Backdoor:Linux/Multiverze!rfn - Windows Defender Threat Analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:Linux/Multiverze!rfn
Classification:
Type: Backdoor
Platform: Linux
Family: Multiverze
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !rfn (specific ransomware family name)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Multiverze

Summary:

This threat is a backdoor from the Multiverze family that provides an attacker with remote control over a compromised system. Despite the 'Linux' platform classification, technical evidence such as Windows Registry Run keys and DLL references strongly indicates it targets the Windows OS, where it establishes persistence and contacts command-and-control servers.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - www.gpmce.net (PEHSTR_EXT)
 - www.booble.com (PEHSTR_EXT)
 - MSVBVM60.DLL (PEHSTR_EXT)
 - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware which is associated with this threat:
Remediation Steps:
Isolate the compromised system from the network immediately. Re-image the system from a known-good backup to ensure complete removal. Investigate the initial access vector and reset all credentials associated with the compromised system.
=== END REPORT ===