The Chinese threat group 'ChamelGang' infects Linux devices with a previously unknown implant, named 'ChamelDoH', that communicates with the attackers' servers over DNS-over-HTTPS (DoH).
This threat actor was first documented in September 2021 by Positive Technologies; however, that research focused only on the group's Windows toolkit.
A report published yesterday by Stairwell and shared with BleepingComputer describes a new Linux implant written in C++ that expands the threat actor's intrusion arsenal and, by extension, the set of indicators of compromise associated with the attackers.
The link between ChamelGang and the new Linux malware is based on a domain previously associated with the threat actor and a custom privilege elevation tool observed by Positive Technologies in past ChamelGang campaigns.