B1txor20 is assembling an army of bots on Linux machines. It exploits systems vulnerable to Log4j to gain access and maintain a foothold. Netlab 360 named it B1txor20 based on the file name "b1t" used in its propagation, its use of the XOR encryption algorithm, and its 20-byte RC4 key length. It appears to be in active development. It has the ability to steal sensitive information, install rootkits, create reverse shells, and act as a web traffic proxy. B1txor20 uses DNS tunneling to establish its command and control channel, supporting both direct connection and relay, while using ZLIB compression, RC4 encryption, and BASE64 encoding to protect the backdoor Trojan's traffic.