Translation of Drovorub:

“Drovo” means firewood or wood and “Rub” means to fell or to chop

So, Drovorub means woodcutter or to split wood.

Drovorub: a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server.

A message from NSA and FBI:  We’re sharing this information with our customers and the public to counter the capabilities of the GRU GTsSS, an organization which continues to threaten the United States and its allies. We continuously seek to counter their ability to exploit our Nation’s critical networks and systems.


When deployed on a victim machine, the Drovorub client provides the capability for direct communications with a bad actor controlled C2 infrastructure, file download and upload capabilities, execution of arbitrary commands as “root”, and port forwarding of network traffic to other hosts on the network or externally through DNS. The kernel module rootkit uses a variety of means to hide itself and the implant on infected devices, and persists through reboot of an infected machine unless (UEFI secure boot is enabled in “Full” or “Thorough” mode).


  • Drovorub-client – Implant
  • Drovorub-kernel module – Rootkit
  • Drovorub-agent – Port Forwarding and File Transfer Tool
  • Drovorub-server – Command and Control (C2) Server

Read the full technical details here.  

The FBI states they believe no other threat actors are using this malware. This malware was discovered by a variety of means and methods, including but not limited to FBI cybersecurity operations, foreign signals intelligence, U.S. Government partners, industry engagement, and global foreign partners.

SpearTip is constantly watching for new malware and manipulative programs. Our 24/7 Security Operations Center (SOC) is fully staffed with cybersecurity professionals to monitor and protect your environment. Not only are our cybersecurity teammates continuously preventing cyberattacks, but also able to deploy our proprietary tool, ShadowSpear® in an environment before or after an attack. has more information on why we do what we do or email [email protected] to speak with a cybersecurity engineer.

24/7 Breach Response: 833.997.7327