Backdoor:Linux/Gafgyt.AH!MTB - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:Linux/Gafgyt.AH!MTB
Classification:
Type: Backdoor
Platform: Linux
Family: Gafgyt
Detection Type: Concrete (known malware family with identified signatures)
Variant: AH (specific signature variant within the malware family)
Suffix: !MTB (detected via machine learning and behavioral analysis)
Detection Method: Behavioral
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access), Linux platform, family Gafgyt

Summary:

This is a concrete detection of Backdoor:Linux/Gafgyt.AH, a specific variant of the Gafgyt botnet family targeting Linux systems. It operates as a backdoor, providing remote access and typically engaging in Distributed Denial-of-Service (DDoS) attacks, often spoofing game server queries.

Severity: Critical
VDM Static Detection: no specific strings found for this threat
YARA Rule:
rule Backdoor_Linux_Gafgyt_AH_2147767059_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Gafgyt.AH!MTB"
        threat_id = "2147767059"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Gafgyt"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "5"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "SendHTTPHex" ascii //weight: 1
        $x_1_2 = "SendSTDHEX" ascii //weight: 1
        $x_1_3 = "TSource Engine Query + /x54/x53/x6f/x75/x72/x63/x65/x20/x45/x6e/x67/x69/x6e/x65/x20/x51/x75/x65/x72/x79" ascii //weight: 1
        $x_2_4 = "vseattack" ascii //weight: 2
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware which is associated with this threat:
Remediation Steps:
Immediately isolate the affected Linux system to prevent further compromise or participation in botnet activities. Terminate all associated malicious processes, remove the malware files, and rigorously patch all system vulnerabilities. Change all administrative and user credentials, strengthen network perimeter controls, and monitor for any signs of reinfection.
=== END REPORT ===
This analysis was last updated on 14/12/2025.