Researchers at LevelBlue have identified a new variant of the SysUpdate malware aimed at Linux systems during a digital forensics and incident response engagement. The malware disguises itself as a legitimate system service and employs advanced encryption for command-and-control communications. By reverse-engineering it, the team created tools to decrypt its traffic more quickly.
During a digital forensics and incident response (DFIR) engagement, researchers at LevelBlue discovered a new variant of the SysUpdate malware specifically targeting Linux systems. This finding was reported on February 19, 2026. The malware sample presents as a packed ELF64 binary written in C++, dynamically linked without section headers, and protected by an unknown obfuscated packer.
To mimic a legitimate system service, the malware executes the Linux 'id' command and displays user details when launched without specific arguments. Its network activity includes encrypted command-and-control (C2) communications over multiple protocols. Analysis linked this variant to the original SysUpdate, previously tied to the APT27 group, also known as Iron Tiger.
The LevelBlue team used Binary Ninja for decompilation, GDB for debugging, and the Unicorn Engine with Rust bindings for emulation. Static analysis revealed cryptographic constants and dense bitwise operations. The key functions were 'generate_key', which performs 64 iterations of 'generate_key_internal'; 'xor_and_UNK_1', which encrypts and decrypts by XORing keys against 8-byte-aligned buffers; and 'i_am_clearly_encryption_UNK', which contains S-box-like data and constants such as 0xf0f0f0f.
To counter the C2 encryption, the researchers emulated the malware's own routines in the Unicorn Engine, mapping the original memory segments: the stack at 0x7ffffffde000, an unknown data region at 0x4fd000, the heap at 0x1393000, and the code segments. Feeding the plaintext key “!2#4Wx62” into the key-generation routine produced a 132-byte key, which they saved as 'gend_key.bin'. A separate decryption emulator then took encrypted payloads captured from traffic (168 bytes in one case) and recovered the C2 data by executing 'xor_and_UNK_1' with its decrypt flag set.
LevelBlue noted that this approach enables rapid decryption in live incidents without complete reverse engineering, effectively using the adversary's code against itself. The evolution of SysUpdate to Linux underscores cross-platform threats from groups like Iron Tiger. Organizations are advised to watch for anomalous ELF binaries that imitate services and unusual encrypted network flows.