S0221: Umbreon
A Linux rootkit that provides backdoor access and hides from defenders.
Analyst context for executives and security teams
Umbreon matters because it is described as a Linux rootkit that provides backdoor access while hiding from defenders. For leaders, the practical issue is not just malware removal; rootkit behavior can undermine trust in host evidence, delay incident containment, and force harder recovery decisions such as rebuilding systems from known-good sources.
Executive priority
Prioritize this as a Linux server resilience and incident-response readiness issue. Executives should ask whether critical Linux systems have sufficient endpoint, account, and network telemetry to investigate hidden persistence and command-and-control behavior, and whether IR plans define when a potentially rootkit-compromised host must be isolated, rebuilt, or forensically preserved. This also supports audit and compliance discussions around privileged access, local account governance, and evidence integrity.
Technical view
ATT&CK lists Umbreon for Linux and relates it to Rootkit (T1014), Local Accounts (T1078.003), Non-Application Layer Protocol (T1095), and Traffic Signaling (T1205). SOC and IR teams should validate coverage for hidden files, processes and network connections, unexpected local account use, unusual non-application-layer or low-level network communications, and traffic patterns that could indicate a trigger packet arriving before access is enabled. The supplied relationship set also maps the Espeon reverse-shell procedure to Windows Command Shell (T1059.003). That sub-technique describes cmd.exe and cannot apply to a Linux host; the procedure text describes a reverse shell, which on Linux is Unix shell behaviour. Treat the T1059.003 mapping as a relationship artifact to validate against the current ATT&CK release rather than as assumed Umbreon behaviour in a Linux environment.
Likely telemetry
- Linux endpoint telemetry for process, file, module, service, and persistence changes
- Privileged and local account authentication logs on Linux hosts
- Network flow, packet, or sensor data capable of showing ICMP/UDP/SOCKS-like or other non-application-layer communications
- Host firewall, listening port, and connection-state evidence, including cases where ports appear closed until triggered
- File integrity and baseline comparison data for critical system paths and binaries
Detection direction
- Because ATT&CK provides no official detection text for Umbreon, detection engineering should be technique-led rather than signature-led.
- Validate Linux rootkit hunting coverage by comparing host-reported state against independent sources where possible, such as network observations, file integrity baselines, and offline forensic review.
- Tune for suspicious local account use, especially unexpected privilege, remote access, or service account behavior on Linux systems.
- Review network detections for non-application-layer command-and-control and traffic signaling patterns, while accounting for legitimate administrative, monitoring, and network diagnostic traffic that can create false positives.
- Treat absence of endpoint alerts cautiously: rootkit behavior is specifically associated with hiding programs, files, network connections, services, drivers, or other system components.
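The traffic-signaling direction above is easiest to see as detection logic run over flow records. The block below is an added example written for this page; it is not code from the original page, from MITRE, or from the Trend Micro report. The page only says Espeon opens a reverse shell "upon receipt of a special packet" and does not give the packet format, so the check keys on behaviour rather than payload: an inbound packet to a port the host is not listening on, followed within a short window by a new outbound connection from the host to that same peer. The record format, the 30-second window, the listening-port set and every flow line are constructed assumptions.

```python
"""Hunt for traffic signaling followed by a callback to the signalling peer.

Added example. The flow records below are constructed in the shape a Linux
host firewall or network sensor could emit; they are not real captures.
The trigger format is unknown (the page only says "a special packet"), so
the logic keys on behaviour: inbound packet to a closed port, then a fresh
OUTBOUND connection from the host back to the same peer within `window`.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime
    direction: str  # "in" or "out", relative to the monitored host
    peer: str       # remote address
    proto: str      # "tcp", "udp" or "icmp"
    host_port: int  # local port on the monitored host (0 for icmp)
    peer_port: int  # remote port (0 for icmp)


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<iso-ts> <in|out> <peer> <proto> <host_port> <peer_port>'."""
    ts, direction, peer, proto, host_port, peer_port = line.split()
    if direction not in ("in", "out"):
        raise ValueError(f"bad direction in {line!r}")
    return Flow(datetime.fromisoformat(ts), direction, peer, proto,
                int(host_port), int(peer_port))


def find_signaled_callbacks(flows, listening_ports, window=timedelta(seconds=30)):
    """Return (trigger, callback) pairs.

    A trigger is any inbound packet to a port with no listener, which a port
    scan also produces. It is reported only when the same peer then receives
    a new outbound connection from the host inside `window`; a scan does not
    normally provoke that, which keeps scanner noise out of the results.
    """
    ordered = sorted(flows, key=lambda f: f.ts)
    hits = []
    for i, trig in enumerate(ordered):
        if trig.direction != "in" or trig.host_port in listening_ports:
            continue  # service traffic to an open port is not a signal
        for cand in ordered[i + 1:]:
            if cand.ts - trig.ts > window:
                break  # records are time-ordered; nothing later can match
            if cand.direction == "out" and cand.peer == trig.peer:
                hits.append((trig, cand))
                break
    return hits


# Constructed sample: an admin SSH login, a three-port scan from 192.0.2.9 with
# no callback, a routine outbound HTTPS session, one ICMP probe with no
# callback, and one closed-port packet from 203.0.113.7 followed 10 s later by
# an outbound connection from the host to that peer on 4444.
SAMPLE_LOG = """\
2016-09-05T10:00:00 in 198.51.100.5 tcp 22 51000
2016-09-05T10:00:05 in 192.0.2.9 tcp 8080 40001
2016-09-05T10:00:05 in 192.0.2.9 tcp 8443 40002
2016-09-05T10:00:06 in 192.0.2.9 tcp 9999 40003
2016-09-05T10:01:00 out 198.51.100.200 tcp 50000 443
2016-09-05T10:02:00 in 203.0.113.7 tcp 9999 41234
2016-09-05T10:02:10 out 203.0.113.7 tcp 45000 4444
2016-09-05T10:05:00 in 203.0.113.8 icmp 0 0
2016-09-05T10:30:00 out 192.0.2.9 tcp 45001 443
"""
LISTENING_PORTS = {22, 80}  # assumed listener set for the sample host


def run_sample():
    flows = [parse_flow(line) for line in SAMPLE_LOG.splitlines()]
    return find_signaled_callbacks(flows, LISTENING_PORTS)


if __name__ == "__main__":
    for trig, cb in run_sample():
        print(f"signal from {trig.peer} to closed port {trig.host_port} at {trig.ts}, "
              f"callback to {cb.peer}:{cb.peer_port} {int((cb.ts - trig.ts).total_seconds())}s later")
```

The late outbound connection to the scanner (10:30, well outside the window) and the ICMP probe with no callback both stay quiet, which is the false-positive handling the page asks for; on a real host the listener set should come from an independent source such as a firewall policy or a baseline, not from the possibly-hooked host's own `ss` output.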
Mitigation priorities
- Harden and monitor Linux privileged access, with emphasis on local account governance, password hygiene, least privilege, and review of administrative accounts.
- Maintain known-good baselines for critical Linux systems so defenders can compare expected files, services, modules, accounts, and network behavior during an investigation.
- Ensure network monitoring can observe suspicious low-level or non-application-layer communications, not only standard application logs.
- Define IR playbooks for suspected rootkit cases, including isolation, evidence preservation, credential review, and rebuild criteria.
- Use vulnerability and configuration management to reduce exposure on internet-facing or high-value Linux systems, even though the supplied ATT&CK object does not specify an exploited vulnerability.
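Two of the points above, comparing host-reported state against an independent source (detection direction) and keeping a known-good baseline to compare accounts against (mitigation priorities), come together in the added example below. It is written for this page and is not code from the original page, from MITRE, or from the Trend Micro report. It diffs a copy of /etc/passwd against a baseline copy, and separately compares the raw file with what libc's getpwent() family reports through Python's `pwd` module: a userland rootkit that hooks libc to hide the account it created can make those two views disagree. The baseline and "current" passwd texts are constructed. Note the limit the page itself states: a hooked libc can also lie to this script's file reads, so a truly independent view means an offline image, a statically linked tool, or network evidence.

```python
"""Account baseline diff plus a file-versus-libc cross view for /etc/passwd.

Added example. BASELINE_PASSWD and CURRENT_PASSWD are constructed; the
live_cross_view() helper reads the real file on the host it runs on.
"""
import pwd
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> dict:
    """Parse passwd(5) text into {name: Account}; blank and comment lines are skipped."""
    accounts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {raw!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts[name] = Account(name, int(uid), int(gid), home, shell)
    return accounts


def diff_accounts(baseline: dict, current: dict) -> list:
    """Return (severity, message) findings: new/removed accounts, uid and shell
    changes, and more than one uid-0 account. Output order is deterministic."""
    findings = []
    for name in sorted(current.keys() - baseline.keys()):
        a = current[name]
        sev = "high" if a.uid == 0 else "medium"
        findings.append((sev, f"new account {name}: uid={a.uid} shell={a.shell}"))
    for name in sorted(baseline.keys() - current.keys()):
        findings.append(("medium", f"account removed: {name}"))
    for name in sorted(baseline.keys() & current.keys()):
        b, c = baseline[name], current[name]
        if b.uid != c.uid:
            findings.append(("high", f"{name}: uid changed {b.uid} -> {c.uid}"))
        if b.shell != c.shell:
            findings.append(("medium", f"{name}: shell changed {b.shell} -> {c.shell}"))
    roots = sorted(n for n, a in current.items() if a.uid == 0)
    if len(roots) > 1:
        findings.append(("high", f"multiple uid-0 accounts: {', '.join(roots)}"))
    return findings


def cross_view_accounts(file_accounts: dict, libc_names: set) -> set:
    """Names in the raw file that libc's getpwent() view does not report.

    Names only libc reports are normal on hosts with NSS sources such as LDAP
    or sssd, so only the file-but-not-libc direction is returned."""
    return set(file_accounts) - set(libc_names)


# Constructed baseline captured from a known-good build.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ops:x:1000:1000:Ops Admin:/home/ops:/bin/bash
"""

# Constructed "current" file: a service account given a real shell and an
# added uid-0 account with a hidden-looking home directory.
CURRENT_PASSWD = BASELINE_PASSWD.replace(
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin",
    "www-data:x:33:33:www-data:/var/www:/bin/sh",
) + "backup2:x:0:0::/tmp/.backup2:/bin/bash\n"


def run_sample() -> list:
    return diff_accounts(parse_passwd(BASELINE_PASSWD), parse_passwd(CURRENT_PASSWD))


def live_cross_view(path: str = "/etc/passwd") -> set:
    """Compare the real passwd file with libc's view on the running host."""
    with open(path, encoding="utf-8") as fh:
        file_accounts = parse_passwd(fh.read())
    libc_names = {entry.pw_name for entry in pwd.getpwall()}
    return cross_view_accounts(file_accounts, libc_names)


if __name__ == "__main__":
    for sev, msg in run_sample():
        print(f"[{sev}] {msg}")
    print("accounts in file but not reported by libc:", live_cross_view() or "none")
```

Run the baseline diff against a copy of the file pulled from an offline image or a read-only mount when a rootkit is suspected; the live cross view is a quick on-host tripwire, and any name it returns should be confirmed from that independent copy rather than from the host itself.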
Analyst notes and limits
The strongest decision value from this object is the combination of Linux platform, rootkit hiding behavior, backdoor access, local account abuse, and stealthy command-and-control relationships. This should drive validation of Linux EDR/host logging, independent network visibility, privileged account controls, and IR rebuild authority.
The official ATT&CK object provides a short description and no official detection guidance, aliases, labels, or tactics. The assessment is therefore based only on the supplied description, external references, and listed technique relationships. Local environment architecture, telemetry quality, and confirmed indicators are required before judging exposure or detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Umbreon provides access using both standard facilities like SSH and additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet. (Citation: Umbreon Trend Micro) |
| Enterprise | T1014 | Rootkit | Umbreon hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence, such as the user account it creates to provide access, and undermining strace, a tool often used to identify malware. (Citation: Umbreon Trend Micro) |
| Enterprise | T1205 | Traffic Signaling | Umbreon provides additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet. (Citation: Umbreon Trend Micro) |
| Enterprise | T1095 | Non-Application Layer Protocol | Umbreon provides access to the system via SSH or any other protocol that uses PAM to authenticate. (Citation: Umbreon Trend Micro) |
| Enterprise | T1078.003 | Local Accounts (sub-technique) | Umbreon creates valid local users to provide access to the system. (Citation: Umbreon Trend Micro) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 7acce11243bf… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Umbreon (Citation: Umbreon Trend Micro)
- [2] Umbreon Trend Micro: Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.
- [3] mitre-attack: S0221
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.