New Linux Version of DinodasRAT Identified as V10, Poses Threat to Linux-Based Systems

DinodasRAT, also known as XDealer, is a multi-platform backdoor written in C++ that enables malicious actors to surveil and harvest sensitive data from a target’s computer. The RAT was initially used in attacks against government entities in Guyana and was documented by ESET researchers as Operation Jacana. A new Linux version of DinodasRAT, labeled V10, has now been discovered, and it may have been operational since 2022. It joins the previously known Linux variant, V7, which dates back to 2021.

The DinodasRAT Linux implant primarily targets Red Hat-based distributions and Ubuntu Linux. Upon execution, it creates a hidden file in the same directory as the executable; this file serves as a mutex so that only one instance of the implant runs. The backdoor is launched, and maintains persistence, in several ways: direct execution without arguments, persistence on the infected system through SystemV or SystemD startup scripts, and executing itself again with the parent process ID as an argument.

This approach not only allows DinodasRAT to verify its correct execution but also makes it challenging to detect with debugging and monitoring tools. The backdoor’s ability to maintain persistence and evade detection poses a significant threat to the security of Linux-based systems.
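The launch behaviour described above leaves a recognisable shape in the process table: a child running the same executable as its parent, with the parent's PID among its arguments, and a hidden file beside the binary. The Python below is an added example, not code from the article or from the researchers it cites; the function names and sample paths are constructed, and it assumes the parent process is still alive when the snapshot is taken.

```python
import os
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid exe argv")

def read_proc_snapshot(root="/proc"):
    """Snapshot live processes on Linux; unreadable entries are skipped."""
    procs = []
    for name in filter(str.isdigit, os.listdir(root)):
        try:
            with open(f"{root}/{name}/stat") as f:
                # Fields after the ")" that closes comm: state, ppid, ...
                ppid = int(f.read().rsplit(")", 1)[1].split()[1])
            with open(f"{root}/{name}/cmdline", "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
            exe = os.readlink(f"{root}/{name}/exe")
        except (OSError, ValueError, IndexError):
            continue
        procs.append(Proc(int(name), ppid, exe, argv))
    return procs

def find_ppid_reexec(procs):
    """Return processes started by a copy of themselves with the parent's PID as an argument."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is not None and parent.exe == p.exe and str(p.ppid) in p.argv[1:]:
            hits.append(p)
    return hits

def hidden_files_beside(exe):
    """List dot-files in the executable's directory (candidate mutex files)."""
    try:
        return sorted(n for n in os.listdir(os.path.dirname(exe)) if n.startswith("."))
    except OSError:
        return []

# Constructed sample snapshot; paths and PIDs are illustrative, not indicators.
SAMPLE = [
    Proc(900, 1, "/usr/bin/bash", ["-bash"]),
    Proc(4200, 900, "/usr/bin/kill", ["kill", "900"]),  # benign: different exe
    Proc(4100, 1, "/opt/example/svc", ["/opt/example/svc"]),
    Proc(4101, 4100, "/opt/example/svc", ["/opt/example/svc", "4100"]),
]

if __name__ == "__main__":
    for p in find_ppid_reexec(SAMPLE):
        print(p.pid, p.exe, p.argv, hidden_files_beside(p.exe))
```

On a live host, pass `read_proc_snapshot()` instead of `SAMPLE`; a hit is a lead for triage, since legitimate supervisors can also re-execute themselves.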
