EvilGnome Linux Backdoor

EvilGnome is a backdoor targeting vulnerable Linux systems. Despite having similarities with malware employed by the Gamaredon Group

Gamaredon Group is an alleged Russian threat group. It has been active since at least 2013, and has targeted individuals likely involved with the Ukrainian government. Gamaredon Group infects victims using malicious attachments, delivered via spear phishing techniques.

EvilGnome appears to be distributed as a self-extracting archive script disguised as a GNOME Linux graphical shell extension. When downloaded, it decompresses and launches modules to maintain persistence and collect information.

Once installed, EvilGnome will connect to a command and control (C2) server over TCP port 3346 using Secure Shell and await further commands. By default, EvilGnome has five function modules:

  • ShooterFile – reads and transfers newly created files
  • ShooterImage – captures screenshots
  • ShooterKey – unimplemented, but likely to be a key logging module
  • ShooterPing – receives new commands from the C2 server
  • ShooterSound – captures microphone audio
VirusTotal – Looking at the SHA-256 Hash 7ffab36b2fa68d0708c82f01a70c8d10614ca742d838b69007f5104337a4b869
Detected as malicious

Indicators of Compromise

IP Addresses

  • 185.158.115[.]154
  • 185.158.115[.]44
  • 195.62.52[.]101


  • clsass.ddns[.]net
  • gamework.ddns[.]net
  • kotl[.]space
  • rnbo-ua.ddns[.]net
  • workan.ddns[.]net


  • gnome-shell-ext – the spy agent executable
  • gnome-shell-ext.sh – checks if gnome-shell-ext is already running and if not, executes it

SHA246 File Hashes

  • 7ffab36b2fa68d0708c82f01a70c8d10614ca742d838b69007f5104337a4b869
  • 82b69954410c83315dfe769eed4b6cfc7d11f0f62e26ff546542e35dcd7106b7
  • a21acbe7ee77c721f1adc76e7a7799c936e74348d32b4c38f3bf6357ed7e8032

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: