Analysis of Pupy RAT Used in Attacks Against Linux Systems


Pupy is a cross-platform Remote Access Trojan (RAT). Because it is an open-source project published on GitHub, it is continually picked up by a range of threat actors, including APT groups. For example, it is known to have been used by APT35 (attributed to Iran) [1] and in Operation Earth Berberoka [2], which targeted online gambling websites. More recently, a malware strain named Decoy Dog, an updated build of Pupy RAT, was discovered; it was used in attacks against corporate networks in Russia and Eastern Europe [3].

This post provides a basic overview of Pupy RAT and covers the attack cases identified during analysis. The main examples are attacks against Linux systems in South Korea and the Pupy RAT builds that have been distributed to Asian countries over the past several years.

