Mallory
Malware, used by 2 actors

Xnote

Xnote is a Linux backdoor first discovered in 2015 and observed in the wild since then. It has been deployed in multiple intrusion sets, including by the adversarial collective Earth Berberoka (aka GamblingPuppet) in attacks targeting online gambling sites. Palo Alto Networks Unit 42 also reported Xnote being used in some intrusions attributed to the cluster CL-UNK-1068 (assessed as a Chinese threat actor), where it was occasionally installed on Linux servers as part of post-compromise tooling to maintain access alongside modified Fast Reverse Proxy (FRP) builds used for command-and-control and network-control bypass. Separately, reporting described Xnote being deployed by the Southeast Asia-based actor UTG-Q-015 against Linux systems in AI research environments, following exploitation of CVE-2023-48022 and misconfigured ComfyUI components, where Xnote was used as a lightweight backdoor. In the CL-UNK-1068 context, the Xnote variant is described as providing DDoS capabilities and other commands. No specific Xnote indicators of compromise (e.g., hashes, C2 domains/IPs) are provided in the supplied content.


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

CL-UNK-1068

Further, to maintain command-and-control (C2) access and bypass network controls, the actor also deploys modified builds of Fast Reverse Proxy (FRP) and occasionally installs the Xnote Linux backdoor.

via Dark Reading (darkreading.com)
Earth Berberoka

“...Xnote is a Linux backdoor that's been detected in the wild since 2015 and has been deployed by ... Earth Berberoka (aka GamblingPuppet) ...”

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Lateral Movement

1 technique
T1021 Remote Services (evidence: 1)

“Xnote… 10CShellTask Reverse shell”

Command and Control

1 technique
T1572 Protocol Tunneling (evidence: 1)

“Xnote… 12CPortMapTask Establish port forwarding on the machine”

Impact

1 technique
T1498 Network Denial of Service (evidence: 1)

“Xnote… primarily provides distributed denial-of-service (DDoS) attack capabilities… CC… NTP… SYN Flood… UDP Flood…”
