There is certainly malware for Linux including PHP backdoors, rootkits and exploit code. The strategic importance of servers running Linux makes them an attractive target for attackers. Linux computers are more likely to be left unprotected, so that such a compromise might well go unnoticed. The Winnti APT group (aka APT41 or Barium) grew their operations, developed tons of new tools and went for much more complex targets. We believe that this evolved toolset might have been in development since at least 2016.”]
Source: https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/