The PolySwarm Blog


SysUpdate Linux Variant

Mar 14, 2023 3:30:50 PM / by The Hivemind


Verticals Targeted: Gambling

Executive Summary

Trend Micro recently reported on a new Linux variant of Emissary Panda’s SysUpdate. SysUpdate is one of Emissary Panda’s custom tools. 

Key Takeaways

  • Emissary Panda is using a new Linux variant of SysUpdate.
  • The variant was seen in the wild as early as October 2022. 
  • The Linux variant operates similarly to the original Windows variant. 
  • Some of the malicious files were signed with a stolen certificate associated with Permyakov Ivan Yurievich IP, which distributes VMProtect.

What is the SysUpdate Linux Variant?

Trend Micro recently reported on a new Linux variant of Emissary Panda’s SysUpdate. SysUpdate is one of Emissary Panda’s custom tools. The earliest known sample of the Linux variant was seen in the wild in October 2022. The Linux variant of SysUpdate is an ELF written in C++ and leverages the Asio library. The infection vector is currently unknown, but Trend Micro analysts assessed that a chat application may have been used as a lure. Emissary Panda has used a similar tactic in the past. One of the targets compromised by this malware was a gambling company based in the Philippines.

SysUpdate has several features, including a service manager, a process manager, a file manager, screenshot grabbing, drive information retrieval, and command execution. The Linux variant uses complex loading logic to help evade security measures. The code was also changed to make reverse engineering more difficult. SysUpdate collects and sends data to the C2, including a randomly generated GUID, hostname, username, current PID, kernel version and machine architecture, current file path, and the local IP address and port used to send the request. It also sends a Boolean value: 0 if it was launched with exactly one parameter, 1 otherwise.

Trend Micro noted some of the malicious files were signed with a stolen certificate associated with Permyakov Ivan Yurievich IP, which distributes VMProtect. Multiple threat actors have abused this software in the past to obfuscate malware.

Who is Emissary Panda?

Emissary Panda, also known as APT27, GreedyTaotie, Red Phoenix, Iron Tiger, Lucky Mouse, and Bronze Union, is a China-nexus APT group that focuses on espionage campaigns targeting foreign embassies. They attempt to obtain data on the defense, technology, and government verticals.


PolySwarm has multiple samples of the SysUpdate Linux variant.


You can use the following CLI command to search for all SysUpdate samples in our portal:
$ polyswarm link list -f SysUpdate





Topics: Threat Bulletin, Ransomware, Linux, RAT, Trojan, SysUpdate, Iron Tiger, Emissary Panda, APT27
