Termite
Termite is a malware/ransomware name used in multiple reporting contexts. Sophos X-Ops identified a Linux backdoor detected as Linux/Gognt-O, a UPX-packed ELF binary, that logs the string "Termite (v [number]) starting..." and can also function as a SOCKS proxy. This malware was observed in attacks against Sophos Firewall devices running SFOS that began with exploitation of CVE-2022-3236. In that campaign, the threat actor deployed a mix of custom and commodity Linux malware, including trojanized SFOS Java and Perl components, Linux backdoors, and Gh0st RAT variants; the broader toolset supported credential theft, covert command execution, file operations, persistence, encrypted C2, and stealthy communications.
Separately, Mandiant describes TERMITE as a password-protected, memory-only dropper containing an encrypted shellcode payload. In COLDDRAW ransomware intrusions attributed to UNC2596, TERMITE was used to deliver BEACON, a Metasploit stager, or the BUGHATCH backdoor. Those intrusions frequently began with exploitation of public-facing Microsoft Exchange vulnerabilities, followed by webshell deployment or backdoors, credential abuse and theft, internal reconnaissance, lateral movement via RDP/SMB/PsExec, data exfiltration, and eventual COLDDRAW ransomware deployment.
Termite is also referenced as a ransomware family/group in multiple incident and detection contexts. Reporting cited ClickFix campaigns that led to hands-on-keyboard intrusions deploying Termite ransomware, including links to CastleRAT attacks. Termite ransomware was also reported in the November 2024 Blue Yonder incident that caused downstream impact to Starbucks, and Genea was reported as having experienced a ransomware attack by the Termite group. Splunk analytic stories associate Termite with common ransomware behaviors such as ransom note creation, suspicious ransomware-related file extensions, high-frequency process termination, and stopping backup or security services. High-confidence indicators directly mentioned in the content include the startup log string "Termite (v [number]) starting..." for the Linux/Gognt-O sample and the TERMITE in-memory dropper characterization as password-protected and memory-only.
Groups observed using it
2 distinct threat actors attributed by public researchers.
"TERMITE is a password-protected memory-only dropper which contains an encrypted shellcode payload."
Threat hunters disclosed multiple ClickFix campaigns, including one leading to a hands-on-keyboard attack that deployed the Termite ransomware.
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (1 technique)
Stealth (1 technique)
Command and Control (3 techniques)
The malware is a typical backdoor with the added functionality of being able to serve as a SOCKS proxy, which would allow it to intercept the contents of some kinds of web traffic.
Impact (1 technique)
The following analytic detects modifications to files with extensions commonly associated with ransomware... This activity is significant because it suggests an attacker is attempting to encrypt or alter files... If this is a true ransomware attack, there will be a large number of files created with these extensions.
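The analytic quoted above keys on two signals: a write or rename that produces a ransomware-associated file extension, and a large number of such events from one process in a short window. The Python sketch below is an added example, not code from the page, from Splunk, or from any Termite report; the extension set, the log line format and the log lines themselves are constructed for the example, and the threshold and window are assumptions a deployment would tune.

```python
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions to watch. Constructed sample set for this example; a real
# deployment takes its list from maintained detection content, not from here.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}

# Constructed log line format (an assumption for this example):
# <ISO timestamp> | <host> | <pid> | <process> | <action> | <path>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \| (?P<host>\S+) \| (?P<pid>\d+) \| (?P<proc>\S+) \| "
    r"(?P<action>\w+) \| (?P<path>.+)$"
)
FILE_WRITE_ACTIONS = {"create", "rename", "modify"}


def build_sample_log() -> str:
    """Constructed sample telemetry: one process writing 25 encrypted-looking
    files within 30 seconds, plus benign editor activity and a single
    user-driven rename that should stay below the alert threshold."""
    base = datetime(2024, 11, 21, 9, 0, 0)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} | ws01 | 4120 | svc.exe | create | "
                     f"C:\\Users\\alice\\Documents\\report{i}.docx.locked")
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} | ws01 | 2210 | "
                 f"WINWORD.EXE | modify | C:\\Users\\alice\\Documents\\notes.docx")
    lines.append(f"{(base + timedelta(seconds=40)).isoformat()} | ws01 | 3001 | "
                 f"explorer.exe | rename | C:\\Users\\alice\\Desktop\\old.txt.locked")
    return "\n".join(lines)


def parse_events(log_text: str) -> list:
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["pid"] = int(ev["pid"])
        events.append(ev)
    return events


def suspicious_extension(path: str) -> bool:
    """True when the final extension is in the watch list (case-insensitive)."""
    return os.path.splitext(path)[1].lower() in SUSPICIOUS_EXTENSIONS


def detect_encryption_bursts(events, threshold=20, window=timedelta(seconds=60)):
    """Raise one alert per (host, pid, process) whose peak count of suspicious
    file writes inside any sliding window reaches the threshold."""
    per_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] in FILE_WRITE_ACTIONS and suspicious_extension(ev["path"]):
            per_actor[(ev["host"], ev["pid"], ev["proc"])].append(ev["ts"])

    alerts = []
    for (host, pid, proc), stamps in per_actor.items():
        recent = deque()
        peak = 0
        for ts in stamps:  # stamps are already in time order
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts.append({"host": host, "pid": pid, "process": proc,
                           "peak_count": peak, "first_seen": stamps[0],
                           "last_seen": stamps[-1]})
    return alerts


if __name__ == "__main__":
    for alert in detect_encryption_bursts(parse_events(build_sample_log())):
        print(alert)
```

Counting per process rather than per host is what keeps the single explorer.exe rename from alerting while the bulk writer does; the same grouping gives an analyst the pid to pivot on. Raising the threshold above the burst size, or widening the window, is the usual tuning step when backup or archiving software legitimately touches many files.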
Recent activity
13 sources tracked across advisories, community write-ups, and news.
Ransomware referenced as having impacted Blue Yonder, with downstream effects on Starbucks.
"Termite ransomware breaches linked to ClickFix CastleRAT attacks"
Ransomware deployed following ClickFix-driven social engineering and hands-on-keyboard intrusion activity.