
PitHook (0ed35278-4a85-4ec7-9b54-3bcf51f46fba)

PitHook, linked to UNC5325, is a backdoor that intercepts the accept and accept4 functions in the web process by altering the PLT (Procedure Linkage Table). When it detects a buffer matching a predetermined magic byte sequence, it duplicates the socket and initiates communication with the Unix domain socket /data/runtime/cockpit/wd.fd. [Mandiant Cutting Edge Part 3 February 2024]

Related clusters:

Cluster A: PitHook (0ed35278-4a85-4ec7-9b54-3bcf51f46fba)  Galaxy A: Tidal Software
Cluster B: UNC5325 (be7243cb-6031-4e2a-97d9-3522c002becd)  Galaxy B: Tidal Groups
Level: 1