Badhide2s
Badhide2s is a Linux userland rootkit, also identified as libutilkeybd.so, described as part of the modular RingH23 server-side malware framework attributed in the reporting to the Funnull cybercriminal group (also known as Fangneng CDN). It is based on LD_PRELOAD technology and achieves stealth by writing itself to /etc/ld.so.preload. The rootkit is reported to hide malicious files, processes, and network connections from common system utilities such as ps, ls, and netstat. In the described campaign, Badhide2s was deployed alongside other RingH23 components including an SSH-propagated downloader, a backdoor, a malicious Nginx module, and udev-based persistence, following compromises of GoEdge CDN infrastructure and poisoning of the maccms.la update channel. The broader operation reportedly targeted CDN nodes and streaming/movie-related websites to support malicious JavaScript injection and traffic redirection to illegal sites. A known associated file name mentioned in the reporting is libutilkeybd.so, and the key persistence/stealth indicator is modification of /etc/ld.so.preload.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"The Badhide2s userland rootkit completes the picture by writing itself into /etc/ld.so.preload to conceal all malicious files..."
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Initial Access
"Funnull pursued two separate infection routes. In the first, attackers compromised a GoEdge CDN management node... forcing all connected edge nodes to download and execute the RingH23 toolkit. In the second path, the group poisoned the official update channel of maccms.la... to deliver a malicious PHP backdoor."
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Userland rootkit that persists via /etc/ld.so.preload and hides malicious files/processes/network connections from common utilities (ps/ls/netstat); can be disabled/revealed by setting environment variable RING04H={hash}.
LD_PRELOAD-based userland rootkit that persists via /etc/ld.so.preload, hides files/processes/network connections by hooking common utilities output, and injects the malicious Nginx module by hooking __libc_start_main to alter Nginx startup parameters. Includes an environment-variable kill-switch to disable hiding when set appropriately.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.