UNC2891 also used Linux bind mounts to hide its backdoor processes, which, at the time, had not been documented in public threat reports, Group-IB said.
The technique is now recognized by MITRE’s ATT&CK framework as T1564.013.
Holy crap. They discovered and successfully implemented a novel technique. That’s impressive af
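A defender-side check for the bind-mount hiding mentioned above, as an added example that is not part of the original post or of the Group-IB report: it parses text in the `/proc/self/mountinfo` format and flags any mount whose mount point is a `/proc/<pid>` directory. It assumes the hidden process's procfs directory is the mount target; the sample lines are constructed and `find_masked_pids` is a hypothetical name.

```python
import re
import sys

# A mount point that sits exactly on a per-process procfs directory.
PROC_PID = re.compile(r"^/proc/(\d+)$")

# Constructed sample in /proc/self/mountinfo format (not from a real host).
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
31 28 0:26 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
412 22 8:1 /srv/placeholder /proc/4242 rw,relatime shared:1 - ext4 /dev/sda1 rw
this line is truncated
"""

def find_masked_pids(mountinfo_text):
    """Return one finding per mount whose mount point is /proc/<pid>."""
    findings = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        try:
            # Six fixed fields, then optional fields terminated by "-",
            # then filesystem type and mount source.
            sep = fields.index("-", 6)
            root, mount_point = fields[3], fields[4]
            fstype, source = fields[sep + 1], fields[sep + 2]
        except (ValueError, IndexError):
            continue  # malformed or truncated line
        match = PROC_PID.match(mount_point)
        if match:
            findings.append({
                "pid": int(match.group(1)),
                "root": root,        # path inside the source filesystem
                "fstype": fstype,
                "source": source,
            })
    return findings

if __name__ == "__main__":
    # Pass a file such as /proc/self/mountinfo; with no argument, scan the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_MOUNTINFO
    for f in find_masked_pids(text):
        print(f"PID {f['pid']} covered by mount: root={f['root']} "
              f"fstype={f['fstype']} source={f['source']}")
```

A process masked this way stays visible to the kernel, so a finding here is worth cross-checking against sources that do not read `/proc/<pid>`, such as audit logs or EDR process telemetry.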