The sub-techniques beta is now live! Read the release blog post for more info.


HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statistically linked ELF binary with stdlibc++.[1]

ID: S0394
Platforms: Linux
Version: 1.0
Created: 24 June 2019
Last Modified: 06 July 2019

Techniques Used

Domain ID Name Use
Enterprise T1156 .bash_profile and .bashrc

HiddenWasp installs reboot persistence by adding itself to /etc/rc.local.[1]

Enterprise T1136 Create Account

HiddenWasp creates a user account as a means to provide initial persistence to the compromised machine.[1]

Enterprise T1024 Custom Cryptographic Protocol

HiddenWasp uses an RC4-like algorithm with an already computed PRGA generated key-stream for network communication.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

HiddenWasp uses a cipher to implement a decoding function.[1]

Enterprise T1027 Obfuscated Files or Information

HiddenWasp encrypts its configuration and payload.[1]

Enterprise T1055 Process Injection

HiddenWasp adds itself to the LD_PRELOAD path and sets a series of environment variables.[1]

Enterprise T1105 Remote File Copy

HiddenWasp downloads a tar compressed archive from a download server to the system.[1]

Enterprise T1014 Rootkit

HiddenWasp uses a rootkit to hook and implement functions on the system.[1]

Enterprise T1064 Scripting

HiddenWasp uses a script to automate tasks on the victim's machine and to assist in execution.[1]

Enterprise T1095 Standard Non-Application Layer Protocol

HiddenWasp communicates with a simple network protocol over TCP.[1]

Enterprise T1065 Uncommonly Used Port

HiddenWasp uses port 61061 to communicate with the C2 server.[1]