Threat Watch

Kobalos Backdoor Steals SSH Credentials

Researchers at ESET have discovered a targeted backdoor for Linux and UNIX systems that they are calling Kobalos. Though not widespread, the actors behind the malware are infecting high-performance computing (HPC) clusters and servers in academic and research environments. How the actor gained initial access is not currently known. ESET noted that some of the infected hosts ran “old, unsupported or unpatched operating systems and software.”

After months of analysis, the exact intent of Kobalos is still uncertain. Commands observed appeared generic and no further payload was delivered. The malware includes a trojanized OpenSSH client, replacing the /usr/bin/ssh file on infected systems with a malicious version that records the username, password and hostname of outgoing connections and saves them to an encrypted file. Because students and researchers from multiple universities may have access to supercomputer clusters, ESET believes this credential theft may be one of the ways in which the malware currently spreads.


Kobalos is a small, complex backdoor designed to stay hidden and collect SSH credentials. While the vector of infection is currently unknown, ESET made a point of mentioning outdated operating systems and software. Important infrastructure should be kept up to date with security fixes and follow a regular patch schedule. Access to resources such as HPC clusters should also be restricted and monitored. Network administrators can create firewall rules to ensure only specific hosts or network segments can connect to the clusters via SSH, and implement two-factor authentication for SSH access. If remote access is necessary, administrators can allow access through a VPN instead of exposing the cluster to the Internet directly. Logs from these clusters (such as user authentication and command history) can also be collected to alert on suspicious activity.
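The log-based alerting suggested above, as an added example that is not part of the ESET research or this brief: it scans OpenSSH sshd authentication lines and flags accepted logins that come from outside an allowlist of cluster-facing networks, or that used password authentication where key-based or two-factor logins are expected. The allowed networks and the sample log lines are constructed values for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Networks permitted to reach the cluster's SSH login nodes (constructed example values;
# in practice these would be the VPN pool and trusted campus segments).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Standard sshd success line, e.g.
# "Feb  2 10:15:01 login1 sshd[4123]: Accepted password for alice from 203.0.113.7 port 51234 ssh2"
ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass
class Alert:
    user: str
    src: str
    method: str
    reason: str


def check_login(line: str):
    """Return an Alert for a suspicious accepted login, or None for a benign/non-matching line."""
    m = ACCEPT_RE.search(line)
    if not m:
        return None  # failed attempts and unrelated lines are not accepted logins
    src = ipaddress.ip_address(m["src"])
    reasons = []
    if not any(src in net for net in ALLOWED_NETWORKS):
        reasons.append("source outside allowed networks")
    if m["method"] == "password":
        reasons.append("password authentication (keys/2FA expected)")
    if not reasons:
        return None
    return Alert(m["user"], m["src"], m["method"], "; ".join(reasons))


def scan(lines):
    """Run check_login over a sequence of log lines and collect the alerts."""
    return [a for a in (check_login(line) for line in lines) if a is not None]


# Constructed sample log: one clean key login, one password login from an external address,
# one key login from an external address, one failed attempt, one 2FA login from the VPN pool.
SAMPLE_LOG = [
    "Feb  2 10:15:01 login1 sshd[4123]: Accepted publickey for alice from 10.20.3.4 port 40000 ssh2",
    "Feb  2 10:16:40 login1 sshd[4130]: Accepted password for bob from 203.0.113.7 port 51234 ssh2",
    "Feb  2 10:17:02 login1 sshd[4137]: Accepted publickey for carol from 198.51.100.9 port 43210 ssh2",
    "Feb  2 10:17:30 login1 sshd[4140]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "Feb  2 10:18:11 login1 sshd[4142]: Accepted keyboard-interactive/pam for dave from 192.168.50.12 port 50001 ssh2",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"ALERT user={alert.user} src={alert.src} method={alert.method}: {alert.reason}")
```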