Multiverze
Multiverze is a Linux trojan used by the threat actor TeamPCP. It is characterized as an automated threat that targets Linux servers exposing accessible SSH services, using SSH as its main attack vector to obtain shells on compromised systems. Microsoft Defender for Endpoint also reports detection coverage for a related macOS classification, Trojan:MacOS/Multiverze!rfn, showing that defenders use the name as malware nomenclature. High-confidence details are limited to this characterization: beyond its association with TeamPCP and SSH-exposed Linux servers, no verified information on payload functionality, persistence, targeted industries, or indicators of compromise for Multiverze itself is available in the source material.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
TeamPCP has made use of Multiverze, a Linux trojan: an automated threat that targets Linux servers running accessible SSH services, using SSH as its main attack vector to obtain shells.
Microsoft Defender for Endpoint – Trojan:MacOS/Multiverze!rfn (Blocking)
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
The SSH worm component ... Brute-force with embedded dictionary ... The embedded credential dictionary is predictable but effective: root, admin, password, 123456, 1234, master, raspberry, qwerty, portfolio, administrator
Prior public reporting on RedTail comes primarily from Akamai's 2024 research and two SANS Internet Storm Center diaries. Those reports described a capable but relatively straightforward cryptominer that exploited Log4j, PAN-OS, and ThinkPHP vulnerabilities to deploy XMRig.
Execution (1 technique)
Persistence (4 techniques)
Layer 1 -- systemd (boot persistence): A systemd service unit with WantedBy=multi-user.target ensures the malware starts on every boot.
Layer 3 -- SSH authorized_keys (remote access persistence): The attacker's SSH public key is written to authorized_keys files, providing key-based access.
RedTail's binary includes CGo bindings to the complete PAM API ... It is a full PAM module that can intercept and override the authentication process itself. Once installed, the malware can accept a hardcoded password for any user account on the system.
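As an added example (not code from Mallory or from any RedTail/Multiverze report), a small host audit over constructed file contents for the persistence layers above and the sshd masquerade noted under Stealth below: a service unit that starts something named sshd from a non-standard path, an authorized_keys entry outside an approved inventory, and a PAM module loaded from outside the library directories. The approved-key inventory, the legitimate sshd path and every placeholder key and module value are assumptions.

```python
import re

# Constructed sample inputs standing in for a systemd .service file,
# ~/.ssh/authorized_keys and /etc/pam.d/common-auth; none are real artifacts.
UNIT = """[Unit]
[Service]
ExecStart=/var/tmp/.x/sshd
[Install]
WantedBy=multi-user.target
"""
AUTHORIZED_KEYS = """ssh-ed25519 AAAAC3KNOWNADMINKEYPLACEHOLDER admin@bastion
ssh-rsa AAAAB3UNKNOWNKEYPLACEHOLDER root@unknown
"""
PAM_AUTH = """auth sufficient pam_unix.so nullok
auth required /tmp/.cache/pam_backdoor.so
"""

KNOWN_KEYS = {"AAAAC3KNOWNADMINKEYPLACEHOLDER"}  # assumed inventory of approved key blobs
LEGIT_SSHD = {"/usr/sbin/sshd"}                   # assumed location of the distro's real sshd
PAM_DIRS = ("/lib", "/usr/lib")                   # where packaged PAM modules normally live


def audit_unit(text):
    """Flag a unit whose ExecStart runs a binary named 'sshd' from a non-standard path."""
    m = re.search(r"^ExecStart=(\S+)", text, re.M)
    if not m:
        return []
    path = m.group(1)
    if path.rsplit("/", 1)[-1] == "sshd" and path not in LEGIT_SSHD:
        boot = bool(re.search(r"^WantedBy=multi-user\.target", text, re.M))
        return [f"masquerading sshd at {path}" + (" (starts at boot)" if boot else "")]
    return []


def audit_authorized_keys(text, known=KNOWN_KEYS):
    """Return the comment field (or blob) of every key not in the approved inventory."""
    unknown = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith(("ssh-", "ecdsa-", "sk-")) \
                and parts[1] not in known:
            unknown.append(parts[2] if len(parts) > 2 else parts[1])
    return unknown


def audit_pam(text):
    """Return PAM modules referenced by absolute path from outside the library dirs."""
    return [p[2] for p in (line.split() for line in text.splitlines())
            if len(p) >= 3 and p[0] in ("auth", "account", "password", "session")
            and p[2].startswith("/") and not p[2].startswith(PAM_DIRS)]
```

A hardcoded-password PAM backdoor cannot be spotted from its config line alone, so the PAM check only surfaces modules loaded from unexpected locations for manual review.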
Privilege Escalation (3 techniques)
Stealth (5 techniques)
Defense Evasion: Software Packing (T1027.002), UPX packing in later variants.
After successful authentication, the binary deploys itself to the new target via SFTP, masquerading as sshd -- the legitimate SSH daemon process name.
First, the "clean" script -- a pre-deployment step that kills competing miners before RedTail installs itself.
Defense Impairment (1 technique)
Credential Access (2 techniques)
Discovery (2 techniques)
Lateral Movement (2 techniques)
Collection (1 technique)
Command and Control (2 techniques)
IOCs tracked for this family
22 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Linux trojan used by TeamPCP that targets servers with exposed SSH services and serves as an automated attack vector in their shell-based operations.
A macOS malware detection associated with the native binary second-stage payload /Library/Caches/com.apple.act.mond delivered in the Axios npm supply-chain attack.