by stepupmakeup 567 days ago
What's the point of these kinds of articles? Most Linux malware (including this one) is not sophisticated at all, built off of pre-existing rootkit code samples from GitHub and quite sloppy with leaving files and traces (".Xl1", modifying bashrc, really?). And there's a weird fixation on China here; is it just more anti-China propaganda?

Threat actors don't create malware to impress people; they do it to accomplish their goals. Apparently, this sample was sufficient for them.

Security companies attribute activity based on their observations. ESET, a Slovakian company, is no exception.

I was under the impression that persistent but SILENT access was China's goal. Dropping files in home and /tmp/ seems like the total opposite of that, and any competent sysadmin would detect these anomalies manually real quick with a simple "ls -a", even possibly by accident.
From the article:

> The WolfsBane Hider rootkit hooks many basic standard C library functions such as open, stat, readdir, and access. While these hooked functions invoke the original ones, they filter out any results related to the WolfsBane malware.

I took this to mean some things like a simple “ls -a” might now leave out those suspicious results.
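One way to check for exactly the readdir() filtering that quote describes, added here as an example and not code from the article or from anyone in the thread: list a directory once through libc (what `ls` sees) and once through the raw getdents64 syscall, then report names only the kernel returned. It assumes Linux with glibc on a 64-bit host; since the article describes a C-library hook, a kernel-module rootkit would not show up this way.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#define MAX_NAMES 512
typedef char name_t[256];                      /* NAME_MAX + 1 */
/* Record layout returned by the raw getdents64 syscall on Linux. */
struct raw_dirent { unsigned long long ino; long long off; unsigned short reclen;
                    unsigned char type; char name[]; };
/* Listing through libc: what ls and every other readdir() caller see, hence what a hooked readdir() can filter. */
int list_via_readdir(const char *path, name_t *out, int max) {
    DIR *d = opendir(path);
    if (!d) return -1;
    int n = 0;
    for (struct dirent *e; n < max && (e = readdir(d)) != NULL; )
        snprintf(out[n++], sizeof(name_t), "%s", e->d_name);
    closedir(d);
    return n;
}
/* Listing straight from the kernel: bypasses LD_PRELOAD-style libc hooks (not a kernel rootkit). */
int list_via_getdents(const char *path, name_t *out, int max) {
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[8192] __attribute__((aligned(8))); int n = 0; long got = 0;
    while (n < max && (got = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0)
        for (long off = 0; off < got && n < max; ) {
            struct raw_dirent *r = (struct raw_dirent *)(buf + off);
            snprintf(out[n++], sizeof(name_t), "%s", r->name);
            off += r->reclen;
        }
    close(fd);
    return got < 0 ? -1 : n;
}
int contains(name_t *names, int n, const char *s) {
    for (int i = 0; i < n; i++) if (strcmp(names[i], s) == 0) return 1;
    return 0;
}
/* Names the kernel reports but libc omits: readdir-hook candidates. Returns the count (0 when clean), -1 on error. */
int find_hidden(const char *path, name_t *hidden, int max) {
    static name_t libc[MAX_NAMES], raw[MAX_NAMES];
    int nl = list_via_readdir(path, libc, MAX_NAMES), nr = list_via_getdents(path, raw, MAX_NAMES);
    if (nl < 0 || nr < 0) return -1;
    int h = 0;
    for (int i = 0; i < nr && h < max; i++)
        if (!contains(libc, nl, raw[i])) snprintf(hidden[h++], sizeof(name_t), "%s", raw[i]);
    return h;
}
```

Run find_hidden() over /tmp and each home directory from a statically linked binary, so the check itself is not loaded against the hooked libc; a non-zero result on a directory that is not changing underneath you is worth a closer look.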

Chinese threat actors are not one homogeneous group. Just like every other country out there.