Backdoor for Windows, macOS, and Linux went undetected until now

Researchers have uncovered a never-before-seen back door written from scratch for systems running Windows, macOS, or Linux.

The researchers from Intezer said they found a back door on the Linux-based Webserver of a leading educational institution. The researchers found SysJoker versions for both Windows and macOS. They think the cross- platform malware was unleashed in the second half of last year.

The discovery is significant for a number of reasons. Most malicious software is written for a specific operating system, which is something of a rarity. The people who created and used the backdoor were part of an advanced threat actor that invested a lot of resources. It is unusual for previously unseen Linux malware to be found in a real-world attack.


SysJoker provides advanced backdoor capabilities, according to analyses of the Windows and Macs versions by Intezer and Patrick Wardle. The Executable files for both the Windows and macOS versions had a different name. The file may have been a type script app spread after being sneaked into the npm jаvascript repository. Intezer said that SysJoker was a system update.

Wardle said the.ts extension may indicate the file is a video transport stream content. The file was signed with an ad-hoc signature.

The Linux and macOS versions of SysJoker were completely undetected on the VirusTotal malware search engine as of Tuesday. The control-server domain is generated by decoding a string from a text file. The server changed three times during the time the researchers were analyzing it.

Intezer believes that SysJoker is after specific targets, most likely with the goal of espionage together with the movement of people, which could lead to a ransomware attack.