
S1219: REPTILE

REPTILE is an open-source Linux rootkit with multiple components that provides backdoor access and functionality.[1]

Enterprise | S1219 | Malware | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

REPTILE is an open-source Linux rootkit described by ATT&CK as providing backdoor access through multiple components. Its business significance is not simply “malware on Linux”; it represents a class of activity where compromised systems may deliberately hide files, services, network connections, and command channels. For leaders, that makes normal endpoint and log evidence less trustworthy unless Linux kernel/module integrity, persistence paths, and network signaling are explicitly covered.

Executive priority

Prioritize REPTILE as a resilience and assurance issue for Linux environments that support critical services, edge infrastructure, or sensitive operations. The ATT&CK relationships tie it to rootkit behavior, Unix shell execution, hidden artifacts, port-knocking/traffic signaling, encrypted command-and-control, and Linux persistence mechanisms such as udev rules and kernel modules. Executives should ask whether current monitoring can prove what is loaded into the kernel, what persists across reboot, and what network activity occurs before and after suspected signaling events.

Technical view

SOC and IR teams should validate Linux-focused coverage against the mapped behaviors: Rootkit (T1014), Unix Shell (T1059.004), Non-Application Layer Protocol (T1095), Deobfuscate/Decode Files or Information (T1140), Traffic Signaling and Port Knocking (T1205/T1205.001), Udev Rules (T1546.017), Kernel Modules and Extensions (T1547.006), Hidden Files and Directories (T1564.001), and Asymmetric Cryptography for C2 (T1573.002). The relationship table also maps the launcher's daemonization to Launch Daemon (T1543.004), a macOS-only technique in ATT&CK, so treat that row as a description of behavior rather than a Linux coverage target. Because ATT&CK provides no official detection text for REPTILE, local validation should focus on whether host telemetry, kernel/module state, persistence locations, shell execution, and network metadata remain visible when rootkit-style hiding is suspected.
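
One concrete way to test whether kernel/module state "remains visible", as an added example that is not code from this page, from MITRE, or from the REPTILE project: compare two independent kernel views of loaded modules. /proc/modules is the list most LKM rootkits unlink themselves from; /sys/module is a separate kobject tree, and a loaded loadable module has a /sys/module/<name>/initstate file that built-in modules lack. A name that sysfs reports as loaded but /proc/modules omits is worth an immediate look. The sample /proc/modules text, the sysfs listing, the module name `hidden_mod`, and the approved-module baseline are all constructed for the example.

```python
"""Cross-view check for loaded Linux kernel modules (added example).

Compares /proc/modules (the list rootkits commonly unlink from) with
/sys/module (an independent kobject tree). Loaded loadable modules have
/sys/module/<name>/initstate; built-in modules do not, so that file is the
discriminator. All sample data below is constructed.
"""
import os

# Constructed /proc/modules content: name size refcount deps state address.
SAMPLE_PROC_MODULES = """\
xt_conntrack 16384 2 - Live 0x0000000000000000
nf_conntrack 172032 1 xt_conntrack, Live 0x0000000000000000
overlay 151552 0 - Live 0x0000000000000000
"""

# Constructed /sys/module listing: name -> whether initstate exists.
# 'hidden_mod' is a hypothetical name standing in for a module that removed
# itself from the /proc/modules list but still has its sysfs kobject.
SAMPLE_SYS_MODULE = {
    "xt_conntrack": True,
    "nf_conntrack": True,
    "overlay": True,
    "hidden_mod": True,
    "printk": False,  # built-in: exposes parameters but has no initstate
}

# Hypothetical approved-module baseline for this host role.
BASELINE = {"xt_conntrack", "nf_conntrack", "overlay"}


def parse_proc_modules(text):
    """Return the set of module names from /proc/modules content."""
    return {line.split()[0] for line in text.splitlines() if line.split()}


def loaded_from_sysfs(sys_module):
    """Names that sysfs reports as loaded loadable modules (initstate present)."""
    return {name for name, has_initstate in sys_module.items() if has_initstate}


def cross_view(proc_names, sysfs_names):
    """Disagreements between the two views, in both directions."""
    return {
        "hidden_from_proc": sorted(sysfs_names - proc_names),
        "missing_from_sysfs": sorted(proc_names - sysfs_names),
    }


def baseline_diff(proc_names, sysfs_names, baseline):
    """Modules present in either view that are not on the approved baseline."""
    return sorted((proc_names | sysfs_names) - baseline)


def report(proc_names, sysfs_names, baseline=BASELINE):
    findings = cross_view(proc_names, sysfs_names)
    findings["not_in_baseline"] = baseline_diff(proc_names, sysfs_names, baseline)
    return findings


def collect_live():
    """Read the real views on a Linux host; returns None elsewhere."""
    if not os.path.isfile("/proc/modules") or not os.path.isdir("/sys/module"):
        return None
    with open("/proc/modules") as fh:
        proc_names = parse_proc_modules(fh.read())
    sys_module = {
        name: os.path.exists(os.path.join("/sys/module", name, "initstate"))
        for name in os.listdir("/sys/module")
    }
    return proc_names, loaded_from_sysfs(sys_module)


if __name__ == "__main__":
    sample = report(parse_proc_modules(SAMPLE_PROC_MODULES),
                    loaded_from_sysfs(SAMPLE_SYS_MODULE))
    print("sample:", sample)
    live = collect_live()
    if live:
        print("live:", report(*live))
```

Treat a non-empty `hidden_from_proc` as a strong signal, not proof: a rootkit that also removes its kobject or hooks the filesystem reads defeats this check, which is why the page's advice on trusted offline acquisition or out-of-band validation still applies. Run it from a known-good binary copied to the host, and keep the baseline per host role, since kernel updates legitimately change the loaded set.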

Likely telemetry

  • Linux kernel module inventory and load/unload events where available
  • File integrity and change monitoring for kernel module paths, udev rule files, startup/persistence locations, and hidden files or directories
  • Process and command-line telemetry for Unix shell execution
  • Authentication and privilege-use logs relevant to administrative changes on Linux systems
  • Network flow, packet, firewall, and IDS metadata for unusual non-application-layer communications, port-knocking-like sequences, and encrypted outbound sessions

Detection direction

  • Do not rely only on standard process lists, directory listings, or listening-port checks; rootkit behavior may hide those views.
  • Baseline approved Linux kernel modules, udev rules, and persistence mechanisms, then alert on unexpected changes or loads.
  • Correlate low-volume connection attempts, closed-port sequences, or protocol anomalies with later service exposure or outbound connections to identify possible traffic signaling.
  • Tune detections for administrative false positives: legitimate kernel updates, driver loads, udev changes, and maintenance scripts can resemble persistence activity without additional context.
  • Use relationship context to hunt across the mapped techniques rather than a single malware name, since the object is open-source and ATT&CK provides no REPTILE-specific detection guidance.
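
The third bullet above is the one that is hardest to do by hand, so here is a worked correlation, as an added example that is not code from this page, from MITRE, or from the REPTILE project. The useful property of firewall drop logs is that a host component waiting for an activation packet has no bound socket: `ss` and `netstat` show nothing, but the kernel firewall still logs the dropped knock. The script parses iptables/nftables-style LOG lines with constructed `FW-DROP:`/`FW-ACCEPT:` prefixes and reports any source whose dropped attempts to several distinct ports are followed, within a short window, by an accepted connection from the same source to the same destination. The log lines, addresses, ports, and thresholds are constructed.

```python
"""Correlate closed-port probe sequences with a following accepted connection
(added example; log format and sample lines are constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log: a three-port knock then an accept on 4444; a typo'd telnet
# then ssh (benign); and a scanner that only produces drops.
SAMPLE_LOG = """\
2024-06-18T10:00:01Z host kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=7001 SYN
2024-06-18T10:00:02Z host kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=8002 SYN
2024-06-18T10:00:03Z host kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=9003 SYN
2024-06-18T10:00:09Z host kernel: FW-ACCEPT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=4444 SYN
2024-06-18T10:05:00Z host kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=23 SYN
2024-06-18T10:05:01Z host kernel: FW-ACCEPT: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=50002 DPT=22 SYN
2024-06-18T11:00:00Z host kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=1 SYN
2024-06-18T11:00:00Z host kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=50002 DPT=2 SYN
2024-06-18T11:00:00Z host kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=50003 DPT=3 SYN
2024-06-18T11:00:01Z host kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=50004 DPT=4 SYN
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ kernel: (?P<action>FW-DROP|FW-ACCEPT): (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Turn one LOG line into a dict, or None if it is not a firewall line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(m.group("rest")))  # flags like SYN carry no '='
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "ts": ts, "action": m.group("action"),
        "src": kv.get("SRC"), "dst": kv.get("DST"), "proto": kv.get("PROTO"),
        "dport": int(kv["DPT"]) if kv.get("DPT") else None,
    }


def find_knock_sequences(events, min_knocks=3, window_seconds=60):
    """Accepted connections preceded by >= min_knocks distinct dropped ports
    from the same source to the same destination inside the window."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, acc in enumerate(evs):
            if acc["action"] != "FW-ACCEPT":
                continue
            start = acc["ts"] - timedelta(seconds=window_seconds)
            knock_ports = []
            for k in evs[:i]:
                if (k["action"] == "FW-DROP" and k["dst"] == acc["dst"]
                        and k["ts"] >= start and k["dport"] not in knock_ports):
                    knock_ports.append(k["dport"])
            if len(knock_ports) >= min_knocks:
                findings.append({
                    "src": src, "dst": acc["dst"], "knock_ports": knock_ports,
                    "opened_port": acc["dport"], "accepted_at": acc["ts"].isoformat(),
                })
    return findings


def analyze_log(text, **kwargs):
    events = [e for e in map(parse_line, text.splitlines()) if e]
    return find_knock_sequences(events, **kwargs)


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f)
```

Tune `min_knocks` and `window_seconds` to the environment; ordinary scanners produce drops without a follow-on accept, which is why the sample scanner source is not reported. Because the table maps activation to TCP, UDP, or ICMP (T1205), extend the drop matching to those protocols rather than TCP SYNs only, and add the outbound side by joining on the host's subsequent new connections, as the bullet suggests.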

Mitigation priorities

  • Establish hardened Linux build and change-control standards for kernel modules, boot/startup behavior, udev rules, and privileged administrative actions.
  • Maintain file integrity monitoring and trusted baselines for sensitive Linux persistence and kernel-extension locations.
  • Restrict and monitor privileged access needed to load kernel modules or alter system persistence.
  • Segment and monitor Linux systems that provide critical services, especially where unusual network signaling or non-standard protocols would be high risk.
  • Prepare IR procedures for suspected rootkits, including trusted offline acquisition or out-of-band validation when live host telemetry may be unreliable.
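
For the baseline bullet above, applied to the udev persistence path the table maps to T1546.017, here is an added example that is not code from this page, from MITRE, or from the REPTILE project. udev rules in /etc/udev/rules.d, /run/udev/rules.d and /usr/lib/udev/rules.d can run a command whenever a matching device event fires, which makes them a boot-time persistence point. The script extracts RUN+= and PROGRAM= targets from rule text, flags commands that invoke a shell inline or reference world-writable or hidden paths, and diffs the rule files against a fingerprint baseline. The sample rules, their file names, the device match, and the baseline are constructed; the suspicious-directory list is a starting point, not a complete one.

```python
"""Audit udev rules for command-running directives used as persistence
(added example; sample rules, file names and baseline are constructed)."""
import glob
import hashlib
import re
import shlex

SAMPLE_RULES = {
    "/etc/udev/rules.d/70-persistent-net.rules":
        'SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:11:22:33:44:55", NAME="eth0"\n',
    "/etc/udev/rules.d/99-local.rules":
        'ACTION=="add", SUBSYSTEM=="block", RUN+="/usr/local/sbin/mount-helper.sh %k"\n',
    # Constructed: matches a device that always exists at boot and starts a
    # launcher dropped on tmpfs under a dot-prefixed directory.
    "/etc/udev/rules.d/10-hidden.rules":
        'ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", '
        'RUN+="/bin/sh -c \'/dev/shm/.x/launch &\'"\n',
}

# RUN+=, RUN=, RUN{program}+=, PROGRAM=, PROGRAM== all execute something.
DIRECTIVE_RE = re.compile(r'\b(RUN|PROGRAM)(?:\{[^}]*\})?\s*(?:[+:]?=|==)\s*"((?:[^"\\]|\\.)*)"')
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
SHELLS = {"sh", "bash", "dash", "zsh"}


def extract_commands(rule_text):
    """Return [(directive, argv)] for every RUN/PROGRAM directive in a file."""
    out = []
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for directive, value in DIRECTIVE_RE.findall(line):
            try:
                argv = shlex.split(value)
            except ValueError:  # unbalanced quotes: keep the raw value
                argv = [value]
            out.append((directive, argv))
    return out


def assess(argv):
    """Reasons a command looks like persistence rather than device setup."""
    reasons = set()
    if argv and argv[0].rsplit("/", 1)[-1] in SHELLS and "-c" in argv:
        reasons.add("inline shell command")
    for tok in argv:
        for d in SUSPICIOUS_DIRS:
            if d in tok:
                reasons.add("path under " + d)
        if any(p.startswith(".") and p not in (".", "..") for p in tok.split("/")):
            reasons.add("hidden path component")
    return sorted(reasons)


def audit(rules):
    """rules: {path: text}. Findings for directives with at least one reason."""
    findings = []
    for path, text in sorted(rules.items()):
        for directive, argv in extract_commands(text):
            reasons = assess(argv)
            if reasons:
                findings.append({"file": path, "directive": directive,
                                 "argv": argv, "reasons": reasons})
    return findings


def fingerprint(rules):
    """Per-file SHA-256 of rule text; this is what the trusted baseline stores."""
    return {p: hashlib.sha256(t.encode()).hexdigest() for p, t in rules.items()}


def diff_baseline(current, baseline):
    both = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if current[p] != baseline[p]),
    }


def collect_live():
    """Read the real rule files on a Linux host (empty dict elsewhere)."""
    rules = {}
    for pattern in ("/etc/udev/rules.d/*.rules", "/run/udev/rules.d/*.rules",
                    "/usr/lib/udev/rules.d/*.rules"):
        for path in glob.glob(pattern):
            try:
                with open(path, errors="replace") as fh:
                    rules[path] = fh.read()
            except OSError:
                pass
    return rules


# Constructed baseline: the two benign files as they were approved.
BASELINE = fingerprint({p: t for p, t in SAMPLE_RULES.items() if "hidden" not in p})

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f["file"], f["directive"], f["reasons"], f["argv"])
    print(diff_baseline(fingerprint(SAMPLE_RULES), BASELINE))
```

The heuristics are deliberately loose; distribution rule files legitimately use RUN+= for helper programs under /usr/lib/udev, so the baseline diff is the higher-confidence signal and the heuristics only rank what changed. If a rootkit is suspected on the host, collect the files from an offline mount or a trusted boot image rather than trusting the live filesystem view.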

Analyst notes and limits

ATT&CK lists REPTILE as a Linux malware object and describes it as an open-source rootkit with backdoor functionality. Relationships show use by campaign C0056 RedPenguin and group G1048 UNC3886, and use of multiple techniques spanning stealth, persistence, privilege escalation, execution, and command-and-control. Those relationships support defensive prioritization, but they should not be treated as proof of current activity in any specific environment.

Official detection is not provided. The object's own platform is Linux; some related techniques include additional platforms, and one mapped technique, Launch Daemon (T1543.004), is macOS-specific, so platform applicability must be validated locally before building coverage assumptions. No guaranteed indicators, hashes, active exploitation claims, or environment exposure can be inferred from the supplied fields alone.

Official MITRE ATT&CK definition

REPTILE

REPTILE is an open-source Linux rootkit with multiple components that provides backdoor access and functionality.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; the in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

11 rows

Domain | ID | Name | Relationship / procedure

Enterprise | T1543.004 | Launch Daemon (sub-technique)
  The REPTILE launcher can daemonize a process. [Google Cloud Mandiant UNC3886 2024]

Enterprise | T1573.002 | Asymmetric Cryptography (sub-technique)
  REPTILE can use TLS over raw TCP for secure C2. [Google Cloud Mandiant UNC3886 2024; Mandiant Fortinet Zero Day]

Enterprise | T1205.001 | Port Knocking (sub-technique)
  REPTILE has the ability to control compromised endpoints via port knocking. [Google Cloud Mandiant UNC3886 2024]

Enterprise | T1546.017 | Udev Rules (sub-technique)
  REPTILE has used udev for persistence. [Google Cloud Mandiant UNC3886 2024]

Enterprise | T1564.001 | Hidden Files and Directories (sub-technique)
  REPTILE has the ability to communicate with the kernel-mode component to hide files. [Google Cloud Mandiant UNC3886 2024]

Enterprise | T1140 | Deobfuscate/Decode Files or Information
  The REPTILE launcher component can decrypt kernel module code from a file and load it into memory. [Google Cloud Mandiant UNC3886 2024]

Enterprise | T1205 | Traffic Signaling
  The REPTILE reverse shell component can listen for a specialized packet in TCP, UDP, or ICMP for activation. [Google Cloud Mandiant UNC3886 2024; Mandiant Fortinet Zero Day]

Enterprise | T1059.004 | Unix Shell (sub-technique)
  REPTILE can deploy components automatically with shell scripts. [Google Cloud Mandiant UNC3886 2024]

Enterprise | T1014 | Rootkit
  REPTILE has the ability to hook kernel functions and modify function data to achieve rootkit functionality such as hiding processes and network connections. [Google Cloud Mandiant UNC3886 2024]

Enterprise | T1095 | Non-Application Layer Protocol
  REPTILE can communicate using TLS over raw TCP. [Google Cloud Mandiant UNC3886 2024; Mandiant Fortinet Zero Day]

Enterprise | T1547.006 | Kernel Modules and Extensions (sub-technique)
  The REPTILE rootkit is implemented as a loadable kernel module (LKM). [Google Cloud Mandiant UNC3886 2024]

Associated objects

Groups, software, and campaigns

Group Enterprise

G1048: UNC3886

UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.[1][2]

Campaign Enterprise

C0056: RedPenguin

The RedPenguin project was launched by Juniper in July 2024 to investigate reported malware infections of Juniper MX Series routers. RedPenguin activity was separately attributed to UNC3886 and included the deployment of multiple custom versions of the publicly-available TINYSHELL backdoor on Juniper routers.[1][2]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
04a87d3e03f33d5d...
Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 04a87d3e03f3…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Google Cloud Mandiant UNC3886 2024: Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.
  [2] mitre-attack S1219: the MITRE ATT&CK object record for S1219.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.