linux-malware

E: we have a duplicate: https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group E: we have a duplicate: https://twitter.com/Unit42_Intel/status/1653760405792014336

Press/academia

https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ (#19) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/ (#638) - Resource Development, Impact, attack:T1486:Data Encrypted for Impact, timb-machine#644, uses:CrossCompiled, LockBit, Linux, Internal specialist services
https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf (#23) - various SSH, Bonadan, Kessel, Chandrila
https://blog.trendmicro.com/trendlabs-security-intelligence/unix-a-game-changer-in-the-ransomware-landscape/ (#35)
https://www.linuxexperten.com/library/e-resources/linux-malware-ever-growing-list-2023 (#622) - Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, Linux
https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (#422) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, timb-machine#420, timb-machine#418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris
https://www.fireeye.com/blog/threat-research/2021/09/elfant-in-the-room-capa-v3.html (#34)
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ (#22) - AgeLocker, WellMail, TrickBot, IPStorm, Turla, QNAPCrypt, Carbanak
https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf (#101) - Defense Evasion, Command and Control, Exfiltration, Impact, attack:T1486:Data Encrypted for Impact, XMRig, Hello Kitty, timb-machine#546, REvil, DarkSide, BlackMatter, Defray777, ViceSociety, Erebus, GonnaCry, eChoraix, Sysrv, TeamTNT, Mexalz, Omelette, WatchDog, Kinsing, Cobalt Strike, Vermillion Strike, Merlin, timb-machine#545, timb-machine#547, RedXOR, timb-machine#548, ACBackdoor, timb-machine#549, ELF_Plead, Linux, VMware, Internal enterprise services, Internal specialist services
https://en.wikipedia.org/wiki/Mirai_(malware) (#18) - Initial Access, Persistence, Defense Evasion, Credential Access, Discovery, Lateral Movement, Impact, Mirai
https://github.com/CiscoCXSecurity/presentations/raw/master/The%20UNIX%20malware%20landscape%20-%20Reviewing%20the%20goods%20at%20MALWAREbazaar%20v5.pdf (#448)
https://malpedia.caad.fkie.fraunhofer.de/ (#29)
https://ieeexplore.ieee.org/document/8418602 (#25)
https://www.zdnet.com/article/hacker-exposes-thousands-of-insecure-desktops-that-anyone-can-remotely-view/ (#33)
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations (#32)
https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Dumont-H-Porcher-dark_side_of_the_forsshe.pdf (#24) - various SSH, Bonadan, Kessel, Chandrila
https://reyammer.io/publications/2018_oakland_linuxmalware.pdf (#28)
https://wikileaks.org/vault7/ (#31)
http://s3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf (#27)
https://gist.github.com/vlamer/2c2ec2ca80a84ab21a32 (#26)
https://rp.os3.nl/ (#30)
https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html (#37)
https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf (#21) - WINNTI
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf (#417) - LootRat, PLEAD, TSCookie, RotaJakiro1, Red Djinn, Red Nue, Scarlet Joke, Ocean Lotus, APT32, Linux
https://securelist.com/top-10-unattributed-apt-mysteries/107676/ (#552) - Metador, Plexing Eagle, wltm, Linux, Solaris, Telecomms
https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/ (#40)
https://en.wikipedia.org/wiki/Linux_malware (#17) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, DarkSide
https://spectrum.ieee.org/amp/mirai-botnet-2659993631 (#676) - Initial Access, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1498:Network Denial of Service, attack:T1499:Endpoint Denial of Service, Mirai, Linux, Consumer
https://www.darkreading.com/attacks-breaches/blackcat-purveyor-shows-ransomware-operators-have-nine-lives (#41) - Impact, BlackCat, timb-machine#512
https://www.group-ib.com/resources/threat-research/oldgremlin.html (#573) - Impact, OldGremlin, Linux
https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf (#20) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, LaZagne, Dalcs, Mirai, Gafgyt, Tsunami, IPStorm, Wellmess, FritzFrog, Linux

In the wild

Breach reports

https://twitter.com/1ZRR4H/status/1560662815400407040 (#507) - Initial Access, Peer2Profit, Linux
https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm (#42) - GoDaddy
http://securelist.com/backdoored-free-download-manager-linux-malware/110465/ (#766) - Initial Access, timb-machine#765, Linux
https://github.com/mttaggart/I-S00N (#799) - Persistence, Reptile, APT41, Linux, AIX, Solaris, HP-UX
https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ (#446) - Initial Access, Linux
https://www.freedownloadmanager.org/blog/?p=664 (#765) - Initial Access, timb-machine#766, Linux
https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677) - Reconnaissance, Initial Access, Persistence, Defense Evasion, Discovery, Collection, Impact, attack:T1593:Search Open Websites/Domains, attack:T1190:Exploit Public-Facing Application, attack:T1078.004:Cloud Accounts, attack:T1526:Cloud Service Discovery, attack:T1619:Cloud Storage Object Discovery, attack:T1069:Permission Groups Discovery, attack:T1069.003:Cloud Groups, attack:T1602:Data from Configuration Repository, attack:T1213.003:Code Repositories, attack:T1098:Account Manipulation, attack:T1098.003:Additional Cloud Roles, attack:T1136:Create Account, attack:T1136.003:Cloud Account, attack:T1036:Masquerading, attack:T1021.004:SSH, attack:T1578:Modify Cloud Compute Infrastructure, attack:T1578.002:Create Cloud Instance, attack:T1525:Implant Internal Image, attack:T1496:Resource Hijacking, GUI-vil, Linux, Hosting, Cloud hosted services

Supply chain attacks

https://lwn.net/Articles/371110/ (#291) - e107 CMS
https://www.webmin.com/exploit.html (#43) - Webmin
https://portswigger.net/daily-swig/homebrew-bug-allowed-researcher-full-access-to-github-repos (#290) - Homebrew
https://www.aldeid.com/wiki/Exploits/proftpd-1.3.3c-backdoor (#44) - ProFTPd
https://portswigger.net/daily-swig/backdoor-planted-in-php-git-repository-after-server-hack (#48) - PHP
https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html (#49) - VsFTPd
canonical/snapcraft.io#651 (#296) - Snapcraft
https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor/ (#45) - UnrealIRCd
https://lists.archlinux.org/pipermail/aur-general/2018-July/034169.html (#523) - timb-machine#525, wltm, Linux
https://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155 (#46) - Horde Webmail
https://www.heise.de/security/meldung/Achtung-Anzeigen-Server-OpenX-enthaelt-eine-Hintertuer-1929769.html (#295) - OpenX
https://blog.sonatype.com/newly-found-npm-malware-mines-cryptocurrency-on-windows-linux-macos-devices (#294) - Impact, delivery:NPM, uses:JavaScript, attack:T1195.001:Compromise Software Dependencies and Development Tools, wltm
https://securelist.com/beware-of-backdoored-linux-mint-isos/73893/ (#543) - Initial Access, Command and Control, Impact, Tsunami, Kaiten, Linux
https://arstechnica.com/information-technology/2012/09/questions-abound-as-malicious-phpmyadmin-backdoor-found-on-sourceforge-site/ (#47) - PHPMyAdmin
https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero (#495) - Impact, delivery:PyPI, uses:Python, attack:T1620:Reflective Code Loading, attack:T1070.004:File Deletion, attack:T1195.001:Compromise Software Dependencies and Development Tools, wltm, Linux
https://lirantal.medium.com/a-snyks-post-mortem-of-the-malicious-event-stream-npm-package-backdoor-40be813022bb (#293) - event-stream
https://news.ycombinator.com/item?id=17501379 (#525) - Linux
https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain/ (#289) - "Octopus Scanner" (Netbeans) attack
https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/ (#787) - Initial Access, Discovery, Command and Control, uses:npm, attack:T1195.001:Compromise Software Dependencies and Development Tools, attack:T1082:System Information Discovery, Linux
http://www.h-online.com/open/news/item/MyBB-downloads-were-infected-1366300.html (#292) - MyBB

Malware reports

https://www.trendmicro.com/en_us/research/21/j/actors-target-huawei-cloud-using-upgraded-linux-malware-.html (#383)
https://www.cadosecurity.com/legion-an-aws-credential-harvester-and-smtp-hijacker/ (#679) - Initial Access, Persistence, Impact, Legion, wltm, Linux, Cloud hosted services
https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf (#100) - Cyclops Blink
https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (#803) - Defense Evasion, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, uses:Non-persistentStorage, attack:T1070.006:Timestomp, attack:T1070.004:File Deletion, BPFDoor, /malware/binaries/BPFDoor, wltm, Linux
https://www.kroll.com/en/insights/publications/cyber/inside-the-systembc-malware-server (#784) - Command and Control, Exfiltration, uses:PHP, attack:T1090:Proxy, attack:T1071.001:Web Protocols, SystemBC, Linux
https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html (#442) - Impact, attack:T1486:Data Encrypted for Impact, Cheerscrypt, timb-machine#544, Linux, VMware, Internal enterprise services, Internal specialist services
https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group (#544) - Initial Access, Discovery, Lateral Movement, Collection, Impact, attack:T1486:Data Encrypted for Impact, Cheerscrypt, Emperor Dragonfly, Linux, VMware
https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html (#58) - Mirai (by malwaremustdie.org)
https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys/ (#680) - Initial Access, Persistence, Androxgh0st, wltm, Linux, Cloud hosted services
https://www.gosecure.net/blog/2018/02/14/chaos-a-stolen-backdoor-rising/ (#395) - uses:Go, Chaos (sebd), /malware/binaries/Chaos
https://twitter.com/tolisec/status/1507854421618839564 (#116) - Impact, KinSing
https://blogs.vmware.com/security/2021/09/hellokitty-the-victims-perspective.html (#546) - Impact, attack:T1486:Data Encrypted for Impact, wltm, Linux
https://zhuanlan.zhihu.com/p/348960748 (#403) - Impact, Command and Control, Lateral Movement, Persistence, Cloud Shovel
https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html (#614) - Command and Control, Persistence, SysUpdate, IronTiger
https://twitter.com/IntezerLabs/status/1338480158249013250 (#301) - Promotei
https://imgur.com/a/5vPEc (#74) - ChinaZ (by malwaremustdie.org)
https://blog.sekoia.io/walking-on-apt31-infrastructure-footprints/ (#478) - timb-machine#480, Rekoobe, TSH, timb-machine#481, APT31, Linux
https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (#643) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, attack:T1573:Encrypted Channel, attack:T1106:Native API, attack:T1059.004: Unix Shell, attack:T1070.004:File Deletion, attack:T1036.004:Masquerade Task or Service, attack:T1070.006:Timestomp, uses:RedirectionToNull, uses:Non-persistentStorage, attack:T1036.005:Match Legitimate Name or Location, uses:ProcessTreeSpoofing, attack:T1562.004:Disable or Modify System Firewall, BPFDoor, /malware/binaries/BPFDoor, Unix.Backdoor.RedMenshen, Linux, Solaris
https://imgur.com/a/H7YuWuj (#356) - SystemTen (by malwaremustdie.org)
https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ (#655) - Initial Access, Persistence, Privilege Escalation, attack:T1566.001:Spearphishing Attachment, attack:T1546.004:Unix Shell Configuration Modification, uses:RedirectionToNull, uses:Go, wltm, OdicLoader, SimplexTea, Lazarus, Linux
https://twitter.com/xnand_/status/1676336329985077249 (#710) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, timb-machine#711, timb-machine#724, Linux
https://old.reddit.com/r/LinuxMalware/comments/gdte0m/linuxkaiji/ (#340) - Kaiji (by malwaremustdie.org)
https://securelist.com/the-penquin-turla-2/67962/ (#593) - Persistence, Defense Evasion, Command and Control, Penquin, Turla, Linux
https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439) - Initial Access, Credential Access, Impact, attack:T1078:Valid Accounts, attack:T1100:Brute Force, attack:T1498:Network Denial of Service, attack:T1053.003:Cron, attack:T1105:Ingress Tool Transfer, attack:T1027:Obfuscated Files or Information, attack:T1014:Rootkit, attack:T1082:System Information Discovery, attack:T1003.007:Proc Filesystem, attack:T1562.001:Disable or Modify Tools, attack:T1037.004:RC Scripts, attack:T1070.004:File Deletion, attack:T1036.005:Match Legitimate Name or Location, uses:Non-persistentStorage, uses:ioctl, uses:PortHiding, timb-machine#129, uses:ProcessTreeSpoofing, XorDDoS, Rooty, Linux
https://news.drweb.com/show/?i=14646&lng=en&c=23 (#602) - Initial Access, Command and Control, WordPressExploit, Linux
https://twitter.com/malwaremustd1e/status/1265321238383099904 (#317) - Gafgyt (by malwaremustdie.org)
https://www.cisa.gov/news-events/analysis-reports/ar23-209b (#730) - Command and Control, timb-machine#729, SEASPY, wltm, Linux
https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/ (#360) - Rhombus (by malwaremustdie.org)
https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability (#337) - Impact, Persistence, Impact, KinSing
https://ultimacybr.co.uk/2023-10-04-Sysrv/ (#767) - Persistence, Defense Evasion, Impact, attack:T1496:Resource Hijacking, uses:Go, Sysrv, Linux
https://blog.xlab.qianxin.com/mirai-tbot-en/ (#788) - Initial Access, Command and Control, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1133:External Remote Services, attack:T1078:Valid Accounts, attack:T1498:Network Denial of Service, attack:T1027:Obfuscated Files or Information, Mirai, TBOT, Linux, IOT
https://blog.talosintelligence.com/2018/06/vpnfilter-update.html (#54) - VPNFilter
https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (#321) - Execution, Persistence, Privilege Escalation, Command and Control, Exfiltration, Impact, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1573:Encrypted Channel, attack:T1071.001:Web Protocols, attack:T1053.003:Cron, attack:T1486:Data Encrypted for Impact, DarkSide, UNC2628, UNC2659, UNC2465, Linux
https://csirt.egi.eu/attacks-on-multiple-hpc-sites/ (#376) - HPC
https://sansec.io/research/cronrat (#399) - Defense Evasion, Command and Control, uses:Non-persistentStorage, attack:T1053.003:Cron, attack:T1027:Obfuscated Files or Information, attack:T1001.003:Protocol Impersonation, attack:T1036.005:Match Legitimate Name or Location, vertical:Retail, CronRAT, wltm, Linux
https://xorl.wordpress.com/2022/06/22/the-forgotten-suaveeyeful-freebsd-software-implant-of-the-equation-group/ (#474) - Linux, FreeBSD
https://imgur.com/a/lAQ1tMQ (#78) - HelloBot (by malwaremustdie.org)
https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github (#97) - Botenago
https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (#618) - Persistence, Defense Evasion, uses:Go, attack:T1554:Compromise Client Software Binary, attack:T1546.004:Unix Shell Configuration Modification, attack:T1053.003:Cron, attack:T1543.002:Systemd Service, attack:T1037:Boot or Logon Initialization Scripts, Chaos, /malware/binaries/Chaos, Linux
https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/ (#566) - Impact, XMRig, Sysrv, wltm, Linux
https://blog.malwarebytes.com/cybercrime/2022/03/a-new-rootkit-comes-to-an-atm-near-you/ (#120) - CAKETAP, UNC2891, Solaris
https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (#527) - Defense Evasion, Discovery, Execution, Persistence, Privilege Escalation, attack:T1036.005:Match Legitimate Name or Location, attack:T1059:Command and Scripting Interpreter, attack:T1569:System Service, attack:T1569.002:Service Execution, attack:T1543:Create or Modify System Process, attack:T1027:Obfuscated Files or Information, uses:Non-persistentStorage, attack:T1057:Process Discovery, attack:T1070.004:File Deletion, attack:T1546.004:Unix Shell, exploit:CVE-2021-3493, exploit:CVE-2021-4034, timb-machine#510, Shikitega, /malware/binaries/Shikitega, XMRig, Linux
https://imgur.com/a/MuHSZtC (#81) - Mandibule (by malwaremustdie.org)
https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/ (#526) - Metador, wltm, Linux
https://imgur.com/a/57uOiTu (#80) - DDoSMan (by malwaremustdie.org)
https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (#658) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, attack:T1573:Encrypted Channel, attack:T1106:Native API, BPFDoor, /malware/binaries/BPFDoor, Linux
https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (#434) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, timb-machine#420, timb-machine#418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
https://mp-weixin-qq-com.translate.goog/s/pd6fUs5TLdBtwUHauclDOQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp (#588) - Persistence, Defense Evasion, Command and Control, attack:T1027:Obfuscated Files or Information, caja, wltm, Linux
https://imgur.com/a/4YxuSfV (#79) - Cayosin (by malwaremustdie.org)
http://it.rising.com.cn/fanglesuo/19851.html (#96) - SFile
https://atdotde.blogspot.com/2020/05/high-performance-hackers.html (#377) - HPC
https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign (#727) - Initial Access, Command and Control, Impact, XMRig, Linux
https://id-ransomware.blogspot.com/2021/11/polaris-ransomware.html (#398) - Polaris
https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (#770) - Initial Access, Persistence, Defense Evasion, Impact, uses:ProcessTreeSpoofing, uses:TamperedPS, uses:Python, attack:T1140:Deobfuscate/Decode Files or Information, attack:T1496:Resource Hijacking, attack:T1547.006:Kernel Modules and Extensions, attack:T1574.006:Dynamic Linker Hijacking, XHide, XMRig, Diamorphine, libprocesshider, Kiss-a-Dog, Linux, Cloud hosted services
https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt (#320) - Gafgyt
https://www.trendmicro.com/en_gb/research/19/f/cryptocurrency-mining-botnet-arrives-through-adb-and-spreads-through-ssh.html (#55) - CoinMiner
https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/ (#459) - Persistence, Defense Evasion, Linux
https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html (#336) - PLEAD
https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html (#789) - Defense Evasion, Discovery, Command and Control, attack:T1090:Proxy, uses:ProcessTreeSpoofing, attack:T1027:Obfuscated Files or Information, attack:T1082:System Information Discovery, SprySOCKS, Mandibule, timb-machine#170, Earth Lusca, Linux
https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (#623) - Initial Access, Defense Evasion, Command and Control, Impact, attack:T1105:Ingress Tool Transfer, attack:T1071.001:Web Protocols, attack:T1071.002:File Transfer Protocol, attack:T1499:Endpoint Denial of Service, attack:T1480:Execution Guardrails, HinataBot, Linux, Consumer
https://www.cisa.gov/news-events/analysis-reports/ar23-209a (#731) - Persistence, timb-machine#729, SUBMARINE, wltm, Linux
https://twitter.com/malwaremustd1e/status/1251758225919115264 (#361) - Persistence, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux
https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html (#63) - timb-machine#134, SLAPSTICK, LightBasin, UNC1945, Solaris
https://twitter.com/billyleonard/status/1458531997576572929 (#480) - Rekoobe, TSH, TINYSHELL, timb-machine#481, APT31, Linux
https://asec.ahnlab.com/en/45182/ (#603) - Defense Evasion, attack:T1027.009:Embedded Payloads, uses:SHC, Linux
https://twitter.com/malwaremustd1e/status/1264417940742389762 (#316) - Gafgyt (by malwaremustdie.org)
https://twitter.com/IntezerLabs/status/1272915284148531200 (#341) - Lazarus
https://old.reddit.com/r/LinuxMalware/comments/f26amt/new_systemten_botnet_miner_threat_now_wother/ (#357) - SystemTen (by malwaremustdie.org)
https://asec.ahnlab.com/en/54647/ (#707) - Defense Evasion, Credential Access, Command and Control, Impact, attack:T1110:Brute Force, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1496:Resource Hijacking, attack:T1498:Network Denial of Service, uses:IRC, XMRig, ShellBot, MIG Logcleaner, timb-machine#154, Tsunami, Kaiten, 0x333shadow Log Cleaner, timb-machine#706, ChinaZ, Linux
https://imgur.com/a/vS7xV (#75) - CarpeDiem (by malwaremustdie.org)
https://www.intezer.com/blog/malware-analysis/linux-rekoobe-operating-with-new-undetected-malware-samples/ (#479) - Rekoobe, APT31, Linux
https://blog.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies (#496) - Impact, attack:T1486:Data Encrypted for Impact, region:South Korea, vertical:Pharmaceutical, Gwisin, wltm, Linux, VMware, Industrial, Internal specialist services
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ (#750) - Initial Access, Persistence, Defense Evasion, Command and Control, Impact, attack:T1547.006:Kernel Modules and Extensions, SkidMap, Linux
https://cujo.com/iot-malware-journals-prometei-linux/ (#300) - Promotei
https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ (#117) - AcidRain
https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor (#547) - Command and Control, Exfiltration, uses:LD_PRELOAD, wltm, Linux
https://www.sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/ (#402) - Cloud Shovel
https://permiso.io/blog/s/legion-mass-spam-attacks-in-aws/ (#681) - Persistence, Impact, Legion, wltm, Linux, Cloud hosted services
https://mp.weixin.qq.com/s/BSfKTlMlOnNlsWKjV1NM8w (#394) - NAMO
https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (#510) - Execution, Persistence, Defense Evasion, attack:T1036.005:Match Legitimate Name or Location, attack:T1059:Command and Scripting Interpreter, attack:T1569:System Service, attack:T1569.002:Service Execution, attack:T1543:Create or Modify System Process, attack:T1027:Obfuscated Files or Information, uses:Non-persistentStorage, attack:T1057:Process Discovery, attack:T1070.004:File Deletion, attack:T1546.004:Unix Shell, exploit:CVE-2021-3493, Shikitega, /malware/binaries/Shikitega, Linux
https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html (#59) - Mirai (by malwaremustdie.org)
https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware (#639) - Command and Control, AP36, Transparent Tribe, Poseidon, Linux
https://blog.polyswarm.io/lightning-framework (#506) - Lightning, /malware/binaries/Lightning, Linux
https://twitter.com/Unit42_Intel/status/1653760405792014336 (#695) - Impact, BlackSuit, Linux
https://conference.hitb.org/hitbsecconf2017ams/materials/D2T4%20-%20Emmanuel%20Gadaix%20-%20A%20Surprise%20Encounter%20With%20a%20Telco%20APT.pdf (#551) - Defense Evasion, Collection, Command and Control, Impact, vertical:Telecomms, uses:Perl, Plexing Eagle, Solaris, Telecomms, Internal specialist services
https://www.mandiant.com/resources/unc3524-eye-spy-email (#414) - Resource Development, Persistence, Defense Evasion, Lateral Movement, attack:T1021.004:SSH, attack:T1027:Obfuscated Files or Information, attack:T1037.004:RC Scripts, attack:T1584:Compromise Infrastructure, QUIETEXIT, unc3524, Linux, IOT, Internal enterprise services, Device agent/gateway deployment
https://www.virusbulletin.com/virusbulletin/2014/07/mayhem-hidden-threat-nix-web-servers (#382) - Mayhem
https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (#678) - Reconnaissance, Initial Access, Persistence, Privilege Escalation, Defense Evasion, attack:T1594:Search Victim-Owned Websites, attack:T1589:Gather Victim Identity Information, attack:T1589.001:Credentials, attack:T1133:External Remote Services, attack:T1078:Valid Accounts, Legion, wltm, Linux, Cloud hosted services
https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html (#366) - AirDropBot (by malwaremustdie.org)
https://honeynet.onofri.org/scans/scan13/som/som5.txt (#389) - Luckscan, UNC1945
https://twitter.com/IntezerLabs/status/1288487307369222145 (#331) - TrickBot
https://asec.ahnlab.com/en/49769/ (#624) - Initial Access, Command and Control, Impact, attack:T1078:Valid Accounts, attack:T1071.001:Web Protocols, attack:T1499:Endpoint Denial of Service, attack:T1105:Ingress Tool Transfer, ShellBot, Linux, Consumer
https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/ (#52) - GodLua
https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/ (#327) - TeamTNT, Mimipenguin
https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf (#370) - Kobalos, #bsd, #solaris, #aix
https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (#720) - Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Impact, attack:T1496:Resource Hijacking, attack:T1608:Stage Capabilities, attack:T1053.003:Cron, attack:T1027.002:Software Packing, attack:T1543.002:Systemd Service, attack:T1037.004:RC Scripts, attack:T1574.006:Dynamic Linker Hijacking, attack:T1036.005:Match Legitimate Name or Location, attack:T1190:Exploit Public-Facing Application, attack:T1110:Brute Force, uses:KillCompetition, XMRig, Rocke, Linux
https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/ (#91) - Muhstik
https://twitter.com/cyb3rops/status/1523227511551033349 (#425) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, timb-machine#418, DecisiveArchitect, Linux
https://vms.drweb.com/virus/?i=21004786 (#433) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
https://www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spam-servers/ (#68) - Mumblehard
https://imgur.com/a/a6RaZMP (#87) - Honda Car's Panel's Rootkit from China #Android (by malwaremustdie.org)
https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/ (#690) - Command and Control, attack:T1572:Protocol Tunneling, ChamelDoh, wltm, ChamelGang, Linux
https://honeynet.onofri.org/scans/scan13/som/som13.txt (#385) - Luckscan, UNC1945
https://analyze.intezer.com/files/9b48822bd6065a2ad2c6972003920f713fe2cb750ec13a886efee7b570c111a5 (#106) - Specter, SideWalk, StageClient, wltm
https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ (#297) - FreakOut
https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html (#501) - Initial Access, Command and Control, uses:MiMi, uses:ElectronJS, rshell, wltm, Iron Tiger, Emissary Panda, APT27, Bronze Union, LuckyMouse, Linux, Collaboration across enterprise boundaries, Device application sandboxing
https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/ (#444) - EnemyBot, Linux
https://cybersecurity.att.com/blogs/labs-research/internet-of-termites (#517) - Command and Control, Exfiltration, Termite, EarthWorm, Earthwrom, Linux
https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (#452) - Persistence, Defense Evasion, Command and Control, attack:T1205:Traffic Signaling, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1556.003:Pluggable Authentication Modules, attack:T1574.006:Dynamic Linker Hijacking, timb-machine#460, Symbiote, Linux
https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (#686) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, Linux
https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analysis (#393) - Conti
https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/ (#110) - b1txor20
https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool (#405) - attack:T1205.002:Socket Filters, ebpfkit
https://twitter.com/CraigHRowland/status/1628883826738077696/photo/1 (#612) - Defense Evasion, Persistence, attack:T1547.006:Kernel Modules and Extensions
https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/ (#307) - QNAPCrypt, eCh0raix
https://old.reddit.com/r/LinuxMalware/comments/a66dsz/ddostf_still_lurking_arm_boxes/ (#72) - DDoSTF (by malwaremustdie.org)
https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/ (#350) - Stantinkos
https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (#700) - Persistence, Defense Evasion, Credential Access, Discovery, Impact, attack:T1110:Brute Force, uses:SHC, attack:T1057:Process Discovery, attack::T1003.008:/etc/passwd and /etc/shadow, attack:T1098.004:SSH Authorized Keys, attack:T1556:Modify Authentication Process, Reptile, timb-machine#171, Diamorphine, timb-machine#217, ZiggyStarTux, timb-machine#701, Linux, IOT, Consumer
https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (#716) - Defense Evasion, Credential Access, Discovery, Command and Control, attack:T1110.003:Password Spraying, attack:T1057:Process Discovery, attack:T1082:System Information Discovery, attack:T1480.001:Environmental Keying, attack:T1573:Encrypted Channel, AVrecon, timb-machine#717, Linux, IOT
https://twitter.com/IntezerLabs/status/1291355808811409408 (#346) - Carbanak
https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (#604) - Initial Access, attack:T1190:Exploit Public-Facing Application, attack:T1078.001:Default Accounts, KinSing, Linux
https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/ (#311) - HelloKitty
https://www.cadosecurity.com/redis-p2pinfect/ (#741) - Initial Access, Linux
https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (#468) - Persistence, Defense Evasion, uses:LD_PRELOAD, attack:T1574.006:Dynamic Linker Hijacking, attack:T1548.001:Setuid and Setgid, attack:T1556.003:Pluggable Authentication Modules, attack:T1027:Obfuscated Files or Information, attack:T1082:System Information Discovery, attack:T1562.001:Disable or Modify Tools, attack:T1003.007:Proc Filesystem, attack:T1563.001:SSH Hijacking, uses:PortHiding, uses:Non-persistentStorage, OrBit, /malware/binaries/OrBit, Linux
https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64) - Defense Evasion, Discovery, Lateral Movement, Collection, Command and Control, Impact, attack:T1602.001:SNMP (MIB Dump), attack:T1070.002:Clear Linux or Mac System Logs, attack:T1046:Network Service Discovery, attack:T1018:Remote System Discovery, attack:T1110.002:Password Cracking, attack:T1110.003:Password Spraying, attack:T1555:Credentials from Password Stores, attack:T1040:Packet Capture, attack:T1071.001:Web Protocols, attack:T1071.002:File Transfer Protocols, attack:T1071.004:DNS, attack:T1021.002:SMB/Windows Admin Shares, attack:T1021.004:SSH, attack:T1021.005:VNC, attack:T1590:Gather Victim Network Information, attack:T1590.002:DNS, attack:T1027.002:Software Packing, attack:T1001:Data Obfuscation, attack:T1070.004:File Deletion, timb-machine#134, STEELCORGI, netcat, unixcat, netcat-ssl, telnet, traceroute, traceroute-tcp, traceroute-tcpfin, traceroute-udp, traceroute-icmp, traceroute-all, tftpd, HEAD, GET, sniff, nfsshell, ssh, ricochet, axfr, whois, scanip, sctpscan, sdporn, rmiexec, arpmap, whois, who, ahost, resolv, adig, axfr, asrv, aspf, periscope, scanip.sh, aliveips.sh, brutus.pl, enum4linux.pl, mikro, ss, sshu, onesixtyone, snmpgrab, snmpcheck, ciscopush, mikrotik-client, bleach, clean, ssleak, decrypt-vpn, pogo, pogo2, sid-force, sshock, decrypt-cisco, decrypt-vnc, decrypt-cvs, LightBasin, UNC1945, Linux
https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/ (#65) - Qemu, timb-machine#134, LightBasin, UNC1945
https://twitter.com/malwrhunterteam/status/1415403132230803460 (#310) - HelloKitty
https://lab52.io/blog/looking-for-penquins-in-the-wild/ (#594) - Persistence, Defense Evasion, Command and Control, Penquin, Turla, Linux
https://twitter.com/sethkinghi/status/1397814848549900288 (#717) - Defense Evasion, attack:T1480.001:Environmental Keying, AVrecon, Linux, IOT
https://twitter.com/IntezerLabs/status/1300403461809491969 (#347) - Dalcs
https://www.virustotal.com/gui/file/bf3ebc294870a6e743f021f4e18be75810149a1004b8d7c8a1e91f35562db3f5/detection (#644) - Impact, attack:T1486:Data Encrypted for Impact, LockBit, /malware/binaries/Multios.Ransomware.Lockbit, Linux
https://unit42.paloaltonetworks.com/pgminer-postgresql-cryptocurrency-mining-botnet/ (#351) - PGMiner
https://imgur.com/a/N3BgY (#73) - ChinaZ, GoARM (by malwaremustdie.org)
https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html (#490) - uses:Go, Manjusaka, Linux
https://github.com/blackberry/threat-research-and-intelligence/raw/main/Talks/2023-01-30%20-%20SANS%20Cyber%20Threat%20Intelligence%20Summit%20%26%20Training%202023/Pedro%20Drimel%2C%20Jose%20Luis%20Sanchez%20Martinez%20-%20Practical%20CTI%20Analysis%20Over%202022%20ITW%20Linux%20Implants.pdf (#613)
https://www.signalblur.io/through-the-looking-glass (#756) - Impact, attack:T1486:Data Encrypted for Impact, wltm, RedAlert, Conti, BlackBasta, Sodinokibi, REvil, BlackMatter, DarkSide, Defray777, RansomEXX, HelloKitty, ViceSociety, Royal, BlackSuit, RTM Locker, Hive, GonnaCry, Erebus, eChOraix, QNAPCrypt, Cylance, Polaris, Linux, VMware, Internal enterprise services, Internal specialist services
https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/ (#306) - QNAPCrypt, eCh0raix
https://www.trendmicro.com/en_gb/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html (#111) - Persistence, Privilege Escalation, Impact, attack:T1547.006:Kernel Modules and Extensions, SkidMap
https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ (#404) - Hildegard, TeamTNT
https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits (#392) - Botenago
https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (#516) - Resource Development, Discovery, Command and Control, attack:T1587.001:Malware, attack:T1016:System Network Configuration Discovery, attack:T1071.001:Web Protocols, attack:T1573.001:Symmetric Cryptography, SideWalk, wltm, SparklingGoblin, Linux
https://twitter.com/malwrhunterteam/status/1559636227485319168 (#500) - Impact, REvil, wltm, Linux
https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware (#107) - Impact, BlackCat, timb-machine#512
https://s.tencent.com/research/report/1177.html (#384)
https://twitter.com/billyleonard/status/1417910729005490177 (#69) - timb-machine#329, timb-machine#131, Zirconium, APT31
https://imgur.com/a/y5BRx (#86) - r57shell (by malwaremustdie.org)
https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (#432) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, timb-machine#420, timb-machine#418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites (#598) - Initial Access, Command and Control, uses:Go, GoTrim, Linux, Enterprise with public/Customer-facing services
https://blog.polyswarm.io/deadbolt-ransomware (#577) - Impact, Deadbolt, Linux, Consumer
https://twitter.com/CraigHRowland/status/1523266585133457408 (#424) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, timb-machine#418, DecisiveArchitect, Linux
https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (#90) - Impact, uses:k8s, uses:Non-persistentStorage, attack:T1190:Exploit Public-Facing Application, attack:T1505.003:Web Shell, attack:T1105:Ingress Tool Transfer, attack:T1053.003:Cron, attack:T1037.004:RC Scripts, Muhstik, wltm
https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ (#371) - Ebury
https://blogs-jpcert-or-jp.translate.goog/ja/2023/07/dangerouspassword_dev.html (#721) - Defense Evasion, Command and Control, uses:Python, uses:JavaScript, attack:T1140:Deobfuscate/Decode Files or Information, PythonHTTPBackdoor, wltm, DangerousPassword, CryptoMimic, SnatchCrypto, Linux
https://vblocalhost.com/conference/presentations/shades-of-red-redxor-linux-backdoor-and-its-chinese-origins/ (#408) - Linux
https://vms.drweb.com/virus/?i=15389228 (#326) - ?
https://blog.talosintelligence.com/2018/05/VPNFilter.html (#53) - VPNFilter
https://twitter.com/IntezerLabs/status/1326880812344676352 (#330) - AgeLocker
https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf (#625) - Defense Evasion, Command and Control, attack:T1071:Application Layer Protocol, attack:T1071.001:Web Protocols, attack:T1092:Communication Through Removable Media, attack:T1027.002:Software Packing, KEYPLUG, RedGolf, Linux
https://imgur.com/a/Ak9zICq (#367) - Neko (by malwaremustdie.org)
http://www.thedarkside.nl/honeypot/microbul.html (#388)
https://imgur.com/a/LpTN7 (#85) - Elknot (by malwaremustdie.org)
https://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/ (#348) - Rakos
https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (#427) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, timb-machine#420, timb-machine#418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris
https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version (#309) - REvil
https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/ (#759) - Impact, Octo Tempest, BlackCat, Linux, VMware
https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ (#470) - Lightning, /malware/binaries/Lightning, Linux
https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/kessel-dns-exfiltration-2/ (#372) - Kessel
https://asec.ahnlab.com/en/55229/ (#722) - Defense Evasion, Command and Control, timb-machine#709, attack:T1036.005:Match Legitimate Name or Location, attack:T1573.001:Symmetric Encryption, uses:ProcessTreeSpoofing, Rekoobe, TINYSHELL, APT31, Linux, Solaris
https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/ (#325) - RedXOR
https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials (#50) - TeamTNT
https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf (#333) - Cloud Snooper
https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/ (#299) - IPStorm, /malware/binaries/Unix.Trojan.Ipstorm
https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/ (#671) - Persistence, Defense Evasion, Command and Control, Horse Shell, wltm, Camaro Dragon, Linux, IOT, Telecomms
https://twitter.com/malwaremustd1e/status/1380637310346096641 (#364) - Ngioweb (by malwaremustdie.org)
https://unit42.paloaltonetworks.com/blackcat-ransomware/ (#108) - Impact, BlackCat, timb-machine#512
https://pastebin.com/Z3sXqDCA (#89) - Mozi (by malwaremustdie.org)
https://twitter.com/timb_machine/status/1450595881732947968 (#66) - timb-machine#134, LightBasin, UNC1945, Solaris
https://www.guardicore.com/labs/fritzfrog-a-new-generation-of-peer-to-peer-botnets/ (#313) - FritzFrog
https://www.akamai.com/blog/security-research/dhpcd-cryptominer-hid-four-years (#578) - Impact, dhcpcd, Linux, IOT
https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/ (#714) - Initial Access, Defense Evasion, attack:T1190:Exploit Public-Facing Application, attack:T1480.001:Environmental Keying, Mirai, Linux, IOT
https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-docker-control-api-and-community-image-abused-to-deliver-cryptocurrency-mining-malware/ (#344) - NGrok
https://cert.gov.ua/article/4501891 (#651) - Impact, attack:T1485:Data Destruction, Sandworm, Linux, Industrial
https://raw.githubusercontent.com/bg6cq/ITTS/master/security/mine/README.md (#352) - ITTS
https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 (#702) - Initial Access, Discovery, Command and Control, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1057:Process Discovery, attack:T1498:Network Denial of Service, Condi, Linux, IOT
https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf (#493) - Persistence, Command and Control, uses:Go, IPStorm, /malware/binaries/Unix.Trojan.Ipstorm, Linux
https://imgur.com/a/8mFGk (#70) - httpsd (by malwaremustdie.org)
https://blogs.blackberry.com/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors (#305) - Tycoon
https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf (#407) - Impact, attack:T1567:Financial Theft, timb-machine#135, FastCash, HiddenCobra, Lazarus, APT38, AIX, Banking, Internal specialist services
https://www.mandiant.com/resources/unc2891-overview (#112) - Lateral Movement, Credential Access, Execution, Defense Evasion, Persistence, attack:T1021.004:SSH, attack:T1003.008:/etc/passwd and /etc/shadow, attack:T1552.003:Bash History, attack:T1552.004:Private Keys, attack:T1556.003:Pluggable Authentication Modules, attack:T1053.001:At (Linux), attack:T1059.004:Unix Shell, attack:T1014:Rootkit, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1548.001:Setuid and Setgid, attack:T1543.002:Systemd Service, attack:T1547.006:Kernel Modules and Extensions, timb-machine#134, TINYSHELL, SLAPSTICK, CAKETAP, WIPERIGHT, MIG Logcleaner, timb-machine#154, BINBASH, UNC2891, UNC1945, LightBasin, Linux, Solaris, Banking
https://www.mandiant.com/resources/blog/messagetap-who-is-reading-your-text-messages (#542) - Defense Evasion, Discovery, Collection, Exfiltration, vertical:Telecomms, attack:T1040:Network Sniffing, uses:Non-persistentStorage, attack:T1070.004:File Deletion, MESSAGETAP, /malware/binaries/MESSAGETAP, APT41, Linux, Telecomms, Internal specialist services
https://cujo.com/threat-alert-krane-malware/ (#391) - Initial Access, Persistence, Defense Evasion, Impact, attack:T1110.003:Password Spraying, attack:T098:Account Manipulation, attack:T1105:Ingress Tool Transfer, attack:T1562.003:Impair Command History Logging, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1082:System Information Discovery, attack:T1018:Remote System Discovery, attack:T1021:Remote Services, uses:Non-persistentStorage, Krane, wltm
https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/ (#329) - Zirconium, APT31
https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/ (#503)
https://twitter.com/ESETresearch/status/1410864752948043778 (#104) - Specter, SideWalk, StageClient
https://twitter.com/jhencinski/status/1451592508157345793 (#387) - Impact, XMRig
https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (#692) - Execution, Persistence, Defense Evasion, Credential Access, Command and Control, attack:T1552:Unsecured Credentials, attack:T1212:Exploitation for Credential Access, attack:T1562:Impair Defenses, attack:T1580:Cloud Infrastructure Discovery, attack:T1525:Implant Internal Image, attack:T1102:Web Service, UNC3886, Linux, VMware
https://twitter.com/ESETresearch/status/1415542456360263682 (#368) - ?, #FreeBSD
http://www.foo.be/cours/dess-20042005/report/bigwar.html#sc (#386) - sc (similar code to luckscan)
https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (#693) - Persistence, Defense Evasion, Discovery, Command and Control, attack:T1037.004:RC Scripts, attack:T1543.002:Systemd Service , attack:T1036:Masquerading: Match Legitimate Name or Location , attack:T1070.004:File Deletion , attack:T1222:File and Directory Permissions Modification , attack:T1564.001:Hidden Files and Directories , attack:T1082:System Information Discovery , attack:T1057:Process Discovery , attack:T1071.004:DNS, Sotdas, Linux
https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/ (#369) - Kobalos, #linux, #bsd, #solaris, #aix
https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/ (#410) - Initial Access, Persistence, Defense Evasion, Lateral Movement, Impact, LemonDuck, Linux, Cloud hosted services, Device application sandboxing
https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/ (#105) - Specter, SideWalk, StageClient
https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (#447) - Persistence, Defense Evasion, Discovery, Command and Control, attack:T1027:Obfuscated Files or Information, attack:T1053.003:Cron, attack:T1082:System Information Discovery, attack:T1132:Data Encoding, attack:T1564.001:Hidden Files and Directories, Buni, APT32, Ocean Lotus
https://www.group-ib.com/blog/krasue-rat/ (#797) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, uses:AbnormalSignal, attack:T1071:Application Layer Protocol, uses:RTSP, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1205:Traffic Signaling, Krasue, Diamorphine, timb-machine#217, Suterusu, timb-machine#491, Rooty, timb-machine#440, Linux
https://twitter.com/bkMSFT/status/1417823714922610689 (#328) - timb-machine#329, Zirconium, APT31
https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (#778) - Reconnaissance, Initial Access, Persistence, Privilege Escalation, Defense Evasion, Impact, attack:T1496:Resource Hijacking, uses:k8s, attack:T1140:Deobfuscate/Decode Files or Information, uses:Python, attack:T1611:Escape to Host, attack:T1562.008:Disable or Modify Cloud Logs, attack:T1027.004:Compile After Delivery, attack:T1547.006:Kernel Modules and Extensions, attack:T1574.006:Dynamic Linker Hijacking, uses:ProcessTreeSpoofing, attack:T1190:Exploit Public-Facing Application, attack:T1595.002:Vulnerability Scanning, uses:ModifyServerShell, delivery:Redis, uses:Redis, XMRig, Diamorphine, libprocesshider, Pnscan, Zgrab, Masscan, Kiss-A-Dog, TeamTNT, Linux, Cloud hosted services
https://twitter.com/ESETresearch/status/1454100591261667329?s=20 (#390) - Hive
https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux (#685) - Impact, RTM Locker, Linux
https://twitter.com/malwrhunterteam/status/1467264298237972484 (#406) - Cerber
http://www.cverc.org.cn/head/zhaiyao/news20220218-1.htm (#113) - NOPEN
https://www.trendmicro.com/en_gb/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html (#304) - DarkRadation
https://twitter.com/avastthreatlabs/status/1430527767855058949 (#492) - HCRootkit, timb-machine#491, Linux
https://old.reddit.com/r/LinuxMalware/comments/7qd27e/linuxss_aka_shark_hacktool_syn_scanner_wpcap/ (#71) - SS, Shark (by malwaremustdie.org)
https://twitter.com/CraigHRowland/status/1422009387686645761 (#353) - ITTS
https://cyberplace.social/@GossiTheDog/110516069484635011 (#703) - Resource Development, BPFDoor, /malware/binaries/BPFDoor, Linux
https://unit42.paloaltonetworks.com/alloy-taurus/ (#646) - Command and Control, attack:T1071:Application Layer Protocol, attack:T1071.001:Web Protocols, attack:T1132:Data Encoding, attack:T1132.001:Standard Encoding, attack:T1573:Encrypted Channel, attack:T1573.001:Symmetric Cryptography, Sword2033, PingBull, wltm, Alloy Taurus, GALLIUM, Soft Cell, Linux
https://mp-weixin-qq-com.translate.goog/s/v2wiJe-YPG0ng87ffBB9FQ?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (#580) - Command and Control, Torii, Linux
https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (#715) - Reconnaissance, Initial Access, Execution, Persistence, Defense Evasion, Credential Access, Discovery, Command and Control, Impact, attack:T1525:Implant Internal Image, attack:T1595:Active Scanning, attack:T1496:Resource Hijacking, attack:T1613:Container and Resource Discovery, attack:T1190:Exploit Public-Facing Application, attack:T1059:Command and Scripting Interpreter, attack:T1610:Deploy Container, attack:T1222:File and Directory Permissions Modification, attack:T1036:Masquerading, attack:T1132:Data Encoding, attack:T1552.005:Cloud Instance Metadata API, attack:T1082:System Information Discovery, attack:T1071.001:Web Protocols, attack:T1090.003:Multi-hop Proxy, Tsunami, TeamTNT, Linux
https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf (#345) - WellMail (APT29)
https://asec.ahnlab.com/en/51908/ (#650) - Impact, Defense Evasion, uses:ProcessTreeSpoofingBindMountProc, timb-machine#550, KONO DIO DA, XMRig, Linux
https://netadr.github.io/blog/a-quick-glimpse-sbz/ (#596) - Persistence, Defense Evasion, attack:T1027:Obfuscated Files or Information, SBZ, wltm, Equation Group, Solaris
https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (#312) - Persistence, Impact, Defense Evasion, Privilege Escalation, attack:T1565.002:Transmitted Data Manipulation, attack:T1055:Process Injection, attack:T1055.009:Proc Memory, attack:T1564.001:Hidden Files and Directories, attack:T1574:Hijack Execution Flow, attack:T1567:Financial Theft, timb-machine#135, FastCash, Hidden Cobra, AIX, Banking
https://pastebin.com/iKyaqLTd (#88) - Exaramel, BlackEnergy, #ICS (by malwaremustdie.org)
https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF (#67) - Drovorub
https://www.varonis.com/blog/alphv-blackcat-ransomware (#109) - Impact, BlackCat, timb-machine#512
https://twitter.com/malwaremustd1e/status/1379028201075187716 (#365) - DGAbot (by malwaremustdie.org)
https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html (#332) - NOTROBIN
https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/ (#298) - RandomEXX
https://twitter.com/_larry0/status/1143532888538984448 (#51) - Silex
https://www.bitdefender.com/files/News/CaseStudies/study/319/Bitdefender-PR-Whitepaper-DarkNexus-creat4349-en-EN-interactive.pdf (#518) - DarkNexus, Linux
https://unit42.paloaltonetworks.com/watchdog-cryptojacking/ (#324) - WatchDog
https://blog.polyswarm.io/darkangels-linux-ransomware (#666) - Impact, attack:T1486:Data Encrypted for Impact, DarkAngels, wltm, Linux
https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ (#373) - Initial Access, Persistence, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1505.003:Web Shell, Prophet Spider, Linux
https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (#723) - Defense Evasion, Command and Control, Impact, uses:Python, attack:T1496:Resource Hijacking, attack:T1620:Reflective Code Loading, attack:T1102:Web Service, attack:T1190:Exploit Public-Facing Application, attack:T1105:Ingress Tool Transfer, attack:T1140:Deobfuscate/Decode Files or Information, attack:T1027.002:Software Packing, uses:Non-persistentStorage, PyLoose, XMRig, Linux
https://tolisec.com/ssh-backdoor-botnet-with-research-infection-technique/ (#92)
https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/ (#471) - HiddenWasp, Linux
https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/ (#308) - KillDisk
https://www.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies (#758) - Persistence, Defense Evasion, Impact, attack:T1486:Data Encrypted for Impact, Gwisin, Spirit, Linux, VMware
https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html (#563) - Command and Control, uses:Go, Alchemist, /malware/binaries/Alchimist, timb-machine#564, Sysrv?, Linux
http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf (#349) - Moose
https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery (#488) - Initial Access, Lateral Movement, Impact, RapperBot, /malware/binaries/RapperBot, Linux
https://imgur.com/a/DWKK5 (#84) - Persistence, Command and Control, Tsunami, Kaiten (by malwaremustdie.org), Linux
https://twitter.com/ankit_anubhav/status/1490574137370103808 (#483) - Privilege Escalation, Defense Evasion, Persistence, Command and Control, Log4J, attack:T1548:Abuse Elevation Control Mechanism, timb-machine#482, Linux
https://imgur.com/a/qqgfFXf (#60) - Mirai (by malwaremustdie.org)
https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/ (#315) - Gafgyt
https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/ (#342) - Doki
https://media.defense.gov/2023/May/09/2003218554/-1/-1/1/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF (#657) - Command and Control, SNAKE, Linux
https://twitter.com/CraigHRowland/status/1422267857988063232 (#354) - ITTS
https://www.welivesecurity.com/wp-content/uploads/2021/10/eset_fontonlake.pdf (#641) - FontOnLake, Linux
https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (#99) - Persistence, Command and Control, attack:T1205:Traffic Signaling, attack:T1205.002:Socket Filters, attack:T1573.002:Symmetric Cryptography, attack:T1573.002:Asymmetric Cryptography, attack:T1082:System Information Discovery, attack:T1547.006:Kernel Modules and Extensions, Bvp47, dewdrop, tipoff, StoicSurgeon, Incision, Equation Group, Linux, Solaris, FreeBSD
https://imgur.com/a/eBF7Mqe (#76) - Haiduc (by malwaremustdie.org) (by malwaremustdie.org)
https://cybersec84.wordpress.com/2023/08/15/monti-ransomware-operators-resurface-with-new-linux-variant-improved-evasion-tactics/ (#753) - Defense Evasion, Impact, attack:T1486:Data Encrypted for Impact, attack:T1480:Execution Guardrails, wltm, Monti, Linux, VMware
https://www.sentinelone.com/blog/darkradiation-abusing-bash-for-linux-and-docker-container-ransomware/ (#303) - DarkRadiation
https://int0x33.medium.com/day-27-tiny-shell-48df6abb0d5d (#616) - Command and Control, TSH, TINYSHELL, timb-machine#481
https://darrenmartyn.ie/2021/11/29/analysis-of-the-lib__mdma-so-1-userland-rootkit/ (#401) - Persistence, Defense Evasion, timb-machine#530, lib__mdma
https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/ (#114) - HabitsRAT
https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (#397) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1574.006:Dynamic Linker Hijacking, attack:T1205.002:Socket Filtering, Umbreon
https://www.lab539.com/blog/linux-malware-detection-with-limacharlie (#728) - Reconnaissance, Initial Access, Execution, Persistence, Linux
https://blogs.jpcert.or.jp/en/2023/05/gobrat.html (#682) - Command and Control, uses:Go, GobRAT, Linux, Telecomms
https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/ (#378) - #cobaltstrike, VermilionStrike
https://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/ (#513) - Collection, Impact, Linux
https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (#790) - Initial Access, Execution, Discovery, Lateral Movement, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1059.004:Unix Shell, attack:T1072:Software Deployment Tools, attack:T1083:File and Directory Discovery, attack:T1082:System Information Discovery, attack:T1485:Data Destruction, BiBi-Linux, Linux
https://www.uptycs.com/blog/another-ransomware-for-linux-likely-in-development (#505) - Impact, DarkAngels, wltm, Linux
https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc (#786) - Exfiltration, Impact, location:Israel, attack:T1561.001:Disk Content Wipe, attack:T1485:Data Destruction, attack:T1048.003:Exfiltration Over Unencrypted Non-C2 Protocol, Cyber Toufan, Linux
https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ (#339) - Kaiji
https://sysdig.com/blog/ssh-snake/ (#801) - Defense Evasion, Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, attack:T1027:Obfuscated Files or Information, timb-machine#791, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services
https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html (#102) - Impact, attack:T1486:Data Encrypted for Impact, LockBit, Linux, VMware, Internal enterprise services, Internal specialist services
https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/ (#381) - FontOnLake
https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-exploited-to-attack-gaming-servers/ (#319) - Gafgyt
https://imgur.com/a/qI5Fvm4 (#83) - STD (by malwaremustdie.org)
https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (#8) - Credential Access, Defense Evasion, Discovery, Lateral Movement, Collection, Command and Control, Impact, vertical:Telecomms, attack:T1573.001:Symmetric Cryptography, attack:T1590:Gather Victim Network Information, attack:T1562.004:Disable or Modify System Firewall, attack:T1048.001:Exfiltration Over Unencrypted Non-C2 Protocol, attack:T1021.004:SSH, attack:T1037.004:RC Scripts, attack:T1090.001:Internal Proxy, attack:T1090.002:External Proxy, attack:T1110.003:Password Spraying, timb-machine#134, SLAPSTICK, STEELCORGI, PingPong, TINYSHELL, CordScan, SIGTRANslator, Fast Reverse Proxy, Microsocks Proxy, ProxyChains, LightBasin, UNC1945, Solaris, Linux, Telecomms, Internal specialist services, Enclave deployment
https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability (#572) - Persistence, Impact, Mirai, RAR1Ransom, GuardMiner, Linux
https://twitter.com/malwaremustd1e/status/1235595880041873408 (#358) - Hajimi (by malwaremustdie.org)
https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (#95) - Command and Control, Defense Evasion, Persistence, Discovery, attack:T1102:Web Service, attack:T1071.001:Web Protocols, attack:T1573.001:Symmetric Cryptography, attack:T1573:Encrypted Traffic, attack:T1053.003:Cron, attack:T1033:System Owner/User Discovery, attack:T1016:System Network Configuration Discovery, attack:T1070.004:File Deletion, uses:RedirectionToNull, delivery:NPM, SysJoker, wltm, Linux
https://www.akamai.com/blog/security/new-p2p-botnet-panchan (#476) - Pan-chan, timb-machine#477, Linux
https://twitter.com/captainGeech42/status/1657121312425365524 (#661) - Persistence, Defense Evasion, SystemBC, timb-machine#662, Linux
https://twitter.com/malwrhunterteam/status/1422972905541996546 (#374) - Impact, attack:T1486:Data Encrypted for Impact, Encryptor, Linux, VMware
https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (#724) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, timb-machine#710, timb-machine#711, Linux
https://securityboulevard.com/2021/04/detect-c2-redxor-with-state-based-functionality/ (#548) - Command and Control, Exfiltration, timb-machine#325, RedXOR, Linux
https://securelist.com/a-bad-luck-blackcat/106254/?_sp=3b4159db-9e20-4bfa-a47f-f8671b594d75.1649770307513 (#118) - Impact, BlackCat, timb-machine#512
https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/ (#636) - Initial Access, Linux
https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/ (#323) - EvilGnome
https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/ (#56) - LemonDuck
https://blog.exatrack.com/melofee/ (#620) - Reconnaissance, Resource Development, Execution, Persistence, Privilege Escalation, Defense Evasion, Discovery, Command and Control, attack:T1583.001:Domains, attack:T5183.004:Server, attack:T1071.001:Web Protocols, attack:T1587.001:Malware, attack:T1037.004:RC Scripts, attack:T1059.004:Unix Shell, attack:T1132.002:Non-Standard Encoding, attack:T1573.001:Symmetric Cryptography, attack:T1083:File and Directory Discovery, attack:T1592.002:Software, attack:T1564.001:Hidden Files and Directories, attack:T1562.003:Impair Command History Logging, attack:T1070.004:File Deletion, attack:T1599.001:Network Address Translation Traversal, attack:T1095:Non-Application Layer Protocol, attack:T1571:Non-Standard Port, attack:T1027.002:Software Packing, attack:T1027.007:Dynamic API Resolution, attack:T1588.001:Malware, attack:T1588.002:Tool, attack:T1057:Process Discovery, attack:T1572:Protocol Tunneling, attack:T1090:Proxy, attack:T1014:Rootkit, attack:T1608.001:Upload Malware, attack:T1608.002:Upload Tool, attack:T1082:System Information Discovery, attack:T1497.003:Time Based Evasion, Melofee, HelloBot, Linux
https://twitter.com/ESETresearch/status/1382054011264700416 (#335) - TSCookie, #freebsd
https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan (#732) - Persistence, Defense Evasion, Command and Control, Linux, Hosting
https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html (#698) - Impact, BlackSuit, Linux
https://gist.github.com/unixfreaxjp/7b8bd6be614f7a051fc9a9da760d3138 (#362) - Initial Access, Command and Control, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux
https://asec.ahnlab.com/en/55785/ (#733) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1547.006:Kernel Modules and Extensions, attack:T1205.001:Port Knocking, Reptile, TINYSHELL, Rekoobe, Linux
https://twitter.com/malwaremustd1e/status/1267068856645775360 (#363) - DarkNexus (by malwaremustdie.org)
https://hybrid-analysis.com/sample/eb8826bac873442045a6a05f1fa25b410ca18db6942053f6d146467c00d5338d (#508) - Peer2Profit, Linux
https://asec.ahnlab.com/en/50316/ (#621) - Defense Evasion, Discovery, Command and Control, Impact, attack:T1036.005:Match Legitimate Name or Location, attack:T1499:Endpoint Denial of Service, attack:T1082:System Information Discovery, attack:T1095:Non-Application Layer Protocol, uses:ProcessTreeSpoofing, uses:Non-persistentStorage, uses:RedirectionToNull, DDoSClient, ChinaZ, Linux
https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html (#334) - TSCookie
https://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html (#57) - Mirai (by malwaremustdie.org)
https://blog.sucuri.net/2023/04/balada-injector-synopsis-of-a-massive-ongoing-wordpress-malware-campaign.html (#637) - Initial Access, Balada, Linux, Hosting, Consumer, Cloud hosted services
https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ (#322) - Turian
https://www.intezer.com/blog/research/acbackdoor-analysis-of-a-new-multiplatform-backdoor/ (#549) - ACBackdoor, wltm, Linux
https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (#119) - Impact, attack:T1485:Data Destruction, attack:T1053.003:Cron, attack:T1016:System Network Configuration Discovery, attack:T1110.003:Password Spraying, attack:T1490:Inhibit System Recovery, attack:T1027:Obfuscated Files or Information, attack:T1561.001:Disk Content Wipe, attack:T1529:System Shutdown/Reboot, attack:T1007:System Service Discovery, attack:T1021.004:SSH, Industroyer, ORCSHRED, SOLOSHRED, AWFULSHRED, Sandworm, Linux, Solaris, Industrial
https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw (#660) - Initial Access, attack:T1480:Execution Guardrails, attack:T1562.006:Indicator Blocking, uses:Non-persistentStorage, BOLDMOVE, wltm, Linux, Collaboration across enterprise boundaries
https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar (#375) - PRISM
https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (#725) - Defense Evasion, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, BPFDoor, /malware/binaries/BPFDoor, Unix.Backdoor.RedMenshen, DecisiveArchitect, Linux, Solaris
https://sansec.io/research/nginrat (#94) - Defense Evasion, uses:Non-persistentStorage, attack:T1036.005:Match Legitimate Name or Location, attack:T1574.006:Dynamic Linker Hijacking, attack:T1027:Obfuscated Files or Information, uses:ProcessTreeSpoofing, NginRAT, wltm
https://github.com/akamai/akamai-security-research/tree/main/malware/panchan (#477) - Pan-chan, /malware/binaries/pan-chan, Linux
https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/ (#565) - Initial Access, Lateral Movement, Impact, timb-machine#566, Sysrv, wltm, Linux, Internal enterprise services
https://asec.ahnlab.com/ko/55070/ (#709) - Command and Control, Defense Evasion, timb-machine#722, attack:T1036.005:Match Legitimate Name or Location, attack:T1573.001:Symmetric Encryption, uses:ProcessTreeSpoofing, Rekoobe, TINYSHELL, APT31, Linux, Solaris
https://twitter.com/malwaremustd1e/status/1237080802581565440 (#359) - Mozi (by malwaremustdie.org)
https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (#524) - Initial Access, Execution, Persistence, Discovery, Lateral Movement, Command and Control, Exfiltration, uses:Go, attack:T1573:Encrypted Channel, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1021.004:SSH, attack:T1057:Process Discovery, attack:T1552.004:Private Keys, attack:T1190:Exploit Public-Facing Application, Chaos, /malware/binaries/Chaos, Linux
https://imgur.com/a/CtHlmBE (#82) - Persistence, Command and Control, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux
https://imgur.com/a/2zRCt (#318) - Gafgyt (by malwaremustdie.org)
https://www.trendmicro.com/en_ca/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html (#380) - Persistence, Defense Evasion, Impact, KinSing
https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf (#338) - Persistence, Defense Evasion, Command and Control, Penguin, Penquin_x64, Turla, Linux
https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (#441) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, timb-machine#420, timb-machine#418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris
https://sansec.io/research/ecommerce-malware-linux-avp (#396) - linux_avp, Comma
https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors (#729) - Persistence, Command and Control, SEASPY, timb-machine#730, SUBMARINE, timb-machine#731, Linux
https://threatfabric.com/blogs/vultur-v-for-vnc.html (#379) - Vultur, Brunhilda, #Android
https://imp0rtp3.wordpress.com/2021/11/25/sowat/ (#400) - Command and Control, timb-machine#140, timb-machine#131, SoWaT, APT31, Zirconium
https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces (#115) - Impact, KinSing
https://blog.talosintelligence.com/lazarus-collectionrat/ (#752) - Command and Control, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, DeimosC2, timb-machine#751, HiddenCobra, Lazarus, APT38, Linux
https://igor-blue.github.io/2021/03/24/apt1.html (#302)
https://themittenmac.com/tinyshell-under-the-microscope/ (#617) - TSH, TINYSHELL, timb-machine#481
https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/ (#98) - Persistence, Defense Evasion, Command and Control, RotaJakiro, wltm
https://imgur.com/a/SSKmu (#77) - Rebirth, Vulcan (by malwaremustdie.org)
https://pastebin.com/raw/mEape37E (#355) - SystemTen (by malwaremustdie.org)
https://cujo.com/the-sysrv-botnet-and-how-it-evolved/ (#640) - Initial Access, Command and Control, Impact, Sysrv, Linux
https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (#586) - Reconnaissance, Initial Access, Defense Evasion, Lateral Movement, Command and Control, Exfiltration, Impact, uses:Go, attack:T1133:External Remote Services, attack:T1021:Remote Services, attack:T1021.004:SSH, attack:T1078.001:Default Accounts, attack:T1110:Brute Force, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1499:Endpoint Denial of Service, attack:T1498:Network Denial of Service, attack:T1496:Resource Hijacking, uses:CrossCompiled, Kmsdbot, Linux, IOT
https://sysdig.com/blog/cloud-defense-in-depth/ (#713) - Initial Access, Lateral Movement, KinSing, Linux
https://blog.netlab.360.com/a-new-mining-botnet-blends-its-c2s-into-ngrok-service/ (#343) - NGrok
https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/ (#656) - Impact, attack:T1486:Data Encrypted for Impact, Cl0p, wltm, Linux, Internal enterprise services
https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ (#314) - Gafgyt
https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (#744) - Reconnaissance, Initial Access, Defense Evasion, Lateral Movement, Exfiltration, Impact, uses:Go, attack:T1133:External Remote Services, attack:T1021:Remote Services, attack:T1021.004:SSH, attack:T1078.001:Default Accounts, attack:T1110:Brute Force, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1499:Endpoint Denial of Service, attack:T1498:Network Denial of Service, attack:T1480:Execution Guardrails, Kmsdbot, Linux, IOT
https://www.stormshield.com/news/orbit-analysis-of-a-linux-dedicated-malware/ (#601) - Persistence, Privilege Escalation, OrBit, /malware/binaries/OrBit, Linux
https://analyze.intezer.com/files/82aa04f8576ea573a4772db09ee245cab8eac7ff1e7200f0cc960d8b6f516e92 (#482) - Log4J, /malware/binaries/Unix.Trojan.Log4J/82aa04f8576ea573a4772db09ee245cab8eac7ff1e7200f0cc960d8b6f516e92.elf.x86, Linux
https://imgur.com/a/53f29O9 (#61) - Mirai (by malwaremustdie.org)

Malware samples

Malware binaries

https://www.virustotal.com/gui/file/3b7a06c53ec0f2ce7b9de4cae9e6e765fd18dc1f2ff522c0ccd9c8c3f9e79532/detection (#141) - Linikatz
https://github.com/Caprico1/kinsing (#454) - Persistence, Impact, KinSing, Linux
https://bazaar.abuse.ch/sample/05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d/ (#751) - Command and Control, Exfiltration, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, uses:Go, DeimosC2, /malware/binaries/Unix.Backdoor.DeimosC2, Linux
https://samples.vx-underground.org/samples/Families/VermilionStrike/ (#136) - CobaltStrike, VermilionStrike, /malware/binaries/VermilionStrike
https://tria.ge/s?q=tag%3alinux (#121)
https://github.com/eset/malware-ioc/tree/master/kobalos (#137) - Kobalos
https://github.com/darrenmartyn/malware_samples (#530) - Execution, Persistence, Defense Evasion, Discovery, uses:ProcessTreeSpoofing, uses:RedirectionToNull, attack:T1546.004:Unix Shell, attack:T1574.006:Dynamic Linker Hijacking, attack:T1057:Process Discovery, attack:T1036.005:Match Legitimate Name or Location, lib__mdma, Linux
https://bazaar.abuse.ch/sample/d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4/ (#662) - Persistence, Defense Evasion, attack:T1053.003:Cron, uses:Non-persistentStorage, uses:RedirectionToNull, timb-machine#661, SystemBC, /malware/binaries/SystemBC, Linux
https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (#418) - Persistence, Defense Evasion, Command and Control, timb-machine#419, timb-machine#424, timb-machine#425, timb-machine#426, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor client?, /malware/binaries/BPFDoor/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c.elf.x86_64, Unix.Backdoor.RedMenshen, Tricephalic Hellkeeper, JustForFun, https://www.hybrid-analysis.com/sample/591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78, DecisiveArchitect, Linux
https://bazaar.abuse.ch/sample/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2/ (#140) - SoWaT, /malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips, APT31, Zirconium
https://samples.vx-underground.org/APTs/2021/2021.10.11/ (#409) - FontOnLake, /malware/binaries/FontOnLake, Linux
https://www.virustotal.com/gui/file/c69ee0f12a900adc654d93aef9ad23ea56bdfae8513e534e1a11dca6666d10aa/detection (#126) - wltm
https://github.com/AngelGuyu/spirit (#757) - Persistence, Defense Evasion, Spirit, Gwisin, Linux
https://github.com/tstromberg/malware-menagerie (#795) - Impact, attack:T1496:Resource Hijacking, QubitStrike, StripedFly, Linux
https://bazaar.abuse.ch/browse/signature/Mirai/ (#127) - Mirai, /malware/binaries/Unix.Exploit.Mirai, /malware/binaries/Unix.Dropper.Mirai, /malware/binaries/Unix.Trojan.Mirai
https://www.virustotal.com/gui/file/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2/detection (#131) - SoWaT, /malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips, APT31, Zirconium
https://github.com/blackorbird/APT_REPORT (#124)
https://github.com/eset/malware-ioc/tree/master/rakos (#132) - Rakos
https://bazaar.abuse.ch/browse/signature/Gafgyt/ (#128) - Gafgyt, /malware/binaries/Unix.Trojan.Gafgyt
https://bazaar.abuse.ch/browse/signature/XorDDoS/ (#129) - Initial Access, Credential Access, Impact, attack:T1078:Valid Accounts, attack:T1100:Brute Force, attack:T1498:Network Denial of Service, XorDDoS, /malware/binaries/Unix.Trojan.Xorddos, /malware/binaries/Unix.Malware.Xorddos, Linux
https://analyze.intezer.com/files/85e72976b9448295034a8d4c26462b8f1ebe1ca0a4e4b897c7f2404d0de948c2 (#133) - WellMail, wltm, APT29
https://twitter.com/nunohaien/status/1261281420791742464 (#125)
https://github.com/x0rz/EQGRP (#138)
https://bazaar.abuse.ch/browse/tag/Symbiote/ (#460) - Persistence, Defense Evasion, Command and Control, timb-machine#452, attack:T1205:Traffic Signaling, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1556.003:Pluggable Authentication Modules, attack:T1574.006:Dynamic Linker Hijacking, /malware/binaries/Symbiote, Symbiote, Linux
https://bazaar.abuse.ch/browse/tag/elf/ (#122)
https://samples.vx-underground.org/APTs/2020/2020.11.02/ (#134) - /malware/binaries/UNC1945, LightBasin, UNC1945, Solaris
https://samples.vx-underground.org/samples/Families/Fastcash/ (#135) - Impact, FastCash, /malware/binaries/FastCash, HiddenCobra, Lazarus, APT38, AIX, Banking, Internal specialist services, Enclave deployment
https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (#420) - Persistence, Defense Evasion, Command and Control, timb-machine#421, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, /malware/binaries/BPFDoor/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a.elf.sparc, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Solaris
https://github.com/MalwareSamples/Linux-Malware-Samples (#123)
https://github.com/hardenedvault/bootkit-samples (#103)
https://bazaar.abuse.ch/browse/tag/blackcat/ (#512) - Impact, timb-machine#118, timb-machine#109, timb-machine#108, timb-machine#107, timb-machine#41, BlackCat, /malware/binaries/BlackCat, Linux
https://bazaar.abuse.ch/sample/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9/ (#139) - Polaris, /malware/binaries/Unix.Ransomware.Polaris/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9.elf.x86_64

Malware source

https://packetstormsecurity.com/files/31345/0x333shadow.tar.gz.html (#706) - Defense Evasion, attack:T1070.002:Clear Linux or Mac System Logs, 0x333shadow Log Cleaner, Linux, Solaris, Freebsd, IRIX
https://github.com/chokepoint/Jynx2 (#531) - Persistence, Defense Evasion, Linux
https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (#711) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, timb-machine#710, timb-machine#724, Linux
https://pastebin.com/kmmJuuQP (#802) - Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, uses:Non-persistentStorage, uses:ProcessTreeSpoofing, BPFDoor, /malware/binaries/BPFDoor, Unix.Backdoor.RedMenshen, Linux
https://github.com/jwne/caffsec-malware-analysis/blob/master/mIRChack/pscan2.c (#147) - pscan (similar code to luckscan)
https://github.com/isdrupter/ziggystartux (#701) - Impact, Linux
https://github.com/HeapAllocate/sterben (#150) - sterben
https://github.com/gianlucaborello/libprocesshider (#776) - Defense Evasion, uses:ProcessTreeSpoofing, attack:T1574.006:Dynamic Linker Hijacking, libprocesshider, Linux
https://github.com/chenkaie/junkcode/blob/master/xhide.c (#775) - Defense Evasion, uses:ProcessTreeSpoofing, XHide, Linux
https://github.com/NexusBots/Umbreon-Rootkit (#149) - Umbreon Rootkit
https://pastebin.com/jkndLHQf (#145) - FinFisher
http://www.afn.org/~afn28925/wipe.c (#153) - UNC2891
https://packetstormsecurity.com/files/23336/Slx2k001.txt.html (#152) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, UNC2891
https://gitlab.com/rav7teif/linux.wifatch (#144) - Initial Access, Persistence, Command and Control, Lateral Movement, Linux.Wifatch
https://github.com/0x27/sebd-0.2 (#148) - sebd 0.2 source code (a fix of 0.1)
https://pastebin.com/raw/kmmJuuQP (#426) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, timb-machine#418, DecisiveArchitect, Linux
https://github.com/vxunderground/MalwareSourceCode/tree/main/Linux (#143)
https://github.com/arialdomartini/morris-worm (#694) - Initial Access, Execution, Discovery, Lateral Movement
https://github.com/shadow1ng/fscan (#564) - Initial Access, Lateral Movement, uses:Go, Alchimist, fscan, /malware/binaries/Alchimist/UPX/fscan, Linux
https://github.com/Kabot/mig-logcleaner-resurrected (#154) - Defense Evasion, attack:T1070.002:Clear Linux or Mac System Logs, MIG Logcleaner, UNC2891, Linux, Solaris, BSD
https://github.com/0x27/linux.mirai (#142) - Mirai

Malware PoCs

https://github.com/EvelynSubarrow/BismuthScorpion (#182)
https://github.com/SafeBreach-Labs/backdoros (#213)
https://github.com/yaoyumeng/adore-ng (#458) - Persistence, Defense Evasion, Linux
https://github.com/guitmz/go-liora (#663) - Persistence, uses:Go, attack:T1577:Compromise Application Executable, Linux
https://github.com/vfsfitvnm/intruducer (#209)
https://gist.github.com/zznop/0117c24164ee715e750150633c7c1782 (#198)
https://github.com/mufeedvh/moonwalk (#208)
https://github.com/timb-machine-mirrors/ripmeep-memory-injector (#160)
https://github.com/elfmaster/skeksi_virus (#224)
https://github.com/ONsec-Lab/scripts/tree/master/pam_steal (#195)
https://www.guitmz.com/linux-nasty-elf-virus/ (#642) - Persistence, attack:T1577:Compromise Application Executable, attack:T1057:Process Discovery, attack:T1083:File and Directory Discovery, Linux
https://github.com/EvelynSubarrow/IridiumScorpion (#183)
https://github.com/elfmaster/kprobe_rootkit (#223)
https://github.com/R3tr074/brokepkg (#777) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, uses:ProcessTreeSpoofing, uses:AbnormalSignal, uses:TamperCredStruct, uses:HiddenPort, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1573:Encrypted Channel, attack:T1205:Traffic Signaling, BrokePkg, Linux
https://github.com/elfmaster/dt_infect (#219)
https://github.com/f0rb1dd3n/Reptile (#171)
https://github.com/alexander-pick/apinject (#608) - Defense Evasion, attack:hT1055.008:Ptrace System Calls, Linux
https://github.com/io-tl/degu-lib (#413) - Linux
https://github.com/croemheld/lkm-rootkit (#628) - Persistence, Defense Evasion, Privilege Escalation, Exfiltration, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1548:Abuse Elevation Control Mechanism, attack:T1205.001:Port Knocking, attack:T1095:Non-Application Layer Protocol, attack:T1020:Automated Exfiltration, attack:T1048.003:Exfiltration Over Unencrypted Non-C2 Protocol, attack:T1056.001:Keylogging, Linux
https://github.com/sad0p/d0zer (#782) - Execution, Persistence, uses:Go, attack:T1625:Hijack Execution Flow, attack:T1204:Malicious File, Linux
https://github.com/Gui774ume/ebpfkit (#151) - Discovery, Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, ebpfkit, Linux
https://github.com/reveng007/reveng_rtkit (#669) - Persistence, Privilege Escalation, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attacK:T1548:Abuse Elevation Control Mechanism, Linux
https://github.com/mncoppola/suterusu (#491) - Persistence, Defense Evasion, wltm, Linux
https://github.com/fbkcs/msf-elf-in-memory-execution (#203)
https://github.com/stealth/devpops (#192) - DevPops by stealth (not really malicious, has guard rails)
https://github.com/nnsee/fileless-elf-exec (#193) - Defense Evasion, attack:T1620:Reflective Code Loading
https://github.com/wunderwuzzi23/Offensive-BPF (#469) - Credential Access, attack:T1205.002:Socket Filters, Linux
https://github.com/tarcisio-marinho/GonnaCry (#486) - Impact, Linux
https://github.com/X-C3LL/memdlopen-lib (#605) - Defense Evasion, attack:T1620:Reflective Code Loading, Linux
https://github.com/codewhitesec/daphne (#740) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, uses:Auditd, Linux
https://github.com/compilepeace/KAAL_BHAIRAV (#202)
https://github.com/h3xduck/Umbra (#668) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1095:Non-Application Layer Protocol, attack:T1486:Data Encrypted for Impact, attacK:T1548:Abuse Elevation Control Mechanism, Linux
https://github.com/schrodyn/bad_UDP (#453) - Linux
https://github.com/timb-machine-mirrors/sar5430-coolkid (#629) - Persistence, Defense Evasion, Linux
https://github.com/SilentVoid13/Silent_Packer (#783) - Defense Evasion, attack:T1027.002:Software Packing, Linux
https://github.com/h3xduck/TripleCross (#465) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, Linux
https://github.com/ixty/mandibule (#170)
https://github.com/blendin/3snake (#189)
https://github.com/guitmz/midrashim (#664) - Persistence, attack:T1577:Compromise Application Executable, Linux
https://github.com/arget13/DDexec (#222)
https://github.com/citronneur/pamspy (#466) - Persistence, Defense Evasion, Credential Access, attack:T1205.002:Socket Filters, attack:T1556.003:Pluggable Authentication Modules, Linux
https://github.com/toffan/binfmt_misc (#431) - Persistence, Privilege Escalation, Defense Evasion, Linux, Device application sandboxing
https://github.com/timb-machine-mirrors/phath0m-JadedWraith (#165)
https://github.com/QuokkaLight/rkduck (#667) - Persistence, Defense Evasion, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1056.001:Keylogging, attack:T1564.001:Hidden Files and Directories, attack:T1021.004:SSH, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, Linux
https://github.com/kris-nova/boopkit (#221)
https://github.com/codewhitesec/apollon (#734) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, uses:Auditd, Linux
https://github.com/mav8557/Father (#606) - Persistence, Privilege Escalation, Defense Evasion, attack:T1574.006:Dynamic Linker Hijacking, Linux
https://packetstormsecurity.com/files/22121/cd00r.c.html (#597) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, cd00r, Linux
https://github.com/0x1CA3/parasite (#201) - wltm
https://github.com/m0nad/Diamorphine (#217) - Persistence, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, Diamorphine, Linux
https://github.com/jtripper/parasite (#169)
https://github.com/noptrix/fbkit (#684) - Persistence, Privilege Escalation, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1205.002:Socket Filters, attack:T1548.001:Setuid and Setgid, FreeBSD
https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/ (#739) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, timb-machine#734, timb-machine#740, Linux
https://github.com/liamg/memit (#200)
https://github.com/airman604/jdbc-backdoor (#607) - Persistence, Privilege Escalation, Defense Evasion, attack:T1574.002:DLL Side-Loading, Linux, Internal enterprise services, Internal specialist services
https://github.com/chokepoint/azazel (#191)
https://github.com/Eterna1/puszek-rootkit (#670) - Persistence, Defense Evasion, Credential Access, Discovery, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1040:Network Sniffing, Linux
https://github.com/elfmaster/saruman (#220)
https://hckng.org/articles/perljam-elf64-virus.html (#735) - Persistence, attack:T1554:Compromise Client Software Binary, attack:T1505:Server Software Component, uses:Perl, Linux, AIX, Solaris, HP-UX
https://github.com/nurupo/rootkit (#172)
https://github.com/roddux/santa (#207)
https://github.com/aviat/passe-partout (#704) - Credential Access, attack:T1649:Steal or Forge Authentication Certificates, attack:T1563.001:SSH Hijacking, Linux, AIX, Solaris, HP-UX
https://github.com/elfmaster/linker_preloading_virus (#211)
https://github.com/therealdreg/enyelkm (#456) - Persistence, Defense Evasion, Linux
https://github.com/jermeyyy/rooty (#440) - Persistence, Defense Evasion, timb-machine#439, attack:T1547.006:Kernel Modules and Extensions, XorDDoS, Linux, Consumer, Cloud hosted services, Device application sandboxing
https://github.com/m1m1x/memdlopen (#175) - Defense Evasion, attack:T1620:Reflective Code Loading
https://github.com/rek7/fireELF (#159)
https://github.com/mempodippy/vlany (#174)
https://github.com/trustedsec/ELFLoader (#416) - Defense Evasion, attack:T1620:Reflective Code Loading, attack:T1027:Obfuscated Files or Information, Linux, Solaris, Cloud hosted services, Internal enterprise services, Internal specialist services, Enterprise with public/Customer-facing services, Device application sandboxing
https://packetstormsecurity.com/files/author/3859/ (#553) - Persistence, Defense Evasion, uses:DTrace, SInAR, /malware/pocs/SInAR, Archim, Solaris, Internal specialist services, Device application sandboxing
https://github.com/MegaManSec/SSH-Snake (#791) - Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services
https://github.com/zephrax/linux-pam-backdoor (#181) - Credential Access, Persistence, Defense Evasion, attack:T1556.003:Pluggable Authentication Modules, Linux
https://github.com/gaffe23/linux-inject (#210)

Offensive research

Not necessarily malicious code (see Linikatz and unix-privesc-check =)) but interesting capabilities...

Offensive tools

https://github.com/ciscocxsecurity/unix-privesc-check (#157) - Privilege Escalation
https://research.nccgroup.com/2022/01/08/tool-release-insject-a-linux-namespace-injector/ (#585) - Execution, Persistence, Linux, Cloud hosted services
https://github.com/pathtofile/bad-bpf (#205) - uses:BPF
https://github.com/netifera/netifera (#194)
https://github.com/creaktive/tsh (#481) - TSH, TINYSHELL, APT31, UNC2891, LightBasin, Linux
https://github.com/Frissi0n/GTFONow (#771) - Privilege Escalation, attack:T1548:Abuse Elevation Control Mechanism, Linux
https://github.com/zMarch/Orc (#161)
https://github.com/stealth/injectso (#589) - Defense Evasion, Linux
https://github.com/ropnop/windapsearch (#177)
https://github.com/alichtman/malware-techniques (#199)
https://github.com/ropnop/kerbrute (#176)
https://github.com/NetSPI/sshkey-grab (#619) - Credential Access, attack:T1552.004:Private Keys, attack:T1003.007:Proc Filesystem, attack:T1055.009:Proc Memory, Linux, Enhanced identity governance
https://github.com/guitmz/memrun (#592) - Defense Evasion, attack:T1620:Reflective Code Loading, uses:Non-persistentStorage, Linux
https://github.com/pmorjan/kmod (#654) - Persistence, Privilege Escalation, uses:Go, attack:T1547.006:Kernel Modules and Extensions, Linux
https://github.com/IvanGlinkin/AutoSUID (#204)
https://github.com/milabs/khook (#212)
https://github.com/dsnezhkov/zombieant (#793) - Defense Evasion, attack:T1562:Impair Defenses, Linux
https://github.com/CiscoCXSecurity/linikatz (#156) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets, timb-machine#141
https://github.com/NixOS/patchelf (#443) - Persistence, attack:T1574.006:Dynamic Linker Hijacking, Linux, Device application sandboxing
https://github.com/eeriedusk/nysm (#761) - Persistence, Linux
https://vulners.com/metasploit/MSF:POST/LINUX/GATHER/GNOME_KEYRING_DUMP/ (#188)
https://github.com/controlplaneio/truffleproc (#537) - Privilege Escalation, Credential Access, Linux
https://github.com/oldboy21/LDAP-Password-Hunter (#167)
https://github.com/namazso/linux_injector (#599) - Persistence, attack:T1574.006:Dynamic Linker Hijacking, Linux
https://github.com/liamg/siphon (#576) - Discovery, Collection, Linux
https://github.com/aojea/netkat (#464) - Lateral Movement, Command and Control, attack:T1205.002:Socket Filters, Linux
https://github.com/akawashiro/sloader (#521) - Defense Evasion, Linux
https://github.com/TarlogicSecurity/tickey (#184)
https://github.com/vbpf/ebpf-samples (#215) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1620:Reflective Code Loading, Device application sandboxing
https://github.com/io-tl/Mara (#487) - Linux
https://github.com/DeimosC2/DeimosC2 (#652) - Command and Control, Exfiltration, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, uses:Go, DeimosC2, /malware/binaries/Unix.Backdoor.DeimosC2, Linux
https://github.com/Idov31/Sandman (#582) - Persistence, Command and Control, Linux
https://github.com/huntergregal/mimipenguin (#185)
https://github.com/liamg/traitor (#687) - Privilege Escalation, Linux
https://packetstormsecurity.com/files/download/23045/statdx-scan.tar.gz (#146) - Reconnaissance, pscan (similar code to luckscan)
https://github.com/anko/xkbcat (#691) - Credential Access, Collection, attack:T1056.001:Keylogging, Linux, AIX, Solaris, HP-UX, Consumer, Internal enterprise services
https://github.com/fireeye/SSSDKCMExtractor (#520) - attack:T1558:Steal or Forge Kerberos Tickets, Linux, Internal enterprise services, Enhanced identity governance
https://github.com/FiloSottile/age (#166)
https://github.com/hackerschoice/ssh-key-backdoor (#672) - Persistence, Defense Evasion, Linux, AIX, Solaris, HP-UX
https://github.com/metac0rtex/SSH-Key-Brute-Forcer (#489) - Initial Access, Lateral Movement, Linux, Enclave deployment
https://github.com/timb-machine-mirrors/adamcaudill-EquationGroupLeak/tree/master/Linux (#173)
https://github.com/89luca89/pakkero (#718) - Defense Evasion, attack:T1027.002:Software Packing, Linux
https://github.com/naksyn/Pyramid (#630) - Persistence, Command and Control, Linux
https://github.com/blacklanternsecurity/KCMTicketFormatter (#519) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets, Linux, Internal enterprise services, Enhanced identity governance
https://github.com/DavidBuchanan314/dlinject (#485) - Linux
https://github.com/willshiao/node-bash-obfuscate (#190)
https://github.com/mnagel/gnome-keyring-dumper (#186)
https://github.com/sevagas/swap_digger (#515) - Credential Access, Linux
https://github.com/DavidBuchanan314/stelf-loader (#738) - Execution, Defense Evasion, uses:ProcessTreeSpoofing, uses:Non-persistentStorage, Linux
https://github.com/SkyperTHC/bpf-keylogger (#781) - Credential Access, Collection, uses:eBPF, attack:T1417.001:Keylogging, Linux
https://github.com/redcode-labs/Bashark (#168)
https://github.com/timb-machine-mirrors/CoolerVoid-casper-fs (#216)
https://github.com/airbus-seclab/nbutools (#689) - Discovery, Collection, Linux, AIX, Solaris, HP-UX, Banking, CNI, Telecomms, Internal enterprise services
https://github.com/DavidBuchanan314/monomorph (#534) - Defense Evasion, Linux
https://github.com/NetDirect/nfsshell (#164)
https://gtfobins.github.io/ (#179)
https://github.com/t3l3machus/Villain (#591) - Command and Control, Linux
https://github.com/JonathonReinhart/nosecmem (#180)
https://github.com/AlessandroZ/LaZagne (#155)
https://chromium.googlesource.com/linux-syscall-support/ (#533) - Linux
https://github.com/CiscoCXSecurity/sudo-parser (#163) - Privilege Escalation
https://github.com/MatheuZSecurity/D3m0n1z3dShell (#773) - Persistence, Linux
https://github.com/nicocha30/ligolo-ng (#699) - Command and Control, Exfiltration, Linux
https://github.com/rebootuser/LinEnum (#158)
https://github.com/TH3xACE/SUDO_KILLER (#162) - Privilege Escalation
https://github.com/elfmaster/maya (#504) - Defense Evasion, Linux, Device application sandboxing
https://github.com/Ne0nd0g/merlin (#545) - Command and Control, Exfiltration, uses:Go, Merlin, Linux
https://github.com/sosdave/KeyTabExtract (#206)
https://github.com/CiscoCXSecurity/enum4linux (#178)

Offensive techniques

https://www.tarlogic.com/blog/how-to-attack-kerberos/ (#229)
https://gist.github.com/timb-machine/602d1a4dace4899babc1b6b5345d24b2 (#550) - Defense Evasion, attack:T1562:Impair Defenses, Linux
https://sysdig.com/blog/containers-read-only-fileless-malware/ (#415) - Persistence, Defense Evasion, attack:T1202:Indirect Command Execution, attack:T1620:Reflective Code Loading, uses:Non-persistentStorage, uses:k8s, Linux, Cloud hosted services, Device application sandboxing
http://lists.openstack.org/pipermail/openstack/2013-December/004138.html (#244)
https://www.guitmz.com/running-elf-from-memory/ (#252)
https://tmpout.sh/1/ (#225)
https://rp.os3.nl/2016-2017/p59/presentation.pdf (#233)
https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf (#248)
https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (#462) - Defense Evasion, Discovery, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, attack:T1057:Process Discovery, attack:T1620:Reflective Code Loading, Linux, AIX, Solaris, HP-UX, Trust algorithm
https://grugq.github.io/docs/ul_exec.txt (#463) - Persistence, Defense Evasion, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, Linux, Trust algorithm
https://blog.doyensec.com/2022/10/11/ebpf-bypass-security-monitoring.html (#567) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
https://blog.fbkcs.ru/en/elf-in-memory-execution/ (#249)
https://buzzchronicles.com/Mollyycolllinss/b/internet/7795/ (#475) - Linux
https://rp.os3.nl/2016-2017/p59/report.pdf (#232)
https://blog.vibri.us/BeyondTrust-AD-Bridge-Open-Post-Exploitation/ (#635) - Credential Access, Discovery, attack:T1087.002:Domain Account, Linux, Internal enterprise services
https://github.com/elfmaster/scop_virus_paper (#253)
https://www.form3.tech/engineering/content/bypassing-ebpf-tools (#584) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf (#245)
http://www.hick.org/code/skape/papers/remote-library-injection.pdf (#455) - Persistence, Linux
https://vxug.fakedoma.in/papers.html (#228)
https://rp.os3.nl/2016-2017/p97/presentation.pdf (#235)
https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal (#665) - Initial Access, attack:T1190:Exploit Public-Facing Application, Mirai, Linux, IOT, Consumer
https://www.blackhat.com/presentations/bh-dc-08/Beauchamp-Weston/Whitepaper/bh-dc-08-beauchamp-weston-WP.pdf (#556) - Persistence, Defense Evasion, uses:DTrace, Solaris, Internal specialist services, Device application sandboxing
https://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ (#239)
https://twitter.com/Alh4zr3d/status/1577649651376791552 (#540) - Defense Evasion, Linux, AIX, Solaris, HP-UX
http://archive.hack.lu/2019/Fileless-Malware-Infection-and-Linux-Process-Injection-in-Linux-OS.pdf (#242) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Device application sandboxing
https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (#653) - Initial Access, Credential Access, attack:T1110:Brute Force, attack:T1078:Valid Accounts, Linux, AIX, Solaris, HP-UX, Consumer, Cloud hosted services, Internal enterprise services, Internal specialist services
https://is.muni.cz/el/fi/jaro2011/PV204/um/LinuxRootkits/sys_call_table_complete.htm (#254) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions
https://packetstormsecurity.com/files/34013/0x4553-Static_Infecting.html (#255)
https://pbs.twimg.com/media/FSi1m3gXsAA79yF?format=jpg&name=medium (#428) - Persistence, Linux, Device application sandboxing
http://shell-storm.org/api/?s=arm (#243)
https://twitter.com/HuskyHacksMK/status/1578413641669308416 (#541) - Defense Evasion, Linux, AIX, Solaris, HP-UX
https://labs.portcullis.co.uk/presentations/breaking-the-links-exploiting-the-linker/ (#238)
http://hick.org/code/skape/papers/needle.txt (#557) - Persistence, Defense Evasion, Linux
microsoft/SysmonForLinux#83 (#648) - Defense Evasion, Linux
https://grugq.github.io/docs/subversiveld.pdf (#473) - Linux
https://rp.os3.nl/2016-2017/p97/report.pdf (#234)
https://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/ (#562) - Persistence, Defense Evasion, Command and Control, Linux, AIX, Solaris
http://www.nth-dimension.org.uk/downloads.php?id=77 (#237)
https://gtfoargs.github.io/ (#626) - Initial Access, Execution
https://blog.xpnsec.com/linux-process-injection-aka-injecting-into-sshd-for-fun/ (#558) - Persistence, Defense Evasion, Linux
https://devilinside.me/blogs/becoming-rat-your-system (#256)
https://twitter.com/Alh4zr3d/status/1578406155453276160 (#539) - Defense Evasion, Linux, AIX, Solaris, HP-UX
https://github.com/0xor0ne/debugoff (#755) - Defense Evasion, uses:Rust, attack:T1622:Debugger Evasion, Linux
https://blog.talosintelligence.com/2018/12/PortcullisActiveDirectory.html (#240) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets
https://www.archcloudlabs.com/projects/debuginfod/ (#796) - Command and Control, Exfiltration, attack:T1071:Application Layer Protocol, attack:T1567:Exfiltration Over Web Service, Linux
https://c3media.vsos.ethz.ch/congress/2004/papers/057%20SUN%20Bloody%20Daft%20Solaris%20Mechanisms.pdf (#554) - Persistence, Defense Evasion, uses:DTrace, SInAR, timb-machine#553, Archim, Solaris, Internal specialist services, Device application sandboxing
https://www.cs.dartmouth.edu/~sergey/cs258/2010/spainhower_DT.pdf (#555) - Persistence, Defense Evasion, uses:DTrace, SInAR, timb-machine#553, timb-machine#554, Archim, Solaris, Internal specialist services, Device application sandboxing
https://rushter.com/blog/public-ssh-keys/ (#754) - Initial Access, Discovery, Lateral Movement, attack:T1018:Remote System Discovery, attack:T1199:Trusted Relationship, attack:T1021.004:SSH, Linux, AIX, Solaris, HP-UX
https://www.elastic.co/guide/en/security/master/binary-executed-from-shared-memory-directory.html (#611) - Defense Evasion
https://github.com/CiscoCXSecurity/presentations/raw/master/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf (#241) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets
https://github.com/rapid7/ssh-badkeys (#538) - Initial Access, Linux, AIX, Solaris, HP-UX
https://github.com/hakivvi/ermir (#579) - Initial Access, Lateral Movement, Linux, Internal enterprise services
http://www.ouah.org/LKM_HACKING.html (#257) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions
https://sonarsource.github.io/argument-injection-vectors/ (#627) - Initial Access, Execution
https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/ (#236)
https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html (#575) - Persistence, Privilege Escalation, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, attack:T1562:Impair Defenses, Linux
https://www.sentinelone.com/blog/shadow-suid-for-privilege-persistence-part-1/ (#430) - Persistence, Privilege Escalation, Defense Evasion, Linux, Device application sandboxing
https://medium.com/confluera-engineering/reflective-code-loading-in-linux-a-new-defense-evasion-technique-in-mitre-att-ck-v10-da7da34ed301 (#250)
http://www.foo.be/cours/mssi-20072008/davidoff-clearmem-linux.pdf (#246)
https://www.akamai.com/blog/security-research/linux-lateral-movement-more-than-ssh (#708) - Lateral Movement, Linux, AIX, Solaris, HP-UX
https://www.first.org/resources/papers/telaviv2019/Rezilion-Shlomi-Butnaro-Beyond-Whitelisting-Fileless-Attacks-Against-L....pdf (#231) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Device application sandboxing
https://twitter.com/brainsmoke/status/399558997994668033 (#509) - Execution, Linux
https://n0.lol/ (#227)
https://tmpout.sh/2/ (#226)
https://rosesecurityresearch.com/crafting-malicious-pluggable-authentication-modules-for-persistence-privilege-escalation-and-lateral-movement (#772) - Persistence, Defense Evasion, Credential Access, attack:T1556.003:Pluggable Authentication Modules, Linux
https://github.com/CiscoCXSecurity/linikatz/issues (#230)
https://twitter.com/David3141593/status/1575978540868435968 (#532) - Linux
https://2018.zeronights.ru/wp-content/uploads/materials/09-ELF-execution-in-Linux-RAM.pdf (#436) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Linux, Device application sandboxing
https://github.com/milabs/awesome-linux-rootkits (#9) - Persistence, Linux
https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (#461) - Persistence, Defense Evasion, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, Linux, AIX, Solaris, HP-UX, Trust algorithm
https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (#800) - Defense Evasion, Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, attack:T1027:Obfuscated Files or Information, timb-machine#791, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services
https://sysdig.com/blog/ebpf-offensive-capabilities/ (#768) - Persistence, Defense Evasion, uses:eBPF, Linux
https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html (#683) - Defense Evasion, attack:T1629.003:Disable or Modify Tools, attack:T1547.006:Kernel Modules and Extensions, uses:Auditd, Linux
https://medium.com/verint-cyber-engineering/linux-threat-hunting-primer-part-ii-69484f58ac92 (#247)
https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (#705) - Persistence, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attacK:T1548:Abuse Elevation Control Mechanism, timb-machine#669, Linux
https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html (#251)
https://gist.github.com/timb-machine/7bd75479ee29aee8762952ea16908eb0 (#197) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, attack:T1202:Indirect Command Execution, Linux, AIX, Solaris, HP-UX, Device application sandboxing, Trust algorithm

Defensive research

Defensive tools

https://github.com/CYB3RMX/Qu1cksc0pe (#696) - Defense Evasion, Linux
https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/ (#268)
https://github.com/evilsocket/ebpf-process-anomaly-detection (#497) - Execution, Linux
https://tbhaxor.com/hunting-malicious-binaries-in-containers/ (#272)
https://github.com/sandflysecurity/sandfly-file-decloak (#634) - Defense Evasion, Linux
https://github.com/marin-m/vmlinux-to-elf (#726) - Defense Evasion, attack:T1601:Modify System Image, Linux
https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Fixing-A-Memory-Forensics-Blind-Spot-Linux-Kernel-Tracing-wp.pdf (#423) - Persistence, Privilege Escalation, Defense Evasion, Credential Access, Collection, Command and Control, Exfiltration, Linux
https://twitter.com/inversecos/status/1527188391347068928 (#435) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris, Device application sandboxing
https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (#570) - Persistence, Defense Evasion, Command and Control, timb-machine#571, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, timb-machine#420, timb-machine#418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
https://twitter.com/ldsopreload/status/1582780282758828035 (#571) - Persistence, Defense Evasion, Command and Control, timb-machine#570, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, timb-machine#420, timb-machine#418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
https://elastic.github.io/security-research/intelligence/2022/03/03.dirty-pipe/article/ (#265)
https://github.com/elfmaster/avu32 (#273)
https://github.com/M00NLIG7/ChopChopGo (#674) - Defense Evasion, Linux
https://youtu.be/16_EAsYAApI (#438) - Linux
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/mitre-att-amp-ck-technique-coverage-with-sysmon-for-linux/ba-p/2858219 (#269)
https://github.com/deepfence/ebpfguard (#697) - Defense Evasion, Linux
https://github.com/niveb/NoCrypt (#673) - Impact, attack:T1486:Data Encrypted for Impact, attack:T1547.006:Kernel Modules and Extensions, Linux
https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought/ (#274)
https://github.com/sandflysecurity/sandfly-entropyscan (#632) - Defense Evasion, Linux
https://elfdigest.com/ (#262)
https://blog.blockmagnates.com/hunt-linux-malware-with-cgroups-497733095a94 (#472) - Linux
https://github.com/monnappa22/Limon (#258)
https://medium.com/confluera-engineering/detection-and-response-for-linux-reflective-code-loading-malware-this-is-how-21f9c7d8a014 (#278)
https://github.com/tstromberg/sunlight (#794) - Defense Evasion, uses:eBPF, Linux
https://github.com/tclahr/uac (#583) - Persistence, Defense Evasion, Linux
https://github.com/alex-cart/LEAF (#445) - Linux
https://github.com/falcosecurity/falco (#412) - Linux, Device application sandboxing
https://github.com/jafarlihi/modreveal (#609) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions, Linux
https://bazaar.abuse.ch/ (#259)
https://github.com/ancat/egrets (#218)
https://github.com/sandflysecurity/sandfly-processdecloak (#633) - Defense Evasion, Linux
https://tria.ge/ (#263)
https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/ (#275)
https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (#449) - Persistence, Defense Evasion, Credential Access, Command and Control, timb-machine#156, timb-machine#418, timb-machine#420, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1005:Data from Local System, attack:T1083:File and Directory Discovery, attack:T1003:OS Credential Dumping, attack:T1558:Steal or Forge Kerberos Tickets, BPFDoor, Linikatz, Linux
https://github.com/hardenedvault/ved-ebpf (#737) - Execution, Privilege Escalation, Defense Evasion, attack:T1574:Hijack Execution Flow, attack:T1548.001:Setuid and Setgid, attack:T1620:Reflective Code Loading, attack:T1068:Exploitation for Privilege Escalation, uses:eBPF, Linux
https://github.com/chainguard-dev/osquery-defense-kit (#574) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Command and Control, Exfiltration, Linux
https://github.com/NozomiNetworks/upx-recovery-tool (#535) - Defense Evasion, attack:T1027.002:Software Packing, Linux
https://www.virustotal.com/gui/ (#260)
https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/ (#276)
https://github.com/threathunters-io/laurel (#581) - Defense Evasion, Linux
https://github.com/signalblur/impelf (#647) - Defense Evasion, Linux
https://github.com/sqall01/LSMS (#610) - Defense Evasion, Linux
https://grsecurity.net/tetragone_a_lesson_in_security_fundamentals (#450) - Persistence, Privilege Escalation, Defense Evasion, Linux
https://github.com/Achiefs/fim (#779) - Defense Evasion, Linux
https://github.com/sourque/louis (#411) - Linux, Device application sandboxing
https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505 (#451) - Linux
https://github.com/chriskaliX/Hades (#514) - Linux
https://github.com/504ensicsLabs/LiME (#187)
https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/ (#277)
https://www.rfxn.com/projects/linux-malware-detect/ (#261)
https://github.com/Gui774ume/ebpfkit-monitor (#467) - Persistence, Defense Evasion, Discovery, Command and Control, Linux
https://twitter.com/ldsopreload/status/1583178316286029824 (#568) - Persistence, Defense Evasion, Command and Control, timb-machine#569, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, timb-machine#420, timb-machine#418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
https://github.com/0xrawsec/kunai (#749) - Defense Evasion, Linux
https://github.com/snapattack/bpfdoor-scanner (#437) - Persistence, Defense Evasion, Command and Control, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205.002:Socket Filters, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect
https://twitter.com/timb_machine/status/1523253031382687744 (#421) - Command and Control, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, timb-machine#420, DecisiveArchitect, Solaris
https://github.com/op7ic/unix_collector (#266) - Solaris, Linux, AIX, OS X
https://github.com/vmware/kernel-event-collector-module (#271) - Carbon Black
https://github.com/nikhilh-20/ELFEN (#764) - Defense Evasion, Linux
https://github.com/Gui774ume/krie (#498) - Defense Evasion, Privilege Escalation, Persistence, uses:eBPF, attack:T1620:Reflective Code Loading, attack:T1574:Hijack Execution Flow, attack:T1068:Exploitation for Privilege Escalation, attack:T1562.001:Disable or Modify Tools, attack:T1548:Abuse Elevation Control Mechanism, Linux
https://github.com/avilum/secimport (#748) - Persistence, Defense Evasion, Linux
https://www.volatilityfoundation.org/releases-vol3 (#457) - Persistence, Defense Evasion, Linux, Consumer, Cloud hosted services, Internal enterprise services, Internal specialist services, Enterprise with public/Customer-facing services, Device application sandboxing
https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (#569) - Persistence, Defense Evasion, Command and Control, timb-machine#568, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, timb-machine#420, timb-machine#418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
https://github.com/david942j/seccomp-tools (#590) - Defense Evasion, Linux

Defensive techniques

https://blog.trailofbits.com/2021/11/09/all-your-tracing-are-belong-to-bpf/ (#747) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
https://www.mandiant.com/sites/default/files/2022-03/wp-linux-endpoint-hardening.pdf (#675) - Defense Evasion, Linux
https://github.com/archcloudlabs/BSidesRoc2022_Linux_Malware_Analysis_Course (#264)
https://righteousit.wordpress.com/2021/12/21/hudaks-honeypot-part-2/ (#39) - honeypot, Linux
https://righteousit.wordpress.com/2021/12/20/hudaks-honeypot-part-1/ (#38) - honeypot, Linux
https://blog.trailofbits.com/2023/08/09/use-our-suite-of-ebpf-libraries/ (#736) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
https://archive.org/details/HalLinuxForensics (#560) - Defense Evasion, Linux
https://www.youtube.com/watch?v=Zig-inHOhII (#561) - Defense Evasion, Linux
https://sandflysecurity.com/blog/detecting-evasive-linux-backdoors-presentation/ (#760) - Persistence, Defense Evasion, Command and Control, Linux
https://github.com/rung/threat-matrix-cicd (#10) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Lateral Movement, Exfiltration, Impact, Linux
https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html (#559) - Defense Evasion, Linux
https://blog.trailofbits.com/2023/09/25/pitfalls-of-relying-on-ebpf-for-security-monitoring-and-some-solutions/ (#762) - Execution, Persistence, Privilege Escalation, Defense Evasion, Linux
https://github.com/DevinRTK/rtk-eLibrary (#631) - Persistence, Defense Evasion, Discovery, Collection, Linux, Cloud hosted services, Internal enterprise services, Internal specialist services, Multi-cloud/Cloud-to-cloud enterprise
https://blog.virustotal.com/2023/12/sigma-rules-for-linux-and-macos_20.html (#774) - Defense Evasion, Linux
https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (#719) - Execution, Persistence, Privilege Escalation, Defense Evasion, attack:T1574:Hijack Execution Flow, attack:T1204:User Execution, attack:T1218:System Binary Proxy Execution, attack:T1036.003:Rename System Utilities, Linux, AIX, Solaris, HP-UX
https://www.forensicxlab.com/posts/inodes/ (#522) - Defense Evasion, Linux
https://github.com/anelshaer/Remote-Linux-Triage-Collection-using-OSquery (#529) - Linux
https://blog.aquasec.com/detecting-ebpf-malware-with-tracee (#745) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
https://github.com/cr0nx/awesome-linux-attack-forensics-purplelabs (#712) - Defense Evasion, Linux
https://twitter.com/CraigHRowland/status/1593102427276050433 (#587) - Persistence, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, Linux
https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (#499) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, attack:T1574:Hijack Execution Flow, attack:T1068:Exploitation for Privilege Escalation, Linux
https://redcanary.com/blog/ebpf-for-security/ (#270) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading
https://github.com/timb-machine/obscure-forensics (#267)
https://redcanary.com/blog/process-streams/ (#494) - Lateral Movement, Command and Control, Exfiltration, uses:bash, uses:ksh93, attack:T1059:Command and Scripting Interpreter, attack:T1095:Non-Application Layer Protocol, Linux, Enclave deployment
https://darrenmartyn.ie/2021/07/05/procfs-bash-tricks-and-detecting-cowrie/ (#528) - Persistence, Defense Evasion, Linux, Device application sandboxing

Defensive Yara

Personal rules

pscan.yara (#287) - Hunts for references to pscan
luckscan.yara (#286) - Hunts for references to luckscan
adonunix2.yara (#281) - Hunts for binaries that attack AD on UNIX
aix.yara (#280) - Hunts for AIX binaries
ciscotools.yara (#279) - Hunts for references to our tools
enterpriseapps2.yara (#283) - Hunts for enterprise app binaries
enterpriseunix2.yara (#282) - Hunts for enterprise UNIX binaries
unixredflags3.yara (#285) - Hunts for UNIX red flags
canvasspectre.yara (#284) - Hunts for CANVAS Spectre

Other rules

https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar (#419) - attack:T1205.002:Socket Filters, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, timb-machine#418, DecisiveArchitect, Linux
https://github.com/Yara-Rules/rules (#288)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

linux-malware

Press/academia

In the wild

Breach reports

Supply chain attacks

Malware reports

Malware samples

Malware binaries

Malware source

Malware PoCs

Offensive research

Offensive tools

Offensive techniques

Defensive research

Defensive tools

Defensive techniques

Defensive Yara

Personal rules

Other rules

About

Releases

Packages

Languages

Name		Name	Last commit message	Last commit date
Latest commit History 687 Commits
.github		.github
articles		articles
defensive		defensive
doc		doc
intel		intel
malware		malware
offensive		offensive
src		src
.gitmodules		.gitmodules
ATT&CK.md		ATT&CK.md
COPYING		COPYING
README.md		README.md

License

magnologan/linux-malware

Folders and files

Latest commit

History

Repository files navigation

linux-malware

Press/academia

In the wild

Breach reports

Supply chain attacks

Malware reports

Malware samples

Malware binaries

Malware source

Malware PoCs

Offensive research

Offensive tools

Offensive techniques

Defensive research

Defensive tools

Defensive techniques

Defensive Yara

Personal rules

Other rules

About

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages