ClickCease DinodasRAT Malware: A Multi-Platform Backdoor Targeting Linux

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

DinodasRAT Malware: A Multi-Platform Backdoor Targeting Linux

Rohan Timalsina

April 15, 2024 - TuxCare expert team

DinodasRAT, a C++-based malware, has emerged as a serious threat to Linux users. Initially discovered targeting Windows systems, researchers have recently reported a Linux variant of this multi-platform backdoor actively deployed in cyberattacks. This article explores the capabilities of DinodasRAT (also known as XDealer) and the dangers it poses to Linux servers.

Recent findings from Kaspersky shed light on the spread of DinodasRAT, with targets spanning regions including China, Taiwan, Turkey, and Uzbekistan. This malware allows attackers to extract a wide range of sensitive data from compromised hosts, making it a formidable adversary in the realm of cyber espionage.


Linux Variant Observed in Attacks


Kaspersky identified the first Linux version of DinodasRAT (V10) in October 2023. However, further research suggests the first known variant (V7) appeared in July 2021. Check Point later discovered a more advanced version (V11) in November 2023. This variant primarily targets Red Hat-based distributions and Ubuntu Linux.

A report by Trend Micro linked a Chinese APT (Advanced Persistent Threat) group, “Earth Krahang,” to the use of DinodasRAT. The group reportedly employed XDealer to breach government systems running on both Windows and Linux platforms.


Functionality and Impact


DinodasRAT establishes persistence on infected systems with the help of SystemV or SystemD startup scripts and communicates with remote servers to receive commands. It boasts a range of malicious capabilities, including:

  • File manipulation
  • Updating C2 server addresses
  • Enumerating and terminating running processes
  • Executing shell commands
  • Downloading new versions of itself
  • Self-uninstallation

DinodasRAT also employs various techniques to evade detection by debugging and monitoring tools and encrypt communication with the C2 server using the Tiny Encryption Algorithm (TEA). Kaspersky emphasizes that its primary function is to grant attackers complete control over compromised Linux servers. This enables them to exfiltrate data and conduct espionage activities.


Protecting Yourself


The lower security protocols employed on Linux systems make them vulnerable entry points for attackers. By following the security best practices, you can significantly reduce the risk of falling victim to DinodasRAT and other Linux-targeting malware. These include keeping your Linux systems up-to-date with the latest security patches, regularly monitoring system activity for unusual behavior, and implementing robust security solutions to detect and prevent malicious activities.




The emergence of a Linux variant of DinodasRAT highlights the growing focus of cybercriminals on targeting Linux servers. As threat actors continue to find new tactics, organizations require a modern patching approach for Linux security. One of the effective strategies is live patching.

TuxCare’s KernelCare Enterprise offers live patching services for all major Linux distributions, including Ubuntu, Debian, RHEL, CentOS, Rocky Linux, AlmaLinux, Oracle Linux, CloudLinux, and more. It enables you to deploy security updates automatically without needing to reboot the system.

Send patching-related questions to a TuxCare security expert to learn more about Linux live patching strategy.


The sources for this article include a story from TheHackerNews.

DinodasRAT Malware: A Multi-Platform Backdoor Targeting Linux
Article Name
DinodasRAT Malware: A Multi-Platform Backdoor Targeting Linux
Discover the threat of DinodasRAT malware targeting Linux systems. Learn about its Linux variant, capabilities, and mitigation strategies.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter