
S0394: HiddenWasp

HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.[1]

Domain: Enterprise | ID: S0394 | Type: Malware | Object version 1.3
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

HiddenWasp is a Linux-focused Trojan described by ATT&CK as providing remote control through a statically linked ELF binary. For leaders, the practical concern is not just malware presence: the related ATT&CK behaviors point to persistence, stealth, concealed command-and-control, tool transfer, and local account creation on Linux systems that may support critical applications, cloud workloads, or operational infrastructure.

Executive priority

Prioritize HiddenWasp-style coverage where Linux systems are business-critical or privileged: application servers, management hosts, build systems, and cloud/virtual infrastructure. The key executive questions are whether teams can prove visibility into privileged Linux changes, startup persistence, local account creation, suspicious ELF execution, and unusual outbound protocols. Because ATT&CK provides no official detection text for this object, coverage should be validated through telemetry and response readiness rather than assumed from malware naming alone.

Technical view

SOC and IR teams should map detection around the related techniques: rootkit-style hiding, encrypted or encoded files, RC script persistence, non-application-layer C2, ingress tool transfer, local account creation, deobfuscation, symmetric cryptography for C2, and dynamic linker hijacking. The object platform is Linux; the relationship to Windows Command Shell should be treated carefully and not generalized to HiddenWasp Linux coverage without local evidence. Detection should focus on correlated Linux behaviors rather than single indicators.

Likely telemetry

  • Linux process execution and command-line activity for ELF binaries, especially unusual statically linked binaries or execution from nonstandard paths
  • File integrity and change telemetry for RC scripts such as rc.local, rc.common, and distribution-specific startup scripts
  • Changes to local identity stores and privilege files, including new users, /etc/passwd, /etc/shadow, sudoers, and authentication logs
  • Dynamic linker-related telemetry such as LD_PRELOAD usage, /etc/ld.so.preload changes, and suspicious shared library loading paths
  • Network flow, firewall, proxy, and packet metadata capable of identifying unusual outbound protocols or non-application-layer communications

Detection direction

  • Build detections around combinations: new privileged local account plus RC script modification, unusual ELF execution plus outbound nonstandard protocol, or linker hijacking plus tool transfer.
  • Validate that Linux telemetry is collected before relying on rules; rootkit-related behavior may hide process, file, service, or network artifacts from normal host views.
  • Tune false positives for legitimate administration, software deployment, backup agents, security tooling, and approved LD_PRELOAD or startup-script usage.
  • Use network-side telemetry to compensate for possible host-level hiding, especially for unusual protocols or encrypted C2-like sessions.
  • Review relationship-driven coverage for T1014, T1027.013, T1037.004, T1095, T1105, T1136.001, T1140, T1573.001, and T1574.006 as the most relevant Linux-aligned behaviors.
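The combination rules above, worked as a small correlation pass over constructed Linux telemetry. This is an added example, not Glexia's or MITRE's code; the JSON-lines event schema (fields such as kind, path, static, l7) and the sample events are assumptions made for the illustration. Each rule only alerts when both of its behaviours land on the same host inside a time window, so a lone user creation or a lone rc.local edit by an administrator stays quiet.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in a hypothetical JSON-lines schema (not any real product's format).
SAMPLE_EVENTS = """
{"ts":"2019-05-29T10:00:00","host":"app01","kind":"useradd","user":"sysupd","uid":0}
{"ts":"2019-05-29T10:02:10","host":"app01","kind":"file_write","path":"/etc/rc.local"}
{"ts":"2019-05-29T10:05:00","host":"app01","kind":"file_write","path":"/etc/ld.so.preload"}
{"ts":"2019-05-29T10:06:30","host":"app01","kind":"download","path":"/tmp/pkg.tar.gz"}
{"ts":"2019-05-29T11:00:00","host":"app01","kind":"exec","path":"/tmp/.x/svc","static":true}
{"ts":"2019-05-29T11:00:20","host":"app01","kind":"netflow","dst_port":61061,"l7":"unknown"}
{"ts":"2019-05-29T10:00:00","host":"db02","kind":"useradd","user":"backup","uid":1002}
{"ts":"2019-05-30T09:00:00","host":"db02","kind":"file_write","path":"/etc/rc.local"}
""".strip().splitlines()

RC_SCRIPTS = ("/etc/rc.local", "/etc/rc.common", "/etc/init.d/")  # boot-time persistence paths (T1037.004)
STD_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")          # where ELF binaries are expected to live
WINDOW = timedelta(minutes=30)                                      # both behaviours must fall inside this

# (rule name, ATT&CK IDs, predicate for behaviour A, predicate for behaviour B); a single hit never alerts
RULES = [
    ("priv_account+rc_script", "T1136.001+T1037.004",
     lambda e: e["kind"] == "useradd" and e.get("uid") == 0,
     lambda e: e["kind"] == "file_write" and e["path"].startswith(RC_SCRIPTS)),
    ("odd_elf+nonstd_protocol", "T1095",
     lambda e: e["kind"] == "exec" and e.get("static") and not e["path"].startswith(STD_DIRS),
     lambda e: e["kind"] == "netflow" and e.get("l7") == "unknown"),
    ("linker_hijack+tool_transfer", "T1574.006+T1105",
     lambda e: e["kind"] == "file_write" and e["path"] == "/etc/ld.so.preload",
     lambda e: e["kind"] == "download" and e["path"].endswith((".tar", ".tar.gz", ".tgz"))),
]

def correlate(lines, window=WINDOW):
    """Return (host, rule, attack_ids) for every rule whose two behaviours occur on one host within `window`."""
    by_host = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, events in by_host.items():
        for name, ids, is_a, is_b in RULES:
            a_times = [e["ts"] for e in events if is_a(e)]
            # A and B may arrive in either order; only their distance in time matters
            if any(is_b(e) and any(abs(e["ts"] - t) <= window for t in a_times) for e in events):
                alerts.append((host, name, ids))
    return alerts
```

On the sample data, app01 trips all three rules while db02 (a non-root account, rc.local touched a day later) produces nothing; a real deployment would feed auditd, file-integrity and flow records into the same shape.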

Mitigation priorities

  • Harden privileged Linux administration: enforce least privilege, restrict root-level changes, and review local account creation paths.
  • Monitor and control startup persistence locations, especially RC scripts and other boot-time execution mechanisms.
  • Apply file integrity monitoring and change approval for dynamic linker configuration and sensitive system paths.
  • Restrict unnecessary outbound network paths and inspect or alert on unusual non-application-layer communications where feasible.
  • Control transfer of tools and binaries onto Linux systems through egress filtering, allowlisted administration channels, and logging.

Analyst notes and limits

This take is based on the ATT&CK software object for HiddenWasp and its supplied technique relationships. The strongest defensive value is in validating Linux host integrity, persistence, identity, and network telemetry rather than searching only for a named malware family.

ATT&CK provides no official detection guidance in the supplied object, no aliases, no malware tactics at the object level, and no indicators of compromise here. Local environment baselines, approved administrative practices, and collected telemetry are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

HiddenWasp

HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain / ID / Name / Relationship or procedure (10 rows)

Enterprise T1136.001 Local Account (sub-technique)
    HiddenWasp creates a user account as a means to provide initial persistence to the compromised machine. [1]

Enterprise T1095 Non-Application Layer Protocol
    HiddenWasp communicates with a simple network protocol over TCP. [1]

Enterprise T1574.006 Dynamic Linker Hijacking (sub-technique)
    HiddenWasp adds itself as a shared object to the LD_PRELOAD environment variable. [1]

Enterprise T1573.001 Symmetric Cryptography (sub-technique)
    HiddenWasp uses an RC4-like algorithm with an already computed PRGA generated key-stream for network communication. [1]

Enterprise T1037.004 RC Scripts (sub-technique)
    HiddenWasp installs reboot persistence by adding itself to /etc/rc.local. [1]

Enterprise T1014 Rootkit
    HiddenWasp uses a rootkit to hook and implement functions on the system. [1]

Enterprise T1059.003 Windows Command Shell (sub-technique)
    HiddenWasp uses a script to automate tasks on the victim's machine and to assist in execution. [1]

Enterprise T1140 Deobfuscate/Decode Files or Information
    HiddenWasp uses a cipher to implement a decoding function. [1]

Enterprise T1105 Ingress Tool Transfer
    HiddenWasp downloads a tar compressed archive from a download server to the system. [1]

Enterprise T1027.013 Encrypted/Encoded File (sub-technique)
    HiddenWasp encrypts its configuration and payload. [1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.3
Raw hash: e1e492b1e6c8535b...

Imported snapshots across ATT&CK releases (1)
Release 19.1 | Object version 1.3 | Status: current bundle | Raw hash e1e492b1e6c8…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Intezer HiddenWasp Map 2019: Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  2. [2] HiddenWasp (Citation: Intezer HiddenWasp Map 2019)
  3. [3] mitre-attack S0394

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.