KTLV Backdoor
KTLVdoor is a cross-platform backdoor written in Go, with builds for both Windows and Linux. It is heavily obfuscated and is dropped under the names of legitimate system utilities such as sshd, java, sqlite, bash and edr-agent. Once running, it lets the operator execute commands, manipulate files and run port scans remotely, giving full control of the compromised host.

Key Insights

Obfuscation and Evasion Techniques

KTLVdoor relies on heavy obfuscation to evade detection and slow down analysis: embedded strings are not stored in readable form, symbols are stripped, and function and package names are renamed to random Base64-like strings. This hinders static analysis and prolongs the time needed to reverse engineer its functionality.

Command-and-Control Infrastructure

The malware is backed by a large command-and-control (C2) infrastructure of more than 50 servers hosted at Alibaba in China. A network of this size supports real-time command execution and data exfiltration and makes blocking by individual address alone unreliable.

Functionalities

Besides command execution, KTLVdoor offers file manipulation, system and network information retrieval, proxying, file download/upload and port scanning. Together these give the attacker full control of the infected machine to perform reconnaissance, pivot inside the network and deploy additional payloads as needed.

Known Variants

As of now, no specific variants of KTLVdoor have been publicly documented. The malware's recent emergence and heavy obfuscation may delay the discovery of different versions.

Mitigation Strategies

  • Enforce application allowlisting to block execution of untrusted binaries disguised as system utilities (such as sshd, java, bash, sqlite, edr-agent), in particular copies of those names running from locations where the real utility does not live.

  • Monitor for internal port scanning and unusual file operations originating from Linux or Windows hosts, using network monitoring and EDR alerts.

  • Integrate C2 indicators into network blocklists: block or sinkhole outbound HTTP/DNS/TCP connections to the known Alibaba-hosted command-and-control servers (the specific indicators, not the hosting provider's address space as a whole).

  • Conduct regular threat hunting with behavioral rules (e.g., obfuscated Go binaries, stripped symbols, XOR-encoded strings) and scan systems for KTLVdoor IoCs with an up-to-date EDR platform.
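The hunting bullets above can be turned into a filesystem triage that looks for exactly the combination the write-up describes: a Go-compiled ELF with its symbols stripped that carries the name of a system utility. The script below is an added example written for this page, not code from the original post or from any vendor tool. The masquerade names come from the text; the expected-directory allowlist, the "sqlite3" alias and the Go marker byte strings are assumptions for the example, and build_sample_elf constructs a minimal fake ELF so the checks can be exercised offline without a real sample.

```python
import os
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
SHT_SYMTAB = 2

# Utility names the write-up says KTLVdoor is dropped as. "sqlite3" is the
# usual on-disk name of the sqlite shell and is added here as an assumption.
MASQUERADE_NAMES = {"sshd", "java", "sqlite", "sqlite3", "bash", "edr-agent"}

# Where those utilities legitimately live on a typical Linux host (assumed
# baseline for the example; adjust to your fleet's package layout).
EXPECTED_DIRS = ("/usr/sbin", "/usr/bin", "/bin", "/sbin", "/usr/lib/jvm")

# Residue the Go toolchain tends to leave even after `-ldflags="-s -w"`:
# the build-info magic, the build ID string and the pclntab section name.
GO_MARKERS = (b"\xff Go buildinf:", b"Go build ID:", b".gopclntab")


def section_types(data: bytes) -> list:
    """Return sh_type for every section header of a little-endian ELF64.
    An empty list means the section header table itself is gone, an even
    stronger "stripped" signal than a missing .symtab."""
    if len(data) < 64 or data[:4] != ELF_MAGIC or data[4] != ELFCLASS64:
        raise ValueError("not a 64-bit ELF image")
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    types = []
    for i in range(e_shnum if e_shoff else 0):
        off = e_shoff + i * e_shentsize
        if off + 8 > len(data):
            break  # truncated or malformed table: stop, do not crash the hunt
        _, sh_type = struct.unpack_from("<II", data, off)
        types.append(sh_type)
    return types


def is_stripped(data: bytes) -> bool:
    """True when the image carries no SHT_SYMTAB section (symbols stripped)."""
    return SHT_SYMTAB not in section_types(data)


def looks_like_go(data: bytes) -> bool:
    """True when any Go toolchain marker survives in the file bytes."""
    return any(marker in data for marker in GO_MARKERS)


def triage(path: str, data: bytes) -> dict:
    """Score one ELF. None of the impersonated utilities is written in Go, so a
    Go binary carrying one of those names is already anomalous; being stripped
    or living outside the packaged directories raises confidence."""
    name = os.path.basename(path)
    parent = os.path.dirname(path)
    in_expected_dir = any(parent == d or parent.startswith(d + "/") for d in EXPECTED_DIRS)
    go, stripped, masquerading = looks_like_go(data), is_stripped(data), name in MASQUERADE_NAMES
    return {
        "path": path,
        "go": go,
        "stripped": stripped,
        "masquerading": masquerading,
        "unexpected_location": masquerading and not in_expected_dir,
        "suspicious": masquerading and go and (stripped or not in_expected_dir),
    }


def hunt(root: str, max_size: int = 64 << 20) -> list:
    """Walk a tree and return the triage results flagged as suspicious."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                if os.path.islink(p) or not os.path.isfile(p) or os.path.getsize(p) > max_size:
                    continue
                with open(p, "rb") as f:
                    data = f.read()
            except OSError:
                continue  # unreadable or vanished file; keep hunting
            if len(data) < 64 or data[:4] != ELF_MAGIC or data[4] != ELFCLASS64:
                continue
            result = triage(p, data)
            if result["suspicious"]:
                hits.append(result)
    return hits


def build_sample_elf(stripped: bool, go: bool) -> bytes:
    """Construct a minimal, non-runnable ELF64 image so the checks can be
    exercised offline (constructed test input, not a real sample)."""
    header = bytearray(64)
    header[:4] = ELF_MAGIC
    header[4] = ELFCLASS64
    header[5] = 1  # little-endian
    body = (b"\xff Go buildinf:" if go else b"") + b"\x00" * 32
    types = [1] if stripped else [1, SHT_SYMTAB]  # PROGBITS, optionally SYMTAB
    shnum = 1 + len(types)  # index 0 is the mandatory null section
    struct.pack_into("<Q", header, 0x28, 64 + len(body))
    struct.pack_into("<HH", header, 0x3A, 64, shnum)
    table = bytearray(64 * shnum)
    for i, sh_type in enumerate(types, start=1):
        struct.pack_into("<II", table, i * 64, 0, sh_type)
    return bytes(header) + body + bytes(table)
```

Run hunt("/") (or a narrower root such as /tmp, /var/tmp and home directories) from a scheduled job and forward the hits to your SIEM. The Go markers are a heuristic: a build with garble or a custom linker can remove them, so treat a masquerading name in an unexpected location as worth a look even when the Go check is negative, and pair the on-host scan with the network-side C2 and port-scan monitoring listed above.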


Targeted Industries or Sectors

KTLVdoor was observed deployed against a Chinese trading company. The threat actor behind it, Earth Lusca, has a broader record of targeting organizations in the telecommunications, technology and government sectors across Asia.

Associated Threat Actors

The Chinese-speaking threat group Earth Lusca is the primary actor observed deploying KTLVdoor. Active since at least 2019, Earth Lusca has targeted organizations across Asia, Australia, Europe and North America, and KTLVdoor is a new addition to its cyber-espionage toolset.

General defensive measures apply alongside the mitigations above: deploy endpoint protection capable of detecting and blocking the backdoor, monitor the network for unusual traffic, train employees to recognize phishing emails and to verify attachments and links before opening them, and keep systems and software patched.
