OrBit (Re)turns: Tracking an open-source Linux rootkit across four years of forks and deployments
ID: e79d6c6d-30d1-5e5c-9041-5e01c48ebc29
STIX ID: report--e79d6c6d-30d1-5e5c-9041-5e01c48ebc29
Feed Name: Intezer Blog
**Executive Summary:** This report analyzes OrBit, a Linux LD_PRELOAD rootkit built as a forked and selectively weaponized version of the open-source Medusa project. It details two parallel lineages (a full Lineage A and a lite Lineage B); capability changes (PAM credential harvesting, an SSH backdoor, extensive libc hooks, auditd evasion, and service-side PAM impersonation); the evolution of deployment and delivery (droppers, a two-stage infector, and cron-based C2); ties to multiple operators, including UNC3886 and BLOCKADE SPIDER; and a comprehensive IOC table covering samples from 2022 to 2026.
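As an added example (not code from the Intezer report, from OrBit, or from Medusa), this is the cross-check a responder can run against the class of rootkit the summary describes. A userland LD_PRELOAD hook on libc can filter what opendir()/readdir() return, but it cannot alter what the raw getdents64 syscall returns, so listing a directory both ways and diffing the results exposes entries hidden by the hook; /etc/ld.so.preload is read through raw syscalls for the same reason. Which libc functions OrBit actually hooks is not stated on this page, so the readdir()-hiding scenario is an assumption about the general technique rather than a claim about this sample. The code assumes Linux with glibc and creates its own constructed test directory under /tmp.

```c
/* Added example: diff a libc directory listing against a raw getdents64
 * listing, and read /etc/ld.so.preload via raw syscalls. Linux/glibc only. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_NAMES 1024
#define NAME_LEN  256

/* Record layout the kernel writes for getdents64. */
struct kdirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* Listing via raw syscalls only (openat/getdents64/close), so a preloaded
 * library that interposes opendir()/readdir() cannot filter it. */
static int list_raw(const char *path, char names[][NAME_LEN], int max)
{
    long fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[8192];
    int n = 0;
    for (;;) {
        long got = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (got <= 0) break;
        for (long pos = 0; pos < got;) {
            struct kdirent64 *d = (struct kdirent64 *)(buf + pos);
            if (n < max) snprintf(names[n++], NAME_LEN, "%s", d->d_name);
            pos += d->d_reclen;
        }
    }
    syscall(SYS_close, fd);
    return n;
}

/* The same listing through libc: this is the path a userland hook controls. */
static int list_libc(const char *path, char names[][NAME_LEN], int max)
{
    DIR *dir = opendir(path);
    if (!dir) return -1;
    struct dirent *e;
    int n = 0;
    while ((e = readdir(dir)) != NULL)
        if (n < max) snprintf(names[n++], NAME_LEN, "%s", e->d_name);
    closedir(dir);
    return n;
}

/* Entries the kernel reports but libc does not: candidates hidden by a
 * readdir() hook. Returns the count, or -1 if the directory is unreadable. */
int hidden_entries(const char *path)
{
    static char raw[MAX_NAMES][NAME_LEN], lib[MAX_NAMES][NAME_LEN];
    int nr = list_raw(path, raw, MAX_NAMES);
    int nl = list_libc(path, lib, MAX_NAMES);
    if (nr < 0 || nl < 0) return -1;
    int hidden = 0;
    for (int i = 0; i < nr; i++) {
        int seen = 0;
        for (int j = 0; j < nl && !seen; j++)
            seen = (strcmp(raw[i], lib[j]) == 0);
        if (!seen) {
            printf("hidden from readdir(): %s/%s\n", path, raw[i]);
            hidden++;
        }
    }
    return hidden;
}

/* /etc/ld.so.preload injects a library into every dynamically linked process.
 * Read it with raw syscalls so a hooked open()/read() cannot conceal it.
 * Returns 1 if the file exists and is non-empty, else 0. */
int preload_file_nonempty(void)
{
    long fd = syscall(SYS_openat, AT_FDCWD, "/etc/ld.so.preload", O_RDONLY);
    if (fd < 0) return 0;
    char c;
    long got = syscall(SYS_read, fd, &c, 1);
    syscall(SYS_close, fd);
    return got > 0;
}

/* Self-check on a constructed directory (three files created here, not data
 * from the report). On a clean host libc and the kernel agree, so this
 * returns 0; a positive value means something is filtering readdir(). */
int check_constructed_dir(void)
{
    char dir[] = "/tmp/preload-check-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    const char *files[] = { "a.txt", "b.txt", ".hidden" };
    char p[512];
    for (int i = 0; i < 3; i++) {
        snprintf(p, sizeof p, "%s/%s", dir, files[i]);
        int fd = open(p, O_WRONLY | O_CREAT, 0600);
        if (fd >= 0) close(fd);
    }
    int hidden = hidden_entries(dir);
    for (int i = 0; i < 3; i++) {
        snprintf(p, sizeof p, "%s/%s", dir, files[i]);
        unlink(p);
    }
    rmdir(dir);
    return hidden;
}

int main(void)
{
    printf("/etc/ld.so.preload non-empty: %d\n", preload_file_nonempty());
    printf("hidden entries in constructed dir: %d\n", check_constructed_dir());
    return 0;
}
```

Two caveats apply. glibc's syscall() wrapper is itself a dynamically resolved symbol, so a preloaded library can interpose it too; build the checker with `-static` so no preloaded object is mapped into it at all. And the diff only catches userland hooks: a kernel-mode component would lie to both paths, so a clean result here rules out libc interposition on that directory, not a rootkit as such.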
