E: we have a duplicate: https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group E: we have a duplicate: https://twitter.com/Unit42_Intel/status/1653760405792014336

linux-malware

Rolling 7 day view of updates from this repo

Submissions?

Press/academia

• https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ (#19) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
• https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/ (#638) - Resource Development, Impact, attack:T1486:Data Encrypted for Impact, https://github.com/timb-machine/linux-malware/issues/644, uses:CrossCompiled, LockBit, Linux, Internal specialist services
• https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf (#23) - various SSH, Bonadan, Kessel, Chandrila
• https://blog.trendmicro.com/trendlabs-security-intelligence/unix-a-game-changer-in-the-ransomware-landscape/ (#35)
• https://www.linuxexperten.com/library/e-resources/linux-malware-ever-growing-list-2023 (#622) - Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, Linux
• https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (#422) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris
• https://www.fireeye.com/blog/threat-research/2021/09/elfant-in-the-room-capa-v3.html (#34)
• https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ (#22) - AgeLocker, WellMail, TrickBot, IPStorm, Turla, QNAPCrypt, Carbanak
• https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf (#101) - Defense Evasion, Command and Control, Exfiltration, Impact, attack:T1486:Data Encrypted for Impact, XMRig, Hello Kitty, https://github.com/timb-machine/linux-malware/issues/546, REvil, DarkSide, BlackMatter, Defray777, ViceSociety, Erebus, GonnaCry, eChoraix, Sysrv, TeamTNT, Mexalz, Omelette, WatchDog, Kinsing, Cobalt Strike, Vermillion Strike, Merlin, https://github.com/timb-machine/linux-malware/issues/545, https://github.com/timb-machine/linux-malware/issues/547, RedXOR, https://github.com/timb-machine/linux-malware/issues/548, ACBackdoor, https://github.com/timb-machine/linux-malware/issues/549, ELF_Plead, Linux, VMware, Internal enterprise services, Internal specialist services
• https://en.wikipedia.org/wiki/Mirai_(malware) (#18) - Initial Access, Persistence, Defense Evasion, Credential Access, Discovery, Lateral Movement, Impact, Mirai
• https://github.com/CiscoCXSecurity/presentations/raw/master/The%20UNIX%20malware%20landscape%20-%20Reviewing%20the%20goods%20at%20MALWAREbazaar%20v5.pdf (#448)
• https://malpedia.caad.fkie.fraunhofer.de/ (#29)
• https://ieeexplore.ieee.org/document/8418602 (#25)
• https://www.zdnet.com/article/hacker-exposes-thousands-of-insecure-desktops-that-anyone-can-remotely-view/ (#33)
• https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations (#32)
• https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Dumont-H-Porcher-dark_side_of_the_forsshe.pdf (#24) - various SSH, Bonadan, Kessel, Chandrila
• https://reyammer.io/publications/2018_oakland_linuxmalware.pdf (#28)
• https://wikileaks.org/vault7/ (#31)
• http://s3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf (#27)
• https://gist.github.com/vlamer/2c2ec2ca80a84ab21a32 (#26)
• https://rp.os3.nl/ (#30)
• https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html (#37)
• https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf (#21) - WINNTI
• https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf (#417) - LootRat, PLEAD, TSCookie, RotaJakiro1, Red Djinn, Red Nue, Scarlet Joke, Ocean Lotus, APT32, Linux
• https://securelist.com/top-10-unattributed-apt-mysteries/107676/ (#552) - Metador, Plexing Eagle, wltm, Linux, Solaris, Telecomms
• https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/ (#40)
• https://en.wikipedia.org/wiki/Linux_malware (#17) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, DarkSide
• https://spectrum.ieee.org/amp/mirai-botnet-2659993631 (#676) - Initial Access, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1498:Network Denial of Service, attack:T1499:Endpoint Denial of Service, Mirai, Linux, Consumer
• https://www.darkreading.com/attacks-breaches/blackcat-purveyor-shows-ransomware-operators-have-nine-lives (#41) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512
• https://www.group-ib.com/resources/threat-research/oldgremlin.html (#573) - Impact, OldGremlin, Linux
• https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf (#20) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, LaZagne, Dalcs, Mirai, Gafgyt, Tsunami, IPStorm, Wellmess, FritzFrog, Linux

In the wild

Breach reports

• https://twitter.com/1ZRR4H/status/1560662815400407040 (#507) - Initial Access, Peer2Profit, Linux
• https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm (#42) - GoDaddy
• http://securelist.com/backdoored-free-download-manager-linux-malware/110465/ (#766) - Initial Access, https://github.com/timb-machine/linux-malware/issues/765, Linux
• https://github.com/mttaggart/I-S00N (#799) - Persistence, Reptile, APT41, Linux, AIX, Solaris, HP-UX
• https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ (#446) - Initial Access, Linux
• https://www.freedownloadmanager.org/blog/?p=664 (#765) - Initial Access, https://github.com/timb-machine/linux-malware/issues/766, Linux
• https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677) - Reconnaissance, Initial Access, Persistence, Defense Evasion, Discovery, Collection, Impact, attack:T1593:Search Open Websites/Domains, attack:T1190:Exploit Public-Facing Application, attack:T1078.004:Cloud Accounts, attack:T1526:Cloud Service Discovery, attack:T1619:Cloud Storage Object Discovery, attack:T1069:Permission Groups Discovery, attack:T1069.003:Cloud Groups, attack:T1602:Data from Configuration Repository, attack:T1213.003:Code Repositories, attack:T1098:Account Manipulation, attack:T1098.003:Additional Cloud Roles, attack:T1136:Create Account, attack:T1136.003:Cloud Account, attack:T1036:Masquerading, attack:T1021.004:SSH, attack:T1578:Modify Cloud Compute Infrastructure, attack:T1578.002:Create Cloud Instance, attack:T1525:Implant Internal Image, attack:T1496:Resource Hijacking, GUI-vil, Linux, Hosting, Cloud hosted services

Supply chain attacks

• https://lwn.net/Articles/371110/ (#291) - e107 CMS
• https://www.webmin.com/exploit.html (#43) - Webmin
• https://portswigger.net/daily-swig/homebrew-bug-allowed-researcher-full-access-to-github-repos (#290) - Homebrew
• https://www.aldeid.com/wiki/Exploits/proftpd-1.3.3c-backdoor (#44) - ProFTPd
• https://portswigger.net/daily-swig/backdoor-planted-in-php-git-repository-after-server-hack (#48) - PHP
• https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html (#49) - VsFTPd
• https://github.com/canonical-websites/snapcraft.io/issues/651 (#296) - Snapcraft
• https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor/ (#45) - UnrealIRCd
• https://lists.archlinux.org/pipermail/aur-general/2018-July/034169.html (#523) - https://github.com/timb-machine/linux-malware/issues/525, wltm, Linux
• https://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155 (#46) - Horde Webmail
• https://www.heise.de/security/meldung/Achtung-Anzeigen-Server-OpenX-enthaelt-eine-Hintertuer-1929769.html (#295) - OpenX
• https://blog.sonatype.com/newly-found-npm-malware-mines-cryptocurrency-on-windows-linux-macos-devices (#294) - Impact, delivery:NPM, uses:JavaScript, attack:T1195.001:Compromise Software Dependencies and Development Tools, wltm
• https://securelist.com/beware-of-backdoored-linux-mint-isos/73893/ (#543) - Initial Access, Command and Control, Impact, Tsunami, Kaiten, Linux
• https://arstechnica.com/information-technology/2012/09/questions-abound-as-malicious-phpmyadmin-backdoor-found-on-sourceforge-site/ (#47) - PHPMyAdmin
• https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero (#495) - Impact, delivery:PyPI, uses:Python, attack:T1620:Reflective Code Loading, attack:T1070.004:File Deletion, attack:T1195.001:Compromise Software Dependencies and Development Tools, wltm, Linux
• https://lirantal.medium.com/a-snyks-post-mortem-of-the-malicious-event-stream-npm-package-backdoor-40be813022bb (#293) - event-stream
• https://news.ycombinator.com/item?id=17501379 (#525) - Linux
• https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain/ (#289) - "Octopus Scanner" (Netbeans) attack
• https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/ (#787) - Initial Access, Discovery, Command and Control, uses:npm, attack:T1195.001:Compromise Software Dependencies and Development Tools, attack:T1082:System Information Discovery, Linux
• http://www.h-online.com/open/news/item/MyBB-downloads-were-infected-1366300.html (#292) - MyBB

Malware reports

• https://www.trendmicro.com/en_us/research/21/j/actors-target-huawei-cloud-using-upgraded-linux-malware-.html (#383)
• https://www.cadosecurity.com/legion-an-aws-credential-harvester-and-smtp-hijacker/ (#679) - Initial Access, Persistence, Impact, Legion, wltm, Linux, Cloud hosted services
• https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf (#100) - Cyclops Blink
• https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (#803) - Defense Evasion, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, uses:Non-persistentStorage, attack:T1070.006:Timestomp, attack:T1070.004:File Deletion, BPFDoor, /malware/binaries/BPFDoor, wltm, Linux
• https://www.kroll.com/en/insights/publications/cyber/inside-the-systembc-malware-server (#784) - Command and Control, Exfiltration, uses:PHP, attack:T1090:Proxy, attack:T1071.001:Web Protocols, SystemBC, Linux
• https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html (#442) - Impact, attack:T1486:Data Encrypted for Impact, Cheerscrypt, https://github.com/timb-machine/linux-malware/issues/544, Linux, VMware, Internal enterprise services, Internal specialist services
• https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group (#544) - Initial Access, Discovery, Lateral Movement, Collection, Impact, attack:T1486:Data Encrypted for Impact, Cheerscrypt, Emperor Dragonfly, Linux, VMware
• https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html (#58) - Mirai (by malwaremustdie.org)
• https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys/ (#680) - Initial Access, Persistence, Androxgh0st, wltm, Linux, Cloud hosted services
• https://www.gosecure.net/blog/2018/02/14/chaos-a-stolen-backdoor-rising/ (#395) - uses:Go, Chaos (sebd), /malware/binaries/Chaos
• https://twitter.com/tolisec/status/1507854421618839564 (#116) - Impact, KinSing
• https://blogs.vmware.com/security/2021/09/hellokitty-the-victims-perspective.html (#546) - Impact, attack:T1486:Data Encrypted for Impact, wltm, Linux
• https://zhuanlan.zhihu.com/p/348960748 (#403) - Impact, Command and Control, Lateral Movement, Persistence, Cloud Shovel
• https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html (#614) - Command and Control, Persistence, SysUpdate, IronTiger
• https://twitter.com/IntezerLabs/status/1338480158249013250 (#301) - Promotei
• https://imgur.com/a/5vPEc (#74) - ChinaZ (by malwaremustdie.org)
• https://blog.sekoia.io/walking-on-apt31-infrastructure-footprints/ (#478) - https://github.com/timb-machine/linux-malware/issues/480, Rekoobe, TSH, https://github.com/timb-machine/linux-malware/issues/481, APT31, Linux
• https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (#643) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, attack:T1573:Encrypted Channel, attack:T1106:Native API, attack:T1059.004: Unix Shell, attack:T1070.004:File Deletion, attack:T1036.004:Masquerade Task or Service, attack:T1070.006:Timestomp, uses:RedirectionToNull, uses:Non-persistentStorage, attack:T1036.005:Match Legitimate Name or Location, uses:ProcessTreeSpoofing, attack:T1562.004:Disable or Modify System Firewall, BPFDoor, /malware/binaries/BPFDoor, Unix.Backdoor.RedMenshen, Linux, Solaris
• https://imgur.com/a/H7YuWuj (#356) - SystemTen (by malwaremustdie.org)
• https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ (#655) - Initial Access, Persistence, Privilege Escalation, attack:T1566.001:Spearphishing Attachment, attack:T1546.004:Unix Shell Configuration Modification, uses:RedirectionToNull, uses:Go, wltm, OdicLoader, SimplexTea, Lazarus, Linux
• https://twitter.com/xnand_/status/1676336329985077249 (#710) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, https://github.com/timb-machine/linux-malware/issues/711, https://github.com/timb-machine/linux-malware/issues/724, Linux
• https://old.reddit.com/r/LinuxMalware/comments/gdte0m/linuxkaiji/ (#340) - Kaiji (by malwaremustdie.org)
• https://securelist.com/the-penquin-turla-2/67962/ (#593) - Persistence, Defense Evasion, Command and Control, Penquin, Turla, Linux
• https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439) - Initial Access, Credential Access, Impact, attack:T1078:Valid Accounts, attack:T1100:Brute Force, attack:T1498:Network Denial of Service, attack:T1053.003:Cron, attack:T1105:Ingress Tool Transfer, attack:T1027:Obfuscated Files or Information, attack:T1014:Rootkit, attack:T1082:System Information Discovery, attack:T1003.007:Proc Filesystem, attack:T1562.001:Disable or Modify Tools, attack:T1037.004:RC Scripts, attack:T1070.004:File Deletion, attack:T1036.005:Match Legitimate Name or Location, uses:Non-persistentStorage, uses:ioctl, uses:PortHiding, https://github.com/timb-machine/linux-malware/issues/129, uses:ProcessTreeSpoofing, XorDDoS, Rooty, Linux
• https://news.drweb.com/show/?i=14646&lng=en&c=23 (#602) - Initial Access, Command and Control, WordPressExploit, Linux
• https://twitter.com/malwaremustd1e/status/1265321238383099904 (#317) - Gafgyt (by malwaremustdie.org)
• https://www.cisa.gov/news-events/analysis-reports/ar23-209b (#730) - Command and Control, https://github.com/timb-machine/linux-malware/issues/729, SEASPY, wltm, Linux
• https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/ (#360) - Rhombus (by malwaremustdie.org)
• https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability (#337) - Impact, Persistence, Impact, KinSing
• https://ultimacybr.co.uk/2023-10-04-Sysrv/ (#767) - Persistence, Defense Evasion, Impact, attack:T1496:Resource Hijacking, uses:Go, Sysrv, Linux
• https://blog.xlab.qianxin.com/mirai-tbot-en/ (#788) - Initial Access, Command and Control, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1133:External Remote Services, attack:T1078:Valid Accounts, attack:T1498:Network Denial of Service, attack:T1027:Obfuscated Files or Information, Mirai, TBOT, Linux, IOT
• https://blog.talosintelligence.com/2018/06/vpnfilter-update.html (#54) - VPNFilter
• https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (#321) - Execution, Persistence, Privilege Escalation, Command and Control, Exfiltration, Impact, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1573:Encrypted Channel, attack:T1071.001:Web Protocols, attack:T1053.003:Cron, attack:T1486:Data Encrypted for Impact, DarkSide, UNC2628, UNC2659, UNC2465, Linux
• https://csirt.egi.eu/attacks-on-multiple-hpc-sites/ (#376) - HPC
• https://sansec.io/research/cronrat (#399) - Defense Evasion, Command and Control, uses:Non-persistentStorage, attack:T1053.003:Cron, attack:T1027:Obfuscated Files or Information, attack:T1001.003:Protocol Impersonation, attack:T1036.005:Match Legitimate Name or Location, vertical:Retail, CronRAT, wltm, Linux
• https://xorl.wordpress.com/2022/06/22/the-forgotten-suaveeyeful-freebsd-software-implant-of-the-equation-group/ (#474) - Linux, FreeBSD
• https://imgur.com/a/lAQ1tMQ (#78) - HelloBot (by malwaremustdie.org)
• https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github (#97) - Botenago
• https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (#618) - Persistence, Defense Evasion, uses:Go, attack:T1554:Compromise Client Software Binary, attack:T1546.004:Unix Shell Configuration Modification, attack:T1053.003:Cron, attack:T1543.002:Systemd Service, attack:T1037:Boot or Logon Initialization Scripts, Chaos, /malware/binaries/Chaos, Linux
• https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/ (#566) - Impact, XMRig, Sysrv, wltm, Linux
• https://blog.malwarebytes.com/cybercrime/2022/03/a-new-rootkit-comes-to-an-atm-near-you/ (#120) - CAKETAP, UNC2891, Solaris
• https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (#527) - Defense Evasion, Discovery, Execution, Persistence, Privilege Escalation, attack:T1036.005:Match Legitimate Name or Location, attack:T1059:Command and Scripting Interpreter, attack:T1569:System Service, attack:T1569.002:Service Execution, attack:T1543:Create or Modify System Process, attack:T1027:Obfuscated Files or Information, uses:Non-persistentStorage, attack:T1057:Process Discovery, attack:T1070.004:File Deletion, attack:T1546.004:Unix Shell, exploit:CVE-2021-3493, exploit:CVE-2021-4034, https://github.com/timb-machine/linux-malware/issues/510, Shikitega, /malware/binaries/Shikitega, XMRig, Linux
• https://imgur.com/a/MuHSZtC (#81) - Mandibule (by malwaremustdie.org)
• https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/ (#526) - Metador, wltm, Linux
• https://imgur.com/a/57uOiTu (#80) - DDoSMan (by malwaremustdie.org)
• https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (#658) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, attack:T1573:Encrypted Channel, attack:T1106:Native API, BPFDoor, /malware/binaries/BPFDoor, Linux
• https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (#434) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
• https://mp-weixin-qq-com.translate.goog/s/pd6fUs5TLdBtwUHauclDOQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp (#588) - Persistence, Defense Evasion, Command and Control, attack:T1027:Obfuscated Files or Information, caja, wltm, Linux
• https://imgur.com/a/4YxuSfV (#79) - Cayosin (by malwaremustdie.org)
• http://it.rising.com.cn/fanglesuo/19851.html (#96) - SFile
• https://atdotde.blogspot.com/2020/05/high-performance-hackers.html (#377) - HPC
• https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign (#727) - Initial Access, Command and Control, Impact, XMRig, Linux
• https://id-ransomware.blogspot.com/2021/11/polaris-ransomware.html (#398) - Polaris
• https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (#770) - Initial Access, Persistence, Defense Evasion, Impact, uses:ProcessTreeSpoofing, uses:TamperedPS, uses:Python, attack:T1140:Deobfuscate/Decode Files or Information, attack:T1496:Resource Hijacking, attack:T1547.006:Kernel Modules and Extensions, attack:T1574.006:Dynamic Linker Hijacking, XHide, XMRig, Diamorphine, libprocesshider, Kiss-a-Dog, Linux, Cloud hosted services
• https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt (#320) - Gafgyt
• https://www.trendmicro.com/en_gb/research/19/f/cryptocurrency-mining-botnet-arrives-through-adb-and-spreads-through-ssh.html (#55) - CoinMiner
• https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/ (#459) - Persistence, Defense Evasion, Linux
• https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html (#336) - PLEAD
• https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html (#789) - Defense Evasion, Discovery, Command and Control, attack:T1090:Proxy, uses:ProcessTreeSpoofing, attack:T1027:Obfuscated Files or Information, attack:T1082:System Information Discovery, SprySOCKS, Mandibule, https://github.com/timb-machine/linux-malware/issues/170, Earth Lusca, Linux
• https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (#623) - Initial Access, Defense Evasion, Command and Control, Impact, attack:T1105:Ingress Tool Transfer, attack:T1071.001:Web Protocols, attack:T1071.002:File Transfer Protocol, attack:T1499:Endpoint Denial of Service, attack:T1480:Execution Guardrails, HinataBot, Linux, Consumer
• https://www.cisa.gov/news-events/analysis-reports/ar23-209a (#731) - Persistence, https://github.com/timb-machine/linux-malware/issues/729, SUBMARINE, wltm, Linux
• https://twitter.com/malwaremustd1e/status/1251758225919115264 (#361) - Persistence, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux
• https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html (#63) - https://github.com/timb-machine/linux-malware/issues/134, SLAPSTICK, LightBasin, UNC1945, Solaris
• https://twitter.com/billyleonard/status/1458531997576572929 (#480) - Rekoobe, TSH, TINYSHELL, https://github.com/timb-machine/linux-malware/issues/481, APT31, Linux
• https://asec.ahnlab.com/en/45182/ (#603) - Defense Evasion, attack:T1027.009:Embedded Payloads, uses:SHC, Linux
• https://twitter.com/malwaremustd1e/status/1264417940742389762 (#316) - Gafgyt (by malwaremustdie.org)
• https://twitter.com/IntezerLabs/status/1272915284148531200 (#341) - Lazarus
• https://old.reddit.com/r/LinuxMalware/comments/f26amt/new_systemten_botnet_miner_threat_now_wother/ (#357) - SystemTen (by malwaremustdie.org)
• https://asec.ahnlab.com/en/54647/ (#707) - Defense Evasion, Credential Access, Command and Control, Impact, attack:T1110:Brute Force, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1496:Resource Hijacking, attack:T1498:Network Denial of Service, uses:IRC, XMRig, ShellBot, MIG Logcleaner, https://github.com/timb-machine/linux-malware/issues/154, Tsunami, Kaiten, 0x333shadow Log Cleaner, https://github.com/timb-machine/linux-malware/issues/706, ChinaZ, Linux
• https://imgur.com/a/vS7xV (#75) - CarpeDiem (by malwaremustdie.org)
• https://www.intezer.com/blog/malware-analysis/linux-rekoobe-operating-with-new-undetected-malware-samples/ (#479) - Rekoobe, APT31, Linux
• https://blog.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies (#496) - Impact, attack:T1486:Data Encrypted for Impact, region:South Korea, vertical:Pharmaceutical, Gwisin, wltm, Linux, VMware, Industrial, Internal specialist services
• https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ (#750) - Initial Access, Persistence, Defense Evasion, Command and Control, Impact, attack:T1547.006:Kernel Modules and Extensions, SkidMap, Linux
• https://cujo.com/iot-malware-journals-prometei-linux/ (#300) - Promotei
• https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ (#117) - AcidRain
• https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor (#547) - Command and Control, Exfiltration, uses:LD_PRELOAD, wltm, Linux
• https://www.sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/ (#402) - Cloud Shovel
• https://permiso.io/blog/s/legion-mass-spam-attacks-in-aws/ (#681) - Persistence, Impact, Legion, wltm, Linux, Cloud hosted services
• https://mp.weixin.qq.com/s/BSfKTlMlOnNlsWKjV1NM8w (#394) - NAMO
• https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (#510) - Execution, Persistence, Defense Evasion, attack:T1036.005:Match Legitimate Name or Location, attack:T1059:Command and Scripting Interpreter, attack:T1569:System Service, attack:T1569.002:Service Execution, attack:T1543:Create or Modify System Process, attack:T1027:Obfuscated Files or Information, uses:Non-persistentStorage, attack:T1057:Process Discovery, attack:T1070.004:File Deletion, attack:T1546.004:Unix Shell, exploit:CVE-2021-3493, Shikitega, /malware/binaries/Shikitega, Linux
• https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html (#59) - Mirai (by malwaremustdie.org)
• https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware (#639) - Command and Control, AP36, Transparent Tribe, Poseidon, Linux
• https://blog.polyswarm.io/lightning-framework (#506) - Lightning, /malware/binaries/Lightning, Linux
• https://twitter.com/Unit42_Intel/status/1653760405792014336 (#695) - Impact, BlackSuit, Linux
• https://conference.hitb.org/hitbsecconf2017ams/materials/D2T4%20-%20Emmanuel%20Gadaix%20-%20A%20Surprise%20Encounter%20With%20a%20Telco%20APT.pdf (#551) - Defense Evasion, Collection, Command and Control, Impact, vertical:Telecomms, uses:Perl, Plexing Eagle, Solaris, Telecomms, Internal specialist services
• https://www.mandiant.com/resources/unc3524-eye-spy-email (#414) - Resource Development, Persistence, Defense Evasion, Lateral Movement, attack:T1021.004:SSH, attack:T1027:Obfuscated Files or Information, attack:T1037.004:RC Scripts, attack:T1584:Compromise Infrastructure, QUIETEXIT, unc3524, Linux, IOT, Internal enterprise services, Device agent/gateway deployment
• https://www.virusbulletin.com/virusbulletin/2014/07/mayhem-hidden-threat-nix-web-servers (#382) - Mayhem
• https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (#678) - Reconnaissance, Initial Access, Persistence, Privilege Escalation, Defense Evasion, attack:T1594:Search Victim-Owned Websites, attack:T1589:Gather Victim Identity Information, attack:T1589.001:Credentials, attack:T1133:External Remote Services, attack:T1078:Valid Accounts, Legion, wltm, Linux, Cloud hosted services
• https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html (#366) - AirDropBot (by malwaremustdie.org)
• https://honeynet.onofri.org/scans/scan13/som/som5.txt (#389) - Luckscan, UNC1945
• https://twitter.com/IntezerLabs/status/1288487307369222145 (#331) - TrickBot
• https://asec.ahnlab.com/en/49769/ (#624) - Initial Access, Command and Control, Impact, attack:T1078:Valid Accounts, attack:T1071.001:Web Protocols, attack:T1499:Endpoint Denial of Service, attack:T1105:Ingress Tool Transfer, ShellBot, Linux, Consumer
• https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/ (#52) - GodLua
• https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/ (#327) - TeamTNT, Mimipenguin
• https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf (#370) - Kobalos, #bsd, #solaris, #aix
• https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (#720) - Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Impact, attack:T1496:Resource Hijacking, attack:T1608:Stage Capabilities, attack:T1053.003:Cron, attack:T1027.002:Software Packing, attack:T1543.002:Systemd Service, attack:T1037.004:RC Scripts, attack:T1574.006:Dynamic Linker Hijacking, attack:T1036.005:Match Legitimate Name or Location, attack:T1190:Exploit Public-Facing Application, attack:T1110:Brute Force, uses:KillCompetition, XMRig, Rocke, Linux
• https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/ (#91) - Muhstik
• https://twitter.com/cyb3rops/status/1523227511551033349 (#425) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/418, DecisiveArchitect, Linux
• https://vms.drweb.com/virus/?i=21004786 (#433) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
• https://www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spam-servers/ (#68) - Mumblehard
• https://imgur.com/a/a6RaZMP (#87) - Honda Car's Panel's Rootkit from China #Android (by malwaremustdie.org)
• https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/ (#690) - Command and Control, attack:T1572:Protocol Tunneling, ChamelDoh, wltm, ChamelGang, Linux
• https://honeynet.onofri.org/scans/scan13/som/som13.txt (#385) - Luckscan, UNC1945
• https://analyze.intezer.com/files/9b48822bd6065a2ad2c6972003920f713fe2cb750ec13a886efee7b570c111a5 (#106) - Specter, SideWalk, StageClient, wltm
• https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ (#297) - FreakOut
• https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html (#501) - Initial Access, Command and Control, uses:MiMi, uses:ElectronJS, rshell, wltm, Iron Tiger, Emissary Panda, APT27, Bronze Union, LuckyMouse, Linux, Collaboration across enterprise boundaries, Device application sandboxing
• https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/ (#444) - EnemyBot, Linux
• https://cybersecurity.att.com/blogs/labs-research/internet-of-termites (#517) - Command and Control, Exfiltration, Termite, EarthWorm, Earthwrom, Linux
• https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (#452) - Persistence, Defense Evasion, Command and Control, attack:T1205:Traffic Signaling, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1556.003:Pluggable Authentication Modules, attack:T1574.006:Dynamic Linker Hijacking, https://github.com/timb-machine/linux-malware/issues/460, Symbiote, Linux
• https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (#686) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, Linux
• https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analysis (#393) - Conti
• https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/ (#110) - b1txor20
• https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool (#405) - attack:T1205.002:Socket Filters, ebpfkit
• https://twitter.com/CraigHRowland/status/1628883826738077696/photo/1 (#612) - Defense Evasion, Persistence, attack:T1547.006:Kernel Modules and Extensions
• https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/ (#307) - QNAPCrypt, eCh0raix
• https://old.reddit.com/r/LinuxMalware/comments/a66dsz/ddostf_still_lurking_arm_boxes/ (#72) - DDoSTF (by malwaremustdie.org)
• https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/ (#350) - Stantinkos
• https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (#700) - Persistence, Defense Evasion, Credential Access, Discovery, Impact, attack:T1110:Brute Force, uses:SHC, attack:T1057:Process Discovery, attack::T1003.008:/etc/passwd and /etc/shadow, attack:T1098.004:SSH Authorized Keys, attack:T1556:Modify Authentication Process, Reptile, https://github.com/timb-machine/linux-malware/issues/171, Diamorphine, https://github.com/timb-machine/linux-malware/issues/217, ZiggyStarTux, https://github.com/timb-machine/linux-malware/issues/701, Linux, IOT, Consumer
• https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (#716) - Defense Evasion, Credential Access, Discovery, Command and Control, attack:T1110.003:Password Spraying, attack:T1057:Process Discovery, attack:T1082:System Information Discovery, attack:T1480.001:Environmental Keying, attack:T1573:Encrypted Channel, AVrecon, https://github.com/timb-machine/linux-malware/issues/717, Linux, IOT
• https://twitter.com/IntezerLabs/status/1291355808811409408 (#346) - Carbanak
• https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (#604) - Initial Access, attack:T1190:Exploit Public-Facing Application, attack:T1078.001:Default Accounts, KinSing, Linux
• https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/ (#311) - HelloKitty
• https://www.cadosecurity.com/redis-p2pinfect/ (#741) - Initial Access, Linux
• https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (#468) - Persistence, Defense Evasion, uses:LD_PRELOAD, attack:T1574.006:Dynamic Linker Hijacking, attack:T1548.001:Setuid and Setgid, attack:T1556.003:Pluggable Authentication Modules, attack:T1027:Obfuscated Files or Information, attack:T1082:System Information Discovery, attack:T1562.001:Disable or Modify Tools, attack:T1003.007:Proc Filesystem, attack:T1563.001:SSH Hijacking, uses:PortHiding, uses:Non-persistentStorage, OrBit, /malware/binaries/OrBit, Linux
• https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64) - Defense Evasion, Discovery, Lateral Movement, Collection, Command and Control, Impact, attack:T1602.001:SNMP (MIB Dump), attack:T1070.002:Clear Linux or Mac System Logs, attack:T1046:Network Service Discovery, attack:T1018:Remote System Discovery, attack:T1110.002:Password Cracking, attack:T1110.003:Password Spraying, attack:T1555:Credentials from Password Stores, attack:T1040:Packet Capture, attack:T1071.001:Web Protocols, attack:T1071.002:File Transfer Protocols, attack:T1071.004:DNS, attack:T1021.002:SMB/Windows Admin Shares, attack:T1021.004:SSH, attack:T1021.005:VNC, attack:T1590:Gather Victim Network Information, attack:T1590.002:DNS, attack:T1027.002:Software Packing, attack:T1001:Data Obfuscation, attack:T1070.004:File Deletion, https://github.com/timb-machine/linux-malware/issues/134, STEELCORGI, netcat, unixcat, netcat-ssl, telnet, traceroute, traceroute-tcp, traceroute-tcpfin, traceroute-udp, traceroute-icmp, traceroute-all, tftpd, HEAD, GET, sniff, nfsshell, ssh, ricochet, axfr, whois, scanip, sctpscan, sdporn, rmiexec, arpmap, whois, who, ahost, resolv, adig, axfr, asrv, aspf, periscope, scanip.sh, aliveips.sh, brutus.pl, enum4linux.pl, mikro, ss, sshu, onesixtyone, snmpgrab, snmpcheck, ciscopush, mikrotik-client, bleach, clean, ssleak, decrypt-vpn, pogo, pogo2, sid-force, sshock, decrypt-cisco, decrypt-vnc, decrypt-cvs, LightBasin, UNC1945, Linux
• https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/ (#65) - Qemu, https://github.com/timb-machine/linux-malware/issues/134, LightBasin, UNC1945
• https://twitter.com/malwrhunterteam/status/1415403132230803460 (#310) - HelloKitty
• https://lab52.io/blog/looking-for-penquins-in-the-wild/ (#594) - Persistence, Defense Evasion, Command and Control, Penquin, Turla, Linux
• https://twitter.com/sethkinghi/status/1397814848549900288 (#717) - Defense Evasion, attack:T1480.001:Environmental Keying, AVrecon, Linux, IOT
• https://twitter.com/IntezerLabs/status/1300403461809491969 (#347) - Dalcs
• https://www.virustotal.com/gui/file/bf3ebc294870a6e743f021f4e18be75810149a1004b8d7c8a1e91f35562db3f5/detection (#644) - Impact, attack:T1486:Data Encrypted for Impact, LockBit, /malware/binaries/Multios.Ransomware.Lockbit, Linux
• https://unit42.paloaltonetworks.com/pgminer-postgresql-cryptocurrency-mining-botnet/ (#351) - PGMiner
• https://imgur.com/a/N3BgY (#73) - ChinaZ, GoARM (by malwaremustdie.org)
• https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html (#490) - uses:Go, Manjusaka, Linux
• https://github.com/blackberry/threat-research-and-intelligence/raw/main/Talks/2023-01-30%20-%20SANS%20Cyber%20Threat%20Intelligence%20Summit%20%26%20Training%202023/Pedro%20Drimel%2C%20Jose%20Luis%20Sanchez%20Martinez%20-%20Practical%20CTI%20Analysis%20Over%202022%20ITW%20Linux%20Implants.pdf (#613)
• https://www.signalblur.io/through-the-looking-glass (#756) - Impact, attack:T1486:Data Encrypted for Impact, wltm, RedAlert, Conti, BlackBasta, Sodinokibi, REvil, BlackMatter, DarkSide, Defray777, RansomEXX, HelloKitty, ViceSociety, Royal, BlackSuit, RTM Locker, Hive, GonnaCry, Erebus, eChOraix, QNAPCrypt, Cylance, Polaris, Linux, VMware, Internal enterprise services, Internal specialist services
• https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/ (#306) - QNAPCrypt, eCh0raix
• https://www.trendmicro.com/en_gb/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html (#111) - Persistence, Privilege Escalation, Impact, attack:T1547.006:Kernel Modules and Extensions, SkidMap
• https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ (#404) - Hildegard, TeamTNT
• https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits (#392) - Botenago
• https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (#516) - Resource Development, Discovery, Command and Control, attack:T1587.001:Malware, attack:T1016:System Network Configuration Discovery, attack:T1071.001:Web Protocols, attack:T1573.001:Symmetric Cryptography, SideWalk, wltm, SparklingGoblin, Linux
• https://twitter.com/malwrhunterteam/status/1559636227485319168 (#500) - Impact, REvil, wltm, Linux
• https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware (#107) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512
• https://s.tencent.com/research/report/1177.html (#384)
• https://twitter.com/billyleonard/status/1417910729005490177 (#69) - https://github.com/timb-machine/linux-malware/issues/329, https://github.com/timb-machine/linux-malware/issues/131, Zirconium, APT31
• https://imgur.com/a/y5BRx (#86) - r57shell (by malwaremustdie.org)
• https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (#432) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
• https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites (#598) - Initial Access, Command and Control, uses:Go, GoTrim, Linux, Enterprise with public/Customer-facing services
• https://blog.polyswarm.io/deadbolt-ransomware (#577) - Impact, Deadbolt, Linux, Consumer
• https://twitter.com/CraigHRowland/status/1523266585133457408 (#424) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/418, DecisiveArchitect, Linux
• https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (#90) - Impact, uses:k8s, uses:Non-persistentStorage, attack:T1190:Exploit Public-Facing Application, attack:T1505.003:Web Shell, attack:T1105:Ingress Tool Transfer, attack:T1053.003:Cron, attack:T1037.004:RC Scripts, Muhstik, wltm
• https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ (#371) - Ebury
• https://blogs-jpcert-or-jp.translate.goog/ja/2023/07/dangerouspassword_dev.html (#721) - Defense Evasion, Command and Control, uses:Python, uses:JavaScript, attack:T1140:Deobfuscate/Decode Files or Information, PythonHTTPBackdoor, wltm, DangerousPassword, CryptoMimic, SnatchCrypto, Linux
• https://vblocalhost.com/conference/presentations/shades-of-red-redxor-linux-backdoor-and-its-chinese-origins/ (#408) - Linux
• https://vms.drweb.com/virus/?i=15389228 (#326) - ?
• https://blog.talosintelligence.com/2018/05/VPNFilter.html (#53) - VPNFilter
• https://twitter.com/IntezerLabs/status/1326880812344676352 (#330) - AgeLocker
• https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf (#625) - Defense Evasion, Command and Control, attack:T1071:Application Layer Protocol, attack:T1071.001:Web Protocols, attack:T1092:Communication Through Removable Media, attack:T1027.002:Software Packing, KEYPLUG, RedGolf, Linux
• https://imgur.com/a/Ak9zICq (#367) - Neko (by malwaremustdie.org)
• http://www.thedarkside.nl/honeypot/microbul.html (#388)
• https://imgur.com/a/LpTN7 (#85) - Elknot (by malwaremustdie.org)
• https://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/ (#348) - Rakos
• https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (#427) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris
• https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version (#309) - REvil
• https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/ (#759) - Impact, Octo Tempest, BlackCat, Linux, VMware
• https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ (#470) - Lightning, /malware/binaries/Lightning, Linux
• https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/kessel-dns-exfiltration-2/ (#372) - Kessel
• https://asec.ahnlab.com/en/55229/ (#722) - Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/709, attack:T1036.005:Match Legitimate Name or Location, attack:T1573.001:Symmetric Encryption, uses:ProcessTreeSpoofing, Rekoobe, TINYSHELL, APT31, Linux, Solaris
• https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/ (#325) - RedXOR
• https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials (#50) - TeamTNT
• https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf (#333) - Cloud Snooper
• https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/ (#299) - IPStorm, /malware/binaries/Unix.Trojan.Ipstorm
• https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/ (#671) - Persistence, Defense Evasion, Command and Control, Horse Shell, wltm, Camaro Dragon, Linux, IOT, Telecomms
• https://twitter.com/malwaremustd1e/status/1380637310346096641 (#364) - Ngioweb (by malwaremustdie.org)
• https://unit42.paloaltonetworks.com/blackcat-ransomware/ (#108) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512
• https://pastebin.com/Z3sXqDCA (#89) - Mozi (by malwaremustdie.org)
• https://twitter.com/timb_machine/status/1450595881732947968 (#66) - https://github.com/timb-machine/linux-malware/issues/134, LightBasin, UNC1945, Solaris
• https://www.guardicore.com/labs/fritzfrog-a-new-generation-of-peer-to-peer-botnets/ (#313) - FritzFrog
• https://www.akamai.com/blog/security-research/dhpcd-cryptominer-hid-four-years (#578) - Impact, dhcpcd, Linux, IOT
• https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/ (#714) - Initial Access, Defense Evasion, attack:T1190:Exploit Public-Facing Application, attack:T1480.001:Environmental Keying, Mirai, Linux, IOT
• https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-docker-control-api-and-community-image-abused-to-deliver-cryptocurrency-mining-malware/ (#344) - NGrok
• https://cert.gov.ua/article/4501891 (#651) - Impact, attack:T1485:Data Destruction, Sandworm, Linux, Industrial
• https://raw.githubusercontent.com/bg6cq/ITTS/master/security/mine/README.md (#352) - ITTS
• https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 (#702) - Initial Access, Discovery, Command and Control, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1057:Process Discovery, attack:T1498:Network Denial of Service, Condi, Linux, IOT
• https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf (#493) - Persistence, Command and Control, uses:Go, IPStorm, /malware/binaries/Unix.Trojan.Ipstorm, Linux
• https://imgur.com/a/8mFGk (#70) - httpsd (by malwaremustdie.org)
• https://blogs.blackberry.com/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors (#305) - Tycoon
• https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf (#407) - Impact, attack:T1567:Financial Theft, https://github.com/timb-machine/linux-malware/issues/135, FastCash, HiddenCobra, Lazarus, APT38, AIX, Banking, Internal specialist services
• https://www.mandiant.com/resources/unc2891-overview (#112) - Lateral Movement, Credential Access, Execution, Defense Evasion, Persistence, attack:T1021.004:SSH, attack:T1003.008:/etc/passwd and /etc/shadow, attack:T1552.003:Bash History, attack:T1552.004:Private Keys, attack:T1556.003:Pluggable Authentication Modules, attack:T1053.001:At (Linux), attack:T1059.004:Unix Shell, attack:T1014:Rootkit, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1548.001:Setuid and Setgid, attack:T1543.002:Systemd Service, attack:T1547.006:Kernel Modules and Extensions, https://github.com/timb-machine/linux-malware/issues/134, TINYSHELL, SLAPSTICK, CAKETAP, WIPERIGHT, MIG Logcleaner, https://github.com/timb-machine/linux-malware/issues/154, BINBASH, UNC2891, UNC1945, LightBasin, Linux, Solaris, Banking
• https://www.mandiant.com/resources/blog/messagetap-who-is-reading-your-text-messages (#542) - Defense Evasion, Discovery, Collection, Exfiltration, vertical:Telecomms, attack:T1040:Network Sniffing, uses:Non-persistentStorage, attack:T1070.004:File Deletion, MESSAGETAP, /malware/binaries/MESSAGETAP, APT41, Linux, Telecomms, Internal specialist services
• https://cujo.com/threat-alert-krane-malware/ (#391) - Initial Access, Persistence, Defense Evasion, Impact, attack:T1110.003:Password Spraying, attack:T098:Account Manipulation, attack:T1105:Ingress Tool Transfer, attack:T1562.003:Impair Command History Logging, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1082:System Information Discovery, attack:T1018:Remote System Discovery, attack:T1021:Remote Services, uses:Non-persistentStorage, Krane, wltm
• https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/ (#329) - Zirconium, APT31
• https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/ (#503)
• https://twitter.com/ESETresearch/status/1410864752948043778 (#104) - Specter, SideWalk, StageClient
• https://twitter.com/jhencinski/status/1451592508157345793 (#387) - Impact, XMRig
• https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (#692) - Execution, Persistence, Defense Evasion, Credential Access, Command and Control, attack:T1552:Unsecured Credentials, attack:T1212:Exploitation for Credential Access, attack:T1562:Impair Defenses, attack:T1580:Cloud Infrastructure Discovery, attack:T1525:Implant Internal Image, attack:T1102:Web Service, UNC3886, Linux, VMware
• https://twitter.com/ESETresearch/status/1415542456360263682 (#368) - ?, #FreeBSD
• http://www.foo.be/cours/dess-20042005/report/bigwar.html#sc (#386) - sc (similar code to luckscan)
• https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (#693) - Persistence, Defense Evasion, Discovery, Command and Control, attack:T1037.004:RC Scripts, attack:T1543.002:Systemd Service , attack:T1036:Masquerading: Match Legitimate Name or Location , attack:T1070.004:File Deletion , attack:T1222:File and Directory Permissions Modification , attack:T1564.001:Hidden Files and Directories , attack:T1082:System Information Discovery , attack:T1057:Process Discovery , attack:T1071.004:DNS, Sotdas, Linux
• https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/ (#369) - Kobalos, #linux, #bsd, #solaris, #aix
• https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/ (#410) - Initial Access, Persistence, Defense Evasion, Lateral Movement, Impact, LemonDuck, Linux, Cloud hosted services, Device application sandboxing
• https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/ (#105) - Specter, SideWalk, StageClient
• https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (#447) - Persistence, Defense Evasion, Discovery, Command and Control, attack:T1027:Obfuscated Files or Information, attack:T1053.003:Cron, attack:T1082:System Information Discovery, attack:T1132:Data Encoding, attack:T1564.001:Hidden Files and Directories, Buni, APT32, Ocean Lotus
• https://www.group-ib.com/blog/krasue-rat/ (#797) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, uses:AbnormalSignal, attack:T1071:Application Layer Protocol, uses:RTSP, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1205:Traffic Signaling, Krasue, Diamorphine, https://github.com/timb-machine/linux-malware/issues/217, Suterusu, https://github.com/timb-machine/linux-malware/issues/491, Rooty, https://github.com/timb-machine/linux-malware/issues/440, Linux
• https://twitter.com/bkMSFT/status/1417823714922610689 (#328) - https://github.com/timb-machine/linux-malware/issues/329, Zirconium, APT31
• https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (#778) - Reconnaissance, Initial Access, Persistence, Privilege Escalation, Defense Evasion, Impact, attack:T1496:Resource Hijacking, uses:k8s, attack:T1140:Deobfuscate/Decode Files or Information, uses:Python, attack:T1611:Escape to Host, attack:T1562.008:Disable or Modify Cloud Logs, attack:T1027.004:Compile After Delivery, attack:T1547.006:Kernel Modules and Extensions, attack:T1574.006:Dynamic Linker Hijacking, uses:ProcessTreeSpoofing, attack:T1190:Exploit Public-Facing Application, attack:T1595.002:Vulnerability Scanning, uses:ModifyServerShell, delivery:Redis, uses:Redis, XMRig, Diamorphine, libprocesshider, Pnscan, Zgrab, Masscan, Kiss-A-Dog, TeamTNT, Linux, Cloud hosted services
• https://twitter.com/ESETresearch/status/1454100591261667329?s=20 (#390) - Hive
• https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux (#685) - Impact, RTM Locker, Linux
• https://twitter.com/malwrhunterteam/status/1467264298237972484 (#406) - Cerber
• http://www.cverc.org.cn/head/zhaiyao/news20220218-1.htm (#113) - NOPEN
• https://www.trendmicro.com/en_gb/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html (#304) - DarkRadation
• https://twitter.com/avastthreatlabs/status/1430527767855058949 (#492) - HCRootkit, https://github.com/timb-machine/linux-malware/issues/491, Linux
• https://old.reddit.com/r/LinuxMalware/comments/7qd27e/linuxss_aka_shark_hacktool_syn_scanner_wpcap/ (#71) - SS, Shark (by malwaremustdie.org)
• https://twitter.com/CraigHRowland/status/1422009387686645761 (#353) - ITTS
• https://cyberplace.social/@GossiTheDog/110516069484635011 (#703) - Resource Development, BPFDoor, /malware/binaries/BPFDoor, Linux
• https://unit42.paloaltonetworks.com/alloy-taurus/ (#646) - Command and Control, attack:T1071:Application Layer Protocol, attack:T1071.001:Web Protocols, attack:T1132:Data Encoding, attack:T1132.001:Standard Encoding, attack:T1573:Encrypted Channel, attack:T1573.001:Symmetric Cryptography, Sword2033, PingBull, wltm, Alloy Taurus, GALLIUM, Soft Cell, Linux
• https://mp-weixin-qq-com.translate.goog/s/v2wiJe-YPG0ng87ffBB9FQ?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (#580) - Command and Control, Torii, Linux
• https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (#715) - Reconnaissance, Initial Access, Execution, Persistence, Defense Evasion, Credential Access, Discovery, Command and Control, Impact, attack:T1525:Implant Internal Image, attack:T1595:Active Scanning, attack:T1496:Resource Hijacking, attack:T1613:Container and Resource Discovery, attack:T1190:Exploit Public-Facing Application, attack:T1059:Command and Scripting Interpreter, attack:T1610:Deploy Container, attack:T1222:File and Directory Permissions Modification, attack:T1036:Masquerading, attack:T1132:Data Encoding, attack:T1552.005:Cloud Instance Metadata API, attack:T1082:System Information Discovery, attack:T1071.001:Web Protocols, attack:T1090.003:Multi-hop Proxy, Tsunami, TeamTNT, Linux
• https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf (#345) - WellMail (APT29)
• https://asec.ahnlab.com/en/51908/ (#650) - Impact, Defense Evasion, uses:ProcessTreeSpoofingBindMountProc, https://github.com/timb-machine/linux-malware/issues/550, KONO DIO DA, XMRig, Linux
• https://netadr.github.io/blog/a-quick-glimpse-sbz/ (#596) - Persistence, Defense Evasion, attack:T1027:Obfuscated Files or Information, SBZ, wltm, Equation Group, Solaris
• https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (#312) - Persistence, Impact, Defense Evasion, Privilege Escalation, attack:T1565.002:Transmitted Data Manipulation, attack:T1055:Process Injection, attack:T1055.009:Proc Memory, attack:T1564.001:Hidden Files and Directories, attack:T1574:Hijack Execution Flow, attack:T1567:Financial Theft, https://github.com/timb-machine/linux-malware/issues/135, FastCash, Hidden Cobra, AIX, Banking
• https://pastebin.com/iKyaqLTd (#88) - Exaramel, BlackEnergy, #ICS (by malwaremustdie.org)
• https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF (#67) - Drovorub
• https://www.varonis.com/blog/alphv-blackcat-ransomware (#109) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512
• https://twitter.com/malwaremustd1e/status/1379028201075187716 (#365) - DGAbot (by malwaremustdie.org)
• https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html (#332) - NOTROBIN
• https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/ (#298) - RandomEXX
• https://twitter.com/_larry0/status/1143532888538984448 (#51) - Silex
• https://www.bitdefender.com/files/News/CaseStudies/study/319/Bitdefender-PR-Whitepaper-DarkNexus-creat4349-en-EN-interactive.pdf (#518) - DarkNexus, Linux
• https://unit42.paloaltonetworks.com/watchdog-cryptojacking/ (#324) - WatchDog
• https://blog.polyswarm.io/darkangels-linux-ransomware (#666) - Impact, attack:T1486:Data Encrypted for Impact, DarkAngels, wltm, Linux
• https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ (#373) - Initial Access, Persistence, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1505.003:Web Shell, Prophet Spider, Linux
• https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (#723) - Defense Evasion, Command and Control, Impact, uses:Python, attack:T1496:Resource Hijacking, attack:T1620:Reflective Code Loading, attack:T1102:Web Service, attack:T1190:Exploit Public-Facing Application, attack:T1105:Ingress Tool Transfer, attack:T1140:Deobfuscate/Decode Files or Information, attack:T1027.002:Software Packing, uses:Non-persistentStorage, PyLoose, XMRig, Linux
• https://tolisec.com/ssh-backdoor-botnet-with-research-infection-technique/ (#92)
• https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/ (#471) - HiddenWasp, Linux
• https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/ (#308) - KillDisk
• https://www.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies (#758) - Persistence, Defense Evasion, Impact, attack:T1486:Data Encrypted for Impact, Gwisin, Spirit, Linux, VMware
• https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html (#563) - Command and Control, uses:Go, Alchemist, /malware/binaries/Alchimist, https://github.com/timb-machine/linux-malware/issues/564, Sysrv?, Linux
• http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf (#349) - Moose
• https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery (#488) - Initial Access, Lateral Movement, Impact, RapperBot, /malware/binaries/RapperBot, Linux
• https://imgur.com/a/DWKK5 (#84) - Persistence, Command and Control, Tsunami, Kaiten (by malwaremustdie.org), Linux
• https://twitter.com/ankit_anubhav/status/1490574137370103808 (#483) - Privilege Escalation, Defense Evasion, Persistence, Command and Control, Log4J, attack:T1548:Abuse Elevation Control Mechanism, https://github.com/timb-machine/linux-malware/issues/482, Linux
• https://imgur.com/a/qqgfFXf (#60) - Mirai (by malwaremustdie.org)
• https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/ (#315) - Gafgyt
• https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/ (#342) - Doki
• https://media.defense.gov/2023/May/09/2003218554/-1/-1/1/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF (#657) - Command and Control, SNAKE, Linux
• https://twitter.com/CraigHRowland/status/1422267857988063232 (#354) - ITTS
• https://www.welivesecurity.com/wp-content/uploads/2021/10/eset_fontonlake.pdf (#641) - FontOnLake, Linux
• https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (#99) - Persistence, Command and Control, attack:T1205:Traffic Signaling, attack:T1205.002:Socket Filters, attack:T1573.002:Symmetric Cryptography, attack:T1573.002:Asymmetric Cryptography, attack:T1082:System Information Discovery, attack:T1547.006:Kernel Modules and Extensions, Bvp47, dewdrop, tipoff, StoicSurgeon, Incision, Equation Group, Linux, Solaris, FreeBSD
• https://imgur.com/a/eBF7Mqe (#76) - Haiduc (by malwaremustdie.org) (by malwaremustdie.org)
• https://cybersec84.wordpress.com/2023/08/15/monti-ransomware-operators-resurface-with-new-linux-variant-improved-evasion-tactics/ (#753) - Defense Evasion, Impact, attack:T1486:Data Encrypted for Impact, attack:T1480:Execution Guardrails, wltm, Monti, Linux, VMware
• https://www.sentinelone.com/blog/darkradiation-abusing-bash-for-linux-and-docker-container-ransomware/ (#303) - DarkRadiation
• https://int0x33.medium.com/day-27-tiny-shell-48df6abb0d5d (#616) - Command and Control, TSH, TINYSHELL, https://github.com/timb-machine/linux-malware/issues/481
• https://darrenmartyn.ie/2021/11/29/analysis-of-the-lib__mdma-so-1-userland-rootkit/ (#401) - Persistence, Defense Evasion, https://github.com/timb-machine/linux-malware/issues/530, lib__mdma
• https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/ (#114) - HabitsRAT
• https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (#397) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1574.006:Dynamic Linker Hijacking, attack:T1205.002:Socket Filtering, Umbreon
• https://www.lab539.com/blog/linux-malware-detection-with-limacharlie (#728) - Reconnaissance, Initial Access, Execution, Persistence, Linux
• https://blogs.jpcert.or.jp/en/2023/05/gobrat.html (#682) - Command and Control, uses:Go, GobRAT, Linux, Telecomms
• https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/ (#378) - #cobaltstrike, VermilionStrike
• https://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/ (#513) - Collection, Impact, Linux
• https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (#790) - Initial Access, Execution, Discovery, Lateral Movement, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1059.004:Unix Shell, attack:T1072:Software Deployment Tools, attack:T1083:File and Directory Discovery, attack:T1082:System Information Discovery, attack:T1485:Data Destruction, BiBi-Linux, Linux
• https://www.uptycs.com/blog/another-ransomware-for-linux-likely-in-development (#505) - Impact, DarkAngels, wltm, Linux
• https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc (#786) - Exfiltration, Impact, location:Israel, attack:T1561.001:Disk Content Wipe, attack:T1485:Data Destruction, attack:T1048.003:Exfiltration Over Unencrypted Non-C2 Protocol, Cyber Toufan, Linux
• https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ (#339) - Kaiji
• https://sysdig.com/blog/ssh-snake/ (#801) - Defense Evasion, Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, attack:T1027:Obfuscated Files or Information, https://github.com/timb-machine/linux-malware/issues/791, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services
• https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html (#102) - Impact, attack:T1486:Data Encrypted for Impact, LockBit, Linux, VMware, Internal enterprise services, Internal specialist services
• https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/ (#381) - FontOnLake
• https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-exploited-to-attack-gaming-servers/ (#319) - Gafgyt
• https://imgur.com/a/qI5Fvm4 (#83) - STD (by malwaremustdie.org)
• https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (#8) - Credential Access, Defense Evasion, Discovery, Lateral Movement, Collection, Command and Control, Impact, vertical:Telecomms, attack:T1573.001:Symmetric Cryptography, attack:T1590:Gather Victim Network Information, attack:T1562.004:Disable or Modify System Firewall, attack:T1048.001:Exfiltration Over Unencrypted Non-C2 Protocol, attack:T1021.004:SSH, attack:T1037.004:RC Scripts, attack:T1090.001:Internal Proxy, attack:T1090.002:External Proxy, attack:T1110.003:Password Spraying, https://github.com/timb-machine/linux-malware/issues/134, SLAPSTICK, STEELCORGI, PingPong, TINYSHELL, CordScan, SIGTRANslator, Fast Reverse Proxy, Microsocks Proxy, ProxyChains, LightBasin, UNC1945, Solaris, Linux, Telecomms, Internal specialist services, Enclave deployment
• https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability (#572) - Persistence, Impact, Mirai, RAR1Ransom, GuardMiner, Linux
• https://twitter.com/malwaremustd1e/status/1235595880041873408 (#358) - Hajimi (by malwaremustdie.org)
• https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (#95) - Command and Control, Defense Evasion, Persistence, Discovery, attack:T1102:Web Service, attack:T1071.001:Web Protocols, attack:T1573.001:Symmetric Cryptography, attack:T1573:Encrypted Traffic, attack:T1053.003:Cron, attack:T1033:System Owner/User Discovery, attack:T1016:System Network Configuration Discovery, attack:T1070.004:File Deletion, uses:RedirectionToNull, delivery:NPM, SysJoker, wltm, Linux
• https://www.akamai.com/blog/security/new-p2p-botnet-panchan (#476) - Pan-chan, https://github.com/timb-machine/linux-malware/issues/477, Linux
• https://twitter.com/captainGeech42/status/1657121312425365524 (#661) - Persistence, Defense Evasion, SystemBC, https://github.com/timb-machine/linux-malware/issues/662, Linux
• https://twitter.com/malwrhunterteam/status/1422972905541996546 (#374) - Impact, attack:T1486:Data Encrypted for Impact, Encryptor, Linux, VMware
• https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (#724) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, https://github.com/timb-machine/linux-malware/issues/710, https://github.com/timb-machine/linux-malware/issues/711, Linux
• https://securityboulevard.com/2021/04/detect-c2-redxor-with-state-based-functionality/ (#548) - Command and Control, Exfiltration, https://github.com/timb-machine/linux-malware/issues/325, RedXOR, Linux
• https://securelist.com/a-bad-luck-blackcat/106254/?_sp=3b4159db-9e20-4bfa-a47f-f8671b594d75.1649770307513 (#118) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512
• https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/ (#636) - Initial Access, Linux
• https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/ (#323) - EvilGnome
• https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/ (#56) - LemonDuck
• https://blog.exatrack.com/melofee/ (#620) - Reconnaissance, Resource Development, Execution, Persistence, Privilege Escalation, Defense Evasion, Discovery, Command and Control, attack:T1583.001:Domains, attack:T5183.004:Server, attack:T1071.001:Web Protocols, attack:T1587.001:Malware, attack:T1037.004:RC Scripts, attack:T1059.004:Unix Shell, attack:T1132.002:Non-Standard Encoding, attack:T1573.001:Symmetric Cryptography, attack:T1083:File and Directory Discovery, attack:T1592.002:Software, attack:T1564.001:Hidden Files and Directories, attack:T1562.003:Impair Command History Logging, attack:T1070.004:File Deletion, attack:T1599.001:Network Address Translation Traversal, attack:T1095:Non-Application Layer Protocol, attack:T1571:Non-Standard Port, attack:T1027.002:Software Packing, attack:T1027.007:Dynamic API Resolution, attack:T1588.001:Malware, attack:T1588.002:Tool, attack:T1057:Process Discovery, attack:T1572:Protocol Tunneling, attack:T1090:Proxy, attack:T1014:Rootkit, attack:T1608.001:Upload Malware, attack:T1608.002:Upload Tool, attack:T1082:System Information Discovery, attack:T1497.003:Time Based Evasion, Melofee, HelloBot, Linux
• https://twitter.com/ESETresearch/status/1382054011264700416 (#335) - TSCookie, #freebsd
• https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan (#732) - Persistence, Defense Evasion, Command and Control, Linux, Hosting
• https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html (#698) - Impact, BlackSuit, Linux
• https://gist.github.com/unixfreaxjp/7b8bd6be614f7a051fc9a9da760d3138 (#362) - Initial Access, Command and Control, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux
• https://asec.ahnlab.com/en/55785/ (#733) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1547.006:Kernel Modules and Extensions, attack:T1205.001:Port Knocking, Reptile, TINYSHELL, Rekoobe, Linux
• https://twitter.com/malwaremustd1e/status/1267068856645775360 (#363) - DarkNexus (by malwaremustdie.org)
• https://hybrid-analysis.com/sample/eb8826bac873442045a6a05f1fa25b410ca18db6942053f6d146467c00d5338d (#508) - Peer2Profit, Linux
• https://asec.ahnlab.com/en/50316/ (#621) - Defense Evasion, Discovery, Command and Control, Impact, attack:T1036.005:Match Legitimate Name or Location, attack:T1499:Endpoint Denial of Service, attack:T1082:System Information Discovery, attack:T1095:Non-Application Layer Protocol, uses:ProcessTreeSpoofing, uses:Non-persistentStorage, uses:RedirectionToNull, DDoSClient, ChinaZ, Linux
• https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html (#334) - TSCookie
• https://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html (#57) - Mirai (by malwaremustdie.org)
• https://blog.sucuri.net/2023/04/balada-injector-synopsis-of-a-massive-ongoing-wordpress-malware-campaign.html (#637) - Initial Access, Balada, Linux, Hosting, Consumer, Cloud hosted services
• https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ (#322) - Turian
• https://www.intezer.com/blog/research/acbackdoor-analysis-of-a-new-multiplatform-backdoor/ (#549) - ACBackdoor, wltm, Linux
• https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (#119) - Impact, attack:T1485:Data Destruction, attack:T1053.003:Cron, attack:T1016:System Network Configuration Discovery, attack:T1110.003:Password Spraying, attack:T1490:Inhibit System Recovery, attack:T1027:Obfuscated Files or Information, attack:T1561.001:Disk Content Wipe, attack:T1529:System Shutdown/Reboot, attack:T1007:System Service Discovery, attack:T1021.004:SSH, Industroyer, ORCSHRED, SOLOSHRED, AWFULSHRED, Sandworm, Linux, Solaris, Industrial
• https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw (#660) - Initial Access, attack:T1480:Execution Guardrails, attack:T1562.006:Indicator Blocking, uses:Non-persistentStorage, BOLDMOVE, wltm, Linux, Collaboration across enterprise boundaries
• https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar (#375) - PRISM
• https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (#725) - Defense Evasion, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, BPFDoor, /malware/binaries/BPFDoor, Unix.Backdoor.RedMenshen, DecisiveArchitect, Linux, Solaris
• https://sansec.io/research/nginrat (#94) - Defense Evasion, uses:Non-persistentStorage, attack:T1036.005:Match Legitimate Name or Location, attack:T1574.006:Dynamic Linker Hijacking, attack:T1027:Obfuscated Files or Information, uses:ProcessTreeSpoofing, NginRAT, wltm
• https://github.com/akamai/akamai-security-research/tree/main/malware/panchan (#477) - Pan-chan, /malware/binaries/pan-chan, Linux
• https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/ (#565) - Initial Access, Lateral Movement, Impact, https://github.com/timb-machine/linux-malware/issues/566, Sysrv, wltm, Linux, Internal enterprise services
• https://asec.ahnlab.com/ko/55070/ (#709) - Command and Control, Defense Evasion, https://github.com/timb-machine/linux-malware/issues/722, attack:T1036.005:Match Legitimate Name or Location, attack:T1573.001:Symmetric Encryption, uses:ProcessTreeSpoofing, Rekoobe, TINYSHELL, APT31, Linux, Solaris
• https://twitter.com/malwaremustd1e/status/1237080802581565440 (#359) - Mozi (by malwaremustdie.org)
• https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (#524) - Initial Access, Execution, Persistence, Discovery, Lateral Movement, Command and Control, Exfiltration, uses:Go, attack:T1573:Encrypted Channel, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1021.004:SSH, attack:T1057:Process Discovery, attack:T1552.004:Private Keys, attack:T1190:Exploit Public-Facing Application, Chaos, /malware/binaries/Chaos, Linux
• https://imgur.com/a/CtHlmBE (#82) - Persistence, Command and Control, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux
• https://imgur.com/a/2zRCt (#318) - Gafgyt (by malwaremustdie.org)
• https://www.trendmicro.com/en_ca/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html (#380) - Persistence, Defense Evasion, Impact, KinSing
• https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf (#338) - Persistence, Defense Evasion, Command and Control, Penguin, Penquin_x64, Turla, Linux
• https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (#441) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris
• https://sansec.io/research/ecommerce-malware-linux-avp (#396) - linux_avp, Comma
• https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors (#729) - Persistence, Command and Control, SEASPY, https://github.com/timb-machine/linux-malware/issues/730, SUBMARINE, https://github.com/timb-machine/linux-malware/issues/731, Linux
• https://threatfabric.com/blogs/vultur-v-for-vnc.html (#379) - Vultur, Brunhilda, #Android
• https://imp0rtp3.wordpress.com/2021/11/25/sowat/ (#400) - Command and Control, https://github.com/timb-machine/linux-malware/issues/140, https://github.com/timb-machine/linux-malware/issues/131, SoWaT, APT31, Zirconium
• https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces (#115) - Impact, KinSing
• https://blog.talosintelligence.com/lazarus-collectionrat/ (#752) - Command and Control, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, DeimosC2, https://github.com/timb-machine/linux-malware/issues/751, HiddenCobra, Lazarus, APT38, Linux
• https://igor-blue.github.io/2021/03/24/apt1.html (#302)
• https://themittenmac.com/tinyshell-under-the-microscope/ (#617) - TSH, TINYSHELL, https://github.com/timb-machine/linux-malware/issues/481
• https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/ (#98) - Persistence, Defense Evasion, Command and Control, RotaJakiro, wltm
• https://imgur.com/a/SSKmu (#77) - Rebirth, Vulcan (by malwaremustdie.org)
• https://pastebin.com/raw/mEape37E (#355) - SystemTen (by malwaremustdie.org)
• https://cujo.com/the-sysrv-botnet-and-how-it-evolved/ (#640) - Initial Access, Command and Control, Impact, Sysrv, Linux
• https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (#586) - Reconnaissance, Initial Access, Defense Evasion, Lateral Movement, Command and Control, Exfiltration, Impact, uses:Go, attack:T1133:External Remote Services, attack:T1021:Remote Services, attack:T1021.004:SSH, attack:T1078.001:Default Accounts, attack:T1110:Brute Force, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1499:Endpoint Denial of Service, attack:T1498:Network Denial of Service, attack:T1496:Resource Hijacking, uses:CrossCompiled, Kmsdbot, Linux, IOT
• https://sysdig.com/blog/cloud-defense-in-depth/ (#713) - Initial Access, Lateral Movement, KinSing, Linux
• https://blog.netlab.360.com/a-new-mining-botnet-blends-its-c2s-into-ngrok-service/ (#343) - NGrok
• https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/ (#656) - Impact, attack:T1486:Data Encrypted for Impact, Cl0p, wltm, Linux, Internal enterprise services
• https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ (#314) - Gafgyt
• https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (#744) - Reconnaissance, Initial Access, Defense Evasion, Lateral Movement, Exfiltration, Impact, uses:Go, attack:T1133:External Remote Services, attack:T1021:Remote Services, attack:T1021.004:SSH, attack:T1078.001:Default Accounts, attack:T1110:Brute Force, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1499:Endpoint Denial of Service, attack:T1498:Network Denial of Service, attack:T1480:Execution Guardrails, Kmsdbot, Linux, IOT
• https://www.stormshield.com/news/orbit-analysis-of-a-linux-dedicated-malware/ (#601) - Persistence, Privilege Escalation, OrBit, /malware/binaries/OrBit, Linux
• https://analyze.intezer.com/files/82aa04f8576ea573a4772db09ee245cab8eac7ff1e7200f0cc960d8b6f516e92 (#482) - Log4J, /malware/binaries/Unix.Trojan.Log4J/82aa04f8576ea573a4772db09ee245cab8eac7ff1e7200f0cc960d8b6f516e92.elf.x86, Linux
• https://imgur.com/a/53f29O9 (#61) - Mirai (by malwaremustdie.org)

Malware samples

Malware binaries

• https://www.virustotal.com/gui/file/3b7a06c53ec0f2ce7b9de4cae9e6e765fd18dc1f2ff522c0ccd9c8c3f9e79532/detection (#141) - Linikatz
• https://github.com/Caprico1/kinsing (#454) - Persistence, Impact, KinSing, Linux
• https://bazaar.abuse.ch/sample/05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d/ (#751) - Command and Control, Exfiltration, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, uses:Go, DeimosC2, /malware/binaries/Unix.Backdoor.DeimosC2, Linux
• https://samples.vx-underground.org/samples/Families/VermilionStrike/ (#136) - CobaltStrike, VermilionStrike, /malware/binaries/VermilionStrike
• https://tria.ge/s?q=tag%3alinux (#121)
• https://github.com/eset/malware-ioc/tree/master/kobalos (#137) - Kobalos
• https://github.com/darrenmartyn/malware_samples (#530) - Execution, Persistence, Defense Evasion, Discovery, uses:ProcessTreeSpoofing, uses:RedirectionToNull, attack:T1546.004:Unix Shell, attack:T1574.006:Dynamic Linker Hijacking, attack:T1057:Process Discovery, attack:T1036.005:Match Legitimate Name or Location, lib__mdma, Linux
• https://bazaar.abuse.ch/sample/d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4/ (#662) - Persistence, Defense Evasion, attack:T1053.003:Cron, uses:Non-persistentStorage, uses:RedirectionToNull, https://github.com/timb-machine/linux-malware/issues/661, SystemBC, /malware/binaries/SystemBC, Linux
• https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (#418) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/419, https://github.com/timb-machine/linux-malware/issues/424, https://github.com/timb-machine/linux-malware/issues/425, https://github.com/timb-machine/linux-malware/issues/426, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor client?, /malware/binaries/BPFDoor/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c.elf.x86_64, Unix.Backdoor.RedMenshen, Tricephalic Hellkeeper, JustForFun, https://www.hybrid-analysis.com/sample/591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78, DecisiveArchitect, Linux
• https://bazaar.abuse.ch/sample/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2/ (#140) - SoWaT, /malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips, APT31, Zirconium
• https://samples.vx-underground.org/APTs/2021/2021.10.11/ (#409) - FontOnLake, /malware/binaries/FontOnLake, Linux
• https://www.virustotal.com/gui/file/c69ee0f12a900adc654d93aef9ad23ea56bdfae8513e534e1a11dca6666d10aa/detection (#126) - wltm
• https://github.com/AngelGuyu/spirit (#757) - Persistence, Defense Evasion, Spirit, Gwisin, Linux
• https://github.com/tstromberg/malware-menagerie (#795) - Impact, attack:T1496:Resource Hijacking, QubitStrike, StripedFly, Linux
• https://bazaar.abuse.ch/browse/signature/Mirai/ (#127) - Mirai, /malware/binaries/Unix.Exploit.Mirai, /malware/binaries/Unix.Dropper.Mirai, /malware/binaries/Unix.Trojan.Mirai
• https://www.virustotal.com/gui/file/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2/detection (#131) - SoWaT, /malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips, APT31, Zirconium
• https://github.com/blackorbird/APT_REPORT (#124)
• https://github.com/eset/malware-ioc/tree/master/rakos (#132) - Rakos
• https://bazaar.abuse.ch/browse/signature/Gafgyt/ (#128) - Gafgyt, /malware/binaries/Unix.Trojan.Gafgyt
• https://bazaar.abuse.ch/browse/signature/XorDDoS/ (#129) - Initial Access, Credential Access, Impact, attack:T1078:Valid Accounts, attack:T1100:Brute Force, attack:T1498:Network Denial of Service, XorDDoS, /malware/binaries/Unix.Trojan.Xorddos, /malware/binaries/Unix.Malware.Xorddos, Linux
• https://analyze.intezer.com/files/85e72976b9448295034a8d4c26462b8f1ebe1ca0a4e4b897c7f2404d0de948c2 (#133) - WellMail, wltm, APT29
• https://twitter.com/nunohaien/status/1261281420791742464 (#125)
• https://github.com/x0rz/EQGRP (#138)
• https://bazaar.abuse.ch/browse/tag/Symbiote/ (#460) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/452, attack:T1205:Traffic Signaling, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1556.003:Pluggable Authentication Modules, attack:T1574.006:Dynamic Linker Hijacking, /malware/binaries/Symbiote, Symbiote, Linux
• https://bazaar.abuse.ch/browse/tag/elf/ (#122)
• https://samples.vx-underground.org/APTs/2020/2020.11.02/ (#134) - /malware/binaries/UNC1945, LightBasin, UNC1945, Solaris
• https://samples.vx-underground.org/samples/Families/Fastcash/ (#135) - Impact, FastCash, /malware/binaries/FastCash, HiddenCobra, Lazarus, APT38, AIX, Banking, Internal specialist services, Enclave deployment
• https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (#420) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/421, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, /malware/binaries/BPFDoor/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a.elf.sparc, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Solaris
• https://github.com/MalwareSamples/Linux-Malware-Samples (#123)
• https://github.com/hardenedvault/bootkit-samples (#103)
• https://bazaar.abuse.ch/browse/tag/blackcat/ (#512) - Impact, https://github.com/timb-machine/linux-malware/issues/118, https://github.com/timb-machine/linux-malware/issues/109, https://github.com/timb-machine/linux-malware/issues/108, https://github.com/timb-machine/linux-malware/issues/107, https://github.com/timb-machine/linux-malware/issues/41, BlackCat, /malware/binaries/BlackCat, Linux
• https://bazaar.abuse.ch/sample/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9/ (#139) - Polaris, /malware/binaries/Unix.Ransomware.Polaris/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9.elf.x86_64

Malware source

• https://packetstormsecurity.com/files/31345/0x333shadow.tar.gz.html (#706) - Defense Evasion, attack:T1070.002:Clear Linux or Mac System Logs, 0x333shadow Log Cleaner, Linux, Solaris, Freebsd, IRIX
• https://github.com/chokepoint/Jynx2 (#531) - Persistence, Defense Evasion, Linux
• https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (#711) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, https://github.com/timb-machine/linux-malware/issues/710, https://github.com/timb-machine/linux-malware/issues/724, Linux
• https://pastebin.com/kmmJuuQP (#802) - Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, uses:Non-persistentStorage, uses:ProcessTreeSpoofing, BPFDoor, /malware/binaries/BPFDoor, Unix.Backdoor.RedMenshen, Linux
• https://github.com/jwne/caffsec-malware-analysis/blob/master/mIRChack/pscan2.c (#147) - pscan (similar code to luckscan)
• https://github.com/isdrupter/ziggystartux (#701) - Impact, Linux
• https://github.com/HeapAllocate/sterben (#150) - sterben
• https://github.com/gianlucaborello/libprocesshider (#776) - Defense Evasion, uses:ProcessTreeSpoofing, attack:T1574.006:Dynamic Linker Hijacking, libprocesshider, Linux
• https://github.com/chenkaie/junkcode/blob/master/xhide.c (#775) - Defense Evasion, uses:ProcessTreeSpoofing, XHide, Linux
• https://github.com/NexusBots/Umbreon-Rootkit (#149) - Umbreon Rootkit
• https://pastebin.com/jkndLHQf (#145) - FinFisher
• http://www.afn.org/~afn28925/wipe.c (#153) - UNC2891
• https://packetstormsecurity.com/files/23336/Slx2k001.txt.html (#152) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, UNC2891
• https://gitlab.com/rav7teif/linux.wifatch (#144) - Initial Access, Persistence, Command and Control, Lateral Movement, Linux.Wifatch
• https://github.com/0x27/sebd-0.2 (#148) - sebd 0.2 source code (a fix of 0.1)
• https://pastebin.com/raw/kmmJuuQP (#426) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/418, DecisiveArchitect, Linux
• https://github.com/vxunderground/MalwareSourceCode/tree/main/Linux (#143)
• https://github.com/arialdomartini/morris-worm (#694) - Initial Access, Execution, Discovery, Lateral Movement
• https://github.com/shadow1ng/fscan (#564) - Initial Access, Lateral Movement, uses:Go, Alchimist, fscan, /malware/binaries/Alchimist/UPX/fscan, Linux
• https://github.com/Kabot/mig-logcleaner-resurrected (#154) - Defense Evasion, attack:T1070.002:Clear Linux or Mac System Logs, MIG Logcleaner, UNC2891, Linux, Solaris, BSD
• https://github.com/0x27/linux.mirai (#142) - Mirai

Malware PoCs

• https://github.com/EvelynSubarrow/BismuthScorpion (#182)
• https://github.com/SafeBreach-Labs/backdoros (#213)
• https://github.com/yaoyumeng/adore-ng (#458) - Persistence, Defense Evasion, Linux
• https://github.com/guitmz/go-liora (#663) - Persistence, uses:Go, attack:T1577:Compromise Application Executable, Linux
• https://github.com/vfsfitvnm/intruducer (#209)
• https://gist.github.com/zznop/0117c24164ee715e750150633c7c1782 (#198)
• https://github.com/mufeedvh/moonwalk (#208)
• https://github.com/timb-machine-mirrors/ripmeep-memory-injector (#160)
• https://github.com/elfmaster/skeksi_virus (#224)
• https://github.com/ONsec-Lab/scripts/tree/master/pam_steal (#195)
• https://www.guitmz.com/linux-nasty-elf-virus/ (#642) - Persistence, attack:T1577:Compromise Application Executable, attack:T1057:Process Discovery, attack:T1083:File and Directory Discovery, Linux
• https://github.com/EvelynSubarrow/IridiumScorpion (#183)
• https://github.com/elfmaster/kprobe_rootkit (#223)
• https://github.com/R3tr074/brokepkg (#777) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, uses:ProcessTreeSpoofing, uses:AbnormalSignal, uses:TamperCredStruct, uses:HiddenPort, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1573:Encrypted Channel, attack:T1205:Traffic Signaling, BrokePkg, Linux
• https://github.com/elfmaster/dt_infect (#219)
• https://github.com/f0rb1dd3n/Reptile (#171)
• https://github.com/alexander-pick/apinject (#608) - Defense Evasion, attack:hT1055.008:Ptrace System Calls, Linux
• https://github.com/io-tl/degu-lib (#413) - Linux
• https://github.com/croemheld/lkm-rootkit (#628) - Persistence, Defense Evasion, Privilege Escalation, Exfiltration, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1548:Abuse Elevation Control Mechanism, attack:T1205.001:Port Knocking, attack:T1095:Non-Application Layer Protocol, attack:T1020:Automated Exfiltration, attack:T1048.003:Exfiltration Over Unencrypted Non-C2 Protocol, attack:T1056.001:Keylogging, Linux
• https://github.com/sad0p/d0zer (#782) - Execution, Persistence, uses:Go, attack:T1625:Hijack Execution Flow, attack:T1204:Malicious File, Linux
• https://github.com/Gui774ume/ebpfkit (#151) - Discovery, Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, ebpfkit, Linux
• https://github.com/reveng007/reveng_rtkit (#669) - Persistence, Privilege Escalation, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attacK:T1548:Abuse Elevation Control Mechanism, Linux
• https://github.com/mncoppola/suterusu (#491) - Persistence, Defense Evasion, wltm, Linux
• https://github.com/fbkcs/msf-elf-in-memory-execution (#203)
• https://github.com/stealth/devpops (#192) - DevPops by stealth (not really malicious, has guard rails)
• https://github.com/nnsee/fileless-elf-exec (#193) - Defense Evasion, attack:T1620:Reflective Code Loading
• https://github.com/wunderwuzzi23/Offensive-BPF (#469) - Credential Access, attack:T1205.002:Socket Filters, Linux
• https://github.com/tarcisio-marinho/GonnaCry (#486) - Impact, Linux
• https://github.com/X-C3LL/memdlopen-lib (#605) - Defense Evasion, attack:T1620:Reflective Code Loading, Linux
• https://github.com/codewhitesec/daphne (#740) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, uses:Auditd, Linux
• https://github.com/compilepeace/KAAL_BHAIRAV (#202)
• https://github.com/h3xduck/Umbra (#668) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1095:Non-Application Layer Protocol, attack:T1486:Data Encrypted for Impact, attacK:T1548:Abuse Elevation Control Mechanism, Linux
• https://github.com/schrodyn/bad_UDP (#453) - Linux
• https://github.com/timb-machine-mirrors/sar5430-coolkid (#629) - Persistence, Defense Evasion, Linux
• https://github.com/SilentVoid13/Silent_Packer (#783) - Defense Evasion, attack:T1027.002:Software Packing, Linux
• https://github.com/h3xduck/TripleCross (#465) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, Linux
• https://github.com/ixty/mandibule (#170)
• https://github.com/blendin/3snake (#189)
• https://github.com/guitmz/midrashim (#664) - Persistence, attack:T1577:Compromise Application Executable, Linux
• https://github.com/arget13/DDexec (#222)
• https://github.com/citronneur/pamspy (#466) - Persistence, Defense Evasion, Credential Access, attack:T1205.002:Socket Filters, attack:T1556.003:Pluggable Authentication Modules, Linux
• https://github.com/toffan/binfmt_misc (#431) - Persistence, Privilege Escalation, Defense Evasion, Linux, Device application sandboxing
• https://github.com/timb-machine-mirrors/phath0m-JadedWraith (#165)
• https://github.com/QuokkaLight/rkduck (#667) - Persistence, Defense Evasion, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1056.001:Keylogging, attack:T1564.001:Hidden Files and Directories, attack:T1021.004:SSH, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, Linux
• https://github.com/kris-nova/boopkit (#221)
• https://github.com/codewhitesec/apollon (#734) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, uses:Auditd, Linux
• https://github.com/mav8557/Father (#606) - Persistence, Privilege Escalation, Defense Evasion, attack:T1574.006:Dynamic Linker Hijacking, Linux
• https://packetstormsecurity.com/files/22121/cd00r.c.html (#597) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, cd00r, Linux
• https://github.com/0x1CA3/parasite (#201) - wltm
• https://github.com/m0nad/Diamorphine (#217) - Persistence, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, Diamorphine, Linux
• https://github.com/jtripper/parasite (#169)
• https://github.com/noptrix/fbkit (#684) - Persistence, Privilege Escalation, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1205.002:Socket Filters, attack:T1548.001:Setuid and Setgid, FreeBSD
• https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/ (#739) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, https://github.com/timb-machine/linux-malware/issues/734, https://github.com/timb-machine/linux-malware/issues/740, Linux
• https://github.com/liamg/memit (#200)
• https://github.com/airman604/jdbc-backdoor (#607) - Persistence, Privilege Escalation, Defense Evasion, attack:T1574.002:DLL Side-Loading, Linux, Internal enterprise services, Internal specialist services
• https://github.com/chokepoint/azazel (#191)
• https://github.com/Eterna1/puszek-rootkit (#670) - Persistence, Defense Evasion, Credential Access, Discovery, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1040:Network Sniffing, Linux
• https://github.com/elfmaster/saruman (#220)
• https://hckng.org/articles/perljam-elf64-virus.html (#735) - Persistence, attack:T1554:Compromise Client Software Binary, attack:T1505:Server Software Component, uses:Perl, Linux, AIX, Solaris, HP-UX
• https://github.com/nurupo/rootkit (#172)
• https://github.com/roddux/santa (#207)
• https://github.com/aviat/passe-partout (#704) - Credential Access, attack:T1649:Steal or Forge Authentication Certificates, attack:T1563.001:SSH Hijacking, Linux, AIX, Solaris, HP-UX
• https://github.com/elfmaster/linker_preloading_virus (#211)
• https://github.com/therealdreg/enyelkm (#456) - Persistence, Defense Evasion, Linux
• https://github.com/jermeyyy/rooty (#440) - Persistence, Defense Evasion, https://github.com/timb-machine/linux-malware/issues/439, attack:T1547.006:Kernel Modules and Extensions, XorDDoS, Linux, Consumer, Cloud hosted services, Device application sandboxing
• https://github.com/m1m1x/memdlopen (#175) - Defense Evasion, attack:T1620:Reflective Code Loading
• https://github.com/rek7/fireELF (#159)
• https://github.com/mempodippy/vlany (#174)
• https://github.com/trustedsec/ELFLoader (#416) - Defense Evasion, attack:T1620:Reflective Code Loading, attack:T1027:Obfuscated Files or Information, Linux, Solaris, Cloud hosted services, Internal enterprise services, Internal specialist services, Enterprise with public/Customer-facing services, Device application sandboxing
• https://packetstormsecurity.com/files/author/3859/ (#553) - Persistence, Defense Evasion, uses:DTrace, SInAR, /malware/pocs/SInAR, Archim, Solaris, Internal specialist services, Device application sandboxing
• https://github.com/MegaManSec/SSH-Snake (#791) - Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services
• https://github.com/zephrax/linux-pam-backdoor (#181) - Credential Access, Persistence, Defense Evasion, attack:T1556.003:Pluggable Authentication Modules, Linux
• https://github.com/gaffe23/linux-inject (#210)

Offensive research

Not necessarily malicious code (see Linikatz and unix-privesc-check =)) but interesting capabilities...

Offensive tools

• https://github.com/ciscocxsecurity/unix-privesc-check (#157) - Privilege Escalation
• https://research.nccgroup.com/2022/01/08/tool-release-insject-a-linux-namespace-injector/ (#585) - Execution, Persistence, Linux, Cloud hosted services
• https://github.com/pathtofile/bad-bpf (#205) - uses:BPF
• https://github.com/netifera/netifera (#194)
• https://github.com/creaktive/tsh (#481) - TSH, TINYSHELL, APT31, UNC2891, LightBasin, Linux
• https://github.com/Frissi0n/GTFONow (#771) - Privilege Escalation, attack:T1548:Abuse Elevation Control Mechanism, Linux
• https://github.com/zMarch/Orc (#161)
• https://github.com/stealth/injectso (#589) - Defense Evasion, Linux
• https://github.com/ropnop/windapsearch (#177)
• https://github.com/alichtman/malware-techniques (#199)
• https://github.com/ropnop/kerbrute (#176)
• https://github.com/NetSPI/sshkey-grab (#619) - Credential Access, attack:T1552.004:Private Keys, attack:T1003.007:Proc Filesystem, attack:T1055.009:Proc Memory, Linux, Enhanced identity governance
• https://github.com/guitmz/memrun (#592) - Defense Evasion, attack:T1620:Reflective Code Loading, uses:Non-persistentStorage, Linux
• https://github.com/pmorjan/kmod (#654) - Persistence, Privilege Escalation, uses:Go, attack:T1547.006:Kernel Modules and Extensions, Linux
• https://github.com/IvanGlinkin/AutoSUID (#204)
• https://github.com/milabs/khook (#212)
• https://github.com/dsnezhkov/zombieant (#793) - Defense Evasion, attack:T1562:Impair Defenses, Linux
• https://github.com/CiscoCXSecurity/linikatz (#156) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets, https://github.com/timb-machine/linux-malware/issues/141
• https://github.com/NixOS/patchelf (#443) - Persistence, attack:T1574.006:Dynamic Linker Hijacking, Linux, Device application sandboxing
• https://github.com/eeriedusk/nysm (#761) - Persistence, Linux
• https://vulners.com/metasploit/MSF:POST/LINUX/GATHER/GNOME_KEYRING_DUMP/ (#188)
• https://github.com/controlplaneio/truffleproc (#537) - Privilege Escalation, Credential Access, Linux
• https://github.com/oldboy21/LDAP-Password-Hunter (#167)
• https://github.com/namazso/linux_injector (#599) - Persistence, attack:T1574.006:Dynamic Linker Hijacking, Linux
• https://github.com/liamg/siphon (#576) - Discovery, Collection, Linux
• https://github.com/aojea/netkat (#464) - Lateral Movement, Command and Control, attack:T1205.002:Socket Filters, Linux
• https://github.com/akawashiro/sloader (#521) - Defense Evasion, Linux
• https://github.com/TarlogicSecurity/tickey (#184)
• https://github.com/vbpf/ebpf-samples (#215) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1620:Reflective Code Loading, Device application sandboxing
• https://github.com/io-tl/Mara (#487) - Linux
• https://github.com/DeimosC2/DeimosC2 (#652) - Command and Control, Exfiltration, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, uses:Go, DeimosC2, /malware/binaries/Unix.Backdoor.DeimosC2, Linux
• https://github.com/Idov31/Sandman (#582) - Persistence, Command and Control, Linux
• https://github.com/huntergregal/mimipenguin (#185)
• https://github.com/liamg/traitor (#687) - Privilege Escalation, Linux
• https://packetstormsecurity.com/files/download/23045/statdx-scan.tar.gz (#146) - Reconnaissance, pscan (similar code to luckscan)
• https://github.com/anko/xkbcat (#691) - Credential Access, Collection, attack:T1056.001:Keylogging, Linux, AIX, Solaris, HP-UX, Consumer, Internal enterprise services
• https://github.com/fireeye/SSSDKCMExtractor (#520) - attack:T1558:Steal or Forge Kerberos Tickets, Linux, Internal enterprise services, Enhanced identity governance
• https://github.com/FiloSottile/age (#166)
• https://github.com/hackerschoice/ssh-key-backdoor (#672) - Persistence, Defense Evasion, Linux, AIX, Solaris, HP-UX
• https://github.com/metac0rtex/SSH-Key-Brute-Forcer (#489) - Initial Access, Lateral Movement, Linux, Enclave deployment
• https://github.com/timb-machine-mirrors/adamcaudill-EquationGroupLeak/tree/master/Linux (#173)
• https://github.com/89luca89/pakkero (#718) - Defense Evasion, attack:T1027.002:Software Packing, Linux
• https://github.com/naksyn/Pyramid (#630) - Persistence, Command and Control, Linux
• https://github.com/blacklanternsecurity/KCMTicketFormatter (#519) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets, Linux, Internal enterprise services, Enhanced identity governance
• https://github.com/DavidBuchanan314/dlinject (#485) - Linux
• https://github.com/willshiao/node-bash-obfuscate (#190)
• https://github.com/mnagel/gnome-keyring-dumper (#186)
• https://github.com/sevagas/swap_digger (#515) - Credential Access, Linux
• https://github.com/DavidBuchanan314/stelf-loader (#738) - Execution, Defense Evasion, uses:ProcessTreeSpoofing, uses:Non-persistentStorage, Linux
• https://github.com/SkyperTHC/bpf-keylogger (#781) - Credential Access, Collection, uses:eBPF, attack:T1417.001:Keylogging, Linux
• https://github.com/redcode-labs/Bashark (#168)
• https://github.com/timb-machine-mirrors/CoolerVoid-casper-fs (#216)
• https://github.com/airbus-seclab/nbutools (#689) - Discovery, Collection, Linux, AIX, Solaris, HP-UX, Banking, CNI, Telecomms, Internal enterprise services
• https://github.com/DavidBuchanan314/monomorph (#534) - Defense Evasion, Linux
• https://github.com/NetDirect/nfsshell (#164)
• https://gtfobins.github.io/ (#179)
• https://github.com/t3l3machus/Villain (#591) - Command and Control, Linux
• https://github.com/JonathonReinhart/nosecmem (#180)
• https://github.com/AlessandroZ/LaZagne (#155)
• https://chromium.googlesource.com/linux-syscall-support/ (#533) - Linux
• https://github.com/CiscoCXSecurity/sudo-parser (#163) - Privilege Escalation
• https://github.com/MatheuZSecurity/D3m0n1z3dShell (#773) - Persistence, Linux
• https://github.com/nicocha30/ligolo-ng (#699) - Command and Control, Exfiltration, Linux
• https://github.com/rebootuser/LinEnum (#158)
• https://github.com/TH3xACE/SUDO_KILLER (#162) - Privilege Escalation
• https://github.com/elfmaster/maya (#504) - Defense Evasion, Linux, Device application sandboxing
• https://github.com/Ne0nd0g/merlin (#545) - Command and Control, Exfiltration, uses:Go, Merlin, Linux
• https://github.com/sosdave/KeyTabExtract (#206)
• https://github.com/CiscoCXSecurity/enum4linux (#178)

Offensive techniques

• https://www.tarlogic.com/blog/how-to-attack-kerberos/ (#229)
• https://gist.github.com/timb-machine/602d1a4dace4899babc1b6b5345d24b2 (#550) - Defense Evasion, attack:T1562:Impair Defenses, Linux
• https://sysdig.com/blog/containers-read-only-fileless-malware/ (#415) - Persistence, Defense Evasion, attack:T1202:Indirect Command Execution, attack:T1620:Reflective Code Loading, uses:Non-persistentStorage, uses:k8s, Linux, Cloud hosted services, Device application sandboxing
• http://lists.openstack.org/pipermail/openstack/2013-December/004138.html (#244)
• https://www.guitmz.com/running-elf-from-memory/ (#252)
• https://tmpout.sh/1/ (#225)
• https://rp.os3.nl/2016-2017/p59/presentation.pdf (#233)
• https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf (#248)
• https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (#462) - Defense Evasion, Discovery, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, attack:T1057:Process Discovery, attack:T1620:Reflective Code Loading, Linux, AIX, Solaris, HP-UX, Trust algorithm
• https://grugq.github.io/docs/ul_exec.txt (#463) - Persistence, Defense Evasion, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, Linux, Trust algorithm
• https://blog.doyensec.com/2022/10/11/ebpf-bypass-security-monitoring.html (#567) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
• https://blog.fbkcs.ru/en/elf-in-memory-execution/ (#249)
• https://buzzchronicles.com/Mollyycolllinss/b/internet/7795/ (#475) - Linux
• https://rp.os3.nl/2016-2017/p59/report.pdf (#232)
• https://blog.vibri.us/BeyondTrust-AD-Bridge-Open-Post-Exploitation/ (#635) - Credential Access, Discovery, attack:T1087.002:Domain Account, Linux, Internal enterprise services
• https://github.com/elfmaster/scop_virus_paper (#253)
• https://www.form3.tech/engineering/content/bypassing-ebpf-tools (#584) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
• https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf (#245)
• http://www.hick.org/code/skape/papers/remote-library-injection.pdf (#455) - Persistence, Linux
• https://vxug.fakedoma.in/papers.html (#228)
• https://rp.os3.nl/2016-2017/p97/presentation.pdf (#235)
• https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal (#665) - Initial Access, attack:T1190:Exploit Public-Facing Application, Mirai, Linux, IOT, Consumer
• https://www.blackhat.com/presentations/bh-dc-08/Beauchamp-Weston/Whitepaper/bh-dc-08-beauchamp-weston-WP.pdf (#556) - Persistence, Defense Evasion, uses:DTrace, Solaris, Internal specialist services, Device application sandboxing
• https://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ (#239)
• https://twitter.com/Alh4zr3d/status/1577649651376791552 (#540) - Defense Evasion, Linux, AIX, Solaris, HP-UX
• http://archive.hack.lu/2019/Fileless-Malware-Infection-and-Linux-Process-Injection-in-Linux-OS.pdf (#242) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Device application sandboxing
• https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (#653) - Initial Access, Credential Access, attack:T1110:Brute Force, attack:T1078:Valid Accounts, Linux, AIX, Solaris, HP-UX, Consumer, Cloud hosted services, Internal enterprise services, Internal specialist services
• https://is.muni.cz/el/fi/jaro2011/PV204/um/LinuxRootkits/sys_call_table_complete.htm (#254) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions
• https://packetstormsecurity.com/files/34013/0x4553-Static_Infecting.html (#255)
• https://pbs.twimg.com/media/FSi1m3gXsAA79yF?format=jpg&name=medium (#428) - Persistence, Linux, Device application sandboxing
• http://shell-storm.org/api/?s=arm (#243)
• https://twitter.com/HuskyHacksMK/status/1578413641669308416 (#541) - Defense Evasion, Linux, AIX, Solaris, HP-UX
• https://labs.portcullis.co.uk/presentations/breaking-the-links-exploiting-the-linker/ (#238)
• http://hick.org/code/skape/papers/needle.txt (#557) - Persistence, Defense Evasion, Linux
• https://github.com/Sysinternals/SysmonForLinux/issues/83 (#648) - Defense Evasion, Linux
• https://grugq.github.io/docs/subversiveld.pdf (#473) - Linux
• https://rp.os3.nl/2016-2017/p97/report.pdf (#234)
• https://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/ (#562) - Persistence, Defense Evasion, Command and Control, Linux, AIX, Solaris
• http://www.nth-dimension.org.uk/downloads.php?id=77 (#237)
• https://gtfoargs.github.io/ (#626) - Initial Access, Execution
• https://blog.xpnsec.com/linux-process-injection-aka-injecting-into-sshd-for-fun/ (#558) - Persistence, Defense Evasion, Linux
• https://devilinside.me/blogs/becoming-rat-your-system (#256)
• https://twitter.com/Alh4zr3d/status/1578406155453276160 (#539) - Defense Evasion, Linux, AIX, Solaris, HP-UX
• https://github.com/0xor0ne/debugoff (#755) - Defense Evasion, uses:Rust, attack:T1622:Debugger Evasion, Linux
• https://blog.talosintelligence.com/2018/12/PortcullisActiveDirectory.html (#240) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets
• https://www.archcloudlabs.com/projects/debuginfod/ (#796) - Command and Control, Exfiltration, attack:T1071:Application Layer Protocol, attack:T1567:Exfiltration Over Web Service, Linux
• https://c3media.vsos.ethz.ch/congress/2004/papers/057%20SUN%20Bloody%20Daft%20Solaris%20Mechanisms.pdf (#554) - Persistence, Defense Evasion, uses:DTrace, SInAR, https://github.com/timb-machine/linux-malware/issues/553, Archim, Solaris, Internal specialist services, Device application sandboxing
• https://www.cs.dartmouth.edu/~sergey/cs258/2010/spainhower_DT.pdf (#555) - Persistence, Defense Evasion, uses:DTrace, SInAR, https://github.com/timb-machine/linux-malware/issues/553, https://github.com/timb-machine/linux-malware/issues/554, Archim, Solaris, Internal specialist services, Device application sandboxing
• https://rushter.com/blog/public-ssh-keys/ (#754) - Initial Access, Discovery, Lateral Movement, attack:T1018:Remote System Discovery, attack:T1199:Trusted Relationship, attack:T1021.004:SSH, Linux, AIX, Solaris, HP-UX
• https://www.elastic.co/guide/en/security/master/binary-executed-from-shared-memory-directory.html (#611) - Defense Evasion
• https://github.com/CiscoCXSecurity/presentations/raw/master/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf (#241) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets
• https://github.com/rapid7/ssh-badkeys (#538) - Initial Access, Linux, AIX, Solaris, HP-UX
• https://github.com/hakivvi/ermir (#579) - Initial Access, Lateral Movement, Linux, Internal enterprise services
• http://www.ouah.org/LKM_HACKING.html (#257) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions
• https://sonarsource.github.io/argument-injection-vectors/ (#627) - Initial Access, Execution
• https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/ (#236)
• https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html (#575) - Persistence, Privilege Escalation, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, attack:T1562:Impair Defenses, Linux
• https://www.sentinelone.com/blog/shadow-suid-for-privilege-persistence-part-1/ (#430) - Persistence, Privilege Escalation, Defense Evasion, Linux, Device application sandboxing
• https://medium.com/confluera-engineering/reflective-code-loading-in-linux-a-new-defense-evasion-technique-in-mitre-att-ck-v10-da7da34ed301 (#250)
• http://www.foo.be/cours/mssi-20072008/davidoff-clearmem-linux.pdf (#246)
• https://www.akamai.com/blog/security-research/linux-lateral-movement-more-than-ssh (#708) - Lateral Movement, Linux, AIX, Solaris, HP-UX
• https://www.first.org/resources/papers/telaviv2019/Rezilion-Shlomi-Butnaro-Beyond-Whitelisting-Fileless-Attacks-Against-L....pdf (#231) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Device application sandboxing
• https://twitter.com/brainsmoke/status/399558997994668033 (#509) - Execution, Linux
• https://n0.lol/ (#227)
• https://tmpout.sh/2/ (#226)
• https://rosesecurityresearch.com/crafting-malicious-pluggable-authentication-modules-for-persistence-privilege-escalation-and-lateral-movement (#772) - Persistence, Defense Evasion, Credential Access, attack:T1556.003:Pluggable Authentication Modules, Linux
• https://github.com/CiscoCXSecurity/linikatz/issues (#230)
• https://twitter.com/David3141593/status/1575978540868435968 (#532) - Linux
• https://2018.zeronights.ru/wp-content/uploads/materials/09-ELF-execution-in-Linux-RAM.pdf (#436) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Linux, Device application sandboxing
• https://github.com/milabs/awesome-linux-rootkits (#9) - Persistence, Linux
• https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (#461) - Persistence, Defense Evasion, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, Linux, AIX, Solaris, HP-UX, Trust algorithm
• https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (#800) - Defense Evasion, Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, attack:T1027:Obfuscated Files or Information, https://github.com/timb-machine/linux-malware/issues/791, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services
• https://sysdig.com/blog/ebpf-offensive-capabilities/ (#768) - Persistence, Defense Evasion, uses:eBPF, Linux
• https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html (#683) - Defense Evasion, attack:T1629.003:Disable or Modify Tools, attack:T1547.006:Kernel Modules and Extensions, uses:Auditd, Linux
• https://medium.com/verint-cyber-engineering/linux-threat-hunting-primer-part-ii-69484f58ac92 (#247)
• https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (#705) - Persistence, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attacK:T1548:Abuse Elevation Control Mechanism, https://github.com/timb-machine/linux-malware/issues/669, Linux
• https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html (#251)
• https://gist.github.com/timb-machine/7bd75479ee29aee8762952ea16908eb0 (#197) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, attack:T1202:Indirect Command Execution, Linux, AIX, Solaris, HP-UX, Device application sandboxing, Trust algorithm

Defensive research

Defensive tools

• https://github.com/CYB3RMX/Qu1cksc0pe (#696) - Defense Evasion, Linux
• https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/ (#268)
• https://github.com/evilsocket/ebpf-process-anomaly-detection (#497) - Execution, Linux
• https://tbhaxor.com/hunting-malicious-binaries-in-containers/ (#272)
• https://github.com/sandflysecurity/sandfly-file-decloak (#634) - Defense Evasion, Linux
• https://github.com/marin-m/vmlinux-to-elf (#726) - Defense Evasion, attack:T1601:Modify System Image, Linux
• https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Fixing-A-Memory-Forensics-Blind-Spot-Linux-Kernel-Tracing-wp.pdf (#423) - Persistence, Privilege Escalation, Defense Evasion, Credential Access, Collection, Command and Control, Exfiltration, Linux
• https://twitter.com/inversecos/status/1527188391347068928 (#435) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris, Device application sandboxing
• https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (#570) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/571, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
• https://twitter.com/ldsopreload/status/1582780282758828035 (#571) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/570, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
• https://elastic.github.io/security-research/intelligence/2022/03/03.dirty-pipe/article/ (#265)
• https://github.com/elfmaster/avu32 (#273)
• https://github.com/M00NLIG7/ChopChopGo (#674) - Defense Evasion, Linux
• https://youtu.be/16_EAsYAApI (#438) - Linux
• https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/mitre-att-amp-ck-technique-coverage-with-sysmon-for-linux/ba-p/2858219 (#269)
• https://github.com/deepfence/ebpfguard (#697) - Defense Evasion, Linux
• https://github.com/niveb/NoCrypt (#673) - Impact, attack:T1486:Data Encrypted for Impact, attack:T1547.006:Kernel Modules and Extensions, Linux
• https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought/ (#274)
• https://github.com/sandflysecurity/sandfly-entropyscan (#632) - Defense Evasion, Linux
• https://elfdigest.com/ (#262)
• https://blog.blockmagnates.com/hunt-linux-malware-with-cgroups-497733095a94 (#472) - Linux
• https://github.com/monnappa22/Limon (#258)
• https://medium.com/confluera-engineering/detection-and-response-for-linux-reflective-code-loading-malware-this-is-how-21f9c7d8a014 (#278)
• https://github.com/tstromberg/sunlight (#794) - Defense Evasion, uses:eBPF, Linux
• https://github.com/tclahr/uac (#583) - Persistence, Defense Evasion, Linux
• https://github.com/alex-cart/LEAF (#445) - Linux
• https://github.com/falcosecurity/falco (#412) - Linux, Device application sandboxing
• https://github.com/jafarlihi/modreveal (#609) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions, Linux
• https://bazaar.abuse.ch/ (#259)
• https://github.com/ancat/egrets (#218)
• https://github.com/sandflysecurity/sandfly-processdecloak (#633) - Defense Evasion, Linux
• https://tria.ge/ (#263)
• https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/ (#275)
• https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (#449) - Persistence, Defense Evasion, Credential Access, Command and Control, https://github.com/timb-machine/linux-malware/issues/156, https://github.com/timb-machine/linux-malware/issues/418, https://github.com/timb-machine/linux-malware/issues/420, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1005:Data from Local System, attack:T1083:File and Directory Discovery, attack:T1003:OS Credential Dumping, attack:T1558:Steal or Forge Kerberos Tickets, BPFDoor, Linikatz, Linux
• https://github.com/hardenedvault/ved-ebpf (#737) - Execution, Privilege Escalation, Defense Evasion, attack:T1574:Hijack Execution Flow, attack:T1548.001:Setuid and Setgid, attack:T1620:Reflective Code Loading, attack:T1068:Exploitation for Privilege Escalation, uses:eBPF, Linux
• https://github.com/chainguard-dev/osquery-defense-kit (#574) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Command and Control, Exfiltration, Linux
• https://github.com/NozomiNetworks/upx-recovery-tool (#535) - Defense Evasion, attack:T1027.002:Software Packing, Linux
• https://www.virustotal.com/gui/ (#260)
• https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/ (#276)
• https://github.com/threathunters-io/laurel (#581) - Defense Evasion, Linux
• https://github.com/signalblur/impelf (#647) - Defense Evasion, Linux
• https://github.com/sqall01/LSMS (#610) - Defense Evasion, Linux
• https://grsecurity.net/tetragone_a_lesson_in_security_fundamentals (#450) - Persistence, Privilege Escalation, Defense Evasion, Linux
• https://github.com/Achiefs/fim (#779) - Defense Evasion, Linux
• https://github.com/sourque/louis (#411) - Linux, Device application sandboxing
• https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505 (#451) - Linux
• https://github.com/chriskaliX/Hades (#514) - Linux
• https://github.com/504ensicsLabs/LiME (#187)
• https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/ (#277)
• https://www.rfxn.com/projects/linux-malware-detect/ (#261)
• https://github.com/Gui774ume/ebpfkit-monitor (#467) - Persistence, Defense Evasion, Discovery, Command and Control, Linux
• https://twitter.com/ldsopreload/status/1583178316286029824 (#568) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/569, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
• https://github.com/0xrawsec/kunai (#749) - Defense Evasion, Linux
• https://github.com/snapattack/bpfdoor-scanner (#437) - Persistence, Defense Evasion, Command and Control, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205.002:Socket Filters, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect
• https://twitter.com/timb_machine/status/1523253031382687744 (#421) - Command and Control, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/420, DecisiveArchitect, Solaris
• https://github.com/op7ic/unix_collector (#266) - Solaris, Linux, AIX, OS X
• https://github.com/vmware/kernel-event-collector-module (#271) - Carbon Black
• https://github.com/nikhilh-20/ELFEN (#764) - Defense Evasion, Linux
• https://github.com/Gui774ume/krie (#498) - Defense Evasion, Privilege Escalation, Persistence, uses:eBPF, attack:T1620:Reflective Code Loading, attack:T1574:Hijack Execution Flow, attack:T1068:Exploitation for Privilege Escalation, attack:T1562.001:Disable or Modify Tools, attack:T1548:Abuse Elevation Control Mechanism, Linux
• https://github.com/avilum/secimport (#748) - Persistence, Defense Evasion, Linux
• https://www.volatilityfoundation.org/releases-vol3 (#457) - Persistence, Defense Evasion, Linux, Consumer, Cloud hosted services, Internal enterprise services, Internal specialist services, Enterprise with public/Customer-facing services, Device application sandboxing
• https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (#569) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/568, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
• https://github.com/david942j/seccomp-tools (#590) - Defense Evasion, Linux

Defensive techniques

• https://blog.trailofbits.com/2021/11/09/all-your-tracing-are-belong-to-bpf/ (#747) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
• https://www.mandiant.com/sites/default/files/2022-03/wp-linux-endpoint-hardening.pdf (#675) - Defense Evasion, Linux
• https://github.com/archcloudlabs/BSidesRoc2022_Linux_Malware_Analysis_Course (#264)
• https://righteousit.wordpress.com/2021/12/21/hudaks-honeypot-part-2/ (#39) - honeypot, Linux
• https://righteousit.wordpress.com/2021/12/20/hudaks-honeypot-part-1/ (#38) - honeypot, Linux
• https://blog.trailofbits.com/2023/08/09/use-our-suite-of-ebpf-libraries/ (#736) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
• https://archive.org/details/HalLinuxForensics (#560) - Defense Evasion, Linux
• https://www.youtube.com/watch?v=Zig-inHOhII (#561) - Defense Evasion, Linux
• https://sandflysecurity.com/blog/detecting-evasive-linux-backdoors-presentation/ (#760) - Persistence, Defense Evasion, Command and Control, Linux
• https://github.com/rung/threat-matrix-cicd (#10) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Lateral Movement, Exfiltration, Impact, Linux
• https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html (#559) - Defense Evasion, Linux
• https://blog.trailofbits.com/2023/09/25/pitfalls-of-relying-on-ebpf-for-security-monitoring-and-some-solutions/ (#762) - Execution, Persistence, Privilege Escalation, Defense Evasion, Linux
• https://github.com/DevinRTK/rtk-eLibrary (#631) - Persistence, Defense Evasion, Discovery, Collection, Linux, Cloud hosted services, Internal enterprise services, Internal specialist services, Multi-cloud/Cloud-to-cloud enterprise
• https://blog.virustotal.com/2023/12/sigma-rules-for-linux-and-macos_20.html (#774) - Defense Evasion, Linux
• https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (#719) - Execution, Persistence, Privilege Escalation, Defense Evasion, attack:T1574:Hijack Execution Flow, attack:T1204:User Execution, attack:T1218:System Binary Proxy Execution, attack:T1036.003:Rename System Utilities, Linux, AIX, Solaris, HP-UX
• https://www.forensicxlab.com/posts/inodes/ (#522) - Defense Evasion, Linux
• https://github.com/anelshaer/Remote-Linux-Triage-Collection-using-OSquery (#529) - Linux
• https://blog.aquasec.com/detecting-ebpf-malware-with-tracee (#745) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
• https://github.com/cr0nx/awesome-linux-attack-forensics-purplelabs (#712) - Defense Evasion, Linux
• https://twitter.com/CraigHRowland/status/1593102427276050433 (#587) - Persistence, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, Linux
• https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (#499) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, attack:T1574:Hijack Execution Flow, attack:T1068:Exploitation for Privilege Escalation, Linux
• https://redcanary.com/blog/ebpf-for-security/ (#270) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading
• https://github.com/timb-machine/obscure-forensics (#267)
• https://redcanary.com/blog/process-streams/ (#494) - Lateral Movement, Command and Control, Exfiltration, uses:bash, uses:ksh93, attack:T1059:Command and Scripting Interpreter, attack:T1095:Non-Application Layer Protocol, Linux, Enclave deployment
• https://darrenmartyn.ie/2021/07/05/procfs-bash-tricks-and-detecting-cowrie/ (#528) - Persistence, Defense Evasion, Linux, Device application sandboxing

Defensive Yara

Personal rules

• pscan.yara (#287) - Hunts for references to pscan
• luckscan.yara (#286) - Hunts for references to luckscan
• adonunix2.yara (#281) - Hunts for binaries that attack AD on UNIX
• aix.yara (#280) - Hunts for AIX binaries
• ciscotools.yara (#279) - Hunts for references to our tools
• enterpriseapps2.yara (#283) - Hunts for enterprise app binaries
• enterpriseunix2.yara (#282) - Hunts for enterprise UNIX binaries
• unixredflags3.yara (#285) - Hunts for UNIX red flags
• canvasspectre.yara (#284) - Hunts for CANVAS Spectre

Other rules

• https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar (#419) - attack:T1205.002:Socket Filters, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/418, DecisiveArchitect, Linux
• https://github.com/Yara-Rules/rules (#288)