The PolySwarm Blog

SideWalk Linux Variant

Oct 3, 2022 3:59:17 PM / by PolySwarm Tech Team


Related Families: Specter RAT, SideWalk (Windows)
Verticals Targeted: Education

Executive Summary

ESET recently reported on a SideWalk Linux variant. SideWalk is a backdoor used by the SparklingGoblin threat actor group.

Key Takeaways

  • ESET discovered a Linux variant of the SideWalk backdoor.
  • SideWalk is used by the SparklingGoblin threat actor group.
  • The Linux and Windows variants of SideWalk share multiple similarities.

What is SideWalk?

ESET researchers discovered a Linux variant of the SideWalk backdoor. SideWalk is a custom malware used by the SparklingGoblin threat actor group. The variant analyzed was used in an attack on a Hong Kong university. SparklingGoblin reportedly targeted the university as early as May 2020. Continued targeting led to a SideWalk variant on the network in February 2021. ESET notes it originally referred to the sample as StageClient. They also noted the Specter RAT Linux backdoor is a variant of SideWalk Linux.

SideWalk uses Google Docs as a dead-drop resolver and uses Cloudflare for C2. ESET was not able to determine the initial infection vector but speculates it may be via exploitation of connected devices or a WordPress server.

The SideWalk Linux variant shares multiple similarities with the Windows SideWalk variant, including the following:
  • Both variants use ChaCha20 encryption, with an initial counter value of 0x0B. The configuration is decrypted using ChaCha20.
  • Both variants use multiple threads to execute a specific task. ESET notes that in both variants, five threads are simultaneously executed, and each has a specific task. 
  • In both variants, prior to decryption, a data integrity check is performed. An MD5 hash is computed on the ChaCha20 nonce concatenated to the encrypted configuration data. If the hash does not match a predefined value, the malware exits.
  • Both variants share an identical dead-drop resolver payload.
  • Both variants use the same artifacts for victim fingerprinting, and the information is fetched in the same order. 
  • Both variants use an identical encryption key and the same POST requests for communication with the C2. 
  • Both variants share the same commands, with the exception of four commands that differ in the Linux variant. 
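
For analysts writing a configuration extractor, the check-then-decrypt order described above can be sketched as follows. This is an added example, not code from ESET or PolySwarm. It assumes the RFC 8439 ChaCha20 variant (12-byte nonce) and a hypothetical blob layout of MD5 digest, nonce, then ciphertext; the key, nonce and configuration contents are constructed placeholders.

```python
import hashlib
import struct

INITIAL_COUNTER = 0x0B  # initial ChaCha20 counter reported for both variants
_ROUNDS = [(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)]

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def _quarter(s, a, b, c, d):
    # The four add / xor / rotate steps of one ChaCha quarter round.
    for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & 0xFFFFFFFF
        s[z] = _rotl(s[z] ^ s[x], r)

def chacha20_xor(key, nonce, counter, data):
    """RFC 8439 ChaCha20 (32-byte key, 12-byte nonce): XOR data with keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        init = list(struct.unpack("<16I", b"expand 32-byte k" + key +
                                  struct.pack("<I", counter + off // 64) + nonce))
        s = init[:]
        for _ in range(10):  # 10 double rounds = 20 rounds
            for idx in _ROUNDS:
                _quarter(s, *idx)
        ks = struct.pack("<16I", *((x + y) & 0xFFFFFFFF for x, y in zip(s, init)))
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)

def extract_config(blob, key):
    """Assumed layout: MD5(16) | nonce(12) | ciphertext. Returns None on mismatch."""
    digest, nonce, ct = blob[:16], blob[16:28], blob[28:]
    if hashlib.md5(nonce + ct).digest() != digest:  # check precedes decryption
        return None  # the malware exits here; an extractor should flag the blob
    return chacha20_xor(key, nonce, INITIAL_COUNTER, ct)

def build_sample(key, nonce, plaintext):
    """Build a constructed test blob in the assumed layout (not real sample data)."""
    ct = chacha20_xor(key, nonce, INITIAL_COUNTER, plaintext)
    return hashlib.md5(nonce + ct).digest() + nonce + ct

if __name__ == "__main__":
    key, nonce = bytes(range(32)), bytes(12)  # constructed placeholders
    blob = build_sample(key, nonce, b"c2=example.invalid;interval=60")
    print(extract_config(blob, key))                                  # config
    print(extract_config(blob[:-1] + bytes([blob[-1] ^ 1]), key))     # None
```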

A major difference in the Linux variant is that its modules are built in and cannot be fetched from the C2, as is possible in the Windows variant. The Linux version also does not implement as many defense evasion techniques as the Windows version.

Who is SparklingGoblin?

SparklingGoblin is thought to be a Chinese nexus threat actor group. The group’s TTPs partially overlap with APT41 (Wicked Panda). The group typically targets academic entities located in East and Southeast Asia, although they have expanded their scope to other verticals and regions. SparklingGoblin TTPs include but are not limited to Motnug and ChaCha20-based loaders, Crosswalk, SideWalk, PlugX, ShadowPad, and Cobalt Strike. ESET notes SparklingGoblin is currently the only threat actor known to use SideWalk.


PolySwarm has multiple samples of the SideWalk Linux variant.

You can use the following CLI command to search for all SideWalk samples in our portal:

$ polyswarm link list -f SideWalk

Topics: Threat Bulletin, Linux, Backdoor, SparklingGoblin, SideWalk