Mallory
Malware, used by 2 actors

DinodasRAT

DinodasRAT, also referred to as XDealer, is a remote access trojan associated with China-linked espionage activity. Public reporting cited below ties it to the China-nexus threat actor Earth Krahang, which since at least early 2022 has used spear-phishing and the exploitation of public-facing Openfire and Oracle servers to deploy malware including PlugX, ShadowPad, ReShell, and DinodasRAT. A Linux variant has also been reported in use by China-linked groups against Linux servers for espionage; reported targets include Red Hat and Ubuntu systems, with activity observed since 2022 and, since October 2023, victims primarily in China, Taiwan, Turkey, and Uzbekistan. Reported capabilities include persistence mechanisms, encrypted communication with a command-and-control server, and full control over compromised systems. The broader Earth Krahang activity targeted 116 entities across 35 countries, with a strong focus on Southeast Asia.
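The summary says the Linux variant relies on persistence mechanisms but the page publishes no family-specific indicators, so a defender's first check on a Red Hat or Ubuntu server is necessarily generic: inventory the autostart locations and flag whatever is new or launches from scratch space. The script below is an added example written for this page; it is not code from the original page, from Mallory, or from any vendor report on DinodasRAT. The persistence paths, the scratch-directory pattern, the 30-day window and the sample records are all assumptions to tune per environment, and it goes beyond the page's text by covering cron and init scripts as well as systemd units.

```python
"""Generic Linux persistence triage (added example; assumptions noted inline).

Inventories the usual autostart locations and flags entries that were modified
recently or that launch something from a scratch or hidden directory. Nothing
here is specific to DinodasRAT: the page gives no IOCs, so this is the generic
hunt an analyst runs before family-specific detections exist.
"""
import os
import re
import sys
import time
from dataclasses import dataclass

# Assumed persistence locations on Red Hat- and Debian-style hosts.
PERSISTENCE_DIRS = [
    "/etc/systemd/system", "/usr/lib/systemd/system",
    "/etc/cron.d", "/var/spool/cron", "/var/spool/cron/crontabs",
    "/etc/init.d",
]
PERSISTENCE_FILES = ["/etc/rc.local", "/etc/crontab"]

# Assumed "no service binary belongs here" locations: world-writable scratch
# space and hidden directories under /home. Tune this for your fleet.
SCRATCH_DIR_RE = re.compile(
    r"(^|\s|=)(/tmp|/var/tmp|/dev/shm|/home/[^/\s]+/\.[^/\s]+)/"
)


@dataclass
class Record:
    path: str
    mtime: float      # seconds since the epoch
    content: str


@dataclass
class Finding:
    path: str
    reasons: list


def collect_records():
    """Read the real persistence files from disk (root needed to see all crontabs)."""
    candidates = list(PERSISTENCE_FILES)
    for d in PERSISTENCE_DIRS:
        if os.path.isdir(d):
            candidates += [os.path.join(d, n) for n in os.listdir(d)]
    records = []
    for path in candidates:
        try:
            if not os.path.isfile(path):   # skips .wants dirs and masked -> /dev/null links
                continue
            with open(path, errors="replace") as fh:
                records.append(Record(path, os.path.getmtime(path), fh.read()))
        except OSError:
            continue                       # unreadable without privilege; keep going
    return records


def triage(records, now, recent_days=30):
    """Return a Finding for every record that is recent or launches from scratch space."""
    findings = []
    for rec in records:
        reasons = []
        if now - rec.mtime < recent_days * 86400:
            reasons.append(f"modified within the last {recent_days} days")
        for line in rec.content.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue                   # comments cannot launch anything
            if SCRATCH_DIR_RE.search(line):
                reasons.append(f"launches from scratch or hidden dir: {line}")
                break
        if reasons:
            findings.append(Finding(rec.path, reasons))
    return findings


# Constructed sample records so the example runs offline and deterministically.
SAMPLE_NOW = 1_700_000_000
SAMPLE_RECORDS = [
    Record("/etc/systemd/system/sshd-keygen.service", SAMPLE_NOW - 400 * 86400,
           "[Unit]\nDescription=OpenSSH key generation\n"
           "[Service]\nExecStart=/usr/bin/ssh-keygen -A\n"),
    Record("/etc/systemd/system/update-helper.service", SAMPLE_NOW - 2 * 86400,
           "[Unit]\nDescription=Helper\n[Service]\nExecStart=/dev/shm/.x/helper -d\n"
           "Restart=always\n[Install]\nWantedBy=multi-user.target\n"),
    Record("/etc/cron.d/logrotate", SAMPLE_NOW - 300 * 86400,
           "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n"),
    Record("/var/spool/cron/crontabs/www-data", SAMPLE_NOW - 1 * 86400,
           "# m h dom mon dow command\n*/5 * * * * /var/tmp/.cache/run.sh\n"),
]

if __name__ == "__main__":
    live = "--live" in sys.argv    # --live scans this host instead of the sample
    recs = collect_records() if live else SAMPLE_RECORDS
    for f in triage(recs, time.time() if live else SAMPLE_NOW):
        print(f.path)
        for r in f.reasons:
            print("  -", r)
```

Run it with `--live` as root to scan the host; without the flag it triages the constructed sample records, flagging the systemd unit launched from /dev/shm and the www-data crontab pointing into /var/tmp while leaving the two long-standing, normally-located entries alone. Treat hits as leads rather than verdicts: a flagged entry still needs the referenced binary pulled and examined, and the recency window will also surface legitimate changes made during a recent patch cycle.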

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

2 attributions by public researchers: one to a named group (Earth Krahang) and one to otherwise unnamed China-linked groups. Open in Mallory to see the full evidence chain and overlapping campaigns.

Earth Krahang

“Earth Krahang ... deliver bespoke malware such as PlugX, ShadowPad, ReShell, and DinodasRAT (aka XDealer).”

via The Hacker News (thehackernews.com)
China-linked groups

“China-linked groups deployed a Linux variant of DinodasRAT…”

via Verizon Business (verizon.com)
MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic. Both are initial-access techniques of the Earth Krahang campaign that delivered the malware, not behaviours of the implant itself; the page documents no post-compromise techniques for DinodasRAT.

Initial Access

2 techniques
T1190 Exploit Public-Facing Application (1 evidence excerpt)

“Earth Krahang that has targeted 116 entities spanning 35 countries by leveraging spear-phishing and flaws in public-facing Openfire and Oracle servers to deliver bespoke malware such as PlugX, ShadowPad, ReShell, and DinodasRAT.”

T1566.001 Spearphishing Attachment (1 evidence excerpt)

“Earth Krahang that has targeted 116 entities spanning 35 countries by leveraging spear-phishing and flaws in public-facing Openfire and Oracle servers to deliver bespoke malware such as PlugX, ShadowPad, ReShell, and DinodasRAT.”

Note that this excerpt says only “spear-phishing”; it does not establish the attachment sub-technique over a link (T1566.002), so the mapping to T1566.001 is more specific than the evidence shown here.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (2)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (2)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.