Diplomatic Entities Targeted with New ‘Moriya’ Windows Rootkit


Dubbed Moriya, the rootkit provides the threat actor with the ability to intercept network traffic and hide commands sent to the infected machines, thus allowing the attackers to stay hidden within the compromised networks for months.

The rootkit is part of the toolkit used by TunnelSnake, an unknown actor that deploys backdoors onto public servers belonging to the targeted entities. Multiple other tools that show code overlaps with the rootkit were also found.
