PeerTime
Intelligence Profile
According to Cisco Talos, PeerTime is an ELF-based backdoor compiled for multiple architectures including common embedded and server platforms, with one version written in C/C++ and a newer version written in Rust. It is deployed via shell scripts and an auxiliary "instrumentor" component that can detect container runtimes and launch the loader in these environments, with the instrumentor containing debug strings in Simplified Chinese that point to Chinese-speaking developers. PeerTime’s loader decrypts and decompresses the main payload in memory, can rename its process to appear benign, and uses the BitTorrent protocol to discover command-and-control information, exchange data with peers, and download and execute additional payloads. The malware uses standard Unix utilities to copy and place downloaded files, enabling flexible post-compromise tool delivery across diverse Linux and embedded systems.
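A triage check for the process renaming and in-memory loading described above, as an added example that is not from Cisco Talos or the original profile: it compares the three names Linux exposes for a process under `/proc`. How PeerTime renames itself is not stated here, so the heuristics are generic assumptions, and the sample records are constructed.

```python
import os

TASK_COMM_LEN = 15  # kernel truncates /proc/<pid>/comm to 15 visible bytes

def read_proc(pid, root="/proc"):
    """Collect the three name sources Linux exposes for one live process."""
    d = os.path.join(root, str(pid))
    try:
        exe = os.readlink(os.path.join(d, "exe"))
    except OSError:
        exe = ""  # kernel thread, exited process, or insufficient privilege
    with open(os.path.join(d, "comm")) as f:
        comm = f.read().rstrip("\n")
    with open(os.path.join(d, "cmdline"), "rb") as f:
        argv0 = f.read().split(b"\0")[0].decode(errors="replace")
    return {"pid": pid, "comm": comm, "exe": exe, "argv0": argv0}

def triage(proc):
    """Return the reasons a record looks renamed or no longer backed by a file."""
    reasons, exe = [], proc["exe"]
    if not exe:
        return reasons  # nothing to compare against
    if exe.startswith("/memfd:"):
        reasons.append("exe-is-memfd")
    if exe.endswith(" (deleted)"):
        reasons.append("exe-deleted")
        exe = exe[: -len(" (deleted)")]
    base = os.path.basename(exe)
    if proc["comm"] != base[:TASK_COMM_LEN]:
        reasons.append("comm-differs-from-exe")
    # Login shells carry a leading "-" in argv[0]; ignore it.
    if os.path.basename(proc["argv0"]).lstrip("-") != base:
        reasons.append("argv0-differs-from-exe")
    return reasons

# Constructed sample records (not taken from any PeerTime sample or report).
SAMPLES = [
    {"pid": 812, "comm": "sshd", "exe": "/usr/sbin/sshd", "argv0": "/usr/sbin/sshd"},
    {"pid": 4021, "comm": "crond", "exe": "/tmp/loader (deleted)", "argv0": "crond"},
    {"pid": 2, "comm": "kthreadd", "exe": "", "argv0": ""},
    {"pid": 377, "comm": "systemd-journal", "exe": "/usr/lib/systemd/systemd-journald",
     "argv0": "/usr/lib/systemd/systemd-journald"},
]

def scan(records):
    """Map pid -> reasons for every record with at least one finding."""
    return {p["pid"]: r for p in records if (r := triage(p))}

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLES).items():
        print(pid, ", ".join(reasons))
```

Name mismatches also occur for benign processes such as shebang scripts and BusyBox applets, so treat findings as leads to correlate with network and file telemetry rather than as verdicts.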
Threat Analysis
PeerTime is a threat actor of known sophistication and undetermined national origin, engaged in cyber operations whose primary motivation and activity patterns are unknown.