Tag: linux

43 Attack Reports | 0 Vulnerabilities

Attack reports

Dero miner spreads inside containerized Linux environments

A new Dero mining campaign is infecting containerized Linux environments through exposed Docker APIs. The attack uses two Golang malware components: 'nginx' for propagation and 'cloud' for mining. The 'nginx' malware scans for vulnerable Docker hosts, creates malicious containers, and compromises e…
linux
persistence
cloud
docker
cryptocurrency mining
container security
nginx
2025-05-21
dero
golang malware
port scanning
Published: May 21, 2025
Downloadable IOCs: 3

Dero miner zombies biting through Docker APIs to build a cryptojacking horde

A new Dero mining campaign exploits insecurely published Docker APIs to spread through containerized Linux environments. The attack uses two Golang malware implants: 'nginx' for propagation and 'cloud' for cryptocurrency mining. The 'nginx' malware scans for vulnerable Docker APIs, creates maliciou…
linux
cloud
exploitation
docker
cryptocurrency mining
nginx
2025-05-21
dero
containerized environments
golang malware
Published: May 21, 2025
Downloadable IOCs: 3

Sarcoma Ransomware Unveiled: Anatomy of a Double Extortion Gang

Sarcoma Ransomware, first detected in October 2024, has rapidly become a major cybersecurity threat, targeting high-value companies across industries. It uses advanced tactics like zero-day exploits and RMM tools for network discovery and credential theft. The group has impacted organizations in va…
linux
windows
encryption
chacha20
2025-05-20
hypervisor
sarcoma ransomware
rsa
network propagation
Published: May 20, 2025
Downloadable IOCs: 2

Actionable threat hunting with Threat Intelligence (I) - Hunting malicious desktop files

This analysis explores the detection of malicious .desktop files used by threat actors to infect Linux systems. It explains the structure of these files and how they are manipulated to obfuscate malicious content. The report details the execution process of these files, which often involve opening …
linux
obfuscation
pdf
threat hunting
google drive
2025-05-16
xfce
desktop files
kde
google threat intelligence
gnome
Published: May 16, 2025
Downloadable IOCs: 3

wget to Wipeout: Malicious Go Modules Fetch Destructive Payload

Socket's research team discovered a supply-chain attack targeting Go developers through three malicious modules: prototransform, go-mcp, and tlsproxy. These modules used obfuscation techniques to deliver a disk-wiping payload, exploiting the open nature of Go's ecosystem. The attack leveraged names…
linux
obfuscation
data destruction
2025-05-02
supply-chain attack
disk-wiper
go modules
namespace confusion
Published: May 2, 2025
Downloadable IOCs: 2

Outlaw cybergang attacking targets worldwide

A recent incident response case in Brazil revealed a Perl-based crypto mining botnet called Outlaw, also known as Dota, targeting Linux environments. The threat actor exploits weak SSH credentials, downloads malicious scripts, and deploys an XMRig miner for Monero cryptocurrency. The botnet include…
linux
backdoor
evasion
xmrig
persistence
botnet
irc
ssh
crypto mining
outlaw
2025-04-29
dota
Published: April 29, 2025
Downloadable IOCs: 0

Unmasking the new XorDDoS controller and infrastructure

The XorDDoS trojan, a DDoS malware targeting Linux machines, continues to spread globally with over 70% of attacks targeting the United States from Nov 2023 to Feb 2025. The operators are believed to be Chinese-speaking individuals based on language settings. A new 'VIP version' of the XorDDoS cont…
linux
ddos
xorddos
brute-force
2025-04-17
Published: April 17, 2025
Downloadable IOCs: 0

UNC5174's evolution in China's ongoing cyber warfare: From SNOWLIGHT to VShell

Chinese state-sponsored threat actor UNC5174 has launched a new campaign using SNOWLIGHT malware and VShell, a Remote Access Trojan. The campaign targets Linux systems, employing domain squatting for phishing and social engineering. SNOWLIGHT acts as a dropper for VShell, which resides in memory as…
linux
china
sliver
vshell
2025-04-16
snowlight
Published: April 16, 2025
Downloadable IOCs: 21

HelloKitty Ransomware Resurfaced

The HelloKitty ransomware group, active since late 2020, has resurfaced with new variants in 2024 and potentially 2025. Originally forking from DeathRansom, HelloKitty targets Windows and Linux environments, appending .CRYPTED, .CRYPT, or .KITTY extensions to encrypted files. The group has used mul…
linux
ransomware
hellokitty
2025-04-15
fivehands
Published: April 15, 2025
Downloadable IOCs: 0

Typosquatted Go Packages Deliver Malware Loader Targeting Li...

A malicious campaign is targeting the Go ecosystem with typosquatted packages that install hidden loader malware on Linux and macOS systems. The threat actor has published at least seven packages impersonating popular Go libraries, using array-based string obfuscation to hide malicious commands. Th…
linux
obfuscation
typosquatting
macos
supply-chain-attack
2025-04-04
elf-malware
go-packages
f0eee999
Published: April 4, 2025
Downloadable IOCs: 0

Outlaw Linux Malware: Persistent, Unsophisticated, and Surprisingly Effective

OUTLAW is a persistent Linux malware that uses basic techniques like SSH brute-forcing, SSH key manipulation, and cron-based persistence to maintain a long-lasting botnet. Despite its lack of sophistication, it remains active by leveraging simple but impactful tactics. The malware deploys modified …
linux
xmrig
worm
persistence
botnet
irc
ssh
cryptocurrency mining
brute-force
2025-04-03
outlaw
stealth shellbot
blitz
Published: April 3, 2025
Downloadable IOCs: 87

Auto-Color: An Emerging and Evasive Linux Backdoor

Auto-color is a newly discovered Linux malware that employs sophisticated evasion techniques. It renames itself to benign-looking filenames, hides remote C2 connections using advanced methods similar to Symbiote malware, and uses proprietary encryption for communication. The malware installs a mali…
linux
backdoor
evasion
encryption
government
c2
proxy
universities
reverse shell
2025-02-25
auto-color
library implant
symbiote
Published: February 25, 2025
Downloadable IOCs: 10

You've Got Malware: FINALDRAFT Hides in Your Drafts

While investigating REF7707, Elastic Security Labs discovered a new family of previously unknown malware that leverages Outlook as a communication channel via the Microsoft Graph API. This post-exploitation kit includes a loader, a backdoor, and multiple submodules that enable advanced post-exploit…
linux
powershell
shell
lsass
mimikatz
finaldraft
ref7707
pathloader
2025-02-14
elf
microsoft graph
outlook
elf variant
ntlm hash
pe
updatetask
Published: February 14, 2025
Downloadable IOCs: 9

From South America to Southeast Asia: The Fragile Web of REF7707

While the REF7707 campaign is characterized by a well-engineered, highly capable, novel intrusion set, the campaign owners exhibited poor campaign management and inconsistent evasion practices.
linux
powershell
windows
persistence
siestagraph
certutil
scheduled task
2025-02-12
lolbas
southeast asia
finaldraft
ref7707
guidloader
pathloader
typo squatting
lolbin
remote admin
Published: February 12, 2025
Downloadable IOCs: 40

Chinese Hackers Attacking Linux Devices With New SSH Backdoor

Chinese hackers, specifically the DaggerFly espionage group, are targeting Linux devices with a sophisticated SSH backdoor called ELF/Sshdinjector.A!tr. The Lunar Peek campaign, active since mid-November 2024, primarily focuses on network appliances and IoT devices. The attack involves a dropper th…
linux
iot
c2 server
2025-02-05
ssh backdoor
network appliances
lunar peek campaign
Published: February 5, 2025
Downloadable IOCs: 3

Deep Dive Into a Linux Rootkit Malware

This analysis examines a Linux rootkit malware deployed by remote attackers on a compromised CentOS system. The malware consists of a kernel module (sysinitd.ko) and a user-space binary (sysinitd). The kernel module hijacks inbound network traffic using a Netfilter hook, creates procfs entries for …
linux
rootkit
persistence
remote access
2025-01-14
netfilter
sysinitd.ko
sysinitd
procfs
kernel module
command execution
Published: January 14, 2025
Downloadable IOCs: 3

Warning of a surge in activity associated with FICORA and Kaiten botnets

FortiGuard Labs researchers observed increased activity from two botnets in late 2024: the Mirai variant 'FICORA' and the Kaiten variant 'CAPSAICIN'. Both target vulnerabilities in D-Link devices, particularly through the HNAP interface, allowing remote command execution. The FICORA botnet download…
linux
botnet
CVE-2015-2051
CVE-2024-33112
mirai
2024-12-27
kaiten
d-link
ficora
capsaicin
CVE-2019-10891
CVE-2022-37056
Published: December 27, 2024
Linked vulnerabilities : CVE-2024-33112, CVE-2015-2051, CVE-2022-37056, CVE-2019-10891
Downloadable IOCs: 2

Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack

Two npm packages, @rspack/core and @rspack/cli, were compromised in a supply chain attack, allowing the publication of malicious versions containing cryptocurrency mining malware. The attack targeted specific countries and aimed to execute XMRig cryptocurrency miner on Linux hosts. The malicious ve…
linux
xmrig
npm
crypto mining
2024-12-20
rspack
Published: December 20, 2024
Downloadable IOCs: 1

cShell DDoS Bot Attack Case Targeting Linux SSH Server (screen and hping3)

A new DDoS malware strain named cShell is targeting poorly managed Linux servers through SSH services. The threat actor uses brute force attacks to gain initial access, then installs the cShell bot developed in Go language. cShell exploits Linux tools 'screen' and 'hping3' to perform various DDoS a…
linux
ddos
botnet
ssh
brute-force
2024-12-20
carm
hping3
go-language
cshell
screen
Published: December 20, 2024
Downloadable IOCs: 1

A Deep Dive into TeamTNT and Spinning YARN

TeamTNT is conducting a crypto mining campaign called Spinning YARN, targeting Docker, Redis, YARN, and Confluence. The attack involves server-side scripting vulnerabilities, obfuscated code, and malware deployment. The malware assesses the environment, disables cloud security, establishes persiste…
linux
obfuscation
xmrig
cloud security
docker
yarn
spinning yarn
confluence
2024-12-18
crypto mining
redis
platypus
Published: December 18, 2024
Downloadable IOCs: 35

Unpacking the Diicot Malware Targeting Linux Environments

A new malware campaign attributed to the Romanian-speaking Diicot threat group has been discovered targeting Linux systems. The campaign shows significant advancements compared to previous iterations, including modified UPX headers with corrupted checksums, advanced payload staging, and environment…
malware
linux
openssh
xmrig
persistence
cryptomining
brute-force
2024-12-17
reverse-shell
upx
Published: December 17, 2024
Downloadable IOCs: 36

First UEFI bootkit malware for Linux discovered

A groundbreaking discovery has been made in the realm of cybersecurity: the first UEFI bootkit specifically targeting Linux systems. Named 'Bootkitty,' this proof-of-concept malware marks a significant evolution in stealthy and hard-to-remove bootkit threats. Although currently limited to certain U…
malware
linux
cybersecurity
kernel
2024-11-27
uefi
bootkit
bcdropper
ubuntu
proof-of-concept
bootkitty
bcobserver
Published: November 27, 2024
Downloadable IOCs: 0

Unveiling WolfsBane: Linux counterpart to Gelsevirine

ESET researchers have discovered previously unknown Linux backdoors attributed to the China-aligned Gelsemium APT group. The main backdoor, named WolfsBane, is the Linux equivalent of Gelsemium's Gelsevirine backdoor for Windows. Another backdoor, FireWood, is connected to the group's Project Wood …
linux
backdoor
apt
rootkit
persistence
cyberespionage
2024-11-22
wolfsbane
gelsevirine
project wood
firewood
Published: November 22, 2024
Downloadable IOCs: 41

Helldown Ransomware: an overview of this emerging threat

Helldown is a new and highly active ransomware group that has claimed 31 victims in three months. It employs custom ransomware for Windows and Linux systems, engages in double extortion, and exploits vulnerabilities in Zyxel firewalls for initial access. The group exfiltrates large volumes of data,…
linux
ransomware
windows
data exfiltration
CVE-2024-42057
double extortion
2024-11-20
helldown
emerging threat
zyxel vulnerability
vmware esx
Published: November 20, 2024
Downloadable IOCs: 0

Akira ransomware continues to evolve

Akira ransomware has established itself as a prominent threat, constantly evolving its tactics. Initially employing double-extortion, it shifted focus to data exfiltration in early 2024. The group developed a Rust variant of their ESXi encryptor, moving away from C++. Recently, Akira has returned t…
linux
ransomware
windows
rust
CVE-2024-37085
vulnerability exploitation
akira
CVE-2023-27532
esxi
CVE-2024-40766
CVE-2023-48788
double-extortion
CVE-2024-40711
CVE-2023-20269
2024-10-22
CVE-2020-3259
CVE-2023-20263
chacha8
megazord
Published: October 22, 2024
Linked vulnerabilities : CVE-2024-37085 (CVSS 6.8), CVE-2024-40766 (CVSS 9.8), CVE-2024-40711 (CVSS 9.8), CVE-2023-27532, CVE-2023-20269, CVE-2020-3259, CVE-2023-48788, CVE-2023-20263
Downloadable IOCs: 37

THREAT ANALYSIS: Beast Ransomware

The Beast Ransomware group, active since 2022, offers a Ransomware-as-a-Service (RaaS) platform with constant updates. It supports Windows, Linux, and ESXi systems, providing affiliates with customizable binary options. Beast employs advanced encryption methods, including Elliptic-curve and ChaCha2…
linux
windows
encryption
esxi
raas
2024-10-19
geofencing
file-targeting
multithreading
beast ransomware
self-propagation
monster
Published: October 19, 2024
Downloadable IOCs: 0

New Linux Malware Targeting ATMs for Financial Fraud

A recent analysis reveals a new variant of the FASTCash malware, designed to compromise financial networks by manipulating payment transactions. Developed by threat actors potentially linked to North Korean hacking groups, this Linux version specifically targets Ubuntu 20.04 systems in ATMs. It int…
malware
linux
fraud
fastcash
2024-10-17
financial
transaction
atm
Published: October 17, 2024
Downloadable IOCs: 12

FASTCash for Linux

A newly identified variant of FASTCash "payment switch" malware specifically targets the Linux operating system, as well as Microsoft Windows, according to CISA and the Department of Homeland Security (DHS).
malware
linux
windows
code
cisa
2024-10-15
bluenoroff
fastcash
linux variant
ubuntu linux
atms
lira
linux sample
atmpos
triton
format
aix
Published: October 15, 2024
Downloadable IOCs: 12

Lynx Ransomware: A Rebranding of INC Ransomware

Lynx ransomware, discovered in July 2024, is a successor to INC ransomware targeting organizations in retail, real estate, architecture, and financial services in the U.S. and UK. It shares significant source code with INC and operates as a ransomware-as-a-service model. Lynx employs double extorti…
linux
ransomware
windows
encryption
data leak
raas
double extortion
2024-10-14
lynx ransomware
inc ransomware
Published: October 14, 2024
Downloadable IOCs: 44

From Perfctl to InfoStealer

A new stealthy Linux malware called perfctl has been analyzed. The malware runs two processes: perfctl and a disguised process mimicking known Linux processes. It uses Tor for external communications and local sockets for inter-process communication. After 30 minutes, the attacker drops scripts to …
malware
linux
rootkit
cryptominer
data exfiltration
stealth
perfctl
2024-10-09
trufflehog
Published: October 9, 2024
Downloadable IOCs: 3

perfctl: A Stealthy Malware Targeting Millions of Linux Servers

A sophisticated Linux malware named 'perfctl' has been actively targeting millions of servers worldwide for the past 3-4 years. It exploits over 20,000 types of misconfigurations to compromise Linux systems. The malware employs advanced evasion techniques, including rootkits, process masquerading, …
linux
rootkit
evasion
privilege-escalation
persistence
cryptomining
CVE-2023-33246
2024-10-04
tor
CVE-2021-4043
proxy-jacking
perfctl
Published: October 4, 2024
Linked vulnerabilities : CVE-2023-33246, CVE-2021-4034, CVE-2021-4043
Downloadable IOCs: 9

OSINT Investigation: Hunting Malicious Infrastructure Linked to Transparent Tribe

This investigation tracked infrastructure linked to the APT group Transparent Tribe, identifying 15 malicious hosts on DigitalOcean serving as command-and-control servers for the Mythic exploitation framework. The group employs Linux desktop entry files as an attack vector, targeting individuals in…
linux
india
c2
poseidon
mythic
2024-09-30
apt36
desktop entry
osint
digitalocean
jarm
Published: September 30, 2024
Downloadable IOCs: 19

Hadooken Malware Targets Weblogic Applications

Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
linux
backdoor
cryptocurrency
mallox
lateral movement
tsunami
2024-09-13
weblogic
hadooken
Published: September 13, 2024
Downloadable IOCs: 4

Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401

A critical security flaw in the Open Geospatial Consortium (OGC) GeoServer server has been exploited by cyber-attackers to gain control of vulnerable systems, according to FortiGuard Labs.
linux
mirai
urls
2024-09-10
condi
geoserver
fundamentals
Published: September 10, 2024
Downloadable IOCs: 75

Unveiling sedexp: A Stealthy Linux Malware Exploiting udev Rules

Stroz Friedberg discovered sedexp, a stealthy Linux malware that utilizes udev rules to achieve persistence and evade detection. It provides reverse shell capabilities and advanced concealment tactics. Employed by a financially motivated threat actor, sedexp hides credit card scraping code, indicat…
linux
evasion
persistence
2024-08-23
reverse shell
sedexp
concealment
Published: August 23, 2024
Downloadable IOCs: 3

Akira Ransomware Targets the LATAM Airline Industry

An in-depth analysis examined a threat actor utilizing Akira ransomware to compromise a Latin American airline. The attacker gained initial network access via SSH, exploiting a vulnerability in Veeam backup software, and subsequently exfiltrated critical data before deploying the ransomware payload…
linux
ransomware
exfiltration
akira
CVE-2023-27532
2024-07-16
ssh
backup
Published: July 16, 2024
Linked vulnerabilities : CVE-2023-27532, CVE-2023-20269, CVE-2020-3259
Downloadable IOCs: 2

Turning Jenkins Into a Cryptomining Machine From an Attacker's Perspective

This report analyzes how threat actors can exploit misconfigured Jenkins servers to execute malicious Groovy scripts, leading to activities like deploying cryptocurrency miners. Misconfigurations exposing the /script endpoint allow remote code execution, enabling attackers to run scripts that downl…
linux
cryptominer
2024-07-05
groovy language
jenkins script console
Published: July 5, 2024
Downloadable IOCs: 4

DISGOMOJI Malware Used to Target Indian Government

Volexity identified a cyber-espionage campaign by a suspected Pakistan-based threat actor tracked as UTA0137 targeting government entities in India. The campaign leveraged the DISGOMOJI malware, a Golang-based Linux trojan that uses Discord for command and control via emojis. Key capabilities inclu…
linux
espionage
india
discord
2024-06-18
golang
privilege escalation
disgomoji
CVE-2022-0847
Published: June 18, 2024
Linked vulnerabilities : CVE-2024-3400, CVE-2022-0847
Downloadable IOCs: 149

Kiteshield Packer is Being Abused by Linux Cyber Threat Actors

This analysis uncovers the use of Kiteshield packer by various cybercriminal groups to evade detection on Linux platforms. The researchers reverse-engineered samples from APT group Winnti, cybercrime group DarkMosquito, and a script kiddie operation, revealing Kiteshield's anti-debugging techniques…
linux
2024-05-29
gafgyt
winnti
packer
Published: May 29, 2024
Downloadable IOCs: 4

Springtail: New Linux Backdoor Added to Toolkit

Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
malware
linux
backdoor
2024-05-16
troll stealer
gobear
southkorea
northkorea
linux.gomir
Published: May 16, 2024
Downloadable IOCs: 20

Ebury is alive but unseen: 400k Linux servers compromised for cryptotheft and financial gain

The Ebury malware gang is continuing to expand, with hundreds of thousands of servers compromised and used to steal cryptocurrency and credit card data, according to a paper published by ESET Research on 14 May 2024.
linux
bitcoin
2024-05-15
2024-05-10
apache
ebury
windigo
apachemodule
Published: May 15, 2024
Downloadable IOCs: 141

New Goldoon Botnet Targeting D-Link Devices

In April 2024, FortiGuard Labs observed a new botnet exploiting a nearly decade-old D-Link vulnerability to take control of devices and incorporate them into a botnet used to launch attacks. The malware, named Goldoon, establishes persistence and connects to a C2 server to receive commands, includi…
linux
ddos
2024-05-03
iot
botnet
router
CVE-2015-2051
goldoon
Published: May 3, 2024
Linked vulnerabilities : CVE-2015-2051
Downloadable IOCs: 24

Linux Trojan - Xorddos with Filename eyshcjdmzg

This analysis examines a recurring Linux trojan called Xorddos, which is a distributed denial-of-service (DDoS) malware. It provides details on various file hashes associated with the malware, as well as indicators of compromise (IOCs) such as IP addresses, domains, and email addresses. The analysi…
linux
phishing
trojan
ddos
xorddos
eyshcjdmzg
Published: May 1, 2024
Downloadable IOCs: 11
Click here to see more Attack Reports