S1220 MEDUSA
MEDUSA is an open-source rootkit capable of dynamic linker hijacking, command execution, and credential logging.[1]
| Item | Value |
|---|---|
| ID | S1220 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 09 June 2025 |
| Last Modified | 09 June 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.006 | Dynamic Linker Hijacking | MEDUSA can execute code through dynamic linker hijacking, loading itself as a shared library via LD_PRELOAD.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | MEDUSA can XOR-encrypt its configuration strings.[1] |
| enterprise | T1563 | Remote Service Session Hijacking | - |
| enterprise | T1563.001 | SSH Hijacking | MEDUSA can be configured to capture SSH credentials via SSH hijacking.[1] |
| enterprise | T1014 | Rootkit | MEDUSA is a rootkit with command execution and credential logging capabilities.[1] |
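The LD_PRELOAD row above names the loading mechanism; what a responder usually wants next is a way to check a host for it. The following is an added example (not MEDUSA's code and not part of the ATT&CK entry) that inspects /etc/ld.so.preload and each process's environment for LD_PRELOAD entries that point outside trusted library directories or into hidden directories. The trusted-prefix list, the set of sensitive daemon names and the sample inputs are assumptions.

```python
"""Triage checks for LD_PRELOAD-based dynamic linker hijacking (T1574.006).

Added example, not MEDUSA's code and not part of the ATT&CK entry. The trusted
library prefixes and the list of sensitive daemons below are assumptions.
"""
from __future__ import annotations

import os
import re
from pathlib import Path

# The loader consults /etc/ld.so.preload for every process; LD_PRELOAD is the
# per-process environment equivalent. Both hold whitespace- or colon-separated
# shared-object paths.
PRELOAD_FILE = Path("/etc/ld.so.preload")

# Assumption: directories a legitimate preload on this host would come from.
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Assumption: daemons that should never run with LD_PRELOAD in their environment.
SENSITIVE_PROCS = {"sshd", "systemd", "cron", "crond", "init"}


def split_preload_list(text: str) -> list[str]:
    """Split an LD_PRELOAD value or an ld.so.preload body into library paths."""
    return [p for p in re.split(r"[\s:]+", text) if p]


def parse_environ(blob: bytes) -> dict[str, str]:
    """Parse a /proc/<pid>/environ blob: NUL-separated KEY=VALUE entries."""
    env: dict[str, str] = {}
    for item in blob.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep:
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def is_suspicious_library(path: str) -> bool:
    """Flag a preloaded library that sits outside the trusted prefixes or has a
    hidden (dot-prefixed) path component, a common place to stash a rootkit .so."""
    hidden = any(part.startswith(".") for part in Path(path).parts)
    return hidden or not path.startswith(TRUSTED_PREFIXES)


def findings_for_process(comm: str, environ: bytes) -> list[str]:
    """Findings for one process, given its comm name and raw environ blob."""
    preload = parse_environ(environ).get("LD_PRELOAD", "")
    if not preload:
        return []
    findings = []
    if comm in SENSITIVE_PROCS:
        findings.append(f"{comm}: LD_PRELOAD set on a sensitive daemon: {preload}")
    for lib in split_preload_list(preload):
        if is_suspicious_library(lib):
            findings.append(f"{comm}: LD_PRELOAD references untrusted library {lib}")
    return findings


def findings_for_preload_file(text: str) -> list[str]:
    """Findings for the body of /etc/ld.so.preload."""
    return [f"ld.so.preload: untrusted library {lib}"
            for lib in split_preload_list(text) if is_suspicious_library(lib)]


def scan_live_host() -> list[str]:
    """Run both checks on the running host (needs a Linux /proc; root sees all environs)."""
    findings: list[str] = []
    if PRELOAD_FILE.is_file():
        findings += findings_for_preload_file(PRELOAD_FILE.read_text(errors="replace"))
    if not os.path.isdir("/proc"):
        return findings
    for pid in (d for d in os.listdir("/proc") if d.isdigit()):
        try:
            comm = Path(f"/proc/{pid}/comm").read_text().strip()
            environ = Path(f"/proc/{pid}/environ").read_bytes()
        except OSError:
            continue  # process exited, or environ unreadable without root
        findings += findings_for_process(comm, environ)
    return findings


if __name__ == "__main__":
    for line in scan_live_host() or ["no LD_PRELOAD indicators found"]:
        print(line)
```

Run it as root for full coverage, since an unprivileged user cannot read the environ of other users' processes. A clean result from this script does not clear a host: a preload library that has already hooked the functions used to read /proc (a rootkit's usual trick) can hide from it, so compare against a read taken from offline disk or a trusted boot image when the host is in question.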
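For the XOR-encoded configuration strings in the T1027.013 row, an analyst who has carved the encoded blob out of a sample still needs the key. The following is an added example, not MEDUSA's code; the page does not state MEDUSA's key or key length. It shows a single-byte brute force ranked by how config-like each candidate plaintext is, and a known-plaintext recovery for a short repeating key. The sample plaintext, both keys and the scoring alphabet are constructed assumptions.

```python
"""Recovering XOR-encoded configuration strings (T1027.013).

Added example, not MEDUSA's code. The page does not state MEDUSA's key or key
length; the sample plaintext and keys here are constructed for illustration.
"""
from __future__ import annotations

import string
from itertools import cycle
from typing import Optional

# Bytes expected in a configuration string: identifiers, paths, key=value
# separators. Used to rank brute-force candidates (an assumption; tune per sample).
CONFIG_CHARS = frozenset((string.ascii_letters + string.digits + " =/.:;_-,").encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def config_score(buf: bytes) -> float:
    """Fraction of bytes that look like configuration text."""
    return sum(b in CONFIG_CHARS for b in buf) / len(buf) if buf else 0.0


def brute_force_single_byte(blob: bytes, limit: int = 5) -> list[tuple[int, bytes]]:
    """Try every non-zero single-byte key and return the `limit` most
    config-like (key, plaintext) pairs, best first."""
    ranked = []
    for k in range(1, 256):  # key 0 would leave the blob unchanged
        plain = xor_bytes(blob, bytes([k]))
        ranked.append((config_score(plain), k, plain))
    ranked.sort(reverse=True)
    return [(k, p) for _, k, p in ranked[:limit]]


def recover_with_crib(blob: bytes, crib: bytes, key_len: int) -> Optional[bytes]:
    """Known-plaintext recovery for a repeating key of length key_len.

    If the string is known to start with `crib`, XORing the crib with the
    ciphertext prefix yields the key. A crib longer than the key lets the
    result be checked: the decoded output must still start with the crib."""
    if len(crib) < key_len or len(blob) < key_len:
        return None
    key = xor_bytes(blob[:key_len], crib[:key_len])
    plain = xor_bytes(blob, key)
    return plain if plain.startswith(crib) else None


# Constructed sample: a plausible config line encoded with single-byte key
# 0x5A, and again with a two-byte key. Neither value is taken from MEDUSA.
SAMPLE_PLAIN = b"log=/var/tmp/.sshd.log;port=22"
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, bytes([SAMPLE_KEY]))
SAMPLE_KEY2 = b"\x5a\xa5"
SAMPLE_BLOB2 = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY2)

if __name__ == "__main__":
    key, plain = brute_force_single_byte(SAMPLE_BLOB)[0]
    print(f"single-byte key 0x{key:02x}: {plain!r}")
    print(f"two-byte key via crib: {recover_with_crib(SAMPLE_BLOB2, b'log=', 2)!r}")
```

Ranking by a config alphabet rather than by "printable" matters: for short strings several wrong keys produce fully printable output (any mask that only flips bit 6 turns lowercase letters into punctuation and digits), and a printable-only score cannot separate them from the real plaintext. For keys longer than a byte, a crib such as a path prefix or a known key name is usually cheaper than a frequency attack, and a crib longer than the key length gives a self-check on the result.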
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1048 | UNC3886 | [1][2] |
References
1. Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.
2. Lamparski, L. et al. (2025, March 11). Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers. Retrieved June 24, 2025.