MITRE ATT&CK® Malware

S0502: Drovorub

Drovorub is a Linux malware toolset comprised of an agent, client, server, and kernel modules, that has been used by APT28.[1]

Domain: Enterprise | ID: S0502 | Type: Malware | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Drovorub matters because ATT&CK describes it as a Linux malware toolset with agent, client, server, and kernel modules, and links it to APT28 use. For leaders, the important point is not the malware name alone: this object represents a Linux-focused intrusion capability that can combine persistence, rootkit-style hiding, command execution, internal proxying, tool transfer, local data collection, and exfiltration over command-and-control channels. Linux server visibility, kernel-module control, and network egress evidence are therefore central to whether an organization could investigate or contain this class of activity.

Executive priority

Prioritize this as a Linux resilience and incident-readiness issue where critical workloads, identity infrastructure, security tooling, or sensitive data depend on Linux systems. Executives should ask whether SOC and IR teams can prove visibility into kernel module activity, suspicious shell execution, file transfer, C2-like web and non-application-layer traffic, internal proxy behavior, local data access, and post-activity file deletion. Because MITRE provides no official detection text for this software object, coverage should be validated through local telemetry and ATT&CK technique relationships rather than assumed from tool naming alone.

Technical view

Drovorub is a Linux malware software object associated in ATT&CK with use by APT28 and with techniques including Data from Local System, Rootkit, Obfuscated Files or Information, Exfiltration Over C2 Channel, Unix Shell, File Deletion, Web Protocols, Internal Proxy, Non-Application Layer Protocol, Ingress Tool Transfer, Deobfuscate/Decode Files or Information, and Kernel Modules and Extensions. SOC and IR teams should validate detection and response around the behavior chain: Linux shell execution, unexpected tool or file transfer, encoded or obfuscated artifacts, kernel module load or persistence indicators, hidden or inconsistent process/file/network state, unusual local data access, proxy or traffic redirection patterns, and outbound C2/exfiltration paths over web or lower-level protocols.

Likely telemetry

  • Linux process execution and command-line telemetry, especially Unix shell activity
  • Linux authentication, privilege, and administrative activity logs
  • Kernel module load/unload events and persistence-related module configuration evidence
  • File creation, modification, deletion, and staging activity on Linux hosts
  • Endpoint or host integrity evidence that can reveal rootkit-style hiding or discrepancies

Detection direction

  • Map coverage to the related ATT&CK techniques rather than relying on a malware signature, because the official ATT&CK object does not provide detection guidance.
  • Validate Linux EDR, audit, and logging depth for shell execution, file operations, module activity, and network connections; rootkit behavior can reduce trust in host-only views.
  • Correlate kernel module events with new persistence, abnormal network listeners, hidden processes, or inconsistencies between endpoint and network observations.
  • Tune detections for suspicious web and non-application-layer C2 patterns, while accounting for legitimate administrative, monitoring, backup, and service-to-service traffic.
  • Look for sequences: ingress tool transfer followed by deobfuscation, shell execution, kernel-module interaction, data collection, file deletion, and outbound communications.
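The "hidden or inconsistent process/file/network state" and "discrepancies between endpoint and network observations" items above are easiest to understand with a concrete cross-view check. The script below is an added example written for this page; it is not code from the ATT&CK object, the NSA/FBI advisory, or Drovorub itself, and it assumes an unmodified Linux procfs layout (/proc/<pid>/task, /proc/<pid>/status, /proc/sys/kernel/pid_max). It compares the process view that ps and top use (a directory listing of /proc) against a second view that does not go through readdir (kill(pid, 0) probing plus direct path lookup), which is the classic way to surface a process a kernel-module rootkit is filtering out of the listing.

```python
"""Cross-view check for processes hidden from /proc directory listings.

Added example for this page, not Drovorub or advisory code. A kernel-module
rootkit that filters readdir() on /proc hides a task from ps and top, but the
PID frequently still answers kill(pid, 0) and can still be opened by direct
path lookup. Any PID alive in the second view but absent from the first is
worth a closer look. Assumes a standard Linux procfs layout.
"""
import os
from typing import Dict, List, Optional, Set


def listed_pids(proc: str = "/proc") -> Set[int]:
    """PIDs visible by listing /proc, which is the view ps and top rely on."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def listed_tids(pids: Set[int], proc: str = "/proc") -> Set[int]:
    """Thread IDs of every listed process. kill(2) also accepts a TID, so threads
    must be subtracted from the probe results or they masquerade as hidden PIDs."""
    tids: Set[int] = set()
    for pid in pids:
        try:
            tids.update(int(t) for t in os.listdir(f"{proc}/{pid}/task") if t.isdigit())
        except OSError:
            continue  # the process exited between the listing and this read
    return tids


def probed_pids(max_pid: int) -> Set[int]:
    """PIDs that exist according to kill(pid, 0), which does not consult /proc.
    EPERM means the target exists but is not ours; ESRCH means there is no task."""
    alive: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except PermissionError:
            alive.add(pid)
        except OSError:
            continue
        else:
            alive.add(pid)
    return alive


def read_status(pid: int, proc: str = "/proc") -> Dict[str, str]:
    """Parse /proc/<pid>/status via direct lookup. A readdir-filtering rootkit often
    leaves this path reachable, which yields the hidden task's name and Tgid."""
    fields: Dict[str, str] = {}
    try:
        with open(f"{proc}/{pid}/status", encoding="utf-8", errors="replace") as fh:
            for line in fh:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
    except OSError:
        pass
    return fields


def find_hidden_pids(max_pid: Optional[int] = None, proc: str = "/proc") -> List[Dict[str, object]]:
    """Tasks that answer kill(pid, 0) but are missing from the /proc listing,
    re-checked against a fresh listing so processes that raced us are dropped."""
    if max_pid is None:
        with open(f"{proc}/sys/kernel/pid_max", encoding="ascii") as fh:
            max_pid = int(fh.read())
    visible = listed_pids(proc)
    candidates = probed_pids(max_pid) - visible - listed_tids(visible, proc)

    hidden: List[Dict[str, object]] = []
    fresh = listed_pids(proc)
    fresh_known = fresh | listed_tids(fresh, proc)
    for pid in sorted(candidates):
        if pid in fresh_known:
            continue  # started legitimately after the first listing
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue  # exited between the probe and this confirmation
        except OSError:
            pass  # EPERM: still alive, just not ours
        status = read_status(pid, proc)
        hidden.append({
            "pid": pid,
            "name": status.get("Name", "?"),
            "tgid": status.get("Tgid", "?"),
            "direct_lookup_works": bool(status),
        })
    return hidden


if __name__ == "__main__":
    for entry in find_hidden_pids():
        print(entry)
```

On a clean host the loop prints nothing; probing the full pid_max range (4194304 on most 64-bit systems) takes a few seconds in Python. The caveat from the list above still applies: a module that also hooks kill() and path lookup defeats this check, so treat a clean result as "no discrepancy found", not as proof, and keep network-side evidence in the picture.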

Mitigation priorities

  • Establish an inventory of Linux systems that support critical business services and confirm they are covered by logging, endpoint monitoring, and egress visibility.
  • Harden Linux administrative access and privilege use so kernel-module and persistence changes require controlled, auditable actions.
  • Restrict and monitor loadable kernel module activity where operationally feasible, especially on critical servers.
  • Control outbound network paths from Linux servers and monitor web, proxy, and non-application-layer traffic for unusual destinations or relay behavior.
  • Improve incident response playbooks for suspected rootkit or kernel-level compromise, including preservation of network evidence and consideration that host evidence may be incomplete.

Analyst notes and limits

The strongest defensive value comes from treating Drovorub as a Linux behavior cluster: kernel modules and rootkit-style stealth, shell execution, file transfer, data collection, C2, proxying, exfiltration, obfuscation, decoding, and file deletion. The ATT&CK relationship to APT28 provides threat-intelligence context, but local risk decisions should be based on whether the organization operates important Linux assets and whether telemetry can withstand stealth and cleanup behaviors.

The supplied ATT&CK object has no official detection text, no malware-level tactics listed, no aliases, and no labels. This take uses only the official description, external references, platform field, and supplied ATT&CK relationships. It does not establish current activity, customer exposure, guaranteed detection, or impact. Local architecture, logging quality, kernel policy, and network controls are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

Drovorub

Drovorub is a Linux malware toolset comprised of an agent, client, server, and kernel modules, that has been used by APT28.[1]

See the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure (12 rows; every procedure note below cites the NSA/FBI Drovorub August 2020 advisory, reference [1])

Enterprise | T1071.001 | Web Protocols (sub-technique)
  Drovorub can use the WebSocket protocol and has initiated communication with C2 servers with an HTTP Upgrade request. [1]

Enterprise | T1005 | Data from Local System
  Drovorub can transfer files from the victim machine. [1]

Enterprise | T1027 | Obfuscated Files or Information
  Drovorub has used XOR encrypted payloads in WebSocket client to server messages. [1]

Enterprise | T1070.004 | File Deletion (sub-technique)
  Drovorub can delete specific files from a compromised host. [1]

Enterprise | T1547.006 | Kernel Modules and Extensions (sub-technique)
  Drovorub can use kernel modules to establish persistence. [1]

Enterprise | T1095 | Non-Application Layer Protocol
  Drovorub can use TCP to communicate between its agent and client modules. [1]

Enterprise | T1014 | Rootkit
  Drovorub has used a kernel module rootkit to hide processes, files, executables, and network artifacts from user space view. [1]

Enterprise | T1090.001 | Internal Proxy (sub-technique)
  Drovorub can use a port forwarding rule on its agent module to relay network traffic through the client module to a remote host on the same network. [1]

Enterprise | T1059.004 | Unix Shell (sub-technique)
  Drovorub can execute arbitrary commands as root on a compromised system. [1]

Enterprise | T1140 | Deobfuscate/Decode Files or Information
  Drovorub has de-obfuscated XOR encrypted payloads in WebSocket messages. [1]

Enterprise | T1041 | Exfiltration Over C2 Channel
  Drovorub can exfiltrate files over C2 infrastructure. [1]

Enterprise | T1105 | Ingress Tool Transfer
  Drovorub can download files to a compromised host. [1]
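The T1071.001, T1027 and T1140 rows above (WebSocket C2 opened with an HTTP Upgrade request, XOR-obfuscated message payloads) and the "suspicious web and non-application-layer C2 patterns" item in the detection direction list translate into two small pieces of analyst logic. The block below is an added example written for this page, not code from the advisory, the ATT&CK object or Drovorub. It assumes a constructed proxy/HTTP log layout, a constructed allowlist of hosts that are expected to receive WebSocket traffic from servers, and a single-byte XOR key for the payload demonstration; the page says nothing about Drovorub's actual key length or scheme, so the decoder is a triage heuristic, not a description of the malware.

```python
"""Flag WebSocket handshakes to unexpected destinations and recover a
single-byte XOR payload from a captured frame.

Added example for this page (not advisory or Drovorub code). Log format,
host names, allowlist, key and payload are all constructed for illustration.
"""
import re
import string
from typing import Dict, Iterable, List, Tuple

# Constructed proxy/HTTP log lines. Assumed layout:
# <ts> <src_host> <dst_host:port> <method> <path> "<header: value; header: value>"
SAMPLE_HTTP_LOG = """\
2020-08-13T09:14:02Z web01 203.0.113.10:80 GET /ws "Connection: Upgrade; Upgrade: websocket"
2020-08-13T09:14:05Z web01 cdn.example.internal:443 GET /assets/app.js "Connection: keep-alive"
2020-08-13T09:15:11Z db02 198.51.100.7:8080 GET /socket "Upgrade: websocket; Connection: Upgrade"
2020-08-13T09:16:40Z mon01 grafana.example.internal:3000 GET /api/live/ws "Upgrade: websocket; Connection: Upgrade"
"""

# Hosts that legitimately receive WebSocket connections from servers (assumption).
EXPECTED_WEBSOCKET_DESTINATIONS = {"grafana.example.internal"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) '
    r'(?P<method>\S+) (?P<path>\S+) "(?P<headers>[^"]*)"$'
)


def parse_headers(raw: str) -> Dict[str, str]:
    """'Connection: Upgrade; Upgrade: websocket' -> {'connection': 'upgrade', ...}"""
    headers: Dict[str, str] = {}
    for item in raw.split(";"):
        name, _, value = item.partition(":")
        if name.strip():
            headers[name.strip().lower()] = value.strip().lower()
    return headers


def find_unexpected_websocket_upgrades(
    log_text: str, allowlist: Iterable[str] = EXPECTED_WEBSOCKET_DESTINATIONS
) -> List[Dict[str, str]]:
    """Servers rarely open WebSockets outbound; a handshake to a host outside the
    allowlist is the T1071.001 pattern worth reviewing. Matching on the Upgrade
    header alone keeps minor header-order and casing variants in scope."""
    allowed = set(allowlist)
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; count these separately in production
        if parse_headers(m["headers"]).get("upgrade") != "websocket":
            continue
        if m["dst"] in allowed:
            continue
        findings.append({"ts": m["ts"], "src": m["src"],
                         "dst": f'{m["dst"]}:{m["port"]}', "path": m["path"]})
    return findings


PRINTABLE = set(string.printable.encode("ascii"))
COMMON_LETTERS = set(b"etaoinshr")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse: apply once to obfuscate, again to undo."""
    return bytes(b ^ key for b in data)


def text_score(candidate: bytes) -> int:
    """Reject any non-printable output; otherwise favour spaces and common lowercase
    letters. Enough to separate the right key from the other 255 on text payloads."""
    if any(b not in PRINTABLE for b in candidate):
        return -1
    score = 0
    for b in candidate:
        if b == 0x20:
            score += 3
        elif b in COMMON_LETTERS:
            score += 2
        elif 0x61 <= b <= 0x7A:
            score += 1
    return score


def recover_single_byte_xor(blob: bytes) -> Tuple[int, bytes]:
    """Try all 256 keys and return (key, plaintext) with the most text-like result."""
    return max(((k, xor_bytes(blob, k)) for k in range(256)),
               key=lambda kv: text_score(kv[1]))


# Constructed frame payload: a JSON-like task message obfuscated with key 0x5A.
SAMPLE_PLAINTEXT = b'{"cmd":"uname -a; cat /etc/hostname","id":7}'
SAMPLE_KEY = 0x5A
SAMPLE_FRAME = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    for f in find_unexpected_websocket_upgrades(SAMPLE_HTTP_LOG):
        print("unexpected WebSocket handshake:", f)
    key, text = recover_single_byte_xor(SAMPLE_FRAME)
    print(f"key=0x{key:02x} plaintext={text!r}")
```

The handshake check is deliberately destination-centric: the advisory-derived relationship notes say the client speaks to C2 over WebSocket, and a server host that has no business reason to open WebSockets outbound is the strongest signal, whatever the path or port. The XOR recovery only works for single-byte keys and text-like content; for anything else, treat it as a first pass before deeper reverse engineering of the frame format.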

Associated objects

Groups, software, and campaigns

Group Enterprise

G0007: APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 759a2c7938f572e3...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 759a2c7938f5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] NSA/FBI Drovorub August 2020: NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
  2. [2] mitre-attack S0502: MITRE ATT&CK software entry S0502 (Drovorub).
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.