S0430: Winnti for Linux
Winnti for Linux is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including Winnti Group. The Windows variant is tracked separately under Winnti for Windows.[1]
Analyst context for executives and security teams
Winnti for Linux matters because it represents Linux-focused trojan activity with documented stealth and command-and-control behaviors, not just a Windows malware concern. For organizations that depend on Linux servers for applications, cloud workloads, telecom, technology, government, finance, or other critical operations, the practical issue is whether defenders can see hidden host artifacts, unusual egress, transferred tools, and encrypted or signaled communications before incident response depends on compromised evidence.
Executive priority
Treat this as a Linux resilience and visibility question: do critical Linux systems have defensible monitoring, egress control, and forensic readiness? The ATT&CK relationships tie this malware to multiple threat groups and techniques involving rootkit behavior, obfuscation, traffic signaling, encrypted C2, and tool transfer. Leaders should prioritize evidence that SOC and IR teams can investigate Linux compromise even when malware attempts to hide files, services, connections, or network activity.
Technical view
Validate coverage around Linux hosts for the related techniques: Rootkit, Encrypted/Encoded File, Web Protocols, Non-Application Layer Protocol, Ingress Tool Transfer, Deobfuscate/Decode Files or Information, Traffic Signaling, and Symmetric Cryptography. Detection engineering should not rely only on normal process, file, or socket listings because rootkit behavior can hide artifacts. Correlate host integrity signals, kernel/module or service changes, suspicious file creation and decoding activity, external file transfer, and outbound HTTP/S or non-application-layer communications. Network detections should account for common web traffic camouflage, encrypted payloads, and traffic-signaling patterns that may only appear as unusual packet sequences or dormant services until triggered.
Likely telemetry
- Linux endpoint telemetry for process execution, file creation/modification, service changes, and persistence-relevant artifacts
- Kernel, module, driver, or host integrity monitoring where available for rootkit-oriented visibility
- Linux audit logs, system logs, authentication logs, and administrative activity records
- Network flow records, firewall logs, proxy logs, and HTTP/S metadata for outbound command-and-control patterns
- Packet or protocol metadata capable of identifying non-application-layer communications where legally and operationally appropriate
Detection direction
- Confirm that Linux monitoring is tamper-resistant enough to remain useful when rootkit behavior may hide files, services, network connections, or processes.
- Tune web-protocol detections to distinguish legitimate high-volume HTTP/S activity from unusual external communications by Linux servers, while managing false positives from normal application traffic.
- Look for tool ingress patterns: new executable files, unexpected downloads, transfers from external systems, and follow-on execution or decoding behavior.
- Add network analytics for non-application-layer protocol use from Linux systems where such traffic is unusual for the asset role.
- Use relationship context to enrich triage, but do not treat group association alone as proof of attribution.
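The network items above (web egress from roles that should not produce it, non-application-layer protocols from Linux hosts where that is unusual) can be expressed as a simple per-role egress baseline over flow records. The script below is an added example, not Glexia's or MITRE's code: the role baseline, asset inventory and flow records are all constructed here, `Flow`, `classify_flow` and `find_egress_anomalies` are names chosen for this illustration, and RFC 5737 documentation addresses stand in for external hosts.

```python
"""Flow-record egress analytics for Linux servers (constructed example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed baseline: outbound proto/port pairs each asset role is expected to use
# toward external hosts. In practice this comes from inventory plus observed history.
ROLE_BASELINE = {
    "db-server": set(),                   # a database server should not reach the internet
    "web-server": {"tcp/443", "tcp/80"},  # calls to partner APIs are expected
    "bastion": {"tcp/22", "tcp/443"},
}
# Constructed asset inventory: source IP -> role.
ASSET_ROLES = {
    "10.0.1.10": "db-server",
    "10.0.2.20": "web-server",
    "10.0.3.30": "bastion",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for ICMP
    bytes_out: int
    internal_dst: bool    # True when dst lies inside the organisation's address space


# Constructed sample flows (RFC 5737 ranges stand in for external hosts).
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.1.50", "tcp", 5432, 8000, True),     # db -> internal app: ignored
    Flow("10.0.1.10", "203.0.113.7", "icmp", None, 120, False),   # db server ICMP out: T1095
    Flow("10.0.1.10", "203.0.113.7", "tcp", 443, 2300, False),    # db server HTTPS out: T1071.001
    Flow("10.0.2.20", "198.51.100.9", "tcp", 443, 51000, False),  # web server HTTPS out: baseline
    Flow("10.0.2.20", "198.51.100.9", "udp", 40000, 90, False),   # web server custom UDP out: T1095
    Flow("10.0.3.30", "192.0.2.44", "tcp", 9000, 400, False),     # bastion custom TCP port: T1095
    Flow("10.0.9.99", "192.0.2.44", "tcp", 9000, 400, False),     # unknown asset: not scored
]


def classify_flow(flow: Flow) -> Optional[str]:
    """Return a reason string when the flow falls outside the role baseline, else None."""
    role = ASSET_ROLES.get(flow.src)
    if role is None or flow.internal_dst:
        return None  # unknown asset or east-west traffic: out of scope for this check
    if flow.proto == "icmp":
        return f"T1095: ICMP to external host from role {role}"
    key = f"{flow.proto}/{flow.dport}"
    if key in ROLE_BASELINE[role]:
        return None
    if key in ("tcp/80", "tcp/443"):
        return f"T1071.001: web egress ({key}) not expected for role {role}"
    return f"T1095: non-baseline {key} to external host from role {role}"


def find_egress_anomalies(flows):
    """Score every flow and return (src, dst, reason) for the anomalous ones."""
    return [(f.src, f.dst, r) for f in flows if (r := classify_flow(f))]


def anomalies_per_host(flows) -> Counter:
    """Hosts with several independent anomalies are the first to triage."""
    return Counter(src for src, _, _ in find_egress_anomalies(flows))


if __name__ == "__main__":
    for src, dst, reason in find_egress_anomalies(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {reason}")
    print(anomalies_per_host(SAMPLE_FLOWS))
```

The baseline is deliberately keyed on role rather than on individual host so that a single server beginning to behave like a different role (a database host opening HTTPS or ICMP to the internet) stands out even when the same traffic would be normal elsewhere; an empty baseline for a role means any external egress is worth a ticket.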
Mitigation priorities
- Start with inventory and criticality: identify Linux systems whose compromise would affect business continuity or regulated evidence.
- Improve Linux logging and endpoint visibility before relying on detections that malware may hide from local tools.
- Restrict and monitor outbound network access from servers, including web protocols and non-application-layer protocols that are not required for business use.
- Control file ingress paths and investigate unexpected tool transfers to Linux hosts.
- Maintain baseline integrity for critical binaries, services, modules, and configuration so hidden or modified components can be challenged during IR.
Analyst notes and limits
The official ATT&CK object identifies Winnti for Linux as a Linux-targeting trojan seen since at least 2015 and notes that the malware family is shared across a number of actors. Supplied relationships show use by APT41, Aquatic Panda, and Earth Lusca, and software use of techniques associated with stealth, persistence, command-and-control, and tool transfer. The decision value is strongest for organizations with important Linux server, cloud, or network-facing workloads.
MITRE does not provide official detection text for this object, and the software object itself lists tactics as not specified. No indicators, hashes, command syntax, infrastructure, specific affected products, or campaign timing are supplied here. Coverage conclusions require local asset roles, telemetry availability, baselines, and incident evidence.
Winnti for Linux
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols (sub-technique of Application Layer Protocol) | Winnti for Linux has used HTTP in outbound communications.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | Winnti for Linux has used ICMP, custom TCP, and UDP in outbound communications.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Winnti for Linux has decoded XOR encoded strings holding its configuration upon execution.[1] |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique of Encrypted Channel) | Winnti for Linux has used a custom TCP protocol with four-byte XOR for command and control (C2).[1] |
| Enterprise | T1205 | Traffic Signaling | Winnti for Linux has used a passive listener, capable of identifying a specific magic value before executing tasking, as a secondary command and control (C2) mechanism.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique of Obfuscated Files or Information) | Winnti for Linux can encode its configuration file with single-byte XOR encoding.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Winnti for Linux has the ability to deploy modules directly from command and control (C2) servers, possibly for remote command execution, file exfiltration, and socks5 proxying on the infected host.[1] |
| Enterprise | T1014 | Rootkit | Winnti for Linux has used a modified copy of the open-source userland rootkit Azazel, named libxselinux.so, to hide the malware's operations and network activity.[1] |
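Three rows above (T1140, T1027.013 and T1573.001) describe the same analyst problem from different angles: configuration and C2 data protected by a short repeating XOR key, either a single byte or four bytes. The helpers below are an added example for the analyst side of that work, not code from the malware, Chronicle or MITRE: they brute-force a single-byte key by scoring how configuration-like each candidate plaintext looks, and recover a four-byte key from a known-plaintext crib. The sample configuration string, the keys and the C2 fragment are constructed here; the page gives no real key, framing or indicator, and the function names are chosen for this illustration.

```python
"""Analyst helpers for short-repeating-key XOR data (constructed example)."""
from itertools import cycle
from typing import List, Tuple

# Bytes that commonly appear in key=value style configuration text.
CONFIG_ALPHABET = frozenset(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 .:=;/-_,\n\t\r"
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (1 byte models the config blob, 4 bytes the C2 stream)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not buf:
        return 0.0
    return sum(1 for b in buf if 32 <= b < 127 or b in (9, 10, 13)) / len(buf)


def config_likeness(buf: bytes) -> float:
    """Stricter score: fraction of bytes drawn from the configuration alphabet."""
    if not buf:
        return 0.0
    return sum(1 for b in buf if b in CONFIG_ALPHABET) / len(buf)


def recover_single_byte_key(blob: bytes, min_ratio: float = 0.9) -> List[Tuple[int, bytes]]:
    """Brute-force all 256 single-byte keys; return (key, plaintext) candidates, best first.

    Neighbouring keys flip only a few bits and often stay mostly printable, so the
    printable ratio alone is ambiguous; the configuration-alphabet score breaks ties.
    """
    scored = []
    for k in range(256):
        out = xor_bytes(blob, bytes([k]))
        ratio = printable_ratio(out)
        if ratio >= min_ratio:
            scored.append((config_likeness(out), ratio, k, out))
    scored.sort(key=lambda t: (t[0], t[1]), reverse=True)
    return [(k, out) for _, _, k, out in scored]


def recover_key_from_crib(stream: bytes, crib: bytes, keylen: int) -> bytes:
    """Known-plaintext recovery for a repeating key: key = ciphertext XOR expected plaintext."""
    if len(crib) < keylen or len(stream) < keylen:
        raise ValueError("need at least keylen bytes of both crib and stream")
    return xor_bytes(stream[:keylen], crib[:keylen])


# Constructed samples: a configuration string under a single-byte key and a short
# C2 fragment under a four-byte key. None of these values come from real samples.
SAMPLE_CONFIG = b"host=c2.example.invalid;port=443;sleep=60\n"
CONFIG_KEY = 0x5A
SAMPLE_ENCODED_CONFIG = xor_bytes(SAMPLE_CONFIG, bytes([CONFIG_KEY]))
C2_KEY = b"\xde\xad\xbe\xef"
SAMPLE_C2_PLAINTEXT = b"TASK:status\n"
SAMPLE_C2_STREAM = xor_bytes(SAMPLE_C2_PLAINTEXT, C2_KEY)


if __name__ == "__main__":
    key, plaintext = recover_single_byte_key(SAMPLE_ENCODED_CONFIG)[0]
    print(f"single-byte key 0x{key:02x} -> {plaintext!r}")
    k4 = recover_key_from_crib(SAMPLE_C2_STREAM, b"TASK", 4)
    print(f"four-byte key {k4.hex()} -> {xor_bytes(SAMPLE_C2_STREAM, k4)!r}")
```

The crib approach is the practical one for the four-byte case: once the single-byte configuration has been decoded, its contents (or a predictable protocol prefix) supply the known plaintext, and four bytes of ciphertext are enough to recover the whole key. Both routines are analysis aids for an incident responder holding a captured file or pcap; neither needs the sample to run.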
Groups, software, and campaigns
G1006: Earth Lusca
Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated.[1]
Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster; however, security researchers assess Earth Lusca's techniques and infrastructure are separate.[1]
G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to the healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
G0143: Aquatic Panda
Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | b2095d3ef778… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020. (Cited in the technique table as "Chronicle Winnti for Linux May 2019".)
[2] MITRE ATT&CK. S0430: Winnti for Linux.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.