Iron Tiger is an advanced persistent threat (APT) group that has been focused primarily on cyberespionage for more than a decade. In 2022, we noticed that they updated SysUpdate, one of their custom malware families, to include new features and add malware infection support for the Linux platform.
We found the oldest sample of this updated version in July 2022. At the time, we attributed the sample to Iron Tiger but had not yet identified the final payload. It was only after finding multiple similar payloads in late October 2022 that we looked further and found similarities with the SysUpdate malware family that had also been updated in 2021. As with the previous version, Iron Tiger had made the loading logic complex, probably in an attempt to evade security solutions.