S1220: MEDUSA
Analyst context for executives and security teams
MEDUSA matters because it is a Linux rootkit with capabilities tied to stealth, command execution, dynamic linker hijacking, SSH session abuse, and credential logging. For leaders, the risk is not just malware on one host; it is loss of trust in Linux systems that may support administration, infrastructure, or edge environments, where normal tools can be misled by rootkit behavior.
Executive priority
Prioritize MEDUSA as an assurance and resilience issue for Linux estates: can the organization prove integrity of critical hosts, collect enough telemetry to investigate stealthy compromise, and rapidly rotate credentials if credential logging is suspected? The ATT&CK relationship context links MEDUSA to UNC3886 and the RedPenguin campaign, so organizations with Linux-based infrastructure, edge, telecom, defense, technology, or APJ/US exposure should ensure incident response and monitoring plans cover these environments without assuming endpoint visibility is complete.
Technical view
ATT&CK lists MEDUSA for Linux and relates it to Rootkit, Encrypted/Encoded File, SSH Hijacking, and Dynamic Linker Hijacking. SOC and IR teams should validate visibility into Linux shared library loading paths and environment variables such as LD_PRELOAD, unexpected linker configuration changes, suspicious command execution from privileged contexts, SSH session anomalies, and credential-related artifacts. Because no official ATT&CK detection text is provided, detections should be built from the related techniques and tested against local baselines rather than treated as signature-complete coverage.
Likely telemetry
- Linux file integrity monitoring for linker-related files, shared libraries, startup scripts, and privileged paths
- Process execution telemetry, including parent-child process context and commands launched from unusual privileged or service contexts
- Linux authentication and SSH logs, including session chaining, source/destination host patterns, and anomalous reuse of established trust relationships
- Environment variable and dynamic loader configuration evidence, especially around LD_PRELOAD or equivalent linker behavior
- Endpoint security or EDR telemetry where available, with awareness that rootkit behavior may reduce trust in host-only observations
Detection direction
- Validate coverage for T1574.006 by monitoring unauthorized changes to dynamic linker configuration and suspicious shared library loading on Linux systems.
- Validate coverage for T1014 by comparing host-reported state with trusted baselines, external network observations, and offline forensic collection where feasible.
- Tune SSH hijacking analytics around unusual lateral movement from already-authenticated Linux hosts, abnormal session timing, unexpected destination systems, and privileged account use.
- Account for false positives from legitimate administrators, debugging tools, performance agents, and security software that may use preload or shared library mechanisms.
- Do not rely only on file hashes or known indicators; ATT&CK notes encrypted/encoded file behavior, which can reduce simple string or pattern matching value.
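The SSH hijacking analytic described above (unusual movement from already-authenticated Linux hosts toward unexpected destinations) can be prototyped from sshd "Accepted" lines alone. The block below is an added example written for this page, not code from MITRE, Glexia, or any referenced vendor: it parses constructed sshd log lines from several hosts, maps source IPs to hostnames through a constructed inventory, and flags a "chain" whenever a host that has just received an inbound login becomes, within a short window, the source of a login to a destination that is not in the organisation's baseline of expected administrative hops. Hostnames, IP addresses, the baseline pairs and the 120-second window are all assumptions chosen for illustration.

```python
"""Fleet-level SSH session-chaining check for tuning T1563.001 analytics.

Added example for this page (not ATT&CK or Glexia code). Input is a set of
sshd 'Accepted' lines collected from several hosts into one stream, with an
ISO timestamp and the reporting hostname as the first two fields (a common
central-syslog layout; adjust LINE_RE for your forwarder's format).
"""
import re
from datetime import datetime, timedelta

# Constructed inventory: IP -> hostname. Placeholder values, not real hosts.
INVENTORY = {
    "198.51.100.7": "admin-laptop",
    "10.0.0.5": "bastion01",
    "10.0.0.21": "edge01",
    "10.0.0.22": "edge02",
}

# Constructed baseline of (source host, destination host) hops that
# administrators are expected to make. Anything else is "unexpected".
BASELINE_PAIRS = {
    ("admin-laptop", "bastion01"),
    ("bastion01", "edge01"),
    ("bastion01", "edge02"),
}

# A second hop that starts this soon after an inbound login is treated as
# part of the same session chain. Tune against local baselines.
CHAIN_WINDOW = timedelta(seconds=120)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_accepted(lines):
    """Turn sshd 'Accepted' lines into login events sorted by time.

    Non-matching lines (failed logins, disconnects) are ignored. The source
    IP is resolved to a hostname via INVENTORY so hops can be compared
    against BASELINE_PAIRS; unknown IPs are kept as-is.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "dst": m["host"],
            "src": INVENTORY.get(m["src"], m["src"]),
            "user": m["user"],
            "method": m["method"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_chains(events, baseline=BASELINE_PAIRS, window=CHAIN_WINDOW):
    """Return (first_hop, second_hop) pairs worth an analyst's attention.

    A chain is flagged when the second login originates from the host the
    first login landed on, starts within `window`, and the second hop's
    (source, destination) pair is not in the administrative baseline.
    """
    chains = []
    for i, first in enumerate(events):
        for second in events[i + 1:]:
            if second["ts"] - first["ts"] > window:
                break  # events are sorted, later ones are further away
            off_baseline = (second["src"], second["dst"]) not in baseline
            if second["src"] == first["dst"] and off_baseline:
                chains.append((first, second))
    return chains


# Constructed sample log lines (not real telemetry or indicators).
SAMPLE_LINES = [
    "2024-06-18T10:00:01 bastion01 sshd[2211]: Accepted publickey for ops "
    "from 198.51.100.7 port 50122 ssh2: ED25519 SHA256:EXAMPLEKEYFINGERPRINT",
    "2024-06-18T10:00:20 edge01 sshd[4410]: Accepted publickey for root "
    "from 10.0.0.5 port 41002 ssh2: ED25519 SHA256:EXAMPLEKEYFINGERPRINT",
    "2024-06-18T10:00:45 edge02 sshd[3902]: Accepted publickey for root "
    "from 10.0.0.21 port 39110 ssh2: ED25519 SHA256:EXAMPLEKEYFINGERPRINT",
    "2024-06-18T10:01:00 edge02 sshd[3903]: Failed password for invalid user "
    "test from 203.0.113.9 port 5555 ssh2",
]

if __name__ == "__main__":
    for first, second in find_chains(parse_accepted(SAMPLE_LINES)):
        print(
            f"chain: {first['src']} -> {first['dst']} at {first['ts']:%H:%M:%S}, "
            f"then {second['src']} -> {second['dst']} as {second['user']} "
            f"at {second['ts']:%H:%M:%S} (off-baseline hop)"
        )
```

In the sample the bastion-to-edge01 hop is in the baseline and is not reported, while the edge01-to-edge02 hop 25 seconds later is: an edge device acting as an SSH client to a peer is exactly the "already-authenticated host as a pivot" pattern the detection direction calls out. Legitimate chaining by administrators and orchestration tools will appear here too, so the baseline set is where local tuning belongs.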
Mitigation priorities
- Establish trusted baselines and file integrity controls for critical Linux systems, especially linker configuration, shared library paths, privileged binaries, and administrative tooling.
- Restrict write access to dynamic linker and privileged execution paths; enforce least privilege for administrators and service accounts.
- Harden SSH by limiting trust relationships, auditing key usage, monitoring privileged sessions, and reducing unnecessary host-to-host access.
- Prepare IR procedures for rootkit scenarios, including trusted evidence collection, isolation decisions, rebuild criteria, and credential rotation for accounts used on affected hosts.
- Ensure Linux and infrastructure monitoring is included in managed detection and incident response scope, not only traditional workstation/server EDR coverage.
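The T1574.006 monitoring point in the detection direction and the first mitigation priority (a trusted baseline for linker configuration and shared library paths) can be exercised with one check. The block below is an added example written for this page, not tooling from MITRE, Glexia, or any referenced vendor: it parses the contents of /etc/ld.so.preload and the LD_PRELOAD variable from /proc/<pid>/environ blobs, and reports every preloaded library that is not on an analyst-maintained allowlist. The allowlist entry, library paths and process environments used as sample input are constructed placeholders; `collect_live()` gathers the real inputs from a host when run as root.

```python
"""Baseline check for dynamic-linker preload abuse (T1574.006) on Linux.

Added example for this page (not ATT&CK or Glexia code). The parsing
functions take plain strings/bytes so the logic can be tested offline;
collect_live() supplies the same inputs from a real host.
"""
import os
from pathlib import Path

# Constructed allowlist: libraries the organisation knowingly preloads
# (for example a performance or security agent). Placeholder path.
BASELINE_ALLOWED = frozenset({
    "/opt/example-agent/lib/libexample_agent.so",
})


def parse_ld_so_preload(text):
    """Return library paths listed in an /etc/ld.so.preload body.

    The loader reads a whitespace-separated list; text after '#' on a line
    is a comment.
    """
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(line.split())
    return libs


def parse_environ(blob):
    """Parse a /proc/<pid>/environ blob (NUL-separated KEY=VALUE entries)."""
    env = {}
    for item in blob.split(b"\0"):
        if not item:
            continue
        key, _, value = item.partition(b"=")
        env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preload_entries(value):
    """Split an LD_PRELOAD value; the loader accepts spaces or colons."""
    return [entry for entry in value.replace(":", " ").split() if entry]


def findings_for(preload_file_text, proc_envs, allowed=BASELINE_ALLOWED):
    """Return (source, library) pairs for preloads missing from the baseline.

    proc_envs maps pid -> raw environ bytes. The system-wide preload file is
    checked first, then each process's LD_PRELOAD.
    """
    findings = []
    for lib in parse_ld_so_preload(preload_file_text):
        if lib not in allowed:
            findings.append(("/etc/ld.so.preload", lib))
    for pid, blob in proc_envs.items():
        env = parse_environ(blob)
        for lib in preload_entries(env.get("LD_PRELOAD", "")):
            if lib not in allowed:
                findings.append((f"pid {pid}", lib))
    return findings


def collect_live():
    """Read the preload file and every readable /proc/<pid>/environ.

    Reading other users' environ requires root; unreadable or exited
    processes are skipped.
    """
    preload = Path("/etc/ld.so.preload")
    text = preload.read_text() if preload.exists() else ""
    envs = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            envs[int(entry)] = Path(f"/proc/{entry}/environ").read_bytes()
        except OSError:
            continue
    return text, envs


# Constructed sample input (not real indicators): one allowed library and
# one unlisted library in the preload file, one process with an unlisted
# LD_PRELOAD and one with the allowed agent.
SAMPLE_PRELOAD = (
    "# managed by configuration management\n"
    "/opt/example-agent/lib/libexample_agent.so\n"
    "/usr/lib/libunlisted_example.so\n"
)
SAMPLE_ENVS = {
    1234: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/example_unlisted.so\0HOME=/root\0",
    1235: b"PATH=/usr/bin\0LD_PRELOAD=/opt/example-agent/lib/libexample_agent.so\0",
}

if __name__ == "__main__":
    for source, lib in findings_for(SAMPLE_PRELOAD, SAMPLE_ENVS):
        print(f"{source}: preloaded library not in baseline: {lib}")
```

The T1014 caveat from the detection direction applies directly: a rootkit that has already hooked the C library on the host can hide its own entry in /etc/ld.so.preload from a check that runs on that host, so the same comparison is worth repeating against an offline image or from a trusted boot medium, and the allowlist belongs in configuration management, not on the monitored host.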
Analyst notes and limits
The strongest decision value is to test whether the organization can still investigate and make containment decisions when a Linux host may be actively hiding files, processes, sessions, or credentials. MEDUSA should trigger control validation across Linux integrity monitoring, SSH lateral movement detection, credential response, and forensic readiness.
The supplied ATT&CK object has no official detection guidance, no malware tactics specified, and only a brief description. This take is derived from the official description, external reference metadata, and ATT&CK relationships to techniques, UNC3886, and RedPenguin. Local environment telemetry and baselines are required to determine actual exposure or coverage.
MEDUSA
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1563.001 | SSH Hijacking | |
| Enterprise | T1027.013 | Encrypted/Encoded File | |
| Enterprise | T1014 | Rootkit | |
| Enterprise | T1574.006 | Dynamic Linker Hijacking | |
Groups, software, and campaigns
G1048: UNC3886
UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.[1][2]
C0056: RedPenguin
The RedPenguin project was launched by Juniper in July 2024 to investigate reported malware infections of Juniper MX Series routers. RedPenguin activity was separately attributed to UNC3886 and included the deployment of multiple custom versions of the publicly-available TINYSHELL backdoor on Juniper routers.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | fa877fbe1aad… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Google Cloud Mandiant UNC3886 2024: Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.
[2] mitre-attack S1220: MITRE ATT&CK software entry S1220, MEDUSA.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.