S0641: Kobalos
Kobalos is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. Kobalos has been deployed against high profile targets, including high-performance computers, academic servers, an endpoint security vendor, and a large internet service provider; it has been found in Europe, North America, and Asia. Kobalos was first identified in late 2019.[1][2]
Analyst context for executives and security teams
Kobalos matters because ATT&CK describes it as a backdoor used against high-value Unix-like environments, including high-performance computing, academic servers, an endpoint security vendor, and a large ISP. For leaders, the practical issue is not just malware presence; it is whether Linux server estates have enough visibility to spot stealthy backdoor behavior, encrypted command-and-control, data staging, and attempts to hide activity.
Executive priority
Prioritize this as a resilience and visibility question for critical Linux infrastructure. Executives should ask whether SOC, IR, and infrastructure teams can prove coverage for server-side discovery, shell execution, altered binaries, command-history clearing, timestomping, encrypted or proxied outbound traffic, and possible exfiltration paths. This is especially relevant where Linux systems support research, hosting, security tooling, or other high-value services.
Technical view
ATT&CK provides no official detection text for Kobalos, so defenders should validate coverage through the mapped behaviors: System and Network Configuration Discovery, Unix Shell execution, Input Capture, Data Staging, Exfiltration Over Alternative Protocol, Multi-hop Proxy, Traffic Signaling, Compromise Host Software Binary, obfuscation/deobfuscation, timestomping, command-history clearing, and encrypted C2 using symmetric or asymmetric cryptography. Detection engineering should focus on Linux telemetry and behavioral correlation rather than a single malware indicator.
Likely telemetry
- Linux process execution and command-line history where available
- Shell activity, including bash/sh usage and script execution
- File integrity and binary change monitoring for system and application binaries
- Filesystem metadata changes that may indicate timestomping
- User account activity and authentication/session records
Detection direction
- Validate Linux server visibility first; ATT&CK platform mapping for this object is Linux, even though the description notes broader Unix-like relevance.
- Correlate discovery commands, shell execution, data staging, and unusual outbound traffic instead of relying on signatures alone.
- Tune for high-value server roles where administrative shell activity is common; reduce false positives by baselining normal maintenance, backup, monitoring, and research workloads.
- Review file integrity alerts for modified host software binaries and timestamp anomalies, especially where changes do not align with package management or approved deployment activity.
- Look for concealment patterns such as cleared command history, obfuscated artifacts, deobfuscation activity, traffic signaling, and encrypted C2-like flows.
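The correlation the list above describes can be made concrete. The following is an added example for this page (not ATT&CK, ESET or Glexia code): it classifies Linux process-execution events into the behaviour categories mapped to Kobalos (discovery commands, command-history clearing, a shell spawned by a parent outside an assumed baseline) and reports a host only when two or more distinct categories occur within a time window. The event shape (`ts`, `host`, `ppid_comm`, `comm`, `cmdline`, `uid`), the `SHELL_PARENT_BASELINE` set and the sample events are all constructed assumptions to adapt to your own telemetry.

```python
"""Behavioural correlation over Linux process telemetry.

Added example, not code from ATT&CK, ESET or Glexia. Events use a hypothetical
simplified auditd/EDR-style record; the sample events below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands mapped on this page (T1016 / T1082).
DISCOVERY = re.compile(r"^(hostname|uname|ip|ifconfig|cat /proc/version)\b")

# Command-history clearing (T1070.003) as it appears in exec telemetry. Shell
# builtins such as `history -c` never reach execve() and need a shell-auditing
# source instead; the second pattern applies to such sources.
HISTORY_CLEAR = [
    re.compile(r"\b(rm|shred|truncate|ln)\b.*\.(bash|sh|zsh)_history\b"),
    re.compile(r"\bunset\s+HISTFILE\b|\bHIST(FILE)?SIZE=0\b"),
]

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
# Assumed baseline of parents that legitimately spawn shells on these servers;
# tune it against normal maintenance, backup and monitoring workloads.
SHELL_PARENT_BASELINE = {"sshd", "login", "sudo", "su", "cron", "crond", "systemd",
                         "init", "tmux", "screen", "bash", "sh", "zsh", "dash"}


def classify(event):
    """Return the set of behaviour categories a single event matches."""
    cats = set()
    cmd = event["cmdline"]
    if DISCOVERY.match(cmd):
        cats.add("discovery")
    if any(p.search(cmd) for p in HISTORY_CLEAR):
        cats.add("command_history_clearing")
    if event["comm"] in SHELLS and event["ppid_comm"] not in SHELL_PARENT_BASELINE:
        cats.add("shell_from_unexpected_parent")
    return cats


def correlate(events, window=timedelta(hours=1), min_categories=2):
    """Return {host: sorted categories} for hosts on which at least
    `min_categories` distinct behaviours occur within `window` of each other."""
    by_host = defaultdict(list)
    for ev in events:
        cats = classify(ev)
        if cats:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), cats))
    hits = defaultdict(set)
    for host, items in by_host.items():
        items.sort(key=lambda item: item[0])
        for i, (t0, _) in enumerate(items):
            union = set()
            for t, cats in items[i:]:
                if t - t0 > window:
                    break
                union |= cats
            if len(union) >= min_categories:
                hits[host] |= union
    return {host: sorted(cats) for host, cats in hits.items()}


# Constructed sample: one host shows discovery plus history clearing, one shows
# only a routine `uname`, one shows a shell spawned by a web server.
SAMPLE_EVENTS = [
    {"ts": "2021-02-02T10:00:00", "host": "hpc-login01", "ppid_comm": "sshd", "comm": "bash", "cmdline": "-bash", "uid": 1001},
    {"ts": "2021-02-02T10:01:00", "host": "hpc-login01", "ppid_comm": "bash", "comm": "hostname", "cmdline": "hostname", "uid": 1001},
    {"ts": "2021-02-02T10:01:05", "host": "hpc-login01", "ppid_comm": "bash", "comm": "uname", "cmdline": "uname -r", "uid": 1001},
    {"ts": "2021-02-02T10:02:00", "host": "hpc-login01", "ppid_comm": "bash", "comm": "rm", "cmdline": "rm -f /home/ops/.bash_history", "uid": 1001},
    {"ts": "2021-02-02T11:30:00", "host": "build02", "ppid_comm": "sshd", "comm": "bash", "cmdline": "-bash", "uid": 1002},
    {"ts": "2021-02-02T11:30:10", "host": "build02", "ppid_comm": "bash", "comm": "uname", "cmdline": "uname -a", "uid": 1002},
    {"ts": "2021-02-02T12:00:00", "host": "web03", "ppid_comm": "nginx", "comm": "sh", "cmdline": "sh -c id", "uid": 33},
    {"ts": "2021-02-02T12:00:30", "host": "web03", "ppid_comm": "sh", "comm": "ip", "cmdline": "ip addr show", "uid": 33},
]

if __name__ == "__main__":
    for host, cats in correlate(SAMPLE_EVENTS).items():
        print(host, cats)
```

The single `uname -a` on build02 is not reported: one discovery command from an interactive session is normal administration, which is why the rule asks for a second, different behaviour on the same host before it fires.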
Mitigation priorities
- Establish authoritative Linux asset inventory and identify high-value servers before tuning detections.
- Prioritize least privilege, controlled administrative access, and strong authentication for Linux server administration.
- Implement file integrity monitoring and change control for critical binaries and services.
- Restrict and monitor outbound network paths from sensitive Linux systems, including alternative protocols and proxy-like behavior.
- Retain sufficient endpoint, authentication, shell, file, and network logs to support incident response reconstruction.
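To show how the file-integrity priority above pairs with the timestomping telemetry listed earlier, here is an added example (not ATT&CK, ESET or Glexia code). It compares a binary on disk against a package manifest of expected digests and packaged mtimes, and on a content mismatch also checks whether the mtime failed to advance and whether ctime sits far after mtime; `utimes()` can forge mtime but the kernel sets ctime itself. The manifest format, the file contents, the epoch values and the `CTIME_GAP_TOLERANCE` are constructed assumptions; in production the expected digests come from the package database (for example `rpm -V` or `dpkg -V`) or an existing FIM baseline.

```python
"""File-integrity and timestamp checks for package-owned binaries.

Added example, not code from ATT&CK, ESET or Glexia. The manifest is a
hypothetical structure built from constructed contents and mtimes; records
stand in for stat() output plus a hash of the file on disk.
"""
import hashlib

CTIME_GAP_TOLERANCE = 60  # seconds; a genuine rewrite sets both within a moment


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(packaged_files):
    """packaged_files: {path: (content_bytes, packaged_mtime)} -> expected values."""
    return {path: {"sha256": sha256_hex(content), "mtime": mtime}
            for path, (content, mtime) in packaged_files.items()}


def check_binary(record, manifest):
    """record: {'path', 'content', 'mtime', 'ctime'} as read from disk.
    Returns a list of finding labels; an empty list means the file is
    consistent with its package."""
    expected = manifest.get(record["path"])
    if expected is None:
        return ["not_owned_by_any_package"]
    if sha256_hex(record["content"]) == expected["sha256"]:
        return []
    findings = ["content_differs_from_package"]
    # Rewriting a file advances mtime. Different content with an mtime still at
    # (or before) the packaged value means the timestamp was set back.
    if record["mtime"] <= expected["mtime"]:
        findings.append("mtime_not_advanced_possible_timestomp")
    # ctime is kernel-controlled, so a changed file whose ctime is far after
    # its mtime is a second inconsistency worth recording.
    if record["ctime"] - record["mtime"] > CTIME_GAP_TOLERANCE:
        findings.append("ctime_far_after_mtime")
    return findings


def scan(records, manifest):
    """Return {path: findings} for every record that raised a finding."""
    results = {}
    for rec in records:
        findings = check_binary(rec, manifest)
        if findings:
            results[rec["path"]] = findings
    return results


PACKAGED_MTIME = 1_590_000_000  # constructed: when the package was built
INSTALL_TIME = 1_600_000_000    # constructed: when it was installed
REPLACED_TIME = 1_650_000_000   # constructed: when a binary was swapped

MANIFEST = build_manifest({
    "/usr/bin/ssh": (b"\x7fELF constructed original ssh client", PACKAGED_MTIME),
    "/usr/bin/scp": (b"\x7fELF constructed original scp", PACKAGED_MTIME),
})

SAMPLE_RECORDS = [
    # Replaced client whose mtime was reset to the packaged value.
    {"path": "/usr/bin/ssh", "content": b"\x7fELF constructed modified ssh client",
     "mtime": PACKAGED_MTIME, "ctime": REPLACED_TIME},
    # Untouched package file: mtime from the package, ctime from install time.
    {"path": "/usr/bin/scp", "content": b"\x7fELF constructed original scp",
     "mtime": PACKAGED_MTIME, "ctime": INSTALL_TIME},
    # Locally placed binary that no package owns; worth a review, not an alert.
    {"path": "/usr/local/bin/ssh-wrapper", "content": b"#!/bin/sh\nconstructed",
     "mtime": REPLACED_TIME, "ctime": REPLACED_TIME},
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_RECORDS, MANIFEST).items():
        print(path, findings)
```

The untouched `scp` record has a ctime far after its mtime too, but that is the normal install pattern and the check returns early because the content matches; the timestamp rules only apply once the digest has already failed.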
Analyst notes and limits
The most useful defensive value comes from the ATT&CK relationships, which describe the behaviors defenders should validate around Kobalos. The object has no aliases, no official detection guidance, and no malware-specific tactics listed, so this take intentionally frames recommendations as validation and hunting direction rather than confirmed detection logic.
This summary uses only the supplied ATT&CK fields, references, and relationships. It does not assert current activity, attribution, guaranteed detection, or customer exposure. Local telemetry quality, Linux distribution differences, server roles, and administrative practices will determine which behaviors are observable and actionable.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.004 | Unix Shell | Kobalos can spawn a new pseudo-terminal and execute arbitrary commands at the command prompt.[1] |
| Enterprise | T1554 | Compromise Host Software Binary | Kobalos replaced the SSH client with a trojanized SSH client to steal credentials on compromised systems.[2] |
| Enterprise | T1016 | System Network Configuration Discovery | Kobalos can record the IP address of the target machine.[2] |
| Enterprise | T1070.003 | Clear Command History | Kobalos can remove all command history on compromised hosts.[1] |
| Enterprise | T1074 | Data Staged | Kobalos can write captured SSH connection credentials to a file under the |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Kobalos decrypts strings right after the initial communication, but before the authentication process.[2] |
| Enterprise | T1205 | Traffic Signaling | Kobalos is triggered by an incoming TCP connection to a legitimate service from a specific source port.[1][2] |
| Enterprise | T1573.001 | Symmetric Cryptography | Kobalos's post-authentication communication channel uses a 32-byte-long password with RC4 for inbound and outbound traffic.[1][2] |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | Kobalos can exfiltrate credentials over the network via UDP.[2] |
| Enterprise | T1070.006 | Timestomp | |
| Enterprise | T1027 | Obfuscated Files or Information | Kobalos encrypts all strings using RC4 and bundles all functionality into a single function call.[1] |
| Enterprise | T1056 | Input Capture | Kobalos has used a compromised SSH client to capture the hostname, port, username and password used to establish an SSH connection from the compromised host.[1][2] |
| Enterprise | T1573.002 | Asymmetric Cryptography | Kobalos's authentication and key exchange is performed using RSA-512.[1][2] |
| Enterprise | T1082 | System Information Discovery | Kobalos can record the hostname and kernel version of the target machine.[2] |
| Enterprise | T1090.003 | Multi-hop Proxy | Kobalos can chain together multiple compromised machines as proxies to reach their final targets.[1][2] |
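Two rows in the table describe behaviour visible at the network layer rather than on the host: a trigger by an inbound TCP connection to a legitimate service from a specific source port (T1205) and credential exfiltration over UDP (T1048). The following added example (not ATT&CK, ESET or Glexia code) hunts for both in connection logs: TCP clients that reuse one exact source port across several connections to a service port, and UDP from internal servers to external destinations outside an approved port set. The flow record shape, the internal address prefix, the approved UDP ports and the sample flows are constructed assumptions.

```python
"""Flow-level hunting for fixed-source-port triggers and unexpected outbound UDP.

Added example, not code from ATT&CK, ESET or Glexia. Flows use a hypothetical
simplified connection-log shape; the sample flows are constructed with
documentation address ranges.
"""
from collections import Counter


def fixed_source_port_clients(flows, service_ports=frozenset({22, 80, 443}), min_conns=3):
    """Return {(src_ip, src_port, dst_ip, dst_port): count} for TCP clients that
    reuse one exact source port for several connections to a service port.
    A normal client draws a fresh ephemeral port per connection, and TIME_WAIT
    discourages immediate reuse, so a constant source port deserves a look."""
    counts = Counter(
        (f["src_ip"], f["src_port"], f["dst_ip"], f["dst_port"])
        for f in flows
        if f["proto"] == "tcp" and f["dst_port"] in service_ports
    )
    return {key: n for key, n in counts.items() if n >= min_conns}


def unexpected_outbound_udp(flows, internal_prefixes=("10.",), allowed_dst_ports=frozenset({53, 123})):
    """Return UDP flows from internal servers to external destinations on ports
    outside the assumed approved set (DNS and NTP in this baseline)."""
    def internal(ip):
        return ip.startswith(internal_prefixes)
    return [f for f in flows
            if f["proto"] == "udp" and internal(f["src_ip"])
            and not internal(f["dst_ip"]) and f["dst_port"] not in allowed_dst_ports]


# Constructed sample: one external client hits sshd three times from the same
# source port, one internal admin uses ephemeral ports, and the server sends
# one allowed DNS query and one UDP flow to an unapproved external port.
SAMPLE_FLOWS = [
    {"ts": "2021-02-02T09:00:00", "proto": "tcp", "src_ip": "198.51.100.7", "src_port": 55555, "dst_ip": "10.0.0.5", "dst_port": 22},
    {"ts": "2021-02-02T09:20:00", "proto": "tcp", "src_ip": "198.51.100.7", "src_port": 55555, "dst_ip": "10.0.0.5", "dst_port": 22},
    {"ts": "2021-02-02T09:40:00", "proto": "tcp", "src_ip": "198.51.100.7", "src_port": 55555, "dst_ip": "10.0.0.5", "dst_port": 22},
    {"ts": "2021-02-02T09:05:00", "proto": "tcp", "src_ip": "10.0.0.9", "src_port": 49152, "dst_ip": "10.0.0.5", "dst_port": 22},
    {"ts": "2021-02-02T09:35:00", "proto": "tcp", "src_ip": "10.0.0.9", "src_port": 49153, "dst_ip": "10.0.0.5", "dst_port": 22},
    {"ts": "2021-02-02T09:41:00", "proto": "udp", "src_ip": "10.0.0.5", "src_port": 41000, "dst_ip": "203.0.113.20", "dst_port": 53},
    {"ts": "2021-02-02T09:41:05", "proto": "udp", "src_ip": "10.0.0.5", "src_port": 41001, "dst_ip": "203.0.113.44", "dst_port": 5555},
    {"ts": "2021-02-02T09:42:00", "proto": "udp", "src_ip": "10.0.0.5", "src_port": 123, "dst_ip": "10.0.0.1", "dst_port": 123},
]

if __name__ == "__main__":
    print(fixed_source_port_clients(SAMPLE_FLOWS))
    for f in unexpected_outbound_udp(SAMPLE_FLOWS):
        print(f["src_ip"], "->", f["dst_ip"], f["dst_port"])
```

NAT gateways and some load balancers can also present a stable source port, so treat the first function as a hunting lead to confirm against the service's own logs rather than a standalone alert; the UDP rule depends entirely on how complete your approved-port baseline is.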
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 66e5e9abab36… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET Kobalos Feb 2021: M.Leveille, M., Sanmillan, I. (2021, February 2). Kobalos – A complex Linux threat to high performance computing infrastructure. Retrieved August 24, 2021.
[2] ESET Kobalos Jan 2021: M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS: Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021.
[4] mitre-attack S0641: MITRE ATT&CK source object for Kobalos.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.