S1078: RotaJakiro
RotaJakiro is a 64-bit Linux backdoor used by APT32. First seen in 2018, it uses a plugin architecture to extend capabilities. RotaJakiro can determine its permission level and execute according to access type (`root` or `user`).[1][2]
Analyst context for executives and security teams
RotaJakiro matters because it is a Linux backdoor with persistence, discovery, collection, command-and-control, and exfiltration-related behaviors mapped in ATT&CK. Its stated ability to operate based on root versus user permissions makes Linux endpoint visibility and privilege context important for response decisions. For leaders, the practical question is whether critical Linux servers, workstations, or Linux-based infrastructure have enough host and network evidence to find stealthy persistence and C2 patterns before data collection or exfiltration becomes an incident-impact issue.
Executive priority
Prioritize this as a Linux resilience and evidence-readiness concern. The ATT&CK relationships show behaviors that can affect persistence, command-and-control, automated collection, and exfiltration over C2. Security leaders should ask whether Linux assets are fully inventoried, whether privileged and user-level execution is monitored, whether persistence locations such as systemd, boot/logon scripts, shell configuration, and XDG autostart are audited, and whether outbound network controls can identify non-standard ports, non-application-layer protocols, encoded traffic, or encrypted C2-like channels. This is also useful for compliance and incident readiness because it tests whether the organization can produce reliable Linux host, process, file, service, and network evidence during an investigation.
Technical view
RotaJakiro is a 64-bit Linux backdoor used by APT32 according to the supplied ATT&CK relationship. MITRE provides no dedicated detection text, so defenders should validate coverage through the related techniques: masquerading as legitimate resources, Linux persistence via boot/logon scripts, systemd services, Unix shell configuration changes, and XDG autostart entries; discovery of processes and system information; execution through native APIs, shared modules, and IPC; automated collection; and C2/exfiltration behaviors involving non-standard ports, non-application-layer protocols, standard encoding, symmetric cryptography, and exfiltration over the C2 channel. IR teams should preserve permission context, because the official description notes execution can differ depending on root or user access.
Likely telemetry
- Linux process creation and command-line telemetry, including parent/child process context
- File creation, modification, and permission changes in service, startup, shell configuration, and user autostart locations
- systemd unit file changes and service enable/start events
- Boot or logon initialization script changes
- XDG .desktop autostart entry changes
Detection direction
- Because no official MITRE detection guidance is supplied for S1078, build detection validation from the mapped techniques rather than from the malware name alone.
- Baseline legitimate Linux service, startup, shell, and XDG autostart changes, then alert on new or modified entries that launch unusual binaries or user-writable paths.
- Look for executable names or locations that approximate trusted Linux resources (the reports cite the filename `systemd-daemon`), especially when paired with persistence or outbound network activity; a systemd-looking process name whose binary does not live under the systemd library directories is a cheap first check.
- Correlate process discovery and system information discovery with new persistence artifacts or suspicious outbound communications to reduce false positives from normal administration.
- Review outbound traffic for non-standard port use, protocol/port mismatches, non-application-layer protocol communications, and encrypted or encoded sessions that are not expected for the host role.
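To turn the directions above into something a responder can run, here is an added example (not code from the page or from the netlab360 reports) that checks the exact persistence and masquerading locations the ATT&CK relationships for S1078 name: a `.bashrc` line calling into `${HOME}/.gvfsd/.profile/`, `.desktop` entries under `$HOME/.config/autostart/`, `.service` units under `/lib/systemd/system/`, `.conf` jobs under `/etc/init/`, and any file named `systemd-daemon`. It runs against a constructed fixture tree; point `scan_host` at `Path("/")` on a live host. The fixture file names (`gvfsd-helper`, `nm-applet.desktop`, `ssh.service`) are assumptions for illustration, not observed RotaJakiro artifacts.

```python
"""Hunt for the RotaJakiro persistence and masquerading artifacts mapped for S1078.

Added example, not code from the page or from the netlab360 reports. The paths
are those named in the ATT&CK relationships; the fixture tree is constructed.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

GVFSD_MARKER = ".gvfsd/.profile/"      # folder named in the T1546.004 relationship
MASQUERADE_NAME = "systemd-daemon"     # filename named in the T1036.005 relationship
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")
SKIP_DIRS = {"proc", "sys", "dev", "run"}  # pseudo-filesystems: skip when walking "/"


def suspicious_exec(command: str) -> str | None:
    """Classify the program a launch line points at; None means unremarkable."""
    if not command.strip():
        return None
    program = command.split()[0].lstrip("-@+!:")  # strip systemd ExecStart prefixes
    if os.path.basename(program) == MASQUERADE_NAME:
        return f"launches {program!r}, which mimics a systemd binary name"
    if program.startswith(USER_WRITABLE):
        return f"launches {program!r} from a user-writable path"
    return None


def _launch_lines(path: Path, prefix: str):
    """Yield the command part of lines such as 'Exec=...', 'ExecStart=...' or 'exec ...'."""
    for raw in path.read_text(errors="replace").splitlines():
        line = raw.strip()
        if line.startswith(prefix):
            yield line[len(prefix):]


def scan_host(root: Path) -> list[dict]:
    """Return findings for the filesystem rooted at `root` (Path('/') on a live host)."""
    findings: list[dict] = []

    def record(technique: str, path: Path, detail: str) -> None:
        findings.append({"technique": technique, "path": str(path.relative_to(root)), "detail": detail})

    # T1546.004: non-root persistence via a .bashrc line calling into ${HOME}/.gvfsd/.profile/
    for bashrc in sorted(root.glob("home/*/.bashrc")):
        for line in bashrc.read_text(errors="replace").splitlines():
            if GVFSD_MARKER in line:
                record("T1546.004", bashrc, line.strip())
    # T1547.013: user-level persistence via $HOME/.config/autostart/*.desktop
    for desktop in sorted(root.glob("home/*/.config/autostart/*.desktop")):
        for cmd in _launch_lines(desktop, "Exec="):
            if (why := suspicious_exec(cmd)):
                record("T1547.013", desktop, why)
    # T1543.002: root persistence via /lib/systemd/system/*.service
    for unit in sorted(root.glob("lib/systemd/system/*.service")):
        for cmd in _launch_lines(unit, "ExecStart="):
            if (why := suspicious_exec(cmd)):
                record("T1543.002", unit, why)
    # T1037: root persistence via /etc/init/*.conf (Upstart-style job files)
    for job in sorted(root.glob("etc/init/*.conf")):
        for cmd in _launch_lines(job, "exec "):
            if (why := suspicious_exec(cmd)):
                record("T1037", job, why)
    # T1036.005: any file carrying the systemd-daemon name, wherever it sits
    for dirpath, dirnames, filenames in os.walk(root):
        if Path(dirpath) == root:
            dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            if name == MASQUERADE_NAME:
                record("T1036.005", Path(dirpath) / name, "filename mimics a systemd component")
    return findings


def build_fixture() -> Path:
    """Constructed host tree: one artifact per mapped persistence technique plus two
    benign entries (nm-applet.desktop, ssh.service) that must not be flagged."""
    root = Path(tempfile.mkdtemp(prefix="rotajakiro-hunt-"))
    files = {
        "home/alice/.bashrc": "alias ll='ls -l'\n${HOME}/.gvfsd/.profile/gvfsd-helper &\n",
        "home/alice/.config/autostart/gvfsd-helper.desktop":
            "[Desktop Entry]\nType=Application\nExec=/home/alice/.gvfsd/.profile/gvfsd-helper\n",
        "home/alice/.config/autostart/nm-applet.desktop":
            "[Desktop Entry]\nType=Application\nExec=/usr/bin/nm-applet\n",
        "lib/systemd/system/systemd-daemon.service": "[Service]\nExecStart=/bin/systemd-daemon\n",
        "lib/systemd/system/ssh.service": "[Service]\nExecStart=/usr/sbin/sshd -D $SSHD_OPTS\n",
        "etc/init/systemd-daemon.conf": "start on runlevel [2345]\nexec /bin/systemd-daemon\n",
        "bin/systemd-daemon": "",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    for finding in scan_host(build_fixture()):
        print(finding)
```

The checks flag only launch lines that point at user-writable paths or at the `systemd-daemon` name, which keeps ordinary units and autostart entries quiet; baseline the output once per host role, as the second bullet above suggests, before alerting on changes.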
Mitigation priorities
- Start with Linux asset inventory and logging coverage for systems where a backdoor would create material operational or data risk.
- Restrict and monitor changes to systemd services, boot/logon scripts, shell configuration files, and XDG autostart entries using least privilege and change-control expectations.
- Harden privileged access on Linux systems and review where users can create persistent startup mechanisms.
- Apply egress control and monitoring so Linux hosts cannot freely use unexpected ports or protocols without review.
- Maintain incident response procedures for collecting Linux host artifacts, persistence locations, process context, user/root privilege evidence, and network flow history.
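The egress review called for in the detection and mitigation bullets (protocol/port mismatches, non-standard ports) can be approximated from the first client bytes of each TCP session. This added example (not code from the page or from the netlab360 reports) classifies those bytes as TLS, HTTP or opaque and compares the result with a per-port policy for the host role. The flows, addresses and payloads are constructed for illustration; the opaque bytes are arbitrary and are not RotaJakiro's actual protocol, of which the reports give only the TLV-over-TCP-443 description.

```python
"""Flag protocol/port mismatches and off-policy ports from a session's first client bytes.

Added example, not code from the page or the netlab360 reports. All flows below are
constructed; the 'opaque' payload is arbitrary and not real RotaJakiro traffic.
"""
from __future__ import annotations

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

# Expected client protocol per destination port for this (assumed) host role.
# Ports absent from the policy are treated as non-standard for the role.
DEFAULT_POLICY: dict[int, set[str]] = {443: {"tls"}, 80: {"http"}}


def classify_client_bytes(data: bytes) -> str:
    """Return 'tls' for a TLS ClientHello, 'http' for a plaintext request, else 'opaque'."""
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04,
    # 2-byte record length, then the handshake type byte 0x01 (ClientHello).
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04
            and data[5] == 0x01):
        record_len = int.from_bytes(data[3:5], "big")
        if record_len >= 4:  # must at least hold the 4-byte handshake header
            return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "opaque"


def review_egress(flows: list[dict], policy: dict[int, set[str]] = DEFAULT_POLICY) -> list[dict]:
    """Return the flows whose observed protocol does not fit the port, or whose port is off-policy."""
    findings = []
    for flow in flows:
        seen = classify_client_bytes(flow["first_bytes"])
        allowed = policy.get(flow["dport"])
        if allowed is None:
            reason = f"port {flow['dport']} is not expected for this host role (T1571)"
        elif seen not in allowed:
            expected = "/".join(sorted(allowed))
            reason = f"{seen} client bytes on port {flow['dport']} where {expected} is expected (T1095/T1571)"
        else:
            continue
        findings.append({**flow, "observed": seen, "reason": reason})
    return findings


# Constructed samples. The ClientHello prefix is a hand-built TLS 1.0 record wrapping a
# TLS 1.2 ClientHello header; the opaque blob is arbitrary bytes with no protocol meaning.
CLIENT_HELLO_PREFIX = bytes.fromhex("160301 00a5 01 0000a1 0303") + b"\x00" * 32
OPAQUE_BLOB = bytes.fromhex("0100 0010") + b"\x8f\x23\xa7\x41" * 4
SAMPLE_FLOWS = [
    {"src": "10.0.0.21", "dst": "203.0.113.10", "dport": 443, "first_bytes": CLIENT_HELLO_PREFIX},
    {"src": "10.0.0.21", "dst": "203.0.113.11", "dport": 80,
     "first_bytes": b"GET / HTTP/1.1\r\nHost: example.test\r\n"},
    {"src": "10.0.0.22", "dst": "198.51.100.7", "dport": 443, "first_bytes": OPAQUE_BLOB},
    {"src": "10.0.0.22", "dst": "198.51.100.8", "dport": 8443, "first_bytes": CLIENT_HELLO_PREFIX},
]

if __name__ == "__main__":
    for hit in review_egress(SAMPLE_FLOWS):
        print(hit["src"], "->", hit["dst"], hit["dport"], hit["reason"])
```

The first-bytes check is deliberately coarse: it separates "this is TLS" from "this is something else on 443", which is the distinction the T1095/T1571 rows describe, and leaves deeper inspection to a sensor that can follow the session.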
Analyst notes and limits
The strongest decision value is not a single indicator but the combination of Linux persistence, stealth/resource-name matching, discovery, modular execution, automated collection, and C2/exfiltration-related behaviors. RotaJakiro’s plugin architecture, Linux focus, and root/user execution distinction make endpoint depth and privilege context especially important for SOC and IR teams.
The supplied ATT&CK object does not include official detection text, aliases, labels, or object-level tactics. This take is derived from the official description, external references, and supplied ATT&CK relationships only. Local validation is required to determine whether the organization has relevant Linux telemetry, whether observed persistence changes are malicious, and whether outbound traffic is abnormal for a given host role.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available; bracketed numbers refer to the external references at the end of the page.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | RotaJakiro uses the AES algorithm, bit shifts in a function called `rotate`, and an XOR cipher to decrypt resources required for persistence, process guarding, and file locking. It applies the same routine to encrypted stack strings and to the `head` and `key` sections of the network packet structure used for C2 communications. [1] |
| Enterprise | T1546.004 | Unix Shell Configuration Modification | When executing with non-root permissions, RotaJakiro can install persistence by adding a command to the `.bashrc` file that executes a binary in the `${HOME}/.gvfsd/.profile/` folder. [1] |
| Enterprise | T1106 | Native API | When executing with non-root permissions, RotaJakiro uses the `shmget` API to create shared memory between other known RotaJakiro processes. RotaJakiro also uses the `execvp` API to help its dead process "resurrect". [1] |
| Enterprise | T1132.001 | Standard Encoding | RotaJakiro uses ZLIB compression to compress data sent to the C2 server in the `payload` section of the network communication packet. [1] |
| Enterprise | T1037 | Boot or Logon Initialization Scripts | Depending on the Linux distribution and when executing with root permissions, RotaJakiro may install persistence using a `.conf` file in the `/etc/init/` folder. [1] |
| Enterprise | T1082 | System Information Discovery | RotaJakiro executes a set of commands to collect device information, including `uname`. Another example is the `cat /etc/*release \| uniq` command used to collect the current OS distribution. [1] |
| Enterprise | T1543.002 | Systemd Service | Depending on the Linux distribution and when executing with root permissions, RotaJakiro may install persistence using a `.service` file under the `/lib/systemd/system/` folder. [1] |
| Enterprise | T1129 | Shared Modules | RotaJakiro uses dynamically linked shared libraries (`.so` files) to execute additional functionality using `dlopen()` and `dlsym()`. [1] |
| Enterprise | T1571 | Non-Standard Port | RotaJakiro uses a custom binary protocol over TCP port 443. [2] |
| Enterprise | T1095 | Non-Application Layer Protocol | RotaJakiro uses a custom binary protocol with a type-length-value (TLV) format over TCP. [2] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | RotaJakiro has used the filename `systemd-daemon` in an attempt to appear legitimate. [2] |
| Enterprise | T1559 | Inter-Process Communication | When executing with non-root permissions, RotaJakiro uses the `shmget` API to create shared memory between other known RotaJakiro processes. This allows the processes to communicate with each other and share their PIDs. [1] |
| Enterprise | T1057 | Process Discovery | RotaJakiro can monitor the `/proc/[PID]` directory of known RotaJakiro processes as part of its persistence when executing with non-root permissions. If the process is found dead, it resurrects the process. RotaJakiro processes can be matched to an associated advisory lock in `/proc/locks` to ensure it does not spawn more than one process. [1] |
| Enterprise | T1119 | Automated Collection | Depending on the Linux distribution, RotaJakiro executes a set of commands to collect device information and sends the collected information to the C2 server. [1] |
| Enterprise | T1547.013 | XDG Autostart Entries | When executing with user-level permissions, RotaJakiro can install persistence using a `.desktop` file under the `$HOME/.config/autostart/` folder. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | RotaJakiro sends device and other collected data back to the C2 using the established C2 channels over TCP. [1] |
| Enterprise | T1573.001 | Symmetric Cryptography | RotaJakiro encrypts C2 communication using a combination of AES, XOR, ROTATE encryption, and ZLIB compression. [1] |
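The T1057 and T1559 rows describe a single-instance guard built on an advisory file lock and shared memory, which gives responders a concrete place to look: `/proc/locks` lists every lock holder by PID together with the locked file's device and inode. The following added example (not code from the page or from the netlab360 reports) parses that table, joins each holder to its `comm` and `exe`, and flags holders that match the masquerading and hidden-path patterns from the table above. The sample lock rows and process metadata are constructed; the `live_*` helpers read `/proc` only on Linux.

```python
"""Map /proc/locks rows to their holding processes and flag holders that fit the
RotaJakiro single-instance pattern (T1057/T1559 rows above).

Added example, not code from the page or the netlab360 reports. The sample lock
table and process metadata are constructed; live helpers need a Linux /proc.
"""
from __future__ import annotations

import os
from dataclasses import dataclass
from pathlib import Path
from typing import Callable

SYSTEMD_DIRS = ("/usr/lib/systemd/", "/lib/systemd/")
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Lock:
    lock_id: int
    kind: str        # POSIX (fcntl) or FLOCK
    mode: str        # ADVISORY or MANDATORY
    access: str      # READ or WRITE
    pid: int
    device: str      # major:minor, hex as the kernel prints it
    inode: int
    start: int
    end: int | None  # None for EOF
    blocked: bool    # True for "->" rows: a process waiting on the lock, not holding it


def parse_proc_locks(text: str) -> list[Lock]:
    """Parse the text of /proc/locks into Lock records, one per row, waiters included."""
    locks = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        blocked = fields[1] == "->"
        if blocked:
            del fields[1]
        kind, mode, access, pid, dev_inode, start, end = fields[1:8]
        major, minor, inode = dev_inode.split(":")
        locks.append(Lock(int(fields[0].rstrip(":")), kind, mode, access, int(pid),
                          f"{major}:{minor}", int(inode), int(start),
                          None if end == "EOF" else int(end), blocked))
    return locks


def why_suspicious(comm: str, exe: str) -> str | None:
    """Heuristics from the mapped techniques: a systemd-looking name outside systemd's own
    directories (T1036.005), or an executable in a hidden or user-writable path (T1546.004)."""
    if comm.startswith("systemd") and not exe.startswith(SYSTEMD_DIRS):
        return f"comm {comm!r} mimics systemd but exe is {exe}"
    if exe.startswith(USER_WRITABLE) or "/." in exe:
        return f"exe {exe} runs from a user-writable or hidden location"
    return None


def suspicious_lock_holders(locks: list[Lock],
                            proc_info: Callable[[int], tuple[str, str] | None]) -> list[dict]:
    """Join lock rows to (comm, exe) per PID and keep the ones worth an analyst's time."""
    out = []
    for lock in locks:
        info = proc_info(lock.pid)
        if info is None:          # process exited between reading /proc/locks and /proc/<pid>
            continue
        comm, exe = info
        if (why := why_suspicious(comm, exe)):
            out.append({"pid": lock.pid, "comm": comm, "exe": exe, "waiting": lock.blocked,
                        "locked": f"{lock.device}:{lock.inode}", "why": why})
    return out


def live_proc_info(pid: int) -> tuple[str, str] | None:
    """comm and resolved exe for a live PID (Linux only)."""
    try:
        return Path(f"/proc/{pid}/comm").read_text().strip(), os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None


def live_locked_path(lock: Lock) -> str | None:
    """Find which open fd of the holder refers to the locked dev:inode (Linux only)."""
    try:
        for fd in Path(f"/proc/{lock.pid}/fd").iterdir():
            st = os.stat(fd)
            dev = f"{os.major(st.st_dev):02x}:{os.minor(st.st_dev):02x}"
            if st.st_ino == lock.inode and dev == lock.device:
                return os.readlink(fd)
    except OSError:
        pass
    return None


# Constructed sample: PID 2893 holds a write lock, PID 2901 waits on the same inode.
SAMPLE_PROC_LOCKS = """\
1: POSIX  ADVISORY  WRITE 2893 00:2a:2424 0 EOF
1: -> POSIX  ADVISORY  WRITE 2901 00:2a:2424 0 EOF
2: FLOCK  ADVISORY  WRITE 1086 00:19:21 0 EOF
3: POSIX  ADVISORY  READ  1105 08:01:1048591 1073741826 1073742335
"""
SAMPLE_PROC_INFO = {  # constructed (comm, exe) pairs; the hidden-path name is illustrative
    2893: ("systemd-daemon", "/home/alice/.gvfsd/.profile/systemd-daemon"),
    2901: ("systemd-daemon", "/home/alice/.gvfsd/.profile/systemd-daemon"),
    1086: ("cron", "/usr/sbin/cron"),
    1105: ("systemd-journal", "/usr/lib/systemd/systemd-journald"),
}

if __name__ == "__main__":
    if Path("/proc/locks").exists():
        locks, info = parse_proc_locks(Path("/proc/locks").read_text()), live_proc_info
    else:
        locks, info = parse_proc_locks(SAMPLE_PROC_LOCKS), SAMPLE_PROC_INFO.get
    for hit in suspicious_lock_holders(locks, info):
        print(hit)
```

On a live host, pass each flagged lock to `live_locked_path` to recover the file name behind the device:inode pair, and treat a waiter (`"waiting": True`) on the same inode as a second instance that the guard is keeping out.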
Groups, software, and campaigns
G0050: APT32
APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When multiple ATT&CK source imports are retained, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a4a5f14dae93… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] RotaJakiro 2021 netlab360 analysis. Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023.
- [2] netlab360 rotajakiro vs oceanlotus. Alex Turing. (2021, May 6). RotaJakiro, the Linux version of the OceanLotus. Retrieved June 14, 2023.
- [3] mitre-attack S1078. MITRE ATT&CK software entry S1078: RotaJakiro.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.