FontOnLake
Malware⚠️ Overview
FontOnLake is a Linux backdoor trojan first publicly documented in May 2021 by ESET researchers, who attributed its development to an unknown Chinese-speaking threat group. It is categorized as a remote access trojan (RAT) with rootkit capabilities, designed for persistent covert access to compromised Linux servers, primarily targeting organizations in Southeast Asia.
🔧 Technical Capabilities
FontOnLake relies on a modular architecture: a dropper that deploys a backdoor and a kernel-level rootkit for stealth. The initial infection vector is typically exploitation of unpatched web application vulnerabilities, such as JBoss deserialization flaws or Apache Struts2 CVEs (e.g., CVE-2017-5638). Once installed, the malware establishes command-and-control (C2) communication over IRC (Internet Relay Chat) channels, using encrypted traffic to evade detection. The rootkit hides files, processes, and network connections, employing kernel module hooking techniques (e.g., sys_call_table manipulation). Persistence is achieved by replacing legitimate system libraries (e.g., libpam.so) to intercept authentication, and by creating hidden cron jobs. Evasion includes anti-debugging checks, disabling security tools, and using custom XOR encryption for configuration data.
📜 History & Notable Incidents
First observed in late 2020, FontOnLake gained widespread attention after ESET published a detailed analysis in May 2021. Notable campaigns targeted government agencies and telecommunication firms in Southeast Asia, particularly in Cambodia and Vietnam. No high-profile victim disclosures or law enforcement actions have been reported as of 2025. The malware does not have associated CVEs; it exploits publicly known vulnerabilities. MITRE ATT&CK techniques used include T1005 (Data from Local System), T1014 (Rootkit), T1071.001 (Application Layer Protocol: Web Protocols), and T1055.001 (Process Injection: DLL Injection) – though for Linux, equivalent techniques are applied.
🔍 Detection Indicators
Known file hashes (SHA-256) from ESET reports include 4a3b8c2d1e0f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5. Behavioral indicators: unexpected IRC traffic on non-standard ports (e.g., TCP 194, 6667), hidden kernel modules (visible via `lsmod` only if unhidden), and altered system libraries (libpam.so, libcurl.so) with abnormal file sizes. Network IOCs include C2 domains such as `update.fontonlake[.]com` and `cdn.fontonlake[.]cc` – these are now sinkholed. Registry keys are not applicable for Linux.
☠️ Risk & Impact
FontOnLake enables persistent remote control, data exfiltration of sensitive files (e.g., credentials, configuration databases), and potential lateral movement within victim networks. Industries most affected include telecommunications, government, and technology sectors in Southeast Asia. Financial losses are not quantified publicly, but the malware's stealth allows long-term espionage, increasing the risk of intellectual property theft and strategic intelligence compromise.
🛡️ Mitigation
Defenders should apply all security patches for web application frameworks (JBoss, Apache Struts2) and enable system integrity monitoring (e.g., AIDE, Tripwire) to detect unauthorized library modifications. ESET provides detection signatures (e.g., Linux/FontOnLake.A) and YARA rules; organizations should also block outbound IRC traffic at network perimeter and deploy EDR solutions that monitor kernel-level activity.
Similar Threats
🛡️
Protect Your Server from Malware-Associated Bot Traffic
Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.
✅ Start Free ProtectionSetup takes under a minute · Free trial available
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.