Kobalos Malware Threat Intel Advisory

March 6, 2021
min read
Malware Advisory
Credential Stealer, Backdoor
Kobalos Malware
Affected Industries
IT & ITES, Government services


Kobalos is a sophisticated Linux malware that has a small, yet complex codebase. In January 2021, ESET Researchers discovered this malware actively targeting high-performing computers across multiple organizations. Although the malware’s codebase is tiny it is enough to attack Linux, BSD, Solaris and probably other operating systems as well.



Kobalos was detected targeting supercomputer clusters in Poland, Canada and China. Kobalos operators deploy a different malware to hijack SSH server connections and steal credentials. Followed by which, the stolen credentials are used to penetrate the computer clusters to mobilize Kobalos. It works as a backdoor and abuses specific TCP source ports.

Kobalos allows attackers to access the file system remotely, generate terminal sessions, etc. One of the unique features of this malware is that it can turn a compromised server into a C2 server with a single command. Once the malware is dropped on a supercomputer, the code is hidden in an OpenSSH server executable and Kobalos listens to a specific TCP source port which then triggers the backdoor. The other Kobalos variants act as middlemen for traditional command-and-control (C2) server connections.

Kobalos features and ways to access them


Kobalos code is held in a single function that periodically calls itself to perform subtasks making it harder for reverse engineering. The backdoor requires a private 512-bit RSA key and a 32-byte-long password to be executed. Once validated RC4 keys are exchanged and further communication is encrypted with them.



Name/ ID
Persistence Compromise Client Software Binary (TI554), Traffic Signaling (TI205)
Defense Evasion Clear Command History (T1070.003), Timestomp (T1070.006), Software Packing (T1027.002)
Command and Control Encrypted Channel: Symmetric Cryptography (T1573.001), Encrypted Channel: Asymmetric Cryptography (T1573.002), Proxy: Multi-hop Proxy (T1090.003)



Business Impact
  1. Financial loss to the organization if its operations are interrupted
  2. Loss of brand reputation
  3. Compromised PII leads to social engineering attacks
Technical Impact

Creates a backdoor which allows access to the user’s device. Through which the attacker will be able to modify files or launch the malicious software.


Indicators of Compromise

  1. 1dd0edc5744d63a731db8c3b42efbd09d91fed78
  2. 325f24e8f5d56db43d6914d9234c08c888cdae50
  3. 479f470e83f9a5b66363fba5547fdfcf727949da
  4. 659cbdf9288137937bb71146b6f722ffcda1c5fe
  5. 6616de799b5105ee2eb83bbe25c7f4433420dff7
  6. a4050a8171b0fa3ae9031e0f8b7272facf04a3aa
  7. affa12cc94578d63a8b178ae19f6601d5c8bb224
  8. c1f530d3c189b9a74dbe02cfeb29f38be8ca41ba
  9. e094dd02cc954b6104791925e0d1880782b046cf
  10. fbf0a76ced2939d1f7ec5f9ea58c5a294207f7fe
  1. 13cbde1b79ca195a06697df937580c82c0e1cd90cc91c18ddfe4a7802e8e923a
  2. 29e2f15a4a6275f43d86cf613c2934171aa5be187da7fdaa99a006245890de1f
  3. 4d610283c93904d984a42269aef65c2cab89f4a127d9c229a700e6aaf9d7000e
  4. 6c36e0341ea1529665de88b690a19a18ea02d2a2a5bae6d745e01efc194e486a
  5. 73576d5a21ec2f164fe37bea86964e18dca1b800a8c7a104223cc35d74e7bd58
  6. 75edf6662811d001da179b96bd06d675aa2439fd88a981cc84f24b4a5b4f8f45
  7. 9ed33b43e679ad98615e1a4e8c46dbeb9b93271625e46f4b4d021099b4b6fb74
  8. d51cb52136931af5ebd8628b64d6cd1327a99196b102d246f52d878ffb581983
  9. dd1b3cd0042d4c090bc72099f30e4b76d5f2772f9f9f95176f2c59bc2ac30aa8
  10. f8c931767bc0ab951b72ab691163e6d1fc3c50e4ceee5277858d3e77a0c02e92



  1. Use updated antivirus software that detects and stops malware infections
  2. Apply critical patches to the system and application
  3. Use strong passwords and enable 2FA over logins
  4. Check the privileges and permission allotted to the user
  5. Make it easy for users to report suspicious behavior
  6. Back-up data regularly 
No items found.