
Fysbis
A simple yet effective Linux Trojan.

Fysbis has been described as a "simple yet effective Linux Trojan".[1]


Fysbis is a malware family that targets Linux machines, on which it sets up a backdoor that allows the malware's author to spy on victims and carry out further attacks. First signs of Fysbis appeared in November 2014. Technically, Fysbis can open a remote shell on the infected machine, can run commands on the attacker's behalf, log keyboard input, and find, read, save, execute or delete files.

Researchers speculate that this is not your run-of-the-mill malware that infects computers for the criminals' monetary gain (adware, banking operations, Bitcoin mining), but a much more sophisticated threat, which is only used in cyber-espionage campaigns.[2]

Official narrative

According to Palo Alto researchers[3], this malware family was developed by none other than the infamous APT 28 cyber-espionage group, also known under the names of Sofacy or Sednit. Because many of the group's targets are also aligned with the Kremlin's interests, and also because there are lots of Russian words in the source code of APT 28's hacking tools, many security researchers believe the organization may be linked to the Russian government, or at least cooperating with it.[2]

Problems with official narrative

The same features, like "lots of Russian words in the source code", are identical to what WikiLeaks revealed in Vault 7 to be a standard software tool used by Western intelligence agencies to shift blame for their own attacks. Also, the timing is slightly conspicuous, as it came at the start of a massive escalation of propaganda in Cold War 2.0 during 2014.