The sub-techniques beta is now live! Read the release blog post for more info.


Fysbis is a Linux-based backdoor used by APT28 that dates back to at least 2014.[1]

ID: S0410
Platforms: Linux
Version: 1.0
Created: 12 September 2019
Last Modified: 14 October 2019

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

Fysbis has the ability to create and execute commands in a remote shell for CLI.[1]

Enterprise T1043 Commonly Used Port

Fysbis has used port 80 for C2. [1]

Enterprise T1132 Data Encoding

Fysbis can use Base64 to encode its C2 traffic.[2]

Enterprise T1083 File and Directory Discovery

Fysbis has the ability to search for files. [2]

Enterprise T1107 File Deletion

Fysbis has the ability to delete files.[2]

Enterprise T1056 Input Capture

Fysbis can perform keylogging. [1]

Enterprise T1036 Masquerading

Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier.[2]

Enterprise T1027 Obfuscated Files or Information

Fysbis has been encrypted using XOR and RC4. [2]

Enterprise T1057 Process Discovery

Fysbis can collect information about running processes. [2]

Enterprise T1082 System Information Discovery

Fysbis has used the command ls /etc | egrep -e"fedora*|debian*|gentoo*|mandriva*|mandrake*|meego*|redhat*|lsb-*|sun-*|SUSE*|release" to determine which Linux OS version is running.[1]

Enterprise T1501 Systemd Service

Fysbis has established persistence using a systemd service. [2]

Groups That Use This Software

ID Name References
G0007 APT28 [1]