Hacker uncovers Linux variant of DinodasRAT

Researchers have discovered that Red Hat and Ubuntu are being attacked by a Linux version of the DinodasRAT (aka XDealer) malware, which has likely been active since 2022.

Last fall, ESET talked about the DinodasRAT malware that attacked Windows systems. The researchers called these attacks “Operation Jacana” and wrote that they were targeting government organizations for the purpose of cyber espionage.


In addition, recently experts from Trend Micro reported about a Chinese APT group they track under the name Earth Krahang. This group used the XDealer malware to hack Windows and Linux systems of government organizations around the world.

In his reportnow published by Kaspersky Lab, details the Linux variant of DinodasRAT (aka XDealer), which experts describe as a cross-platform backdoor written in C++.

Researchers do not report anything about how the malware initially spread, but note that since October 2023 it has been attacking victims in China, Taiwan, Turkey and Uzbekistan. According to them, DinodasRAT gives the attacker complete control over compromised systems, and hackers mainly use it to gain and maintain access to targets through Linux servers.

“The backdoor is fully functional and gives operators full control over the infected machine, allowing data exfiltration and espionage,” the experts write.

Researchers say that when launched, the Linux variant of DinodasRAT creates a hidden file in the directory where its binary is located, which acts as a mutex that prevents multiple instances of the malware from running on the infected device. Next, the malware is fixed in the system using SystemV or SystemD.


The infected machine is flagged using information about the infection, hardware and system support, after which an infection report is sent to the command and control server.

Communication with the hackers' server is carried out over TCP or UDP protocols, and the malware uses the Tiny Encryption Algorithm (TEA) in CBC mode to protect this data exchange.

According to the report, DinodasRAT has the capabilities to monitor, control and exfiltrate data from compromised systems. And its main functions include:

  • monitoring and collecting data on user actions, system configuration and running processes;
  • receiving commands to execute from the management server, including actions with files and directories, executing shell commands and updating the address of the management server;
  • listing, starting, stopping and managing processes and services on the infected system;
  • remote shell for direct execution of commands or files;
  • Proxying C&C communications through remote servers.
  • downloading new versions of malware;
  • deleting yourself and erasing all traces of previous activity from the system.