XZ backdoor: Hook analysis


In their first article on the XZ backdoor, Kaspersky researchers analyzed its code from initial infection to the function hooking it performs. As they mentioned then, its initial goal was to successfully hook one of the functions related to RSA key manipulation.

In this article, the research team will focus on the backdoor’s behaviour inside OpenSSH, specifically OpenSSH portable version 9.7p1 – the most recent version at this time. To better understand what’s going on, they recommend you to read Baeldung’s article about SSH authentication methods and JFrog’s article about privilege separation in SSH.

Read more…
Source: Kaspersky


Sign up for our Newsletter


Related:

  • Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT

    November 14, 2025

    Palo Alto Unit 42 researchers have identified two interconnected malware campaigns active throughout 2025, using large-scale brand impersonation to deliver Gh0st remote access Trojan (RAT) variants to Chinese-speaking users. From the first campaign to the second, the adversary advanced from simple droppers to complex, multi-stage infection chains that misuse legitimate, signed software to bypass modern defenses. ...

  • Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics

    November 13, 2025

    In the wake of a targeted doxxing campaign last month that exposed the alleged core members of Lumma Stealer (which Trend Micro tracks as Water Kurita), the underground infostealer landscape experienced a significant upheaval. As detailed in Trend Research’s previous report, this exposure led to a marked decline in Lumma Stealer’s activity, with many of its ...

  • SesameOp: Novel backdoor uses OpenAI Assistants API for command and control

    November 3, 2025

    Microsoft Incident Response – Detection and Response Team (DART) researchers uncovered a new backdoor that is notable for its novel use of the OpenAI Assistants Application Programming Interface (API) as a mechanism for command-and-control (C2) communications. Instead of relying on more traditional methods, the threat actor behind this backdoor abuses OpenAI as a C2 channel as ...

  • Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack

    October 29, 2025

    Palo Alto Unit 42 researchers have discovered a new Windows-based malware family they’ve named Airstalk, which is available in both PowerShell and .NET variants. Unit 42 assess with medium confidence that a possible nation-state threat actor used this malware in a likely supply chain attack. The researchers have created the threat activity cluster CL-STA-1009 to identify ...

  • Active Water Saci Campaign Spreading Via WhatsApp Features Multi-Vector Persistence and Sophisticated C&C

    October 27, 2025

    Trend Research is continuously tracking the aggressive malware campaign it identified as Water Saci, which uses WhatsApp as its primary infection vector. In our previous blog, the Water Saci campaign, with its malware identified as SORVEPOTEL, automatically distributes the same malicious ZIP file to all contacts and groups associated with the victim’s compromised account for ...

  • Mem3nt0 mori – The Hacking Team is back!

    October 27, 2025

    n March 2025, Kaspersky detected a wave of infections that occurred when users clicked on personalized phishing links sent via email. No further action was required to initiate the infection; simply visiting the malicious website using Google Chrome or another Chromium-based web browser was enough. The malicious links were personalized and extremely short-lived to avoid detection. ...