S0401: Exaramel for Linux
Exaramel for Linux is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under Exaramel for Windows.[1]
Analyst context for executives and security teams
Exaramel for Linux matters because it represents a Linux backdoor, compiled as a 64-bit ELF binary, with ATT&CK relationships that map to persistence, command-and-control, file transfer, shell execution, user discovery, obfuscation, and cleanup behaviors. For leaders, the practical question is whether Linux servers and appliances have enough endpoint, persistence, and network telemetry to spot a backdoor that blends into normal web traffic and survives through cron or systemd mechanisms.
Executive priority
Prioritize this as a Linux resilience and incident-readiness issue, especially for environments where Linux systems support critical services. MITRE relates this malware to Sandworm Team and to techniques that can support durable access and command-and-control. Executives should ask whether Linux monitoring is comparable to Windows monitoring, whether SOC playbooks cover cron/systemd/setuid persistence, and whether incident response can quickly validate outbound web-based C2, tool transfer, and file deletion activity.
Technical view
ATT&CK identifies Exaramel for Linux as a Go-based 64-bit ELF backdoor for Linux. No official detection text is provided, so defenders should validate coverage through the related techniques: fallback C2 channels, web protocol C2, ingress tool transfer, Unix shell execution, user discovery, cron and systemd persistence, system process modification, setuid/setgid abuse, encoded or encrypted files, deobfuscation, and file deletion. Detection engineering should focus on behavior chains rather than a single indicator: new or modified Linux persistence entries, suspicious ELF execution, outbound HTTP/S-like traffic from unusual processes, file staging or transfer, shell activity, and cleanup attempts.
Likely telemetry
- Linux process execution telemetry, including parent-child process context for shells and ELF binaries
- Cron and crontab creation or modification records
- Systemd unit file creation, modification, enablement, and service start events
- File integrity or audit telemetry for setuid/setgid permission changes
- Linux authentication and user/session context for system owner or user discovery activity
Detection direction
- Validate that Linux hosts are not a telemetry blind spot; the object platform is Linux and official detection guidance is not provided.
- Build detections around related behavior clusters: persistence through cron or systemd plus outbound web traffic, shell execution, file transfer, or file deletion.
- Tune for administrative false positives: cron jobs, systemd services, setuid/setgid binaries, and shell scripts are common on Linux, so alerting should compare against known baselines and change-control context.
- Confirm that network monitoring can distinguish expected service traffic from unusual outbound web protocol activity by uncommon processes or hosts.
- Correlate file deletion with prior file creation, tool transfer, or suspicious execution to avoid relying on missing artifacts after cleanup.
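The behavior-chain idea in the list above, written out as an added example (not code from MITRE, ESET, ANSSI or Glexia): a small correlator that keys telemetry on (host, executable), treats a write under cron or systemd paths as the anchor event, and alerts only when the same actor follows it inside a window with outbound web traffic, a shell execution or a file deletion. The event schema, the 30-minute window, the admin-tool allowlist and the sample events are all constructed assumptions.

```python
"""Behavior-chain correlation over Linux host telemetry.

Added example for this page; it is not code from MITRE, ESET, ANSSI or
Glexia. The event schema (one dict per event with ts/host/pid/exe/type),
the 30-minute window, the admin-tool allowlist and the sample events are all
constructed assumptions chosen to illustrate the detection direction above.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumption: chain must complete inside this

# Writes under these prefixes are treated as cron or systemd persistence
# (T1053.003 / T1543.002). Assumed list; extend per distribution.
PERSISTENCE_PREFIXES = ("/etc/systemd/system/", "/etc/cron", "/var/spool/cron/")

# Follow-on behaviors that, after a persistence write by the same actor,
# complete the chain: web C2 (T1071.001), shell (T1059.004), cleanup (T1070.004).
FOLLOW_ON = {"net_connect", "process_exec", "file_delete"}

# Baseline: processes expected to touch persistence during administration.
# Assumed allowlist; a real deployment derives this from change control.
KNOWN_ADMIN_EXES = {"/usr/bin/systemctl", "/usr/bin/crontab", "/usr/bin/apt-get"}

# Constructed sample telemetry (not real logs). web01 shows the full chain from
# one unknown binary; db02 shows routine administration that must not alert;
# app03 shows a persistence write whose follow-on falls outside the window.
SAMPLE_EVENTS = [
    {"ts": "2021-01-15T10:00:00", "host": "web01", "pid": 4242, "exe": "/opt/unreviewed/agent",
     "type": "file_write", "path": "/etc/systemd/system/agent.service"},
    {"ts": "2021-01-15T10:00:05", "host": "web01", "pid": 4242, "exe": "/opt/unreviewed/agent",
     "type": "net_connect", "dst": "198.51.100.7:443"},
    {"ts": "2021-01-15T10:02:00", "host": "web01", "pid": 4242, "exe": "/opt/unreviewed/agent",
     "type": "process_exec", "child": "/bin/sh -c id"},
    {"ts": "2021-01-15T10:09:00", "host": "web01", "pid": 4242, "exe": "/opt/unreviewed/agent",
     "type": "file_delete", "path": "/opt/unreviewed/agent.conf"},
    {"ts": "2021-01-15T11:00:00", "host": "db02", "pid": 900, "exe": "/usr/bin/systemctl",
     "type": "file_write", "path": "/etc/systemd/system/backup.service"},
    {"ts": "2021-01-15T11:30:00", "host": "db02", "pid": 1100, "exe": "/usr/bin/apt-get",
     "type": "net_connect", "dst": "203.0.113.10:443"},
    {"ts": "2021-01-15T12:00:00", "host": "app03", "pid": 777, "exe": "/usr/local/bin/deploy",
     "type": "file_write", "path": "/etc/cron.d/deploy"},
    {"ts": "2021-01-15T13:30:00", "host": "app03", "pid": 777, "exe": "/usr/local/bin/deploy",
     "type": "net_connect", "dst": "203.0.113.20:443"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def is_persistence_write(event):
    return event["type"] == "file_write" and event["path"].startswith(PERSISTENCE_PREFIXES)


def correlate(events, window=WINDOW, baseline_exes=KNOWN_ADMIN_EXES):
    """Return one alert per (host, exe) whose persistence write is followed,
    inside `window`, by at least one FOLLOW_ON behavior from the same actor.
    Keying on (host, exe) rather than pid survives the backdoor being
    restarted by the persistence mechanism it just installed."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["host"], e["exe"])].append(e)
    alerts = []
    for (host, exe), evs in by_actor.items():
        if exe in baseline_exes:
            continue  # expected admin tooling; left to change-control review
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, e in enumerate(evs):
            if not is_persistence_write(e):
                continue
            t0 = parse_ts(e["ts"])
            follow = {f["type"] for f in evs[i + 1:]
                      if f["type"] in FOLLOW_ON and parse_ts(f["ts"]) - t0 <= window}
            if follow:
                alerts.append({"host": host, "exe": exe, "persistence": e["path"],
                               "follow_on": sorted(follow), "first_seen": e["ts"]})
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, only web01 produces an alert; widening the window to two hours also catches app03, which is the tuning trade-off the list item about administrative false positives describes. In production the same logic would consume auditd, eBPF or EDR events and the allowlist would be generated from the change-control system rather than typed in.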
Mitigation priorities
- Establish and maintain baselines for authorized cron jobs, systemd services, privileged binaries, and expected outbound destinations on Linux systems.
- Centralize Linux audit, process, persistence, and network logs so IR can reconstruct activity even if files are deleted locally.
- Apply least-privilege and change-control practices around service creation, scheduled tasks, and setuid/setgid permissions.
- Restrict and monitor outbound web access from servers that do not require broad internet communication.
- Prepare IR procedures to triage suspicious Linux ELF binaries, persistence entries, file transfers, and shell activity without assuming Windows-centric tooling will be sufficient.
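The first mitigation item, baselines for cron jobs, systemd units and privileged binaries, as an added example that is not code from MITRE, ESET, ANSSI or Glexia: an inventory routine that hashes every file under the relevant directories, records setuid/setgid regular files, and diffs a fresh scan against a saved baseline so that an edited cron entry, a new unit file or a new privileged binary shows up as a change. The directory lists, the SHA-256 change detection and the miniature tree built by demo() are constructed assumptions; on a live host call collect_inventory("/") instead.

```python
"""Baseline inventory of Linux persistence surfaces (cron, systemd, setuid)
and a diff against a saved baseline. Added example for this page; not code
from MITRE, ESET, ANSSI or Glexia. Directory lists, SHA-256 change detection
and the miniature tree built by demo() are constructed assumptions.
"""
import hashlib
import os
import stat
import tempfile

# Assumed locations, relative to the scanned root, so the same code can scan
# "/" on a live host or a constructed tree for testing.
CRON_DIRS = ("etc/cron.d", "etc/cron.hourly", "etc/cron.daily", "var/spool/cron")
CRON_FILES = ("etc/crontab",)
SYSTEMD_DIRS = ("etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system")
BIN_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin", "usr/local/bin", "usr/local/sbin")


def _sha256(path):
    """Hash a file; None if unreadable (dangling symlink, no permission)."""
    try:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()
    except OSError:
        return None


def _files_under(root, rel_dirs):
    for rel in rel_dirs:
        for dirpath, _, names in os.walk(os.path.join(root, rel)):
            for name in names:
                yield os.path.join(dirpath, name)


def collect_inventory(root="/"):
    """Return {category: {relative_path: sha256}} for the three surfaces."""
    inv = {"cron": {}, "systemd": {}, "setuid": {}}
    cron_paths = list(_files_under(root, CRON_DIRS))
    cron_paths += [os.path.join(root, f) for f in CRON_FILES
                   if os.path.isfile(os.path.join(root, f))]
    for p in cron_paths:
        inv["cron"][os.path.relpath(p, root)] = _sha256(p)
    for p in _files_under(root, SYSTEMD_DIRS):
        if p.endswith((".service", ".timer")):
            inv["systemd"][os.path.relpath(p, root)] = _sha256(p)
    for p in _files_under(root, BIN_DIRS):
        try:
            st = os.lstat(p)  # lstat: a symlink must not masquerade as setuid
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            inv["setuid"][os.path.relpath(p, root)] = _sha256(p)
    return inv


def diff_inventory(baseline, current):
    """Return {category: {"added": [...], "removed": [...], "changed": [...]}}."""
    out = {}
    for cat in current:
        b, c = baseline.get(cat, {}), current[cat]
        out[cat] = {
            "added": sorted(set(c) - set(b)),
            "removed": sorted(set(b) - set(c)),
            "changed": sorted(k for k in set(b) & set(c) if b[k] != c[k]),
        }
    return out


def demo():
    """Build a constructed miniature tree, snapshot it, apply one change per
    surface (edited cron job, new unit, new setuid binary) and return the diff."""
    root = tempfile.mkdtemp()

    def put(rel, text, mode=0o644):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as f:
            f.write(text)
        os.chmod(p, mode)

    put("etc/cron.d/backup", "0 2 * * * root /usr/local/bin/backup\n")
    put("etc/systemd/system/app.service", "[Service]\nExecStart=/usr/local/bin/app\n")
    put("usr/bin/tool", "#!/bin/sh\n", 0o755)  # ordinary binary: not inventoried
    baseline = collect_inventory(root)
    put("etc/cron.d/backup", "*/5 * * * * root /opt/unreviewed/agent\n")
    put("etc/systemd/system/update.service", "[Service]\nExecStart=/opt/unreviewed/agent\n")
    put("usr/bin/helper", "#!/bin/sh\n", 0o4755)
    return diff_inventory(baseline, collect_inventory(root))


if __name__ == "__main__":
    print(demo())
```

The baseline dictionary serialises to JSON without further work, so the intended deployment is a scheduled scan that loads the last approved baseline, runs diff_inventory, and routes anything under "added" or "changed" that has no matching change ticket to the SOC. Hashing rather than recording mtime matters here because a modified cron entry that keeps its timestamp is exactly the kind of change a baseline built on metadata would miss.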
Analyst notes and limits
The ATT&CK object does not list tactics directly, but its relationships map to command-and-control, execution, persistence, privilege escalation, discovery, and stealth techniques. The strongest decision value is to test whether Linux persistence and C2 behaviors are observable and actionable in the local SOC workflow.
MITRE provides no official detection text for this object, no aliases or labels, and only Linux as the platform. This take is derived from the supplied description, external reference, and relationship context; local asset roles, baselines, logs, and compensating controls are required to assess actual exposure or coverage.
Exaramel for Linux
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | Exaramel for Linux has a command to download a file from and to a remote C2 server. (Citation: ESET TeleBots Oct 2018) (Citation: ANSSI Sandworm January 2021) |
| Enterprise | T1033 | System Owner/User Discovery | Exaramel for Linux can run |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Exaramel for Linux uses HTTPS for C2 communications. (Citation: ESET TeleBots Oct 2018) (Citation: ANSSI Sandworm January 2021) |
| Enterprise | T1543 | Create or Modify System Process | Exaramel for Linux has a hardcoded location that it uses to achieve persistence if the startup system is Upstart or System V and it is running as root. (Citation: ANSSI Sandworm January 2021) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Exaramel for Linux can decrypt its configuration file. (Citation: ANSSI Sandworm January 2021) |
| Enterprise | T1008 | Fallback Channels | Exaramel for Linux can attempt to find a new C2 server if it receives an error. (Citation: ANSSI Sandworm January 2021) |
| Enterprise | T1543.002 | Systemd Service Sub-technique | Exaramel for Linux has a hardcoded location under systemd that it uses to achieve persistence if it is running as root. (Citation: ESET TeleBots Oct 2018) (Citation: ANSSI Sandworm January 2021) |
| Enterprise | T1070.004 | File Deletion Sub-technique | Exaramel for Linux can uninstall its persistence mechanism and delete its configuration file. (Citation: ANSSI Sandworm January 2021) |
| Enterprise | T1548.001 | Setuid and Setgid Sub-technique | Exaramel for Linux can execute commands with high privileges via a specific binary with setuid functionality. (Citation: ANSSI Sandworm January 2021) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Exaramel for Linux uses RC4 for encrypting the configuration. (Citation: ESET TeleBots Oct 2018) (Citation: ANSSI Sandworm January 2021) |
| Enterprise | T1059.004 | Unix Shell Sub-technique | Exaramel for Linux has a command to execute a shell command on the system. (Citation: ESET TeleBots Oct 2018) (Citation: ANSSI Sandworm January 2021) |
| Enterprise | T1053.003 | Cron Sub-technique | Exaramel for Linux uses crontab for persistence if it does not have root privileges. (Citation: ESET TeleBots Oct 2018) (Citation: ANSSI Sandworm January 2021) |
Groups, software, and campaigns
G0034: Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources (Updates) page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 87d368415c13… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ESET TeleBots Oct 2018: Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018. Open source URL.
- [2] Exaramel for Linux (Citation: ESET TeleBots Oct 2018)
- [3] mitre-attack S0401. Open source URL.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.