard encrypted C2 activity.
Technical view
ATT&CK does not provide a Derusbi-specific detection note, so defenders should validate coverage through the related techniques. On Windows, emphasize registry queries, DLL injection, Regsvr32 proxy execution, keylogging indicators, screen/audio/video capture, file deletion, timestomping, and unusual C2 over fallback channels, non-standard ports, non-application-layer protocols, or symmetric encryption. On Linux, emphasize shell execution, user/process/system/file discovery, capture of screen/audio/video devices where applicable, file deletion, timestomping, and network communications that do not match expected protocol-port patterns.
Likely telemetry
- Endpoint process creation and command-line telemetry for Windows and Linux
- Windows Registry access/query telemetry
- Module load, process injection, and suspicious Regsvr32 execution evidence on Windows
- File creation, deletion, metadata timestamp changes, and file-system audit logs
- User, process, system, and directory enumeration events
Detection direction
- Map detections to the related ATT&CK techniques rather than relying on a Derusbi name match, because the supplied ATT&CK object has no official detection text.
- Validate Windows-specific visibility for Query Registry, DLL Injection, and Regsvr32 abuse; these can be noisy, so tune around unusual parent processes, command-line context, unsigned or unexpected modules, and rare host/user patterns.
- Validate Linux visibility for Unix shell execution and discovery commands, especially when followed by file-system changes or unusual outbound communications.
- Correlate discovery, capture, stealth, and C2 behaviors in sequence; individual actions such as process listing or file deletion may be benign, but combinations can materially raise confidence.
- Review blind spots around encrypted or non-standard C2, especially where network tools only classify traffic by port or where east-west traffic is not inspected.
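One way to implement the sequence correlation described above, as an added example that is not part of the page, ATT&CK, or Glexia tooling: events are grouped per host, the Derusbi-related technique IDs from this page are bucketed into behaviour categories, and a host is flagged only when several categories occur within one time window. The event list, category mapping, window size and threshold are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): (timestamp, host, ATT&CK technique ID, detail)
EVENTS = [
    ("2024-05-01T10:00:00", "ws01", "T1057", "process listing"),
    ("2024-05-01T10:02:00", "ws01", "T1012", "registry key enumeration"),
    ("2024-05-01T10:05:00", "ws01", "T1571", "cleartext HTTP observed on tcp/443"),
    ("2024-05-01T10:06:00", "ws01", "T1070.004", "file deleted"),
    ("2024-05-01T09:00:00", "srv02", "T1057", "process listing"),          # lone admin action
    ("2024-05-01T14:00:00", "srv03", "T1083", "directory listing"),
    ("2024-05-01T23:30:00", "srv03", "T1095", "raw socket, source port 31850"),  # hours later
]

# Assumed mapping of the technique IDs listed on this page into behaviour categories.
CATEGORY = {
    "T1012": "discovery", "T1033": "discovery", "T1057": "discovery",
    "T1082": "discovery", "T1083": "discovery",
    "T1056.001": "collection", "T1113": "collection", "T1123": "collection", "T1125": "collection",
    "T1070.004": "stealth", "T1070.006": "stealth",
    "T1008": "c2", "T1095": "c2", "T1571": "c2", "T1573.001": "c2",
}


def correlate(events, window_hours=1.0, min_categories=3):
    """Return {host: sorted categories} for every host on which at least
    `min_categories` distinct behaviour categories occur within `window_hours`
    of some starting event. Single-category activity never fires."""
    window = timedelta(hours=window_hours)
    by_host = defaultdict(list)
    for ts, host, tid, _detail in events:
        cat = CATEGORY.get(tid)
        if cat:  # ignore techniques outside the assumed mapping
            by_host[host].append((datetime.fromisoformat(ts), cat))
    hits = {}
    for host, evs in by_host.items():
        evs.sort()  # sliding window over chronologically ordered events
        for i, (start, _) in enumerate(evs):
            cats = {c for t, c in evs[i:] if t - start <= window}
            if len(cats) >= min_categories:
                hits[host] = sorted(cats)
                break
    return hits


if __name__ == "__main__":
    for host, cats in correlate(EVENTS).items():
        print(f"{host}: {', '.join(cats)} within the window")
```

Widening the window or lowering the threshold trades precision for recall; srv03 only fires when both are relaxed, which is the tuning decision the bullets above leave to local telemetry.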
Mitigation priorities
- Start with visibility: confirm EDR, host logging, and network telemetry cover both Windows and Linux systems in scope.
- Reduce execution and stealth opportunities by controlling script/shell use, monitoring trusted Windows utilities such as Regsvr32, and limiting unnecessary administrative privileges.
- Harden credential and sensitive-session exposure by validating controls and alerting around keylogging-like behavior and unauthorized peripheral capture attempts.
- Improve egress governance by baselining expected protocol-port use and investigating non-standard, fallback, or non-application-layer communications.
- Strengthen incident readiness with log retention and forensic collection procedures that account for file deletion and timestamp manipulation.
Analyst notes and limits
The supplied ATT&CK data identifies Derusbi as malware used by multiple Chinese APT groups, with observed Windows and Linux variants. Relationship context links it to Axiom, Deep Panda, Leviathan, and APT41, and to techniques spanning command and control, discovery, execution, collection, credential access, privilege escalation, and stealth. Because no official Derusbi detection guidance is provided, the strongest defensive use is as an ATT&CK-based control and telemetry validation scenario.
This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not assert current activity, customer exposure, specific indicators, exploit paths, or guaranteed detection. Local environment evidence is required to determine relevance, prevalence, false positives, and control effectiveness.
Derusbi
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1056.001 | Keylogging (sub-technique) | Derusbi is capable of logging keystrokes. (Citation: FireEye Periscope March 2018) |
| Enterprise | T1059.004 | Unix Shell (sub-technique) | Derusbi is capable of creating a remote Bash shell and executing commands. (Citation: Fidelis Turbo) (Citation: FireEye Periscope March 2018) |
| Enterprise | T1218.010 | Regsvr32 (sub-technique) | Derusbi variants have been seen that use Registry persistence to proxy execution through regsvr32.exe. (Citation: ThreatGeek Derusbi Converge) |
| Enterprise | T1082 | System Information Discovery | Derusbi gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the CPU, machine, and operating system. (Citation: Fidelis Turbo) |
| Enterprise | T1070.006 | Timestomp (sub-technique) | The Derusbi malware supports timestomping. (Citation: Novetta-Axiom) (Citation: Fidelis Turbo) |
| Enterprise | T1055.001 | Dynamic-link Library Injection (sub-technique) | Derusbi injects itself into the secure shell (SSH) process. (Citation: Airbus Derusbi 2015) |
| Enterprise | T1070.004 | File Deletion (sub-technique) | Derusbi is capable of deleting files. It has been observed loading a Linux Kernel Module (LKM) and then deleting it from the hard disk as well as overwriting the data with null bytes. (Citation: Fidelis Turbo) (Citation: FireEye Periscope March 2018) |
| Enterprise | T1571 | Non-Standard Port | Derusbi has used unencrypted HTTP on port 443 for C2. (Citation: Fidelis Turbo) |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | Derusbi obfuscates C2 traffic with variable 4-byte XOR keys. (Citation: Fidelis Turbo) |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1123 | Audio Capture | Derusbi is capable of performing audio captures. (Citation: FireEye Periscope March 2018) |
| Enterprise | T1083 | File and Directory Discovery | Derusbi is capable of obtaining directory, file, and drive listings. (Citation: Fidelis Turbo) (Citation: FireEye Periscope March 2018) |
| Enterprise | T1008 | Fallback Channels | Derusbi uses a backup communication method with an HTTP beacon. (Citation: Fidelis Turbo) |
| Enterprise | T1095 | Non-Application Layer Protocol | Derusbi binds to a raw socket on a random source port between 31800 and 31900 for C2. (Citation: Fidelis Turbo) |
| Enterprise | T1113 | Screen Capture | Derusbi is capable of performing screen captures. (Citation: FireEye Periscope March 2018) |
| Enterprise | T1125 | Video Capture | Derusbi is capable of capturing video. (Citation: FireEye Periscope March 2018) |
| Enterprise | T1057 | Process Discovery | Derusbi collects current and parent process IDs. (Citation: Fidelis Turbo) (Citation: FireEye Periscope March 2018) |
| Enterprise | T1012 | Query Registry | Derusbi is capable of enumerating Registry keys and values. (Citation: FireEye Periscope March 2018) |
Groups, software, and campaigns
G0065: Leviathan
Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]
G0009: Deep Panda
Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications.[1] The intrusion into healthcare company Anthem has been attributed to Deep Panda.[2] This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther.[3] Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion.[4] Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same.[5]
G0001: Axiom
Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.[1][2][3]
G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail, and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 8e508ebe6236… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Novetta-Axiom: Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
[2] ThreatConnect Anthem: ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.
[3] Fidelis Turbo: Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
[4] Derusbi: (Citation: Novetta-Axiom)
[5] FireEye Periscope March 2018: FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
[6] PHOTO: (Citation: FireEye Periscope March 2018)
[7] mitre-attack: S0021
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.