Backdoor:Linux/Multiverze!rfn

user@threatcheck.sh ~ threat-analysis

bash

$ analyze-threat Backdoor:Linux/Multiverze!rfn

Backdoor:Linux/Multiverze!rfn - Windows Defender threat signature analysis

$ cat analysis.txt

=== THREAT ANALYSIS REPORT ===

Threat Name: Backdoor:Linux/Multiverze!rfn

Classification:

Type:Backdoor

Platform:Linux

Family:Multiverze

Detection Type:Concrete

Known malware family with identified signatures

Suffix:!rfn

Specific ransomware family name

Confidence:Very High

False-Positive Risk:Low

Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Multiverze

Summary:

This threat is a backdoor from the Multiverze family that provides an attacker with remote control over a compromised system. Despite the 'Linux' platform classification, technical evidence such as Windows Registry Run keys and DLL references strongly indicates it targets the Windows OS, where it establishes persistence and contacts command-and-control servers.

Severity:

Critical

VDM Static Detection:

Relevant strings associated with this threat:
 - www.gpmce.net (PEHSTR_EXT)
 - www.booble.com (PEHSTR_EXT)
 - MSVBVM60.DLL (PEHSTR_EXT)
 - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - \n(<M (NID)
 - 1em\M (NID)
 - 2~oS\^ (SNID)
 - ^%+n~/ (SNID)
 - M/DFGL (SNID)
 - v4.`L+ (SNID)
 - \-a'f (SNID)
 - 82W9\yH (SNID)
 - i.L98& (SNID)
 - &/%#2 (SNID)
 - $B/OF (SNID)
 - l\I~@S\ (SNID)
 - /,Fs@~J8 (SNID)
 - \\5J' (SNID)
 - Qc3\x]fZ (SNID)
 - ~U5B-{/% (SNID)
 - :A /3 (SNID)
 - \)/*A (SNID)
 - YK"\} (SNID)
 - iDH.0 (SNID)
 - %a.VD (SNID)
 - HgCY\N (SNID)
 - .(K'u,% (SNID)
 - -$.l= (SNID)
 - qa>6ngd. (SNID)
 - vG.].4X (SNID)
 - }O$]/ (SNID)
 - ~,jN.v (SNID)
 - ;1\C4d (SNID)
 - 5{\%) (SNID)
 - `ksW. (SNID)
 - q`+H7H/ (SNID)
 - lp\M~ (SNID)
 - ;*\v{"7F7 (SNID)
 - 'H\z{ (SNID)
 - FkXA.:F+ (SNID)
 - EW/j-^ (SNID)
 - (t1dx. (SNID)
 - g/^IE (SNID)
 - /6[mt (SNID)
 - hk.j' (SNID)
 - mW\\q% (SNID)
 - 0YZ\. (SNID)
 - m.p<p (SNID)
 - PN.o$0 (SNID)
 - ,UP/' (SNID)
 - [/C`mH (SNID)
 - ?.O6T (SNID)
 - {@gW. (SNID)
 - TB"\Y (SNID)
 - |mO\V (SNID)
 - VcSX\ (SNID)
 - qz7P/! (SNID)
 - /Fgb$ (SNID)
 - jSo (SNID)
 - #-zW\ (SNID)
 - V\p'6 (SNID)
 - &._X" (SNID)
 - -6\1~||j7( (SNID)
 - -Ke/- (SNID)
 - .%Viq (SNID)
 - j/VXH_Y[ (SNID)
 - 8p^.O (SNID)
 - T`/+' (SNID)
 - XX<+m\ (SNID)
 - 7/w`5 (SNID)
 - \d:a0 (SNID)
 - 7B/DO (SNID)
 - >4/kL (SNID)
 - 'go/, (SNID)
 - IW\1# (SNID)
 - Xi\#E (SNID)
 - .OL5i\o (SNID)
 - N~.8g (SNID)
 - &a3$/= (SNID)
 - 5Qoi\U` (SNID)
 - =&j/3[ (SNID)
 - T6.:) (SNID)
 - RZZ.EM (SNID)
 - 8UTw\t1 (SNID)
 - W:\ty (SNID)
 - y1g/a (NID)
 - .JuUv (SNID)
 - KP9i. (SNID)
 - jSmHrat (SNID)
 - +)t/S (SNID)
 - R9'>/ (SNID)
 - /'SYR (SNID)
 - /" E. (SNID)
 -  Wy\t (SNID)
 - o/L}j (SNID)
 - ,.{pS7~ (SNID)
 - ;ZYJs~6 (SNID)
 - ;gL.:C (SNID)
 - "~ 1/ (SNID)
 - &/y D# (SNID)
 - d\^yy (SNID)
 - E?.cb (SNID)
 - 1-\\ULe (SNID)
 - 2/BFE (SNID)
 - I}/M7PH (SNID)
 - ZkO/_ (SNID)
 - K:.Wj2 (SNID)
 - Y_/Hr (SNID)
 - AjS (SNID)
 -  .\K; (SNID)
 - iu)@/ (SNID)
 - v;].QA{ (SNID)
 - G.q)d (SNID)
 - 4ggj\ (SNID)
 - \/<9M (SNID)
 - MxE2. (SNID)
 - V,@U/ (SNID)
 - \s=Tkz (SNID)
 - 9Oy/;EM (SNID)
 - l.gH3 (SNID)
 - \u|[{l (SNID)
 - o'H/X (SNID)
 - wCxj\ (SNID)
 - w52/Q (SNID)
 - w0N3(\ (SNID)
 - $o9.A (SNID)
 - \u:}N (SNID)
 - cYLY/ (SNID)
 - +E^lS;/ (SNID)
 - \&L'Sz (SNID)
 - DZ\%F (SNID)
 - '`gQ . (SNID)
 - /$2pW (SNID)
 - Xu._2 (SNID)
 - j.|z[ (SNID)
 - "'8\q# (SNID)
 - )ITG.7 (SNID)
 - TEZ4(6;/ (SNID)
 - G8\hY~`Y (SNID)
 - .d3lL> (SNID)
 - \/n}Usn(A (SNID)
 - 1Js (SNID)
 - "8C(/ (SNID)
 - MvU.V (SNID)
 - %JS (SNID)
 - hW.3, (SNID)
 - bK_7.& (SNID)
 - N,.96 (SNID)
 - k*Js$ (SNID)
 - .z _R (SNID)
 - 8+%/' (SNID)
 - 3w;/$ (SNID)
 - st.=#71 (SNID)
 - GOo/R] (SNID)
 - 1/',js (SNID)
 - /50hj (SNID)
 - y/Vxf (SNID)
 - ^jPFF. (SNID)
 - sb`\U (SNID)
 - t1r.[l (SNID)
 - Fci.N (SNID)
 - / /M) (SNID)
 - \AA=E (SNID)
 - Gg{/Q (SNID)
 - ]?/e*&t (SNID)
 - N/+RzG (SNID)
 - Tz3ch_. (SNID)
 - \q[VD (SNID)
 - Xvi9\ (SNID)
 - T/K%f (SNID)
 - s)Z/!z (SNID)
 - WF*/k (SNID)
 - e\HIn (SNID)
 - fqsv/ (SNID)
 - \\X*b (SNID)
 - _A%/e (SNID)
 - S;.>x (SNID)
 - Z!\I^ (SNID)
 - !PO.o (SNID)
 - \'KBjE (SNID)
 - N/KFv (SNID)
 - /mma; (SNID)
 - !X\Sn (SNID)
 - \C=g($ (SNID)
 - A\w/y` (SNID)
 - .{\wco (SNID)
 - 2h/TW (SNID)
 - "f`]WfR/c (SNID)
 - 0unFE.QL (SNID)
 - dlm\D (SNID)
 - <k/Z[ (SNID)
 - X,/MQ (SNID)
 - " .'< (SNID)
 - Kxk/^ (SNID)
 - kw\2E> (SNID)
 - /,KIb (SNID)
 - @d h/ (SNID)
 - n/i<2- (SNID)
 - GNy\# (SNID)
 - g.dLM (NID)
 - RCOM (NID)
 - <T.QM (NID)
 - OP|/I (SNID)
 - jsk (SNID)
 - vK.O] (SNID)
 - HS/b4 (SNID)
 - jsa (SNID)
 - /H[8&S (SNID)
 - va.0< (SNID)
 - !ugo\n (SNID)
 - \dtfa (NID)
 - DC\YLv (SNID)
 - 3n/?R (SNID)
 - -i"\~ (SNID)
 - qE/R}cg (SNID)
 - ]Y9G\ (SNID)
 - /G),[ (SNID)
 - \8*z! (SNID)
 - Ic3/x (SNID)
 - /#$h: (SNID)
 - :n0c/ (SNID)
 - jOnE. (SNID)
 - lz\@% (SNID)
 - h[.<$0c (SNID)
 - MgS0/\ (SNID)
 - un\EZ (SNID)
 - *.&-M (NID)
 - JSh (NID)
 - ye/:{ (SNID)
 - /cF(^ (SNID)
 - 9q/Ui (SNID)
 - .</RI (SNID)
 - 7.|}_-= (SNID)
 - 5wzb2/ (SNID)
 - Ka/]$ (SNID)
 - {.[Gw (SNID)
 - \vla= (SNID)
 - n. ^) (SNID)
 - 1&m.\$ (SNID)
 - v)/pA2 (SNID)
 - 8</:?e" (SNID)
 - \NkpIlC (SNID)
 - 'a[_. (SNID)
 - -j.J# (SNID)
 - \v&h,R (SNID)
 - <I\jn! (SNID)
 - Cr/oj# (SNID)
 - ;J\~F (SNID)
 - /O|)#p] (SNID)
 - \8.08 (SNID)
 - }[\jri (SNID)
 - j/dLI (SNID)
 - y?.p] (SNID)
 - r2/[E (SNID)
 - H\idS (SNID)
 - Rko.# (SNID)
 - >~.qd^ (SNID)
 - 0.vF< (SNID)
 - $\;qM (NID)
 - *.$Kw (SNID)
 - w/!x]Y (SNID)
 - 4.N5p (SNID)
 - ZbE\p (SNID)
 - 4esO-..p (SNID)
 - $/j+ g (SNID)
 - \{vOI (SNID)
 - scR (SNID)
 - ;2;/ac (SNID)
 - /Smi? (SNID)
 - \cH7,~ (SNID)
 - .]k.E> (SNID)
 - .p|hr> (SNID)
 - 0F.=^ (SNID)
 - jv.ij (SNID)
 - \3'%X (SNID)
 - \tTfj Z (SNID)
 - :P\8M (SNID)
 - ru/hn (SNID)
 - +t\86 (SNID)
 - 4B*J. (SNID)
 - {j\?N (SNID)
 - ..7IC (SNID)
 - Z\v:9T (SNID)
 - $hZ7Be/ (SNID)
 - z.0_\ (SNID)
 - /mt)&h (SNID)
 - \^k(B<3 (SNID)
 - @>=\AX (SNID)
 - YTv{'9. (SNID)
 - {JX&\ (SNID)
 - H/$;\( (SNID)
 - <4\7A6 (SNID)
 - /-mc_ (SNID)
 - zv_[/lH (SNID)
 - Ja8Lw.G@72 (SNID)
 - /+Cv) (SNID)
 - \f0zj (SNID)
 - 0r/6 V (SNID)
 - +P`uwLC.] (SNID)
 - vbS (SNID)
 - q3J/\ (SNID)
 - \%>G] (SNID)
 - %b+'.p& (SNID)
 - TeZNH.9 (SNID)
 - 0\\8@ (SNID)
 - wf1J\ (SNID)
 - 4d[q\ (SNID)
 - ; \@r (SNID)
 - \AJI;M (SNID)
 - ,h-/H (SNID)
 - #K@/2 (SNID)
 - /lp1Z@ (SNID)
 - Wc\;F (SNID)
 - T.?qfy (SNID)
 - -QAjJ/ (SNID)
 - 7\arKy (SNID)
 - Cb.-\ (SNID)
 - \8y<1 (SNID)
 - #e5/c4 (SNID)
 - 4~/!c (SNID)
 - w0{U|l/ (SNID)
 - Z~\bx@f (SNID)
 - D\FvxG (SNID)
 - Uy`\~ (SNID)
 - F\Y6`6 (SNID)
 - /4`@nS (SNID)
 - =/jW] (SNID)
 - \`.i9 (SNID)
 - tgy\C (SNID)
 - .yL"> (SNID)
 - R{t@. (SNID)
 - BXVo. (SNID)
 - /@_~; (SNID)
 - PE/b)]x2T (SNID)
 - .A[G< (SNID)
 - <BH/U (SNID)
 - +.XrV (SNID)
 - %?.,WY (SNID)
 - )/VE&?$ (SNID)
 - $$ 68/ (SNID)
 - .lz*$ZJ_B (SNID)
 - 4/(=-= (SNID)
 - ^N\kM (SNID)
 - ;\A(e@ (SNID)
 - \MLz8 (SNID)
 - Fz\YpiS% (SNID)
 - \'NI. (SNID)
 - >]._} (SNID)
 - nJs (SNID)
 - OAb3\ (SNID)
 - bkDP_\n (SNID)
 - =.P</ (SNID)
 - '.`n+p (SNID)
 - MM<.^ (SNID)
 - /_CFM (SNID)
 - \Xz^k (SNID)
 - #)].z (SNID)
 - \/~"j (SNID)
 - X m~. (SNID)
 - 2j>\M (NID)
 - \4;a: (SNID)
 - :.d{[} (SNID)
 - <*rZ\ (SNID)
 - ]Eb\| (SNID)
 - ;b/Xl (SNID)
 - /R&_h (SNID)
 - 0.;\c< (SNID)
 - .]$q.f (SNID)
 - fKt.!l (SNID)
 - EFP|b1,k.| (SNID)
 - /o~cS (SNID)
 - L/<{}f$ (SNID)
 - \)MKW (SNID)
 - I$._j:/ (SNID)
 - Gon.o (SNID)
 - :WBk. (SNID)
 - /F~8avl (SNID)
 - *.Y5I (SNID)
 - \Il`uk (SNID)
 - lrq8@.kb (SNID)
 - RYyL\b (SNID)
 - \~Xv  (SNID)
 - )\j|t (SNID)
 - &,TU. (SNID)
 - Vy(/# (SNID)
 - 6$\12/ (SNID)
 - JSn (SNID)
 - n5X?[Rw. (SNID)
 - 5.C>Y (SNID)
 - }/S41 (SNID)
 - "Y"S. (SNID)
 - m>m/S (SNID)
 - (V9/: (SNID)
 - V-..g (SNID)
 - js: (SNID)
 - ym",\\ (SNID)
 - dO;v\ (SNID)
 - \uZ!d (SNID)
 - u/Z,n (SNID)
 - Y\pUH (SNID)
 - 3f\$# (SNID)
 - .}rx  (SNID)
 - udqV. (SNID)
 - ${Q&. (SNID)
 - 4f\8l(4>a (SNID)
 - .k+:W% (SNID)
 - z7/!Q (SNID)
 - IV/*V:V (SNID)
 - J1"/  (SNID)
 - 4mg.) (SNID)
 - [\*{y (SNID)
 - \7l5(" (SNID)
 - Lc\wlm (SNID)
 - Sf\,Uo (SNID)
 - MS/B374 (SNID)
 - q7/r&X4 (SNID)
 - A&|#V. (SNID)
 - JcU\Rw (SNID)
 - ;r!=F/` Tx (SNID)
 - @\9F5 (SNID)
 - r</k= (SNID)
 - " w'-. (SNID)
 - =?[R. (SNID)
 - bcF)\ (SNID)
 - QFC\ H"* (SNID)
 - /f0oZ (SNID)
 - T\Eva (SNID)
 - %].0L (SNID)
 - js-N (SNID)
 - KlO/&R (SNID)
 - K_o\^ (SNID)
 - 79w.l (SNID)
 - axR/] (SNID)
 - "beO\v'ss (SNID)
 - .i+?5 (SNID)
 - )Qa_/ (SNID)
 - 0~!5/ (SNID)
 - :%Ui.C; (SNID)
 - :.eX%X (SNID)
 - `ve\Rc (SNID)
 - Xw.(n (SNID)
 - xN6Zs/ (SNID)
 - y/ule (SNID)
 - 5|B\e. (SNID)
 - M.$YT\ (SNID)
 - \a)rW (SNID)
 - fL.&C (SNID)
 - Lc/]M[ (SNID)
 - |W]\c (SNID)
 - /<)g9y (SNID)
 - 2%7.p#:.O& (SNID)
 - y/:{IT (SNID)
 - /kzCf% (SNID)
 - 4.N_< (SNID)
 - ;$z;n. (SNID)
 - /Qm>?L (SNID)
 - ve7>/n& (SNID)
 - f11Y.4 (SNID)
 - ujSS0aC (SNID)
 - BE\1~ (SNID)
 - .-LPNa (SNID)
 - \2km~ (SNID)
 - /NBWHO?| (SNID)
 - oV\]* (SNID)
 - JSV (SNID)
 - .DN,mG (SNID)
 - +.mg% (SNID)
 - H}<W/ (SNID)
 - dIjs (SNID)
 - &qkE. (SNID)
 - (c!\: (SNID)
 - T2\~' (SNID)
 - /fF1f  (SNID)
 - Y7Exe$8- (SNID)
 - <I){/7 (SNID)
 - /-/,HP`) (SNID)
 - v0.1< (SNID)
 - +vy.6{ (SNID)
 - Y\@1&BT (SNID)
 - @GI.y (SNID)
 - "h".KY (SNID)
 - dMJ./ (SNID)
 - yn(7. (SNID)
 - q#cqI/ (SNID)
 - m\"RH (SNID)
 - /o^@S (SNID)
 - PV%r\ (SNID)
 - ,\tV? (SNID)
 - n%\ # (SNID)
 - .W7c) (SNID)
 - *+S.W],g (SNID)
 - hV\=b (SNID)
 - /*^)W: (SNID)
 - 4%4!qb/) (SNID)
 - d\\+-Wl (SNID)
 - /A[F9 (SNID)
 - 54u.3 (SNID)
 - G\6fbLhS: (SNID)
 - 62S/U (SNID)
 - J~Wf.0 (SNID)
 - .%SP-M (SNID)
 - >JS (SNID)
 - UU\Wj (SNID)
 - /Vjr_j (SNID)
 - YG2\n (SNID)
 - ]/xDT (SNID)
 - \pDvw (SNID)
 - yE\)L (SNID)
 - "51\9 (SNID)
 - $^?bwy. (SNID)
 - F"E.L (SNID)
 - X/d.Z (SNID)
 - z\jJEeg (SNID)
 - \.,Cr (SNID)
 - '/xk% (SNID)
 - (.WI_ (SNID)
 - *:UU.BV_N (SNID)
 - [s#/N (SNID)
 - 7d\yz (SNID)
 - ";js0 (SNID)
 - gg.Z z (SNID)
 - 1k|WS8t. (SNID)
 - /l<=#" (SNID)
 - #Pr'. (SNID)
 - uJ2`\H (SNID)
 - DuuW+. (SNID)
 - l(\@L (SNID)
 - {_vQ. (SNID)
 - /G#kp (SNID)
 - )IJQ/ (SNID)
 - ;/_Vn (SNID)
 - "\gbJFL (SNID)
 - /BG3M<+ (SNID)
 - <I/A! (SNID)
 - 3Jr\;2 (SNID)
 - ;js (SNID)
 - fKDg.F (SNID)
 - "A\Zz` (SNID)
 - /4d5p (SNID)
 - KJs (SNID)
 - -w._Mmk (SNID)
 - 15&z. (SNID)
 - -f/d0KS" (SNID)
 - k)N/9 (SNID)
 - [/N0, (SNID)
 - ]\#AU, (SNID)
 - UxLc\ (SNID)
 - 1;S?{/ (SNID)
 - +CZ/NT (SNID)
 - >\?$i (SNID)
 - }jS (SNID)
 - JS/ (SNID)
 - 7 !// (SNID)
 - _Y44&/ (SNID)
 - A:@?\@ (SNID)
 - .""P, (SNID)
 - .(<gaA (SNID)
 - +c/\uhr (SNID)
 - A/<FkX (SNID)
 - \S^|= (SNID)
 - d.KQ_c (SNID)
 - cJsg (SNID)
 - Ct/z@ D (SNID)
 - Br.[Ny (SNID)
 - k7?.# (SNID)
 - Uje \ (SNID)
 - <a/urh (SNID)
 - x/7~N} (SNID)
 - xJs2 (SNID)
 - \4_,T< (SNID)
 - <21/Q (SNID)
 - -.3Zgr (SNID)
 - RJ0/8 (SNID)
 - PW.HL (SNID)
 - wX.XH (SNID)
 - }\IQ* (SNID)
 - p5/ea (SNID)
 -  }p{\4Q (SNID)
 - .F6LN (SNID)
 - t.}QN (SNID)
 - {;W6. (SNID)
 - }Js;) (SNID)
 - =*A.)sz3 (SNID)
 - bq:.u (SNID)
 - a\f:NY (SNID)
 - K\BP5 (SNID)
 - n?vF. (SNID)
 - *!h/N (SNID)
 - JS. (SNID)
 - tgW/vV (SNID)
 - \~JcI (SNID)
 - nLjs (SNID)
 - /KaO'Z (SNID)
 - \.$w~` (SNID)
 - .~B_$Bl (SNID)
 - 4/+7i (SNID)
 - 0Z[/Lam (SNID)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

Known malware which is associated with this threat:

Filename: systems-etcd

9d513a419bf129a42017b29eb7d084451a4f34be0828f6871439ec79f7f9b5fb

07/12/2025

→VirusTotal ↓Download Sample

Filename: nginx2

6dd649ff95665ceb7d9ac1a3e601f2936338d8d8b928cb25f0254509e09409b0

06/12/2025

→VirusTotal ↓Download Sample

Filename: test

f0d3d5668a4df347eb0a59df167acddb245f022a518a6d15e37614af0bbc2adf

06/12/2025

→VirusTotal ↓Download Sample

Filename: test

bab972378f51e64b6bde99a79c87e109b7015ca3145d51fb3f419ae18e57b965

06/12/2025

→VirusTotal ↓Download Sample

Filename: crond

240afa3a6457f1ee866f6f03ff815009ff8fd7b70b902bc59b037ac54b6cae9b

04/12/2025

→VirusTotal ↓Download Sample

Remediation Steps:

Isolate the compromised system from the network immediately. Re-image the system from a known-good backup to ensure complete removal. Investigate the initial access vector and reset all credentials associated with the compromised system.

=== END REPORT ===

$ reanalyze-threat

This analysis was last updated on 04/12/2025. Do you want to analyze it again?

$ ls available-commands/

→ cd /home

user@threatcheck.sh:~$ ▊

Backdoor:Linux/Multiverze!rfn - Windows Defender Threat Analysis