MEDUSA

MEDUSA is an open-source rootkit that is capable of dynamic linker hijacking, command execution, and credential logging.[1]

ID: S1220
Type: MALWARE
Platforms: Linux
Version: 1.0
Created: 09 June 2025
Last Modified: 09 June 2025

Techniques Used

Domain: Enterprise | ID: T1574.006 | Name: Hijack Execution Flow: Dynamic Linker Hijacking
Use: MEDUSA can execute code by hijacking the dynamic linker through the LD_PRELOAD mechanism.[1]

Domain: Enterprise | ID: T1027.013 | Name: Obfuscated Files or Information: Encrypted/Encoded File
Use: MEDUSA can XOR-encrypt its configuration strings.[1]

Domain: Enterprise | ID: T1563.001 | Name: Remote Service Session Hijacking: SSH Hijacking
Use: MEDUSA can be configured to capture SSH credentials via SSH hijacking.[1]

Domain: Enterprise | ID: T1014 | Name: Rootkit
Use: MEDUSA is a rootkit with command execution and credential logging capabilities.[1]
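As an added defender-side illustration of the T1574.006 entry above (this is example code, not part of the ATT&CK page or MEDUSA itself), the check below parses the two places the dynamic linker takes preload libraries from, /etc/ld.so.preload and an LD_PRELOAD variable in a process environment (/proc/<pid>/environ), and flags entries outside a set of trusted library directories; the trusted directory list and the sample inputs are assumptions constructed for the example.

```python
import os

# Assumption: legitimate preload libraries live under these directories; tune per host.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")

def parse_ld_so_preload(text: str) -> list:
    """Library paths from /etc/ld.so.preload (one per line, '#' comments, whitespace-separated)."""
    libs = []
    for line in text.splitlines():
        libs.extend(line.split("#", 1)[0].split())
    return libs

def parse_environ(environ: bytes) -> list:
    """LD_PRELOAD entries from a /proc/<pid>/environ blob (NUL-separated KEY=VALUE pairs)."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            return value.replace(":", " ").split()   # the loader accepts ':' or space separators
    return []

def suspicious(path: str) -> bool:
    """Flag relative entries (resolved via the library search path) and paths outside trusted dirs."""
    if not path.startswith("/"):
        return True
    real = os.path.normpath(path)
    return not any(real.startswith(d + "/") for d in TRUSTED_LIB_DIRS)

def find_preload_hijacks(ld_so_preload_text: str, environ_blobs: dict) -> list:
    """One finding string per suspicious preload entry, across both sources."""
    findings = []
    for lib in parse_ld_so_preload(ld_so_preload_text):
        if suspicious(lib):
            findings.append(f"/etc/ld.so.preload -> {lib}")
    for pid, blob in environ_blobs.items():
        for lib in parse_environ(blob):
            if suspicious(lib):
                findings.append(f"pid {pid} LD_PRELOAD -> {lib}")
    return findings

# Constructed sample input (not data from a real host).
SAMPLE_PRELOAD = "# managed by config mgmt\n/usr/lib/libexample.so  # benign\n/dev/shm/.x/libhook.so\n"
SAMPLE_ENVIRON = {
    4242: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.cache/lib.so\0HOME=/root\0",
    4243: b"PATH=/usr/bin\0HOME=/root\0",
}

if __name__ == "__main__":
    for finding in find_preload_hijacks(SAMPLE_PRELOAD, SAMPLE_ENVIRON):
        print("SUSPICIOUS:", finding)
```

Because a user-land rootkit loaded through LD_PRELOAD can hook the same libc file and directory calls this script relies on, run the check from a statically linked binary or from a rescue environment when the host is suspected of being compromised.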

Groups That Use This Software

ID: G1048 | Name: UNC3886 | References: [1][2]

Campaigns

ID: C0056 | Name: RedPenguin
Description: MEDUSA was used for command execution and persistence during RedPenguin.[2]

References