Friday, May 2, 2025
HomeCyber AttackNSA Revealed A Russian APT28 Hackers Made Previously Undisclosed Stealthy "Drovorub" Linux...

NSA Revealed A Russian APT28 Hackers Made Previously Undisclosed Stealthy “Drovorub” Linux Malware

Published on

SIEM as a Service

Follow Us on Google News

Recently, NSA, along with FBI, has revealed a Russian APT28 Linux malware named “Drovorub.” The experts asserted that this malware is managed by the Russian hackers, and the main motive of this malware was to plant backdoors inside hacked networks. 

The threat actors named the group “Fancy Bear,” and it takes advantage of various functions accessible to Linux Kernels.

“Drovorub” is a ‘swiss-army-knife’ that enables the threat actors to execute several functions, like Stealing files and remotely control the victim’s computer. 

- Advertisement - Google News

The “Drovorub” malware is consist of four tools that are turned into one specific thing; in short, Drovorub is a malware series that has four elements, and here they are:-

  • The kernel module rootkit
  • Implant
  • Command and Control (C2) Server
  • A port forwarding tool

“APT Hackers behind this malware has implemented a various evasion techniques from userspace, including specified files and directories, processes and evidence of those processes within th “/proc” filesystem, network ports and sessions, and specified loaded kernel modules, to include itself.” NSA said.

With the help of this technique Drovorub-kernel module performs various operations such as hiding process hiding, file hiding, socket hiding, netfilter hiding, and hiding from raw socket receives.

Work procedure of Drovorub malware

Drovorub works silently; the threat actors execute this malware with any prior notification. This malware is generally installed in an environment that are managed by the threat actors. 

It utilizes a MySQL database to handle joining agents and clients, as well as it also controls the authentication, tasking, and enrollment of all new agents and clients. Once it gets installed in the server, the client or the victim obtains commands from the server.

It enables the files to be transferred between the threat actors and the victim. This malware also has some extra set of capabilities like the port forwarding and remote ROOT shells.

The key function of this malware is that it controls the hiding of the client, and then it processes files and network ports from the user-space. It happens because the client is packed with the kernel module to implement hiding abilities to both.

Moreover, unless the UEFI secure boot is enabled in Full or Thorough mode, this malware remains hidden in the infected systems and survives reboots, as it has a high skill set.

The experts justified that Drovorub malware mainly has four elements that are rolled into one specific thing, as you can see in the above image, the component, and their function.

Mitigations Recommended

The security experts at NSA have affirmed that they are investigating the whole matter. But, until and unless it won’t get fixed, they have recommended users to follow and implement the mitigations they offered as the mitigations are intended to stop Drovorub’s resolution.

  • Apply Linux Updates.
  • The system managers should regularly check for and run the most advanced version of vendor-supplied software for their computer systems to take benefit of software improvements and the most advanced security detection and mitigation safeguards.
  • Prevent Untrusted Kernel Modules.
  • All the system owners are recommended to configure systems to store only modules with a compelling digital signature, as it makes it more challenging for a threat actor to import an ill-disposed kernel module into the system.

Both, NSA, and FBI are trying their best to determine this Linux malware, and they have confirmed that they would soon fix this issue, till then they strongly recommended the users to follow the mitigation properly.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read:

Citrix Warns That Hackers May Exploit the New Patched Flaw Quickly

US GOV Exposes Chinese Espionage Malware “TAIDOOR” Secretly Used To For a Decade

Latest articles

Managing Shadow IT Risks – CISO’s Practical Toolkit

Managing Shadow IT risks has become a critical challenge for Chief Information Security Officers...

Application Security in 2025 – CISO’s Priority Guide

Application security in 2025 has become a defining concern for every Chief Information Security...

Preparing for Quantum Cybersecurity Risks – CISO Insights

Quantum cybersecurity risks represent a paradigm shift in cybersecurity, demanding immediate attention from Chief...

Securing Digital Transformation – CISO’s Resource Hub

In today’s hyper-connected world, securing digital transformation is a technological upgrade and a fundamental...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

AiTM Phishing Kits Bypass MFA by Hijacking Credentials and Session Tokens

Darktrace's Security Operations Center (SOC) in late 2024 and early 2025, cybercriminals have been...

Nitrogen Ransomware Uses Cobalt Strike and Log Wiping in Targeted Attacks on Organizations

Threat actors have leveraged the Nitrogen ransomware campaign to target organizations through deceptive malvertising...

TheWizards Deploy ‘Spellbinder Hacking Tool’ for Global Adversary-in-the-Middle Attack

ESET researchers have uncovered sophisticated attack techniques employed by a China-aligned threat actor dubbed...