S0362: Linux Rabbit
Linux Rabbit is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.[1]
Analyst context for executives and security teams
Linux Rabbit matters because it represents Linux-focused malware used against servers and IoT devices with the stated campaign goal of installing cryptocurrency miners. For business leaders, the practical issue is not only malware removal; it is whether exposed Linux systems, remote access paths, weak credentials, and shell-based persistence can turn infrastructure into unauthorized compute capacity and create operational, cloud-cost, and incident-response burden.
Executive priority
Prioritize Linux and IoT asset visibility, externally reachable remote services, credential hygiene, and evidence that server activity is monitored. The ATT&CK relationships connect Linux Rabbit to valid account abuse, password spraying, external remote services, user discovery, encoded command-and-control, and Unix shell configuration modification. Those areas are decision points for budget and risk ownership: identity controls, remote access governance, Linux endpoint logging, and incident response readiness should be validated before an event forces emergency discovery.
Technical view
SOC and IR teams should treat this object as Linux malware context tied to discovery, credential access, initial access or persistence through remote services and valid accounts, command-and-control encoding, and Unix shell configuration persistence. Because ATT&CK does not provide an official detection section for Linux Rabbit, detection engineering should validate coverage around the related techniques rather than rely on a single malware signature: unusual authentication patterns consistent with password spraying, use of valid accounts from unexpected sources, externally exposed remote service logins, user-enumeration activity, suspicious changes to shell startup files, and anomalous encoded outbound traffic from Linux hosts.
Likely telemetry
- Linux authentication logs and remote access logs for externally reachable services
- Identity provider, VPN, SSH, or other remote service authentication events where available
- Account lockout, failed login, and broad low-rate login attempt records relevant to password spraying
- Linux process execution and command-line telemetry, especially user and environment discovery commands
- File integrity or audit records for Unix shell configuration files in /etc and user home directories
Detection direction
- Map detections to the related ATT&CK techniques: T1110.003, T1078, T1133, T1033, T1132, and T1546.004.
- Tune password-spraying analytics for distributed, low-and-slow attempts across many accounts, not only repeated failures against one user.
- Correlate successful remote service logins with geography, source network, device posture, account role, and subsequent Linux process activity to reduce false positives.
- Monitor shell configuration modifications, but account for legitimate administrator changes, configuration management tools, and user customization.
- Look for user discovery followed by persistence or outbound network activity; isolated username checks may be benign on multi-user Linux systems.
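The spraying analytic in the first two bullets, written out as an added example (not part of the ATT&CK object or the Glexia page): it reads syslog-style sshd lines, flags a source that fails against many distinct accounts with few attempts each inside a window, and lists any sprayed account that later accepted a login from the same source, which is the T1110.003 to T1078 chain in the technique table. The sample lines are constructed, and the window and count thresholds are illustrative starting points.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd sample: one source walks five accounts once each and then logs in
# as "ubuntu"; a second source retries a single account, which is not spraying.
SAMPLE_LOG = """\
Sep 12 03:00:01 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51202 ssh2
Sep 12 03:01:10 web01 sshd[2102]: Failed password for admin from 203.0.113.7 port 51203 ssh2
Sep 12 03:02:20 web01 sshd[2103]: Failed password for invalid user pi from 203.0.113.7 port 51204 ssh2
Sep 12 03:03:30 web01 sshd[2104]: Failed password for ubuntu from 203.0.113.7 port 51205 ssh2
Sep 12 03:04:40 web01 sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51206 ssh2
Sep 12 03:05:50 web01 sshd[2106]: Accepted password for ubuntu from 203.0.113.7 port 51207 ssh2
Sep 12 03:06:00 web01 sshd[2107]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Sep 12 03:06:09 web01 sshd[2108]: Accepted password for alice from 198.51.100.4 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)")

def parse(log, year=2018):
    # Syslog lines carry no year, so the caller supplies it; non-matching lines are skipped.
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["user"], m["result"] == "Accepted"))
    return events

def detect_spray(events, window=timedelta(hours=1), min_users=4, max_per_user=2):
    """Return {source: {"accounts": sprayed users, "later_success": users that later
    accepted a login from that source}} for sources whose failures look like spraying."""
    fails, accepts = defaultdict(list), defaultdict(list)
    for ts, src, user, ok in events:
        (accepts if ok else fails)[src].append((ts, user))
    alerts = {}
    for src, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):          # each failure opens a window
            per_user = defaultdict(int)
            for ts, user in attempts[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                later = sorted({u for ts, u in accepts[src] if ts >= start and u in per_user})
                alerts[src] = {"accounts": sorted(per_user), "later_success": later}
                break                                        # one alert per source
    return alerts
```

Single-account retries (the second source) fall below `min_users` and are left to a separate brute-force rule, which is the distinction the second bullet asks for.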
Mitigation priorities
- Inventory Linux servers, IoT devices, and externally reachable remote services before prioritizing control gaps.
- Reduce exposure of remote services and require strong authentication controls for externally accessible access paths.
- Strengthen credential controls against password spraying, including monitoring, rate limiting or lockout policies where appropriate, and review of commonly targeted accounts.
- Limit and review valid account privileges used on Linux systems, especially accounts with remote access or administrative capability.
- Implement file integrity monitoring or audit controls for Unix shell configuration locations used for persistence.
Analyst notes and limits
This take is based on the ATT&CK software object for Linux Rabbit and its supplied relationships. The official description identifies a 2018 campaign targeting Linux servers and IoT devices and states the goal was installation of cryptocurrency miners. The relationship context provides the most useful defensive direction: credential abuse, password spraying, external remote services, user discovery, encoded C2, and Unix shell configuration modification.
ATT&CK does not provide an official detection section, tactics are not specified on the malware object, and the supplied fields do not include indicators, hashes, commands, vulnerabilities, affected products, or current exploitation status. Any assessment of exposure or detection coverage requires local asset, identity, network, and Linux logging evidence.
Linux Rabbit
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1110.003 | Password Spraying (sub-technique) | Linux Rabbit brute forces SSH passwords in order to attempt to gain access and install its malware onto the server. [1] |
| Enterprise | T1133 | External Remote Services | Linux Rabbit attempts to gain access to the server via SSH. [1] |
| Enterprise | T1546.004 | Unix Shell Configuration Modification (sub-technique) | Linux Rabbit maintains persistence on an infected machine through rc.local and .bashrc files. [1] |
| Enterprise | T1033 | System Owner/User Discovery | Linux Rabbit opens a socket on port 22 and, if it receives a response, attempts to obtain the machine's hostname and Top-Level Domain. [1] |
| Enterprise | T1132 | Data Encoding | Linux Rabbit sends the payload from the C2 server as an encoded URL parameter. [1] |
| Enterprise | T1078 | Valid Accounts | Linux Rabbit acquires valid SSH accounts through brute force. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | b412c202b7d2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Anomali Linux Rabbit 2018: Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019.
[2] anomali-linux-rabbit: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved December 17, 2020.
[3] mitre-attack S0362.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.