S0410: Fysbis
Analyst context for executives and security teams
Fysbis matters because it represents a Linux backdoor with documented ATT&CK relationships to persistence, discovery, credential collection, command execution, command-and-control encoding, and stealth behaviors. For leaders, the practical question is not whether this specific malware is present, but whether Linux estates have enough visibility to prove that service persistence, shell activity, keylogging indicators, file cleanup, and encoded network traffic would be noticed during an incident.
Executive priority
Prioritize this as a Linux security readiness and incident response validation item. The object is associated in ATT&CK with APT28 and multiple Linux-relevant techniques, but MITRE provides no official detection guidance for the malware itself. Executives should ask whether business-critical Linux servers, developer workstations, and cloud-hosted Linux systems are covered by endpoint telemetry, service-change monitoring, log retention, and response playbooks sufficient to investigate backdoor-style activity and credential exposure.
Technical view
SOC and IR teams should validate coverage around the related behaviors: systemd service creation or modification, XDG autostart entries, masqueraded services or files, Unix shell execution, process/system/file discovery, file deletion, keylogging, encrypted or encoded files, and standard-encoded C2 data. Because the official object lists Linux as the platform and does not provide detection text, detection engineering should be behavior-led rather than signature-only, with attention to baselining normal Linux service names, paths, startup files, shell usage, and outbound traffic patterns.
Likely telemetry
- Linux process creation and command-line telemetry
- systemd unit file creation, modification, enablement, and execution logs
- XDG autostart .desktop file creation or modification events
- File integrity or endpoint telemetry for suspicious file placement, deletion, and masquerading
- Authentication and user session context for interactive or non-interactive shell activity
Detection direction
- Build detections around behavior clusters rather than the Fysbis name alone, especially persistence plus discovery plus outbound communication on Linux hosts.
- Tune service and startup-file monitoring to distinguish approved administrative changes from unexpected systemd or XDG autostart modifications.
- Look for masquerading by comparing service names, executable locations, ownership, permissions, and expected package-managed paths.
- Correlate Unix shell execution with process discovery, system information discovery, file enumeration, and subsequent file deletion.
- Review network detections for standard encoding in command-and-control contexts, while accounting for benign encoded application traffic to reduce false positives.
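As an added example (not from the ATT&CK object or from Glexia), the following Python audit parses systemd unit and XDG autostart entries and applies the masquerade and non-packaged-path checks listed above. The trusted directory list, the lookalike name list, and the sample entries are constructed assumptions for the demo, not indicators from the source.

```python
import re

# Package-managed locations where a service or autostart executable is expected (assumption).
TRUSTED_EXEC_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/bin/", "/sbin/", "/lib/")
# Service names the ATT&CK entry reports Fysbis borrowing; extend from your own baseline.
LOOKALIKE_NAMES = ("rsyncd", "dbus")

def parse_ini(text):
    """Parse a systemd unit or XDG .desktop body into {section: {key: value}}."""
    out, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = out.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[key.strip()] = value.strip()
    return out

def audit_entry(path, text):
    """Return findings for one unit/.desktop file; an empty list means no concern."""
    data = parse_ini(text)
    cmd = data.get("Service", {}).get("ExecStart") or data.get("Desktop Entry", {}).get("Exec", "")
    exe = cmd.split()[0] if cmd else ""
    name = re.sub(r"\.(service|desktop)$", "", path.rsplit("/", 1)[-1])
    findings = []
    if exe and not exe.startswith(TRUSTED_EXEC_DIRS):
        kind = "user autostart entry" if "/.config/autostart/" in path else "service"
        findings.append(f"{kind} runs a non-packaged binary: {exe}")
        if name.startswith(LOOKALIKE_NAMES):
            findings.append(f"name {name!r} mimics a legitimate service (T1036.004/005 pattern)")
    return findings

# Constructed sample entries for the demo: one legitimate unit and two lookalikes.
SAMPLES = {
    "/etc/systemd/system/rsyncd.service":
        "[Unit]\nDescription=fast remote file copy program daemon\n"
        "[Service]\nExecStart=/usr/bin/rsync --daemon --no-detach\n",
    "/etc/systemd/system/dbus-inotifier.service":
        "[Unit]\nDescription=dbus inotifier\n"
        "[Service]\nExecStart=/var/tmp/.dbus-inotifier\n",
    "/home/user/.config/autostart/dbus-inotifier.desktop":
        "[Desktop Entry]\nType=Application\nName=dbus-inotifier\n"
        "Exec=/home/user/.local/share/.dbus-inotifier %u\n",
}

def run_audit(samples=SAMPLES):
    # Map each path to its findings, keeping only entries that raised something.
    result = {path: audit_entry(path, text) for path, text in samples.items()}
    return {path: f for path, f in result.items() if f}
```

In a real deployment the dictionary would be filled from /etc/systemd/system, /usr/lib/systemd/system and each user's ~/.config/autostart, with the output diffed against a change-management baseline.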
Mitigation priorities
- Establish asset and ownership clarity for Linux systems so unexpected services, startup entries, and binaries can be investigated quickly.
- Restrict and monitor privileged changes to systemd units and user autostart locations.
- Apply least privilege and hardening on Linux endpoints and servers to reduce opportunities for persistence and credential collection.
- Maintain endpoint, file integrity, and network logging with retention adequate for incident reconstruction.
- Use change management or configuration management baselines to identify unauthorized service names, file locations, and startup entries.
Analyst notes and limits
The supplied ATT&CK object identifies Fysbis as a Linux-based backdoor used by APT28 and links it to several techniques that are highly useful for defensive validation. The strongest value for defenders is mapping those relationships into Linux telemetry and control checks. Because no official detection text is provided, local engineering should focus on confirming visibility and detections for the related techniques rather than assuming malware-specific coverage.
This take uses only the supplied ATT&CK fields, external references, and relationships. It does not assert current activity, customer exposure, specific indicators, malware capabilities beyond the listed relationships, or guaranteed detection. Environment-specific baselines, logs, and control configurations are required to determine actual risk and coverage.
Fysbis
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1132.001 | Standard Encoding Sub-technique | Fysbis can use Base64 to encode its C2 traffic. (Citation: Fysbis Dr Web Analysis) |
| Enterprise | T1083 | File and Directory Discovery | Fysbis has the ability to search for files. (Citation: Fysbis Dr Web Analysis) |
| Enterprise | T1056.001 | Keylogging Sub-technique | Fysbis can perform keylogging. (Citation: Fysbis Palo Alto Analysis) |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | Fysbis has masqueraded as the rsyncd and dbus-inotifier services. (Citation: Fysbis Dr Web Analysis) |
| Enterprise | T1057 | Process Discovery | Fysbis can collect information about running processes. (Citation: Fysbis Dr Web Analysis) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Fysbis has been encrypted using XOR and RC4. (Citation: Fysbis Dr Web Analysis) |
| Enterprise | T1070.004 | File Deletion Sub-technique | Fysbis has the ability to delete files. (Citation: Fysbis Dr Web Analysis) |
| Enterprise | T1082 | System Information Discovery | Fysbis has used the command |
| Enterprise | T1543.002 | Systemd Service Sub-technique | Fysbis has established persistence using a systemd service. (Citation: Fysbis Dr Web Analysis) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier. (Citation: Fysbis Dr Web Analysis) |
| Enterprise | T1547.013 | XDG Autostart Entries Sub-technique | If executing without root privileges, Fysbis adds a `.desktop` configuration file to the user's `~/.config/autostart` directory. (Citation: Red Canary Netwire Linux 2022) (Citation: Fysbis Dr Web Analysis) |
| Enterprise | T1059.004 | Unix Shell Sub-technique | Fysbis has the ability to create and execute commands in a remote shell for CLI. (Citation: Fysbis Palo Alto Analysis) |
Groups, software, and campaigns
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | 6e5bf2b18b90… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Fysbis Palo Alto Analysis: Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017.
- [2] mitre-attack S0410
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.