1. Home
  2. Software
  3. REPTILE

REPTILE

REPTILE is an open-source Linux rootkit with multiple components that provides backdoor access and functionality.[1]

ID: S1219
Type: MALWARE
Platforms: Linux
Version: 1.0
Created: 09 June 2025
Last Modified: 09 June 2025
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1547 .006 Boot or Logon Autostart Execution: Kernel Modules and Extensions

The REPTILE rootkit is implemented as a loadable kernel module (LKM).[1]
Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

REPTILE can deploy components automatically with shell scripts.[1]
Enterprise T1543 .004 Create or Modify System Process: Launch Daemon

The REPTILE launcher can daemonize a process.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

The REPTILE launcher component can decrypt kernel module code from a file and load it into memory.[1]
Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

REPTILE can use TLS over raw TCP for secure C2.[1][2]
Enterprise T1546 .017 Event Triggered Execution: Udev Rules

REPTILE has used udev for persistence.[1]
Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

REPTILE has the ability to communicate with the kernel-mode component to hide files.[1]
Enterprise T1095 Non-Application Layer Protocol

REPTILE can communicate using TLS over raw TCP.[1][2]
Enterprise T1014 Rootkit

REPTILE has the ability to hook kernel functions and modify functions data to achieve rootkit functionality such as hiding processes and network connections.[1]
Enterprise T1205 Traffic Signaling

The REPTILE reverse shell component can listen for a specialized packet in TCP, UDP, or ICMP for activation.[1][2]
.001 Port Knocking

REPTILE has the ability to control compromised endpoints via port knocking.[1]

Groups That Use This Software

ID Name References
G1048 UNC3886

[1][3]

Campaigns

ID Name Description
C0056 RedPenguin

REPTILE was used for command execution and persistence during RedPenguin.[3]

References

  1. Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.
  2. Marvi, A. et al.. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.
  1. Lamparski, L. et al. (2025, March 11). Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers. Retrieved June 24, 2025.