A new campaign has been discovered using a previously unrecognized Linux malware, FontOnLake. It gives its operators remote access to the infected device.

Making the headlines

The malware family, discovered by ESET, comes with regularly upgraded modules that provide a wide range of abilities.
  • The malware appears to be stealthy by nature and advanced in design.
  • The first sample of this malware was uploaded to VirusTotal in May of last year, suggesting its first use in intrusions.
  • Based on the C&C servers and the countries from which the malware samples were uploaded, researchers suspect that this malware has been used to target Linux users in Southeast Asia.

FontOnLake was tracked by Avast and Lacework Labs under a different name, HCRootkit.

Technical details and detection evasion

FontOnLake is always used along with a rootkit to evade detection.
  • The malware has three components - trojanized versions of genuine Linux utilities, rootkits, and user-mode backdoors. All these communicate with each other using virtual files.
  • These C++-based implants are created to monitor systems, covertly run commands on networks, and steal account credentials.
  • To collect data, it uses modified versions of genuine binaries, which load the other components.
  • Moreover, these binaries are ones used on Linux systems, and they also serve as a persistence mechanism.
  • The attacker relies on different, unique C2 servers with alternating non-standard ports to avoid leaving any tracks.
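
Because the trojanized utilities stand in for genuine binaries and a rootkit hides the rest, one defensive check is to hash system utilities on the suspect disk, mounted from a clean system, and compare them with a known-good manifest. The Python below is an added example, not code from ESET or the original article; the function names, the manifest format and the sample files are constructed assumptions.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit(root, manifest):
    """Compare utilities under `root` with a trusted manifest.

    root     -- mount point of the suspect filesystem, examined from a
                clean system so a rootkit on the host cannot alter reads
    manifest -- {relative path: expected sha256}, built from a known-good
                source such as the distribution's packages (assumption)
    Returns {relative path: "missing" | "modified"} for every deviation.
    """
    findings = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            findings[rel] = "missing"
        elif sha256_file(path) != expected:
            findings[rel] = "modified"
    return findings

def demo():
    """Constructed sample: two fake utilities, one replaced after baselining."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        for name in ("cat", "kill"):
            with open(os.path.join(root, "usr/bin", name), "wb") as f:
                f.write(b"original " + name.encode())
        manifest = {f"usr/bin/{n}": sha256_file(os.path.join(root, "usr/bin", n))
                    for n in ("cat", "kill")}
        manifest["usr/bin/sshd"] = "0" * 64  # baselined but absent here
        with open(os.path.join(root, "usr/bin/cat"), "wb") as f:
            f.write(b"replaced cat")  # simulates a swapped binary
        return audit(root, manifest)

if __name__ == "__main__":
    print(demo())
```
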


FontOnLake is a well-designed and feature-rich malware, built by skilled and sophisticated cybercriminals. Security teams are advised to proactively prepare their defenses against this threat.

Cyware Publisher