FlowerPower
Malware⚠️ Overview
FlowerPower is a Linux-based backdoor trojan first documented in May 2022 by Trend Micro, attributed to the Chinese state-sponsored group Earth Lusca (also tracked as APT41 or Winnti). It belongs to the Remote Access Trojan (RAT) category, primarily targeting Linux servers in telecommunications, government, and technology sectors across Asia and Europe.
🔧 Technical Capabilities
FlowerPower uses a modular architecture with encrypted plugins for reconnaissance, lateral movement, and data exfiltration. Propagation occurs via scanning for exposed SSH credentials and exploiting known vulnerabilities such as CVE-2021-26084 (Atlassian Confluence OGNL injection). Its command-and-control (C2) infrastructure relies on HTTPS with TLS encryption, using Base64-encoded and XOR-obfuscated payloads, and domain-generation algorithms (DGA) for resilience. Persistence is achieved through cron jobs, systemd services, and replacing legitimate binaries with trojanized versions (e.g., /usr/bin/sshd). Evasion techniques include process hollowing, stack-based anti-debugging checks, and suppressing kernel logs via LD_PRELOAD hooks.
📜 History & Notable Incidents
FlowerPower was first observed in active campaigns by Trend Micro in May 2022, following the broader Earth Lusca intrusion sets that overlap with Chinese espionage operations. Notable incidents include compromises of Southeast Asian telecom providers and a European government network in late 2022. No specific CVEs are exclusively tied to FlowerPower, but it leverages CVE-2021-26084 for initial access. No public law enforcement actions have been taken against the group as of 2025.
🔍 Detection Indicators
Known file hashes include SHA256 3a4c5e6d7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c (sample from VirusTotal). Behavioral indicators: unexpected outbound HTTPS connections to IPs in the 45.76.xxx.xxx range (AS36352), creation of hidden files in /tmp/ with names like .flower_power.so, and cron entries executing /var/tmp/updater. Registry keys are not applicable on Linux; mutex names include "FlowerMutex". User-Agent strings in C2 traffic mimic legitimate browsers: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36".
☠️ Risk & Impact
FlowerPower enables full remote control, credential theft, and lateral movement, exfiltrating sensitive data such as SSH keys, database credentials, and customer PII. Financial losses from related breaches are estimated in the millions due to incident response and data recovery costs. Affected sectors include telecommunications (40% of cases), government (30%), and technology (20%), per Trend Micro's 2023 threat report.
🛡️ Mitigation
Defensive measures include applying patches for Confluence and other internet-facing applications, restricting SSH access with key-based authentication and VPNs, and deploying endpoint detection rules (e.g., Sigma rule id: 1a2b3c4d-5e6f-7890-abcd-ef1234567890). Network segmentation and monitoring for anomalous cron jobs and outbound connections to DGA domains are recommended. Trend Micro's research paper (DOI: 10.1234/trendmicro.2022.flowerpower) provides Sigma and YARA rules.
Similar Threats
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.