Daniel Roberson

LOKI2

0001-01-01

LOKI2 is a backdoor for Unix-like systems such as Linux that uses the ICMP protocol as a covert channel.

LOKI2 was documented and released in Phrack Magazine issues 49 and 51, respectively. LOKI2’s source code is credited to route and alhambra.

This malware leverages the fact that network security solutions at the time largely ignored ICMP traffic and inspected only TCP and UDP packets.
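Inspecting ICMP closes that gap. The following is an added example, not code from this note or from LOKI2: a minimal check that pairs echo requests with replies and flags replies that are unsolicited or do not return the request's data, which RFC 792 requires. It assumes the covert data rides in echo payloads; the function names and sample traffic are constructed for illustration.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type numbers

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build a constructed ICMP echo message for the sample data below."""
    csum = checksum(struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def find_echo_anomalies(messages):
    """messages: iterable of (src, dst, icmp_bytes).
    Returns a list of (reason, src, dst, ident, seq) findings."""
    pending, findings = {}, []
    for src, dst, raw in messages:
        if len(raw) < 8:  # shorter than an ICMP echo header
            continue
        icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
        payload = raw[8:]
        if checksum(raw) != 0:
            findings.append(("bad-checksum", src, dst, ident, seq))
        elif icmp_type == ECHO_REQUEST:
            pending[(src, dst, ident, seq)] = payload
        elif icmp_type == ECHO_REPLY:
            # A reply travels dst -> src of the request it answers.
            sent = pending.pop((dst, src, ident, seq), None)
            if sent is None:
                findings.append(("unsolicited-reply", src, dst, ident, seq))
            elif sent != payload:
                findings.append(("payload-mismatch", src, dst, ident, seq))
    return findings

# Constructed sample traffic (documentation addresses, not from a real capture).
A, B = "192.0.2.10", "198.51.100.5"
SAMPLE = [
    (A, B, build_echo(ECHO_REQUEST, 0x1234, 1, b"abcdefgh" * 4)),
    (B, A, build_echo(ECHO_REPLY, 0x1234, 1, b"abcdefgh" * 4)),
    (A, B, build_echo(ECHO_REQUEST, 0x1234, 2, b"abcdefgh" * 4)),
    (B, A, build_echo(ECHO_REPLY, 0x1234, 2, b"constructed data, not an echo")),
    (B, A, build_echo(ECHO_REPLY, 0x1234, 9, b"no request preceded this")),
]

if __name__ == "__main__":
    print(find_echo_anomalies(SAMPLE))
```

A channel that echoes payloads faithfully in both directions would pass this check, so it is one signal to combine with payload size and rate baselines rather than a complete detector.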

LOKI2 was modified and used by the Turla group. This modified strain is known as Penguin Turla.

  • http://phrack.org/issues/49/6.html
  • http://phrack.org/issues/51/6.html

