MITRE ATT&CK® Malware

S0486: Bonadan

Bonadan is a malicious version of OpenSSH which acts as a custom backdoor. Bonadan has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.[1]

Domain: Enterprise | ID: S0486 | Type: Malware | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Bonadan matters because it is described as a malicious OpenSSH variant for Linux: a trusted remote administration component can become both a backdoor and a credential-theft point. The added cryptocurrency-mining capability also makes this relevant to availability and operating cost, not just confidentiality.

Executive priority

Prioritize assurance around Linux SSH integrity, privileged access, and incident readiness. Leaders should ask whether teams can prove OpenSSH binaries are trusted, detect unauthorized changes to host software, identify abnormal resource consumption, and respond to possible credential exposure if a Linux remote-access service is compromised.

Technical view

SOC and IR teams should validate coverage around the related ATT&CK behaviors: compromised host software binaries for persistence, command/script execution, system/user/process/network discovery, ingress tool transfer, encrypted command-and-control, and compute hijacking. Because no official ATT&CK detection text is provided, detection should be built from local baselines: known-good OpenSSH packages and hashes, normal Linux admin command patterns, expected SSH service behavior, normal egress destinations, and expected CPU/resource profiles.

Likely telemetry

  • Linux package inventory and software provenance records for OpenSSH
  • File integrity monitoring or endpoint telemetry for SSH-related binaries and configuration changes
  • Process execution logs for shell commands and discovery utilities
  • Linux authentication and SSH service logs
  • Network connection metadata, especially outbound sessions and file transfer activity

Detection direction

  • Compare OpenSSH binaries and related files against trusted package sources and approved baselines.
  • Correlate unexpected SSH binary changes with process execution, new outbound connections, and discovery commands.
  • Tune for Linux administrative false positives: commands for user, process, system, and network discovery may be legitimate but become higher risk when clustered with binary tampering or unusual egress.
  • Monitor for ingress tool transfer and encrypted outbound traffic using metadata and destination reputation where content inspection is not available.
  • Investigate sustained high compute usage on Linux systems, especially when paired with unknown processes or recent SSH software changes.
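The two checks that the Technical view and the Detection direction list both come back to (an approved-hash baseline for SSH-related files, and clustering a binary change with discovery commands and new egress on the same host so that routine admin discovery alone is not escalated) can be sketched in a few dozen lines. The block below is an added example, not code from the ATT&CK page, Glexia, or ESET; the file paths, hashes, hostnames, addresses, command list and log events are all constructed, and in a real deployment the baseline would be fed from the package manager or a signed inventory rather than a dict literal.

```python
"""Added example: a minimal detection sketch for a tampered-OpenSSH case.
  1. verify_baseline(): compare observed hashes of SSH-related files with an
     approved baseline;
  2. correlate(): cluster a change to an SSH binary with discovery commands
     and new outbound connections on the same host inside a time window.
All paths, hashes, hostnames, addresses and events below are constructed.
"""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Files whose unexpected change anchors a cluster (assumption: extend locally).
SSH_PATHS = {"/usr/sbin/sshd", "/usr/bin/ssh", "/etc/ssh/sshd_config"}
# Discovery utilities named or implied on the page (ps, system and user
# discovery); tune this set against the local admin command baseline.
DISCOVERY_CMDS = {"ps", "uname", "id", "whoami", "hostname", "ip"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_baseline(baseline: dict, observed: dict) -> list:
    """Return (path, reason) for every observed file that is absent from the
    approved baseline or whose hash differs from it."""
    findings = []
    for path, digest in observed.items():
        expected = baseline.get(path)
        if expected is None:
            findings.append((path, "not in baseline"))
        elif expected != digest:
            findings.append((path, "hash mismatch"))
    return findings


def correlate(events, window=timedelta(minutes=10)) -> dict:
    """Group events per host around each change to a file in SSH_PATHS.
    Each event is a dict: ts (datetime), host, kind, detail, where
      kind 'fim'  -> detail is the changed path,
      kind 'exec' -> detail is the executed command name,
      kind 'net'  -> detail is 'dst:port' of a new outbound connection.
    Returns {host: sorted category names seen within `window` of the change};
    hosts with no SSH file change get no entry at all.
    """
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    clusters = {}
    for host, evs in by_host.items():
        cats = set()
        for anchor in (e for e in evs if e["kind"] == "fim" and e["detail"] in SSH_PATHS):
            cats.add("ssh_binary_change")
            for e in evs:
                if abs(e["ts"] - anchor["ts"]) > window:
                    continue
                if e["kind"] == "exec" and e["detail"] in DISCOVERY_CMDS:
                    cats.add("discovery")
                elif e["kind"] == "net":
                    cats.add("new_egress")
        if cats:
            clusters[host] = sorted(cats)
    return clusters


def triage(clusters: dict, min_categories: int = 3) -> dict:
    """Keep only hosts where the binary change co-occurs with enough other
    behaviours; a lone change (e.g. a package upgrade) is left for FIM review."""
    return {h: c for h, c in clusters.items() if len(c) >= min_categories}


# Constructed baseline and observation: sshd content differs, ssh matches.
BASELINE = {
    "/usr/sbin/sshd": sha256_hex(b"sshd approved build (constructed)"),
    "/usr/bin/ssh": sha256_hex(b"ssh approved build (constructed)"),
}
OBSERVED = {
    "/usr/sbin/sshd": sha256_hex(b"sshd modified build (constructed)"),
    "/usr/bin/ssh": sha256_hex(b"ssh approved build (constructed)"),
}

T0 = datetime(2024, 1, 1, 10, 0)
# Constructed events: web-01 shows the full cluster, db-02 shows routine
# admin discovery with no binary change, web-03 shows a change on its own.
SAMPLE_EVENTS = [
    {"ts": T0, "host": "web-01", "kind": "fim", "detail": "/usr/sbin/sshd"},
    {"ts": T0 + timedelta(minutes=2), "host": "web-01", "kind": "exec", "detail": "ps"},
    {"ts": T0 + timedelta(minutes=3), "host": "web-01", "kind": "exec", "detail": "uname"},
    {"ts": T0 + timedelta(minutes=5), "host": "web-01", "kind": "net", "detail": "203.0.113.10:443"},
    {"ts": T0 + timedelta(hours=1), "host": "db-02", "kind": "exec", "detail": "ps"},
    {"ts": T0 + timedelta(hours=1, minutes=1), "host": "db-02", "kind": "exec", "detail": "id"},
    {"ts": T0 + timedelta(hours=2), "host": "web-03", "kind": "fim", "detail": "/usr/sbin/sshd"},
]

if __name__ == "__main__":
    print("baseline findings:", verify_baseline(BASELINE, OBSERVED))
    clusters = correlate(SAMPLE_EVENTS)
    print("clusters:", clusters)
    print("escalate:", triage(clusters))
```

Run as-is, the baseline check reports only the modified sshd, the correlator yields a three-category cluster for web-01 and a single-category one for web-03, and db-02 (discovery commands with no binary change) never appears, which is the false-positive behaviour the list above asks for. The window length, the discovery command set and the escalation threshold are the knobs to tune against local admin baselines.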

Mitigation priorities

  • Establish trusted software supply and package management for OpenSSH on Linux systems.
  • Use file integrity monitoring and change control for remote-access binaries and configurations.
  • Limit administrative privileges and SSH access paths to reduce the blast radius of compromised remote-access software.
  • Restrict unnecessary outbound connectivity and file transfer paths from servers.
  • Prepare IR procedures for suspected SSH backdoor cases, including host isolation, trusted rebuild or binary replacement, and credential rotation due to the described credential-stealing capability.

Analyst notes and limits

The ATT&CK object identifies Bonadan as a malicious OpenSSH version active since at least 2018, with a custom backdoor, cryptocurrency-mining module, and credential-stealing module. Relationship context links it to discovery, execution, command-and-control, persistence, and impact techniques, which should guide defensive validation.

MITRE provides no official detection text here and the supplied fields do not include hashes, indicators, delivery method, specific commands, infrastructure, or victim context. Local Linux telemetry and trusted software baselines are required to determine exposure or detection coverage.

Official MITRE ATT&CK definition

Bonadan

Bonadan is a malicious version of OpenSSH which acts as a custom backdoor. Bonadan has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | Bonadan can XOR-encrypt C2 communications. [1]
Enterprise | T1082 | System Information Discovery | Bonadan has discovered the OS version, CPU model, and RAM size of the system it has been installed on. [1]
Enterprise | T1016 | System Network Configuration Discovery | Bonadan can find the external IP address of the infected host. [1]
Enterprise | T1496.001 | Compute Hijacking (sub-technique) | Bonadan can download an additional module which has a cryptocurrency mining extension. [1]
Enterprise | T1554 | Compromise Host Software Binary | Bonadan has maliciously altered the OpenSSH binary on targeted systems to create a backdoor. [1]
Enterprise | T1105 | Ingress Tool Transfer | Bonadan can download additional modules from the C2 server. [1]
Enterprise | T1033 | System Owner/User Discovery | Bonadan has discovered the username of the user running the backdoor. [1]
Enterprise | T1059 | Command and Scripting Interpreter | Bonadan can create bind and reverse shells on the infected system. [1]
Enterprise | T1057 | Process Discovery | Bonadan can use the ps command to discover other cryptocurrency miners active on the system. [1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 639b2216565952d2...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 |  | 1.0 |  | Current bundle | 639b22165659…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] ESET ForSSHe December 2018: Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). The Dark Side of the ForSSHe: A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  [2] mitre-attack S0486: MITRE ATT&CK software entry for Bonadan.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.