The Chinese threat group ChamelGang infects Linux computers with the ChamelDoH implant, which enables DNS-over-HTTPS contact with the attackers servers.A new Linux implant created in C++ that increases the threat actors toolkit for penetration and, consequently, the attackers indicators of compromise is described in a study released yesterday by Stairwell and shared with BleepingComputer.
Positive Technologies originally identified the specific threat actor in September 2021, but the researchers only paid attention to the Windows toolkit at the time. The connection between ChamelGang and the new Linux malware is made possible by a domain that had previously been linked to the threat actor and a unique privilege elevation mechanism that Positive Technologies had noticed in prior ChamelGang attacks.