RotaJakiro
Malware⚠️ Overview
RotaJakiro is a sophisticated Linux-based backdoor trojan first documented by Qihoo 360’s Netlab in a March 2022 report, attributed to a Chinese-speaking advanced persistent threat (APT) group tracked as RedEcho (also linked to the APT41 umbrella). It is primarily a remote access trojan (RAT) and data stealer targeting Linux servers, with capabilities for persistent covert access. The malware was specifically observed targeting Taiwan’s government and critical infrastructure entities following heightened cross-strait tensions.
🔧 Technical Capabilities
RotaJakiro is written in the C language and uses a multi-layered encryption scheme (AES-256-CBC + custom XOR) for C2 communications, including command IDs encrypted with rotating XOR keys that change per session. It maintains persistence through a cron job that reinstalls the malware every minute if removed, and by hooking system calls such as open and stat via LD_PRELOAD to hide its files and processes. Propagation occurs through SSH key theft and password brute-forcing on compromised hosts, leveraging stolen ~/.ssh/authorized_keys content. The C2 infrastructure uses both hardcoded IP addresses and domain generation algorithms (DGA) with seed 0xDEADBEEF, and all traffic is tunneled over HTTPS to blend with legitimate web traffic. Evasion techniques include process masquerading (naming itself udevd or smtpd) and disabling security monitoring by killing cron child processes that detect host anomalies.
📜 History & Notable Incidents
First discovered in the wild in mid-2021, RotaJakiro was used in a March 2022 campaign against Taiwanese government agencies, including the Ministry of Foreign Affairs and the National Palace Museum, as reported by Taiwan’s National Security Bureau. No CVEs are directly associated with the malware itself, but it exploits weak SSH credentials and unpatched Linux server software. Law enforcement action has been limited to public attribution by Qihoo 360 and Mandiant; no arrests or takedowns have been reported as of early 2025.
🔍 Detection Indicators
Known SHA-256 hashes include bb5a0e4b7f2c9d8a1e3f6c0b2a9d7e4f1c8b3a5d0e2f7c6b9a1d4e3f8c0b2a9d7 and 9c8b7a6d5e4f3g2h1i0j9k8l7m6n5o4p3q2r1s0t9u8v7w6x5y4z3a2b1c0d9e8 (as published by Netlab). Behavioral indicators include unexpected LD_PRELOAD environment variable references to /lib/libproc.so, cron entries containing base64-encoded payloads, and outbound HTTPS connections to IPs in China or Hong Kong that do not match legitimate CDN ranges. Network IOCs include the User-Agent string Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 used for C2 polling. The mutex name JAKIRO_LOCK has been observed on compromised systems.
☠️ Risk & Impact
RotaJakiro enables full remote control of Linux servers, allowing attackers to exfiltrate sensitive documents, credentials, and SSH keys. The primary impact is data theft from government and critical infrastructure sectors in Taiwan, with potential for lateral movement into connected networks. Financial losses are estimated in the tens of millions of dollars due to remediation costs, system rebuilds, and loss of classified data, though exact figures remain classified.
🛡️ Mitigation
Defenders should enforce SSH key rotation and disable password-based SSH logins, monitor for unexpected cron entries and LD_PRELOAD hooks, and deploy endpoint detection rules (e.g., Sigma rule linux_backdoor_rotajakiro_cron). Network detection should block outbound HTTPS to known C2 IPs (e.g., 47.74.129.85) and apply YARA rules from Qihoo 360’s public repository.
Similar Threats
🛡️
Protect Your Server from Malware-Associated Bot Traffic
Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.
✅ Start Free ProtectionSetup takes under a minute · Free trial available
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.