The Irc trojan, also referred to as Linux.Backdoor.Irc.16, is believed to be a testing version of a fully weaponized version. Currently, this malware only infects victims and gathers information about the local system to send to its C2 server. This trojan is written in the Rust programming language and connects to the Rust library, via the Internet Relay Channel (IRC) protocol to a remote IRC public channel. All trojans connect to this IRC channel after infecting a target and wait for commands. The attacker is able to control the IRC channel and submit a message to the channel’s public chat and all bots will receive and execute these commands. Support is only included for a set of commands which is why this malware is considered to be a testing version. Currently, the only capabilities that the botnet has is retrieving a list of running apps, querying a bot for technical specifications, and killing the malware to remove a bot. There is support for a feature to update the malware source code but this has yet to go into full effect.


  • September 2016: Dr. Web discovers Linux.Backdoor.Irc.16 written in the Rust programming language. (Dr. Web