S1219 REPTILE
REPTILE is an open-source Linux rootkit with multiple components that provides backdoor access and functionality.[1]
| Item | Value |
|---|---|
| ID | S1219 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 09 June 2025 |
| Last Modified | 09 June 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.006 | Kernel Modules and Extensions | The REPTILE rootkit is implemented as a loadable kernel module (LKM).[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | REPTILE can deploy components automatically with shell scripts.[1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.004 | Launch Daemon | The REPTILE launcher can daemonize a process.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | The REPTILE launcher component can decrypt kernel module code from a file and load it into memory.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | REPTILE can use TLS over raw TCP for secure C2.[1][2] |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.017 | Udev Rules | REPTILE has used udev for persistence.[1] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | REPTILE has the ability to communicate with the kernel-mode component to hide files.[1] |
| enterprise | T1095 | Non-Application Layer Protocol | REPTILE can communicate using TLS over raw TCP.[1][2] |
| enterprise | T1014 | Rootkit | REPTILE has the ability to hook kernel functions and modify function data to achieve rootkit functionality such as hiding processes and network connections.[1] |
| enterprise | T1205 | Traffic Signaling | The REPTILE reverse shell component can listen for a specialized packet over TCP, UDP, or ICMP for activation.[1][2] |
| enterprise | T1205.001 | Port Knocking | REPTILE has the ability to control compromised endpoints via port knocking.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1048 | UNC3886 | [1][3] |
References
- [1] Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.
- [2] Marvi, A. et al. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.
- [3] Lamparski, L. et al. (2025, March 11). Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers. Retrieved June 24, 2025.