Subscribe

Stealthy OrBit Malware Steals Data From Linux Devices

July 8, 2022

A newly detected Linux malware is being used to covertly steal information from backdoored Linux systems and infect all running processes on the network.

Intezer Labs security researchers, who first spotted the malware, named it OrBit. OrBit hijacks shared libraries to seize function calls by modifying the LD_PRELOAD environment variable on compromised devices.

While it can achieve persistence via two different methods to stop removal attempts, OrBit may also be deployed as a volatile implant when copied in shim-memory.

It can also hook some functions to evade detection, manipulate process behavior, maintain persistence by infecting new processes, and conceal network activity that would expose its presence.

For example, the moment it injects into a running process, OrBit can control its output to conceal any traces of its existence by filtering out what is logged.

“The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands. Once the malware is installed it will infect all of the running processes, including new processes, that are running on the machine,” explained Intezer Labs security researcher Nicole Fishbein.

Incidentally, OrBit is not the first highly-evasive Linux malware to come out recently that is capable of using identical methods to totally compromise and backdoor devices.

Symbiote also utilizes the LD_PRELOAD directive to load itself into running processes, rendering itself as a system-wide parasite without any traces of infection.

BPFDoor, another recently detected malware targeting Linux systems, disguises itself by using the names of common Linux daemons, which helps it in remaining undetected for five years or even more.

Both these strains use BPF (Berkeley Packet Filter) hooking functionality to monitor and control network traffic, thus helping hide their communication channels from security tools.

For more information, read the original story in Bleeping Computer.

Top Stories

eBay cutting 800 jobs amid strategic realignment

U.S. Pentagon presses Anthropic to lift AI use restrictions

Canada ‘disappointed’ as OpenAI fails to offer new safety protocols after B.C. school shooting

Amodei says Anthropic had Claude before ChatGPT 

Meta facial recognition glasses spark backlash as detection app launches

A quick primer on graph databases

Related Articles

Android malware taps Google’s Gemini AI, but Google says users are safe

February 23, 2026 Researchers say they’ve identified a new strain of Android malware that uses Google’s own Gemini AI model more...

Over 10 million U.S. users affected in Conduent data breach

February 23, 2026 Texas officials are warning about what could be the largest data breach in U.S. history, with notification more...

FBI flags surge in ATM jackpotting

February 20, 2026 ATM jackpotting attacks are accelerating from rare security demonstrations into a growing criminal enterprise, according to a more...

Fake Olympics Shop ads on Meta target shoppers with cloned sites

February 20, 2026 Bitdefender Labs says it is tracking an ongoing scam campaign on Meta platforms targeting users in the more...

Picture of TND Newsdesk

TND Newsdesk

Picture of TND Newsdesk

TND Newsdesk

Jim Love

Jim is an author and podcast host with over 40 years in technology.

Share:
Facebook
Twitter
LinkedIn
Tech News Day is a daily publication featuring key news stories about technology and how it affects businesses.

Follow Us

X-twitter Linkedin-in

Popular categories

Tech News Delivered

New, Relevant Tech Stories. Our selection is done by industry professionals – executives like you who pick the top stories for that day. Our writers summarize them to give you the key takeaways.
Subscribe
© 2025 TECHNEWSDAY. All rights reserved.