Name	Name	Last commit message	Last commit date
Latest commit History 690 Commits
.github	.github
articles	articles
defensive	defensive
doc	doc
intel	intel
malware	malware
offensive	offensive
src	src
.gitmodules	.gitmodules
ATT&CK.md	ATT&CK.md
COPYING	COPYING
README.md	README.md

E: we have a duplicate: https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group E: we have a duplicate: https://twitter.com/Unit42_Intel/status/1653760405792014336

Press/academia

https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf (#20) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, LaZagne, Dalcs, Mirai, Gafgyt, Tsunami, IPStorm, Wellmess, FritzFrog, Linux
https://www.group-ib.com/resources/threat-research/oldgremlin.html (#573) - Impact, OldGremlin, Linux
https://en.wikipedia.org/wiki/Linux_malware (#17) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, DarkSide
https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html (#37)
https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Dumont-H-Porcher-dark_side_of_the_forsshe.pdf (#24) - various SSH, Bonadan, Kessel, Chandrila
https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (#422) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, #420, #418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris
https://www.fireeye.com/blog/threat-research/2021/09/elfant-in-the-room-capa-v3.html (#34)
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations (#32)
https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf (#21) - WINNTI
https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf (#23) - various SSH, Bonadan, Kessel, Chandrila
https://gist.github.com/vlamer/2c2ec2ca80a84ab21a32 (#26)
https://www.darkreading.com/attacks-breaches/blackcat-purveyor-shows-ransomware-operators-have-nine-lives (#41) - Impact, BlackCat, #512
https://spectrum.ieee.org/amp/mirai-botnet-2659993631 (#676) - Initial Access, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1498:Network Denial of Service, attack:T1499:Endpoint Denial of Service, Mirai, Linux, Consumer
https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf (#101) - Defense Evasion, Command and Control, Exfiltration, Impact, attack:T1486:Data Encrypted for Impact, XMRig, Hello Kitty, #546, REvil, DarkSide, BlackMatter, Defray777, ViceSociety, Erebus, GonnaCry, eChoraix, Sysrv, TeamTNT, Mexalz, Omelette, WatchDog, Kinsing, Cobalt Strike, Vermillion Strike, Merlin, #545, #547, RedXOR, #548, ACBackdoor, #549, ELF_Plead, Linux, VMware, Internal enterprise services, Internal specialist services
https://www.linuxexperten.com/library/e-resources/linux-malware-ever-growing-list-2023 (#622) - Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, Linux
https://blog.trendmicro.com/trendlabs-security-intelligence/unix-a-game-changer-in-the-ransomware-landscape/ (#35)
https://rp.os3.nl/ (#30)
https://reyammer.io/publications/2018_oakland_linuxmalware.pdf (#28)
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/ (#638) - Resource Development, Impact, attack:T1486:Data Encrypted for Impact, #644, uses:CrossCompiled, LockBit, Linux, Internal specialist services
https://www.zdnet.com/article/hacker-exposes-thousands-of-insecure-desktops-that-anyone-can-remotely-view/ (#33)
https://wikileaks.org/vault7/ (#31)
https://en.wikipedia.org/wiki/Mirai_(malware) (#18) - Initial Access, Persistence, Defense Evasion, Credential Access, Discovery, Lateral Movement, Impact, Mirai
https://securelist.com/top-10-unattributed-apt-mysteries/107676/ (#552) - Metador, Plexing Eagle, wltm, Linux, Solaris, Telecomms
https://github.com/CiscoCXSecurity/presentations/raw/master/The%20UNIX%20malware%20landscape%20-%20Reviewing%20the%20goods%20at%20MALWAREbazaar%20v5.pdf (#448)
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf (#417) - LootRat, PLEAD, TSCookie, RotaJakiro1, Red Djinn, Red Nue, Scarlet Joke, Ocean Lotus, APT32, Linux
https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/ (#40)
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ (#22) - AgeLocker, WellMail, TrickBot, IPStorm, Turla, QNAPCrypt, Carbanak
http://s3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf (#27)
https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ (#19) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
https://malpedia.caad.fkie.fraunhofer.de/ (#29)
https://ieeexplore.ieee.org/document/8418602 (#25)

In the wild

Breach reports

https://www.freedownloadmanager.org/blog/?p=664 (#765) - Initial Access, #766, Linux
http://securelist.com/backdoored-free-download-manager-linux-malware/110465/ (#766) - Initial Access, #765, Linux
https://twitter.com/1ZRR4H/status/1560662815400407040 (#507) - Initial Access, Peer2Profit, Linux
https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ (#446) - Initial Access, Linux
https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm (#42) - GoDaddy
https://github.com/mttaggart/I-S00N (#799) - Persistence, Reptile, APT41, Linux, AIX, Solaris, HP-UX
https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677) - Reconnaissance, Initial Access, Persistence, Defense Evasion, Discovery, Collection, Impact, attack:T1593:Search Open Websites/Domains, attack:T1190:Exploit Public-Facing Application, attack:T1078.004:Cloud Accounts, attack:T1526:Cloud Service Discovery, attack:T1619:Cloud Storage Object Discovery, attack:T1069:Permission Groups Discovery, attack:T1069.003:Cloud Groups, attack:T1602:Data from Configuration Repository, attack:T1213.003:Code Repositories, attack:T1098:Account Manipulation, attack:T1098.003:Additional Cloud Roles, attack:T1136:Create Account, attack:T1136.003:Cloud Account, attack:T1036:Masquerading, attack:T1021.004:SSH, attack:T1578:Modify Cloud Compute Infrastructure, attack:T1578.002:Create Cloud Instance, attack:T1525:Implant Internal Image, attack:T1496:Resource Hijacking, GUI-vil, Linux, Hosting, Cloud hosted services

Supply chain attacks

https://lwn.net/Articles/371110/ (#291) - e107 CMS
https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor/ (#45) - UnrealIRCd
https://arstechnica.com/information-technology/2012/09/questions-abound-as-malicious-phpmyadmin-backdoor-found-on-sourceforge-site/ (#47) - PHPMyAdmin
http://www.h-online.com/open/news/item/MyBB-downloads-were-infected-1366300.html (#292) - MyBB
https://securelist.com/beware-of-backdoored-linux-mint-isos/73893/ (#543) - Initial Access, Command and Control, Impact, Tsunami, Kaiten, Linux
https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html (#49) - VsFTPd
canonical/snapcraft.io#651 (#296) - Snapcraft
https://portswigger.net/daily-swig/backdoor-planted-in-php-git-repository-after-server-hack (#48) - PHP
https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/ (#787) - Initial Access, Discovery, Command and Control, uses:npm, attack:T1195.001:Compromise Software Dependencies and Development Tools, attack:T1082:System Information Discovery, Linux
https://lists.archlinux.org/pipermail/aur-general/2018-July/034169.html (#523) - #525, wltm, Linux
https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain/ (#289) - "Octopus Scanner" (Netbeans) attack
https://www.aldeid.com/wiki/Exploits/proftpd-1.3.3c-backdoor (#44) - ProFTPd
https://www.webmin.com/exploit.html (#43) - Webmin
https://www.heise.de/security/meldung/Achtung-Anzeigen-Server-OpenX-enthaelt-eine-Hintertuer-1929769.html (#295) - OpenX
https://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155 (#46) - Horde Webmail
https://portswigger.net/daily-swig/homebrew-bug-allowed-researcher-full-access-to-github-repos (#290) - Homebrew
https://blog.sonatype.com/newly-found-npm-malware-mines-cryptocurrency-on-windows-linux-macos-devices (#294) - Impact, delivery:NPM, uses:JavaScript, attack:T1195.001:Compromise Software Dependencies and Development Tools, wltm
https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero (#495) - Impact, delivery:PyPI, uses:Python, attack:T1620:Reflective Code Loading, attack:T1070.004:File Deletion, attack:T1195.001:Compromise Software Dependencies and Development Tools, wltm, Linux
https://news.ycombinator.com/item?id=17501379 (#525) - Linux
https://lirantal.medium.com/a-snyks-post-mortem-of-the-malicious-event-stream-npm-package-backdoor-40be813022bb (#293) - event-stream

Malware reports

https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery (#488) - Initial Access, Lateral Movement, Impact, RapperBot, /malware/binaries/RapperBot, Linux
https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/ (#565) - Initial Access, Lateral Movement, Impact, #566, Sysrv, wltm, Linux, Internal enterprise services
https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (#803) - Defense Evasion, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, uses:Non-persistentStorage, attack:T1070.006:Timestomp, attack:T1070.004:File Deletion, BPFDoor, /malware/binaries/BPFDoor, wltm, Linux
https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits (#392) - Botenago
https://twitter.com/_larry0/status/1143532888538984448 (#51) - Silex
https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ (#404) - Hildegard, TeamTNT
http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf (#349) - Moose
https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ (#373) - Initial Access, Persistence, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1505.003:Web Shell, Prophet Spider, Linux
https://twitter.com/IntezerLabs/status/1272915284148531200 (#341) - Lazarus
https://blog.malwarebytes.com/cybercrime/2022/03/a-new-rootkit-comes-to-an-atm-near-you/ (#120) - CAKETAP, UNC2891, Solaris
https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (#700) - Persistence, Defense Evasion, Credential Access, Discovery, Impact, attack:T1110:Brute Force, uses:SHC, attack:T1057:Process Discovery, attack::T1003.008:/etc/passwd and /etc/shadow, attack:T1098.004:SSH Authorized Keys, attack:T1556:Modify Authentication Process, Reptile, #171, Diamorphine, #217, ZiggyStarTux, #701, Linux, IOT, Consumer
https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/ (#91) - Muhstik
https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware (#107) - Impact, BlackCat, #512
https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html (#102) - Impact, attack:T1486:Data Encrypted for Impact, LockBit, Linux, VMware, Internal enterprise services, Internal specialist services
https://www.cisa.gov/news-events/analysis-reports/ar23-209a (#731) - Persistence, #729, SUBMARINE, wltm, Linux
https://unit42.paloaltonetworks.com/pgminer-postgresql-cryptocurrency-mining-botnet/ (#351) - PGMiner
https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (#468) - Persistence, Defense Evasion, uses:LD_PRELOAD, attack:T1574.006:Dynamic Linker Hijacking, attack:T1548.001:Setuid and Setgid, attack:T1556.003:Pluggable Authentication Modules, attack:T1027:Obfuscated Files or Information, attack:T1082:System Information Discovery, attack:T1562.001:Disable or Modify Tools, attack:T1003.007:Proc Filesystem, attack:T1563.001:SSH Hijacking, uses:PortHiding, uses:Non-persistentStorage, OrBit, /malware/binaries/OrBit, Linux
https://www.intezer.com/blog/research/acbackdoor-analysis-of-a-new-multiplatform-backdoor/ (#549) - ACBackdoor, wltm, Linux
https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (#397) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1574.006:Dynamic Linker Hijacking, attack:T1205.002:Socket Filtering, Umbreon
https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (#658) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, attack:T1573:Encrypted Channel, attack:T1106:Native API, BPFDoor, /malware/binaries/BPFDoor, Linux
https://mp-weixin-qq-com.translate.goog/s/pd6fUs5TLdBtwUHauclDOQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp (#588) - Persistence, Defense Evasion, Command and Control, attack:T1027:Obfuscated Files or Information, caja, wltm, Linux
https://pastebin.com/iKyaqLTd (#88) - Exaramel, BlackEnergy, #ICS (by malwaremustdie.org)
https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analysis (#393) - Conti
https://twitter.com/IntezerLabs/status/1326880812344676352 (#330) - AgeLocker
https://twitter.com/malwrhunterteam/status/1559636227485319168 (#500) - Impact, REvil, wltm, Linux
https://twitter.com/malwaremustd1e/status/1380637310346096641 (#364) - Ngioweb (by malwaremustdie.org)
https://twitter.com/malwrhunterteam/status/1467264298237972484 (#406) - Cerber
https://asec.ahnlab.com/en/55229/ (#722) - Defense Evasion, Command and Control, #709, attack:T1036.005:Match Legitimate Name or Location, attack:T1573.001:Symmetric Encryption, uses:ProcessTreeSpoofing, Rekoobe, TINYSHELL, APT31, Linux, Solaris
https://sansec.io/research/ecommerce-malware-linux-avp (#396) - linux_avp, Comma
https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/ (#636) - Initial Access, Linux
https://twitter.com/sethkinghi/status/1397814848549900288 (#717) - Defense Evasion, attack:T1480.001:Environmental Keying, AVrecon, Linux, IOT
https://tolisec.com/ssh-backdoor-botnet-with-research-infection-technique/ (#92)
https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/ (#526) - Metador, wltm, Linux
https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (#95) - Command and Control, Defense Evasion, Persistence, Discovery, attack:T1102:Web Service, attack:T1071.001:Web Protocols, attack:T1573.001:Symmetric Cryptography, attack:T1573:Encrypted Traffic, attack:T1053.003:Cron, attack:T1033:System Owner/User Discovery, attack:T1016:System Network Configuration Discovery, attack:T1070.004:File Deletion, uses:RedirectionToNull, delivery:NPM, SysJoker, wltm, Linux
https://imp0rtp3.wordpress.com/2021/11/25/sowat/ (#400) - Command and Control, #140, #131, SoWaT, APT31, Zirconium
https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (#447) - Persistence, Defense Evasion, Discovery, Command and Control, attack:T1027:Obfuscated Files or Information, attack:T1053.003:Cron, attack:T1082:System Information Discovery, attack:T1132:Data Encoding, attack:T1564.001:Hidden Files and Directories, Buni, APT32, Ocean Lotus
https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites (#598) - Initial Access, Command and Control, uses:Go, GoTrim, Linux, Enterprise with public/Customer-facing services
https://imgur.com/a/DWKK5 (#84) - Persistence, Command and Control, Tsunami, Kaiten (by malwaremustdie.org), Linux
https://www.lab539.com/blog/linux-malware-detection-with-limacharlie (#728) - Reconnaissance, Initial Access, Execution, Persistence, Linux
https://twitter.com/jhencinski/status/1451592508157345793 (#387) - Impact, XMRig
https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html (#501) - Initial Access, Command and Control, uses:MiMi, uses:ElectronJS, rshell, wltm, Iron Tiger, Emissary Panda, APT27, Bronze Union, LuckyMouse, Linux, Collaboration across enterprise boundaries, Device application sandboxing
https://www.uptycs.com/blog/another-ransomware-for-linux-likely-in-development (#505) - Impact, DarkAngels, wltm, Linux
https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces (#115) - Impact, KinSing
https://twitter.com/ESETresearch/status/1410864752948043778 (#104) - Specter, SideWalk, StageClient
https://mp-weixin-qq-com.translate.goog/s/v2wiJe-YPG0ng87ffBB9FQ?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (#580) - Command and Control, Torii, Linux
https://threatfabric.com/blogs/vultur-v-for-vnc.html (#379) - Vultur, Brunhilda, #Android
https://imgur.com/a/LpTN7 (#85) - Elknot (by malwaremustdie.org)
https://sysdig.com/blog/cloud-defense-in-depth/ (#713) - Initial Access, Lateral Movement, KinSing, Linux
https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html (#59) - Mirai (by malwaremustdie.org)
https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/ (#110) - b1txor20
https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf (#333) - Cloud Snooper
https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (#432) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, #420, #418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
https://blogs.blackberry.com/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors (#305) - Tycoon
https://cujo.com/iot-malware-journals-prometei-linux/ (#300) - Promotei
https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/ (#503)
https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf (#493) - Persistence, Command and Control, uses:Go, IPStorm, /malware/binaries/Unix.Trojan.Ipstorm, Linux
https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/ (#325) - RedXOR
https://blog.talosintelligence.com/2018/06/vpnfilter-update.html (#54) - VPNFilter
https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/ (#566) - Impact, XMRig, Sysrv, wltm, Linux
https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/ (#369) - Kobalos, #linux, #bsd, #solaris, #aix
https://www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spam-servers/ (#68) - Mumblehard
https://www.intezer.com/blog/malware-analysis/linux-rekoobe-operating-with-new-undetected-malware-samples/ (#479) - Rekoobe, APT31, Linux
https://asec.ahnlab.com/en/55785/ (#733) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1547.006:Kernel Modules and Extensions, attack:T1205.001:Port Knocking, Reptile, TINYSHELL, Rekoobe, Linux
https://blog.polyswarm.io/darkangels-linux-ransomware (#666) - Impact, attack:T1486:Data Encrypted for Impact, DarkAngels, wltm, Linux
https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (#312) - Persistence, Impact, Defense Evasion, Privilege Escalation, attack:T1565.002:Transmitted Data Manipulation, attack:T1055:Process Injection, attack:T1055.009:Proc Memory, attack:T1564.001:Hidden Files and Directories, attack:T1574:Hijack Execution Flow, attack:T1567:Financial Theft, #135, FastCash, Hidden Cobra, AIX, Banking
https://gist.github.com/unixfreaxjp/7b8bd6be614f7a051fc9a9da760d3138 (#362) - Initial Access, Command and Control, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux
https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (#527) - Defense Evasion, Discovery, Execution, Persistence, Privilege Escalation, attack:T1036.005:Match Legitimate Name or Location, attack:T1059:Command and Scripting Interpreter, attack:T1569:System Service, attack:T1569.002:Service Execution, attack:T1543:Create or Modify System Process, attack:T1027:Obfuscated Files or Information, uses:Non-persistentStorage, attack:T1057:Process Discovery, attack:T1070.004:File Deletion, attack:T1546.004:Unix Shell, exploit:CVE-2021-3493, exploit:CVE-2021-4034, #510, Shikitega, /malware/binaries/Shikitega, XMRig, Linux
https://www.guardicore.com/labs/fritzfrog-a-new-generation-of-peer-to-peer-botnets/ (#313) - FritzFrog
https://ultimacybr.co.uk/2023-10-04-Sysrv/ (#767) - Persistence, Defense Evasion, Impact, attack:T1496:Resource Hijacking, uses:Go, Sysrv, Linux
https://www.gosecure.net/blog/2018/02/14/chaos-a-stolen-backdoor-rising/ (#395) - uses:Go, Chaos (sebd), /malware/binaries/Chaos
https://igor-blue.github.io/2021/03/24/apt1.html (#302)
https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware (#639) - Command and Control, AP36, Transparent Tribe, Poseidon, Linux
https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (#510) - Execution, Persistence, Defense Evasion, attack:T1036.005:Match Legitimate Name or Location, attack:T1059:Command and Scripting Interpreter, attack:T1569:System Service, attack:T1569.002:Service Execution, attack:T1543:Create or Modify System Process, attack:T1027:Obfuscated Files or Information, uses:Non-persistentStorage, attack:T1057:Process Discovery, attack:T1070.004:File Deletion, attack:T1546.004:Unix Shell, exploit:CVE-2021-3493, Shikitega, /malware/binaries/Shikitega, Linux
https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/ (#381) - FontOnLake
https://www.sentinelone.com/blog/darkradiation-abusing-bash-for-linux-and-docker-container-ransomware/ (#303) - DarkRadiation
https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/ (#378) - #cobaltstrike, VermilionStrike
https://twitter.com/cyb3rops/status/1523227511551033349 (#425) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, #418, DecisiveArchitect, Linux
https://www.sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/ (#402) - Cloud Shovel
https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials (#50) - TeamTNT
http://www.thedarkside.nl/honeypot/microbul.html (#388)
https://hybrid-analysis.com/sample/eb8826bac873442045a6a05f1fa25b410ca18db6942053f6d146467c00d5338d (#508) - Peer2Profit, Linux
https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/ (#299) - IPStorm, /malware/binaries/Unix.Trojan.Ipstorm
https://vms.drweb.com/virus/?i=15389228 (#326) - ?
https://zhuanlan.zhihu.com/p/348960748 (#403) - Impact, Command and Control, Lateral Movement, Persistence, Cloud Shovel
https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/ (#410) - Initial Access, Persistence, Defense Evasion, Lateral Movement, Impact, LemonDuck, Linux, Cloud hosted services, Device application sandboxing
https://twitter.com/CraigHRowland/status/1422267857988063232 (#354) - ITTS
https://imgur.com/a/CtHlmBE (#82) - Persistence, Command and Control, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux
https://imgur.com/a/Ak9zICq (#367) - Neko (by malwaremustdie.org)
https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html (#332) - NOTROBIN
https://imgur.com/a/qqgfFXf (#60) - Mirai (by malwaremustdie.org)
https://securelist.com/a-bad-luck-blackcat/106254/?_sp=3b4159db-9e20-4bfa-a47f-f8671b594d75.1649770307513 (#118) - Impact, BlackCat, #512
https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html (#614) - Command and Control, Persistence, SysUpdate, IronTiger
https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys/ (#680) - Initial Access, Persistence, Androxgh0st, wltm, Linux, Cloud hosted services
https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html (#789) - Defense Evasion, Discovery, Command and Control, attack:T1090:Proxy, uses:ProcessTreeSpoofing, attack:T1027:Obfuscated Files or Information, attack:T1082:System Information Discovery, SprySOCKS, Mandibule, #170, Earth Lusca, Linux
https://twitter.com/malwrhunterteam/status/1415403132230803460 (#310) - HelloKitty
https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf (#625) - Defense Evasion, Command and Control, attack:T1071:Application Layer Protocol, attack:T1071.001:Web Protocols, attack:T1092:Communication Through Removable Media, attack:T1027.002:Software Packing, KEYPLUG, RedGolf, Linux
https://cert.gov.ua/article/4501891 (#651) - Impact, attack:T1485:Data Destruction, Sandworm, Linux, Industrial
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ (#750) - Initial Access, Persistence, Defense Evasion, Command and Control, Impact, attack:T1547.006:Kernel Modules and Extensions, SkidMap, Linux
https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (#725) - Defense Evasion, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, BPFDoor, /malware/binaries/BPFDoor, Unix.Backdoor.RedMenshen, DecisiveArchitect, Linux, Solaris
https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/ (#52) - GodLua
https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github (#97) - Botenago
https://cujo.com/the-sysrv-botnet-and-how-it-evolved/ (#640) - Initial Access, Command and Control, Impact, Sysrv, Linux
https://www.welivesecurity.com/wp-content/uploads/2021/10/eset_fontonlake.pdf (#641) - FontOnLake, Linux
https://twitter.com/malwaremustd1e/status/1264417940742389762 (#316) - Gafgyt (by malwaremustdie.org)
https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/ (#342) - Doki
https://sansec.io/research/nginrat (#94) - Defense Evasion, uses:Non-persistentStorage, attack:T1036.005:Match Legitimate Name or Location, attack:T1574.006:Dynamic Linker Hijacking, attack:T1027:Obfuscated Files or Information, uses:ProcessTreeSpoofing, NginRAT, wltm
https://s.tencent.com/research/report/1177.html (#384)
https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (#427) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, #420, #418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris
https://vms.drweb.com/virus/?i=21004786 (#433) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf (#345) - WellMail (APT29)
https://cybersec84.wordpress.com/2023/08/15/monti-ransomware-operators-resurface-with-new-linux-variant-improved-evasion-tactics/ (#753) - Defense Evasion, Impact, attack:T1486:Data Encrypted for Impact, attack:T1480:Execution Guardrails, wltm, Monti, Linux, VMware
https://pastebin.com/Z3sXqDCA (#89) - Mozi (by malwaremustdie.org)
https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/ (#323) - EvilGnome
https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/ (#350) - Stantinkos
https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/ (#308) - KillDisk
https://unit42.paloaltonetworks.com/alloy-taurus/ (#646) - Command and Control, attack:T1071:Application Layer Protocol, attack:T1071.001:Web Protocols, attack:T1132:Data Encoding, attack:T1132.001:Standard Encoding, attack:T1573:Encrypted Channel, attack:T1573.001:Symmetric Cryptography, Sword2033, PingBull, wltm, Alloy Taurus, GALLIUM, Soft Cell, Linux
https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (#452) - Persistence, Defense Evasion, Command and Control, attack:T1205:Traffic Signaling, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1556.003:Pluggable Authentication Modules, attack:T1574.006:Dynamic Linker Hijacking, #460, Symbiote, Linux
https://atdotde.blogspot.com/2020/05/high-performance-hackers.html (#377) - HPC
https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html (#63) - #134, SLAPSTICK, LightBasin, UNC1945, Solaris
https://analyze.intezer.com/files/82aa04f8576ea573a4772db09ee245cab8eac7ff1e7200f0cc960d8b6f516e92 (#482) - Log4J, /malware/binaries/Unix.Trojan.Log4J/82aa04f8576ea573a4772db09ee245cab8eac7ff1e7200f0cc960d8b6f516e92.elf.x86, Linux
https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf (#370) - Kobalos, #bsd, #solaris, #aix
https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/ (#690) - Command and Control, attack:T1572:Protocol Tunneling, ChamelDoh, wltm, ChamelGang, Linux
https://twitter.com/bkMSFT/status/1417823714922610689 (#328) - #329, Zirconium, APT31
https://www.mandiant.com/resources/blog/messagetap-who-is-reading-your-text-messages (#542) - Defense Evasion, Discovery, Collection, Exfiltration, vertical:Telecomms, attack:T1040:Network Sniffing, uses:Non-persistentStorage, attack:T1070.004:File Deletion, MESSAGETAP, /malware/binaries/MESSAGETAP, APT41, Linux, Telecomms, Internal specialist services
https://imgur.com/a/lAQ1tMQ (#78) - HelloBot (by malwaremustdie.org)
https://twitter.com/CraigHRowland/status/1422009387686645761 (#353) - ITTS
https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (#724) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, #710, #711, Linux
https://www.trendmicro.com/en_gb/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html (#304) - DarkRadation
https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (#716) - Defense Evasion, Credential Access, Discovery, Command and Control, attack:T1110.003:Password Spraying, attack:T1057:Process Discovery, attack:T1082:System Information Discovery, attack:T1480.001:Environmental Keying, attack:T1573:Encrypted Channel, AVrecon, #717, Linux, IOT
https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (#692) - Execution, Persistence, Defense Evasion, Credential Access, Command and Control, attack:T1552:Unsecured Credentials, attack:T1212:Exploitation for Credential Access, attack:T1562:Impair Defenses, attack:T1580:Cloud Infrastructure Discovery, attack:T1525:Implant Internal Image, attack:T1102:Web Service, UNC3886, Linux, VMware
https://www.mandiant.com/resources/unc2891-overview (#112) - Lateral Movement, Credential Access, Execution, Defense Evasion, Persistence, attack:T1021.004:SSH, attack:T1003.008:/etc/passwd and /etc/shadow, attack:T1552.003:Bash History, attack:T1552.004:Private Keys, attack:T1556.003:Pluggable Authentication Modules, attack:T1053.001:At (Linux), attack:T1059.004:Unix Shell, attack:T1014:Rootkit, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1548.001:Setuid and Setgid, attack:T1543.002:Systemd Service, attack:T1547.006:Kernel Modules and Extensions, #134, TINYSHELL, SLAPSTICK, CAKETAP, WIPERIGHT, MIG Logcleaner, #154, BINBASH, UNC2891, UNC1945, LightBasin, Linux, Solaris, Banking
https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (#516) - Resource Development, Discovery, Command and Control, attack:T1587.001:Malware, attack:T1016:System Network Configuration Discovery, attack:T1071.001:Web Protocols, attack:T1573.001:Symmetric Cryptography, SideWalk, wltm, SparklingGoblin, Linux
https://twitter.com/malwaremustd1e/status/1235595880041873408 (#358) - Hajimi (by malwaremustdie.org)
https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/ (#327) - TeamTNT, Mimipenguin
https://int0x33.medium.com/day-27-tiny-shell-48df6abb0d5d (#616) - Command and Control, TSH, TINYSHELL, #481
https://twitter.com/captainGeech42/status/1657121312425365524 (#661) - Persistence, Defense Evasion, SystemBC, #662, Linux
https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ (#117) - AcidRain
https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (#604) - Initial Access, attack:T1190:Exploit Public-Facing Application, attack:T1078.001:Default Accounts, KinSing, Linux
https://imgur.com/a/vS7xV (#75) - CarpeDiem (by malwaremustdie.org)
https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/ (#444) - EnemyBot, Linux
https://imgur.com/a/SSKmu (#77) - Rebirth, Vulcan (by malwaremustdie.org)
https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/ (#298) - RandomEXX
https://twitter.com/ESETresearch/status/1382054011264700416 (#335) - TSCookie, #freebsd
https://mp.weixin.qq.com/s/BSfKTlMlOnNlsWKjV1NM8w (#394) - NAMO
https://twitter.com/malwaremustd1e/status/1267068856645775360 (#363) - DarkNexus (by malwaremustdie.org)
https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ (#655) - Initial Access, Persistence, Privilege Escalation, attack:T1566.001:Spearphishing Attachment, attack:T1546.004:Unix Shell Configuration Modification, uses:RedirectionToNull, uses:Go, wltm, OdicLoader, SimplexTea, Lazarus, Linux
https://blog.polyswarm.io/lightning-framework (#506) - Lightning, /malware/binaries/Lightning, Linux
https://www.bitdefender.com/files/News/CaseStudies/study/319/Bitdefender-PR-Whitepaper-DarkNexus-creat4349-en-EN-interactive.pdf (#518) - DarkNexus, Linux
https://blog.xlab.qianxin.com/mirai-tbot-en/ (#788) - Initial Access, Command and Control, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1133:External Remote Services, attack:T1078:Valid Accounts, attack:T1498:Network Denial of Service, attack:T1027:Obfuscated Files or Information, Mirai, TBOT, Linux, IOT
https://permiso.io/blog/s/legion-mass-spam-attacks-in-aws/ (#681) - Persistence, Impact, Legion, wltm, Linux, Cloud hosted services
https://media.defense.gov/2023/May/09/2003218554/-1/-1/1/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF (#657) - Command and Control, SNAKE, Linux
https://twitter.com/malwaremustd1e/status/1237080802581565440 (#359) - Mozi (by malwaremustdie.org)
https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ (#322) - Turian
https://blog.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies (#496) - Impact, attack:T1486:Data Encrypted for Impact, region:South Korea, vertical:Pharmaceutical, Gwisin, wltm, Linux, VMware, Industrial, Internal specialist services
https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF (#67) - Drovorub
https://imgur.com/a/MuHSZtC (#81) - Mandibule (by malwaremustdie.org)
https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (#720) - Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Impact, attack:T1496:Resource Hijacking, attack:T1608:Stage Capabilities, attack:T1053.003:Cron, attack:T1027.002:Software Packing, attack:T1543.002:Systemd Service, attack:T1037.004:RC Scripts, attack:T1574.006:Dynamic Linker Hijacking, attack:T1036.005:Match Legitimate Name or Location, attack:T1190:Exploit Public-Facing Application, attack:T1110:Brute Force, uses:KillCompetition, XMRig, Rocke, Linux
https://twitter.com/billyleonard/status/1458531997576572929 (#480) - Rekoobe, TSH, TINYSHELL, #481, APT31, Linux
https://old.reddit.com/r/LinuxMalware/comments/a66dsz/ddostf_still_lurking_arm_boxes/ (#72) - DDoSTF (by malwaremustdie.org)
https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/ (#459) - Persistence, Defense Evasion, Linux
https://www.trendmicro.com/en_gb/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html (#111) - Persistence, Privilege Escalation, Impact, attack:T1547.006:Kernel Modules and Extensions, SkidMap
https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/ (#315) - Gafgyt
https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (#8) - Credential Access, Defense Evasion, Discovery, Lateral Movement, Collection, Command and Control, Impact, vertical:Telecomms, attack:T1573.001:Symmetric Cryptography, attack:T1590:Gather Victim Network Information, attack:T1562.004:Disable or Modify System Firewall, attack:T1048.001:Exfiltration Over Unencrypted Non-C2 Protocol, attack:T1021.004:SSH, attack:T1037.004:RC Scripts, attack:T1090.001:Internal Proxy, attack:T1090.002:External Proxy, attack:T1110.003:Password Spraying, #134, SLAPSTICK, STEELCORGI, PingPong, TINYSHELL, CordScan, SIGTRANslator, Fast Reverse Proxy, Microsocks Proxy, ProxyChains, LightBasin, UNC1945, Solaris, Linux, Telecomms, Internal specialist services, Enclave deployment
https://twitter.com/Unit42_Intel/status/1653760405792014336 (#785) - Impact, attack:T1486:Data Encrypted for Impact, wltm, BlackSuite, Linux
https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html (#442) - Impact, attack:T1486:Data Encrypted for Impact, Cheerscrypt, #544, Linux, VMware, Internal enterprise services, Internal specialist services
https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/ (#671) - Persistence, Defense Evasion, Command and Control, Horse Shell, wltm, Camaro Dragon, Linux, IOT, Telecomms
https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool (#405) - attack:T1205.002:Socket Filters, ebpfkit
https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc (#786) - Exfiltration, Impact, location:Israel, attack:T1561.001:Disk Content Wipe, attack:T1485:Data Destruction, attack:T1048.003:Exfiltration Over Unencrypted Non-C2 Protocol, Cyber Toufan, Linux
https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html (#336) - PLEAD
https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (#790) - Initial Access, Execution, Discovery, Lateral Movement, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1059.004:Unix Shell, attack:T1072:Software Deployment Tools, attack:T1083:File and Directory Discovery, attack:T1082:System Information Discovery, attack:T1485:Data Destruction, BiBi-Linux, Linux
https://blog.talosintelligence.com/2018/05/VPNFilter.html (#53) - VPNFilter
https://themittenmac.com/tinyshell-under-the-microscope/ (#617) - TSH, TINYSHELL, #481
https://www.trendmicro.com/en_us/research/21/j/actors-target-huawei-cloud-using-upgraded-linux-malware-.html (#383)
https://twitter.com/avastthreatlabs/status/1430527767855058949 (#492) - HCRootkit, #491, Linux
https://twitter.com/IntezerLabs/status/1288487307369222145 (#331) - TrickBot
https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html (#563) - Command and Control, uses:Go, Alchemist, /malware/binaries/Alchimist, #564, Sysrv?, Linux
https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (#434) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, #420, #418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (#678) - Reconnaissance, Initial Access, Persistence, Privilege Escalation, Defense Evasion, attack:T1594:Search Victim-Owned Websites, attack:T1589:Gather Victim Identity Information, attack:T1589.001:Credentials, attack:T1133:External Remote Services, attack:T1078:Valid Accounts, Legion, wltm, Linux, Cloud hosted services
https://imgur.com/a/qI5Fvm4 (#83) - STD (by malwaremustdie.org)
https://honeynet.onofri.org/scans/scan13/som/som13.txt (#385) - Luckscan, UNC1945
https://xorl.wordpress.com/2022/06/22/the-forgotten-suaveeyeful-freebsd-software-implant-of-the-equation-group/ (#474) - Linux, FreeBSD
https://www.trendmicro.com/en_gb/research/19/f/cryptocurrency-mining-botnet-arrives-through-adb-and-spreads-through-ssh.html (#55) - CoinMiner
https://honeynet.onofri.org/scans/scan13/som/som5.txt (#389) - Luckscan, UNC1945
https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html (#366) - AirDropBot (by malwaremustdie.org)
https://twitter.com/malwrhunterteam/status/1422972905541996546 (#374) - Impact, attack:T1486:Data Encrypted for Impact, Encryptor, Linux, VMware
https://imgur.com/a/5vPEc (#74) - ChinaZ (by malwaremustdie.org)
https://blogs.jpcert.or.jp/en/2023/05/gobrat.html (#682) - Command and Control, uses:Go, GobRAT, Linux, Telecomms
https://twitter.com/IntezerLabs/status/1300403461809491969 (#347) - Dalcs
https://twitter.com/timb_machine/status/1450595881732947968 (#66) - #134, LightBasin, UNC1945, Solaris
https://twitter.com/ESETresearch/status/1415542456360263682 (#368) - ?, #FreeBSD
https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/ (#714) - Initial Access, Defense Evasion, attack:T1190:Exploit Public-Facing Application, attack:T1480.001:Environmental Keying, Mirai, Linux, IOT
https://asec.ahnlab.com/en/45182/ (#603) - Defense Evasion, attack:T1027.009:Embedded Payloads, uses:SHC, Linux
https://blogs-jpcert-or-jp.translate.goog/ja/2023/07/dangerouspassword_dev.html (#721) - Defense Evasion, Command and Control, uses:Python, uses:JavaScript, attack:T1140:Deobfuscate/Decode Files or Information, PythonHTTPBackdoor, wltm, DangerousPassword, CryptoMimic, SnatchCrypto, Linux
https://analyze.intezer.com/files/9b48822bd6065a2ad2c6972003920f713fe2cb750ec13a886efee7b570c111a5 (#106) - Specter, SideWalk, StageClient, wltm
https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/ (#759) - Impact, Octo Tempest, BlackCat, Linux, VMware
https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ (#371) - Ebury
https://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html (#57) - Mirai (by malwaremustdie.org)
https://twitter.com/tolisec/status/1507854421618839564 (#116) - Impact, KinSing
https://www.akamai.com/blog/security/new-p2p-botnet-panchan (#476) - Pan-chan, #477, Linux
https://unit42.paloaltonetworks.com/watchdog-cryptojacking/ (#324) - WatchDog
https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (#770) - Initial Access, Persistence, Defense Evasion, Impact, uses:ProcessTreeSpoofing, uses:TamperedPS, uses:Python, attack:T1140:Deobfuscate/Decode Files or Information, attack:T1496:Resource Hijacking, attack:T1547.006:Kernel Modules and Extensions, attack:T1574.006:Dynamic Linker Hijacking, XHide, XMRig, Diamorphine, libprocesshider, Kiss-a-Dog, Linux, Cloud hosted services
https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/ (#98) - Persistence, Defense Evasion, Command and Control, RotaJakiro, wltm
https://twitter.com/CraigHRowland/status/1628883826738077696/photo/1 (#612) - Defense Evasion, Persistence, attack:T1547.006:Kernel Modules and Extensions
https://pastebin.com/raw/mEape37E (#355) - SystemTen (by malwaremustdie.org)
https://old.reddit.com/r/LinuxMalware/comments/gdte0m/linuxkaiji/ (#340) - Kaiji (by malwaremustdie.org)
https://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/ (#513) - Collection, Impact, Linux
https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw (#660) - Initial Access, attack:T1480:Execution Guardrails, attack:T1562.006:Indicator Blocking, uses:Non-persistentStorage, BOLDMOVE, wltm, Linux, Collaboration across enterprise boundaries
https://conference.hitb.org/hitbsecconf2017ams/materials/D2T4%20-%20Emmanuel%20Gadaix%20-%20A%20Surprise%20Encounter%20With%20a%20Telco%20APT.pdf (#551) - Defense Evasion, Collection, Command and Control, Impact, vertical:Telecomms, uses:Perl, Plexing Eagle, Solaris, Telecomms, Internal specialist services
https://cujo.com/threat-alert-krane-malware/ (#391) - Initial Access, Persistence, Defense Evasion, Impact, attack:T1110.003:Password Spraying, attack:T098:Account Manipulation, attack:T1105:Ingress Tool Transfer, attack:T1562.003:Impair Command History Logging, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1082:System Information Discovery, attack:T1018:Remote System Discovery, attack:T1021:Remote Services, uses:Non-persistentStorage, Krane, wltm
http://www.foo.be/cours/dess-20042005/report/bigwar.html#sc (#386) - sc (similar code to luckscan)
https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html (#490) - uses:Go, Manjusaka, Linux
https://csirt.egi.eu/attacks-on-multiple-hpc-sites/ (#376) - HPC
https://blog.sekoia.io/walking-on-apt31-infrastructure-footprints/ (#478) - #480, Rekoobe, TSH, #481, APT31, Linux
https://vblocalhost.com/conference/presentations/shades-of-red-redxor-linux-backdoor-and-its-chinese-origins/ (#408) - Linux
https://www.varonis.com/blog/alphv-blackcat-ransomware (#109) - Impact, BlackCat, #512
https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/kessel-dns-exfiltration-2/ (#372) - Kessel
https://www.cadosecurity.com/legion-an-aws-credential-harvester-and-smtp-hijacker/ (#679) - Initial Access, Persistence, Impact, Legion, wltm, Linux, Cloud hosted services
https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (#686) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, Linux
https://www.kroll.com/en/insights/publications/cyber/inside-the-systembc-malware-server (#784) - Command and Control, Exfiltration, uses:PHP, attack:T1090:Proxy, attack:T1071.001:Web Protocols, SystemBC, Linux
https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/ (#105) - Specter, SideWalk, StageClient
https://www.signalblur.io/through-the-looking-glass (#756) - Impact, attack:T1486:Data Encrypted for Impact, wltm, RedAlert, Conti, BlackBasta, Sodinokibi, REvil, BlackMatter, DarkSide, Defray777, RansomEXX, HelloKitty, ViceSociety, Royal, BlackSuit, RTM Locker, Hive, GonnaCry, Erebus, eChOraix, QNAPCrypt, Cylance, Polaris, Linux, VMware, Internal enterprise services, Internal specialist services
https://imgur.com/a/N3BgY (#73) - ChinaZ, GoARM (by malwaremustdie.org)
https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux (#685) - Impact, RTM Locker, Linux
https://blogs.vmware.com/security/2021/09/hellokitty-the-victims-perspective.html (#546) - Impact, attack:T1486:Data Encrypted for Impact, wltm, Linux
https://blog.talosintelligence.com/lazarus-collectionrat/ (#752) - Command and Control, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, DeimosC2, #751, HiddenCobra, Lazarus, APT38, Linux
https://unit42.paloaltonetworks.com/blackcat-ransomware/ (#108) - Impact, BlackCat, #512
https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html (#58) - Mirai (by malwaremustdie.org)
https://news.drweb.com/show/?i=14646&lng=en&c=23 (#602) - Initial Access, Command and Control, WordPressExploit, Linux
https://blog.netlab.360.com/a-new-mining-botnet-blends-its-c2s-into-ngrok-service/ (#343) - NGrok
https://www.akamai.com/blog/security-research/dhpcd-cryptominer-hid-four-years (#578) - Impact, dhcpcd, Linux, IOT
https://twitter.com/malwaremustd1e/status/1265321238383099904 (#317) - Gafgyt (by malwaremustdie.org)
https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (#723) - Defense Evasion, Command and Control, Impact, uses:Python, attack:T1496:Resource Hijacking, attack:T1620:Reflective Code Loading, attack:T1102:Web Service, attack:T1190:Exploit Public-Facing Application, attack:T1105:Ingress Tool Transfer, attack:T1140:Deobfuscate/Decode Files or Information, attack:T1027.002:Software Packing, uses:Non-persistentStorage, PyLoose, XMRig, Linux
https://imgur.com/a/4YxuSfV (#79) - Cayosin (by malwaremustdie.org)
https://blog.exatrack.com/melofee/ (#620) - Reconnaissance, Resource Development, Execution, Persistence, Privilege Escalation, Defense Evasion, Discovery, Command and Control, attack:T1583.001:Domains, attack:T5183.004:Server, attack:T1071.001:Web Protocols, attack:T1587.001:Malware, attack:T1037.004:RC Scripts, attack:T1059.004:Unix Shell, attack:T1132.002:Non-Standard Encoding, attack:T1573.001:Symmetric Cryptography, attack:T1083:File and Directory Discovery, attack:T1592.002:Software, attack:T1564.001:Hidden Files and Directories, attack:T1562.003:Impair Command History Logging, attack:T1070.004:File Deletion, attack:T1599.001:Network Address Translation Traversal, attack:T1095:Non-Application Layer Protocol, attack:T1571:Non-Standard Port, attack:T1027.002:Software Packing, attack:T1027.007:Dynamic API Resolution, attack:T1588.001:Malware, attack:T1588.002:Tool, attack:T1057:Process Discovery, attack:T1572:Protocol Tunneling, attack:T1090:Proxy, attack:T1014:Rootkit, attack:T1608.001:Upload Malware, attack:T1608.002:Upload Tool, attack:T1082:System Information Discovery, attack:T1497.003:Time Based Evasion, Melofee, HelloBot, Linux
https://asec.ahnlab.com/en/54647/ (#707) - Defense Evasion, Credential Access, Command and Control, Impact, attack:T1110:Brute Force, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1496:Resource Hijacking, attack:T1498:Network Denial of Service, uses:IRC, XMRig, ShellBot, MIG Logcleaner, #154, Tsunami, Kaiten, 0x333shadow Log Cleaner, #706, ChinaZ, Linux
https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/ (#114) - HabitsRAT
https://id-ransomware.blogspot.com/2021/11/polaris-ransomware.html (#398) - Polaris
https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt (#320) - Gafgyt
https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/ (#360) - Rhombus (by malwaremustdie.org)
https://asec.ahnlab.com/ko/55070/ (#709) - Command and Control, Defense Evasion, #722, attack:T1036.005:Match Legitimate Name or Location, attack:T1573.001:Symmetric Encryption, uses:ProcessTreeSpoofing, Rekoobe, TINYSHELL, APT31, Linux, Solaris
https://raw.githubusercontent.com/bg6cq/ITTS/master/security/mine/README.md (#352) - ITTS
https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439) - Initial Access, Credential Access, Impact, attack:T1078:Valid Accounts, attack:T1100:Brute Force, attack:T1498:Network Denial of Service, attack:T1053.003:Cron, attack:T1105:Ingress Tool Transfer, attack:T1027:Obfuscated Files or Information, attack:T1014:Rootkit, attack:T1082:System Information Discovery, attack:T1003.007:Proc Filesystem, attack:T1562.001:Disable or Modify Tools, attack:T1037.004:RC Scripts, attack:T1070.004:File Deletion, attack:T1036.005:Match Legitimate Name or Location, uses:Non-persistentStorage, uses:ioctl, uses:PortHiding, #129, uses:ProcessTreeSpoofing, XorDDoS, Rooty, Linux
https://old.reddit.com/r/LinuxMalware/comments/f26amt/new_systemten_botnet_miner_threat_now_wother/ (#357) - SystemTen (by malwaremustdie.org)
https://securelist.com/the-penquin-turla-2/67962/ (#593) - Persistence, Defense Evasion, Command and Control, Penquin, Turla, Linux
https://sansec.io/research/cronrat (#399) - Defense Evasion, Command and Control, uses:Non-persistentStorage, attack:T1053.003:Cron, attack:T1027:Obfuscated Files or Information, attack:T1001.003:Protocol Impersonation, attack:T1036.005:Match Legitimate Name or Location, vertical:Retail, CronRAT, wltm, Linux
https://cyberplace.social/@GossiTheDog/110516069484635011 (#703) - Resource Development, BPFDoor, /malware/binaries/BPFDoor, Linux
https://twitter.com/IntezerLabs/status/1338480158249013250 (#301) - Promotei
https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar (#375) - PRISM
https://asec.ahnlab.com/en/50316/ (#621) - Defense Evasion, Discovery, Command and Control, Impact, attack:T1036.005:Match Legitimate Name or Location, attack:T1499:Endpoint Denial of Service, attack:T1082:System Information Discovery, attack:T1095:Non-Application Layer Protocol, uses:ProcessTreeSpoofing, uses:Non-persistentStorage, uses:RedirectionToNull, DDoSClient, ChinaZ, Linux
https://netadr.github.io/blog/a-quick-glimpse-sbz/ (#596) - Persistence, Defense Evasion, attack:T1027:Obfuscated Files or Information, SBZ, wltm, Equation Group, Solaris
https://imgur.com/a/a6RaZMP (#87) - Honda Car's Panel's Rootkit from China #Android (by malwaremustdie.org)
https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ (#339) - Kaiji
https://www.stormshield.com/news/orbit-analysis-of-a-linux-dedicated-malware/ (#601) - Persistence, Privilege Escalation, OrBit, /malware/binaries/OrBit, Linux
https://twitter.com/CraigHRowland/status/1523266585133457408 (#424) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, #418, DecisiveArchitect, Linux
https://imgur.com/a/y5BRx (#86) - r57shell (by malwaremustdie.org)
http://www.cverc.org.cn/head/zhaiyao/news20220218-1.htm (#113) - NOPEN
https://www.mandiant.com/resources/unc3524-eye-spy-email (#414) - Resource Development, Persistence, Defense Evasion, Lateral Movement, attack:T1021.004:SSH, attack:T1027:Obfuscated Files or Information, attack:T1037.004:RC Scripts, attack:T1584:Compromise Infrastructure, QUIETEXIT, unc3524, Linux, IOT, Internal enterprise services, Device agent/gateway deployment
https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors (#729) - Persistence, Command and Control, SEASPY, #730, SUBMARINE, #731, Linux
https://twitter.com/IntezerLabs/status/1291355808811409408 (#346) - Carbanak
https://imgur.com/a/57uOiTu (#80) - DDoSMan (by malwaremustdie.org)
https://www.virustotal.com/gui/file/bf3ebc294870a6e743f021f4e18be75810149a1004b8d7c8a1e91f35562db3f5/detection (#644) - Impact, attack:T1486:Data Encrypted for Impact, LockBit, /malware/binaries/Multios.Ransomware.Lockbit, Linux
https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-exploited-to-attack-gaming-servers/ (#319) - Gafgyt
https://twitter.com/xnand_/status/1676336329985077249 (#710) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, #711, #724, Linux
https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-docker-control-api-and-community-image-abused-to-deliver-cryptocurrency-mining-malware/ (#344) - NGrok
https://twitter.com/malwaremustd1e/status/1379028201075187716 (#365) - DGAbot (by malwaremustdie.org)
https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/ (#471) - HiddenWasp, Linux
https://blog.sucuri.net/2023/04/balada-injector-synopsis-of-a-massive-ongoing-wordpress-malware-campaign.html (#637) - Initial Access, Balada, Linux, Hosting, Consumer, Cloud hosted services
https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (#715) - Reconnaissance, Initial Access, Execution, Persistence, Defense Evasion, Credential Access, Discovery, Command and Control, Impact, attack:T1525:Implant Internal Image, attack:T1595:Active Scanning, attack:T1496:Resource Hijacking, attack:T1613:Container and Resource Discovery, attack:T1190:Exploit Public-Facing Application, attack:T1059:Command and Scripting Interpreter, attack:T1610:Deploy Container, attack:T1222:File and Directory Permissions Modification, attack:T1036:Masquerading, attack:T1132:Data Encoding, attack:T1552.005:Cloud Instance Metadata API, attack:T1082:System Information Discovery, attack:T1071.001:Web Protocols, attack:T1090.003:Multi-hop Proxy, Tsunami, TeamTNT, Linux
https://twitter.com/malwaremustd1e/status/1251758225919115264 (#361) - Persistence, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux
https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ (#314) - Gafgyt
https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor (#547) - Command and Control, Exfiltration, uses:LD_PRELOAD, wltm, Linux
https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (#586) - Reconnaissance, Initial Access, Defense Evasion, Lateral Movement, Command and Control, Exfiltration, Impact, uses:Go, attack:T1133:External Remote Services, attack:T1021:Remote Services, attack:T1021.004:SSH, attack:T1078.001:Default Accounts, attack:T1110:Brute Force, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1499:Endpoint Denial of Service, attack:T1498:Network Denial of Service, attack:T1496:Resource Hijacking, uses:CrossCompiled, Kmsdbot, Linux, IOT
https://imgur.com/a/53f29O9 (#61) - Mirai (by malwaremustdie.org)
https://old.reddit.com/r/LinuxMalware/comments/7qd27e/linuxss_aka_shark_hacktool_syn_scanner_wpcap/ (#71) - SS, Shark (by malwaremustdie.org)
https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign (#727) - Initial Access, Command and Control, Impact, XMRig, Linux
https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (#778) - Reconnaissance, Initial Access, Persistence, Privilege Escalation, Defense Evasion, Impact, attack:T1496:Resource Hijacking, uses:k8s, attack:T1140:Deobfuscate/Decode Files or Information, uses:Python, attack:T1611:Escape to Host, attack:T1562.008:Disable or Modify Cloud Logs, attack:T1027.004:Compile After Delivery, attack:T1547.006:Kernel Modules and Extensions, attack:T1574.006:Dynamic Linker Hijacking, uses:ProcessTreeSpoofing, attack:T1190:Exploit Public-Facing Application, attack:T1595.002:Vulnerability Scanning, uses:ModifyServerShell, delivery:Redis, uses:Redis, XMRig, Diamorphine, libprocesshider, Pnscan, Zgrab, Masscan, Kiss-A-Dog, TeamTNT, Linux, Cloud hosted services
https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ (#470) - Lightning, /malware/binaries/Lightning, Linux
https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/ (#65) - Qemu, #134, LightBasin, UNC1945
https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group (#544) - Initial Access, Discovery, Lateral Movement, Collection, Impact, attack:T1486:Data Encrypted for Impact, Cheerscrypt, Emperor Dragonfly, Linux, VMware
https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (#643) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, attack:T1573:Encrypted Channel, attack:T1106:Native API, attack:T1059.004: Unix Shell, attack:T1070.004:File Deletion, attack:T1036.004:Masquerade Task or Service, attack:T1070.006:Timestomp, uses:RedirectionToNull, uses:Non-persistentStorage, attack:T1036.005:Match Legitimate Name or Location, uses:ProcessTreeSpoofing, attack:T1562.004:Disable or Modify System Firewall, BPFDoor, /malware/binaries/BPFDoor, Unix.Backdoor.RedMenshen, Linux, Solaris
https://asec.ahnlab.com/en/51908/ (#650) - Impact, Defense Evasion, uses:ProcessTreeSpoofingBindMountProc, #550, KONO DIO DA, XMRig, Linux
https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/ (#56) - LemonDuck
https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/ (#306) - QNAPCrypt, eCh0raix
https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/ (#656) - Impact, attack:T1486:Data Encrypted for Impact, Cl0p, wltm, Linux, Internal enterprise services
https://www.group-ib.com/blog/krasue-rat/ (#797) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, uses:AbnormalSignal, attack:T1071:Application Layer Protocol, uses:RTSP, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1205:Traffic Signaling, Krasue, Diamorphine, #217, Suterusu, #491, Rooty, #440, Linux
https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version (#309) - REvil
https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html (#698) - Impact, BlackSuit, Linux
https://imgur.com/a/8mFGk (#70) - httpsd (by malwaremustdie.org)
https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (#623) - Initial Access, Defense Evasion, Command and Control, Impact, attack:T1105:Ingress Tool Transfer, attack:T1071.001:Web Protocols, attack:T1071.002:File Transfer Protocol, attack:T1499:Endpoint Denial of Service, attack:T1480:Execution Guardrails, HinataBot, Linux, Consumer
https://www.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies (#758) - Persistence, Defense Evasion, Impact, attack:T1486:Data Encrypted for Impact, Gwisin, Spirit, Linux, VMware
https://www.trendmicro.com/en_ca/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html (#380) - Persistence, Defense Evasion, Impact, KinSing
https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (#693) - Persistence, Defense Evasion, Discovery, Command and Control, attack:T1037.004:RC Scripts, attack:T1543.002:Systemd Service , attack:T1036:Masquerading: Match Legitimate Name or Location , attack:T1070.004:File Deletion , attack:T1222:File and Directory Permissions Modification , attack:T1564.001:Hidden Files and Directories , attack:T1082:System Information Discovery , attack:T1057:Process Discovery , attack:T1071.004:DNS, Sotdas, Linux
https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (#90) - Impact, uses:k8s, uses:Non-persistentStorage, attack:T1190:Exploit Public-Facing Application, attack:T1505.003:Web Shell, attack:T1105:Ingress Tool Transfer, attack:T1053.003:Cron, attack:T1037.004:RC Scripts, Muhstik, wltm
https://sysdig.com/blog/ssh-snake/ (#801) - Defense Evasion, Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, attack:T1027:Obfuscated Files or Information, #791, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services
https://twitter.com/billyleonard/status/1417910729005490177 (#69) - #329, #131, Zirconium, APT31
https://www.cisa.gov/news-events/analysis-reports/ar23-209b (#730) - Command and Control, #729, SEASPY, wltm, Linux
https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan (#732) - Persistence, Defense Evasion, Command and Control, Linux, Hosting
https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/ (#311) - HelloKitty
https://darrenmartyn.ie/2021/11/29/analysis-of-the-lib__mdma-so-1-userland-rootkit/ (#401) - Persistence, Defense Evasion, #530, lib__mdma
https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (#618) - Persistence, Defense Evasion, uses:Go, attack:T1554:Compromise Client Software Binary, attack:T1546.004:Unix Shell Configuration Modification, attack:T1053.003:Cron, attack:T1543.002:Systemd Service, attack:T1037:Boot or Logon Initialization Scripts, Chaos, /malware/binaries/Chaos, Linux
https://cybersecurity.att.com/blogs/labs-research/internet-of-termites (#517) - Command and Control, Exfiltration, Termite, EarthWorm, Earthwrom, Linux
https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (#321) - Execution, Persistence, Privilege Escalation, Command and Control, Exfiltration, Impact, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1573:Encrypted Channel, attack:T1071.001:Web Protocols, attack:T1053.003:Cron, attack:T1486:Data Encrypted for Impact, DarkSide, UNC2628, UNC2659, UNC2465, Linux
https://github.com/akamai/akamai-security-research/tree/main/malware/panchan (#477) - Pan-chan, /malware/binaries/pan-chan, Linux
https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (#119) - Impact, attack:T1485:Data Destruction, attack:T1053.003:Cron, attack:T1016:System Network Configuration Discovery, attack:T1110.003:Password Spraying, attack:T1490:Inhibit System Recovery, attack:T1027:Obfuscated Files or Information, attack:T1561.001:Disk Content Wipe, attack:T1529:System Shutdown/Reboot, attack:T1007:System Service Discovery, attack:T1021.004:SSH, Industroyer, ORCSHRED, SOLOSHRED, AWFULSHRED, Sandworm, Linux, Solaris, Industrial
https://imgur.com/a/eBF7Mqe (#76) - Haiduc (by malwaremustdie.org) (by malwaremustdie.org)
https://asec.ahnlab.com/en/49769/ (#624) - Initial Access, Command and Control, Impact, attack:T1078:Valid Accounts, attack:T1071.001:Web Protocols, attack:T1499:Endpoint Denial of Service, attack:T1105:Ingress Tool Transfer, ShellBot, Linux, Consumer
https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (#744) - Reconnaissance, Initial Access, Defense Evasion, Lateral Movement, Exfiltration, Impact, uses:Go, attack:T1133:External Remote Services, attack:T1021:Remote Services, attack:T1021.004:SSH, attack:T1078.001:Default Accounts, attack:T1110:Brute Force, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1499:Endpoint Denial of Service, attack:T1498:Network Denial of Service, attack:T1480:Execution Guardrails, Kmsdbot, Linux, IOT
https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf (#407) - Impact, attack:T1567:Financial Theft, #135, FastCash, HiddenCobra, Lazarus, APT38, AIX, Banking, Internal specialist services
https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf (#338) - Persistence, Defense Evasion, Command and Control, Penguin, Penquin_x64, Turla, Linux
https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (#99) - Persistence, Command and Control, attack:T1205:Traffic Signaling, attack:T1205.002:Socket Filters, attack:T1573.002:Symmetric Cryptography, attack:T1573.002:Asymmetric Cryptography, attack:T1082:System Information Discovery, attack:T1547.006:Kernel Modules and Extensions, Bvp47, dewdrop, tipoff, StoicSurgeon, Incision, Equation Group, Linux, Solaris, FreeBSD
https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf (#100) - Cyclops Blink
https://lab52.io/blog/looking-for-penquins-in-the-wild/ (#594) - Persistence, Defense Evasion, Command and Control, Penquin, Turla, Linux
https://www.virusbulletin.com/virusbulletin/2014/07/mayhem-hidden-threat-nix-web-servers (#382) - Mayhem
https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/ (#329) - Zirconium, APT31
https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64) - Defense Evasion, Discovery, Lateral Movement, Collection, Command and Control, Impact, attack:T1602.001:SNMP (MIB Dump), attack:T1070.002:Clear Linux or Mac System Logs, attack:T1046:Network Service Discovery, attack:T1018:Remote System Discovery, attack:T1110.002:Password Cracking, attack:T1110.003:Password Spraying, attack:T1555:Credentials from Password Stores, attack:T1040:Packet Capture, attack:T1071.001:Web Protocols, attack:T1071.002:File Transfer Protocols, attack:T1071.004:DNS, attack:T1021.002:SMB/Windows Admin Shares, attack:T1021.004:SSH, attack:T1021.005:VNC, attack:T1590:Gather Victim Network Information, attack:T1590.002:DNS, attack:T1027.002:Software Packing, attack:T1001:Data Obfuscation, attack:T1070.004:File Deletion, #134, STEELCORGI, netcat, unixcat, netcat-ssl, telnet, traceroute, traceroute-tcp, traceroute-tcpfin, traceroute-udp, traceroute-icmp, traceroute-all, tftpd, HEAD, GET, sniff, nfsshell, ssh, ricochet, axfr, whois, scanip, sctpscan, sdporn, rmiexec, arpmap, whois, who, ahost, resolv, adig, axfr, asrv, aspf, periscope, scanip.sh, aliveips.sh, brutus.pl, enum4linux.pl, mikro, ss, sshu, onesixtyone, snmpgrab, snmpcheck, ciscopush, mikrotik-client, bleach, clean, ssleak, decrypt-vpn, pogo, pogo2, sid-force, sshock, decrypt-cisco, decrypt-vnc, decrypt-cvs, LightBasin, UNC1945, Linux
https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (#441) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, #420, #418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris
https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 (#702) - Initial Access, Discovery, Command and Control, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1057:Process Discovery, attack:T1498:Network Denial of Service, Condi, Linux, IOT
https://imgur.com/a/2zRCt (#318) - Gafgyt (by malwaremustdie.org)
https://github.com/blackberry/threat-research-and-intelligence/raw/main/Talks/2023-01-30%20-%20SANS%20Cyber%20Threat%20Intelligence%20Summit%20%26%20Training%202023/Pedro%20Drimel%2C%20Jose%20Luis%20Sanchez%20Martinez%20-%20Practical%20CTI%20Analysis%20Over%202022%20ITW%20Linux%20Implants.pdf (#613)
https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html (#334) - TSCookie
https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (#524) - Initial Access, Execution, Persistence, Discovery, Lateral Movement, Command and Control, Exfiltration, uses:Go, attack:T1573:Encrypted Channel, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1021.004:SSH, attack:T1057:Process Discovery, attack:T1552.004:Private Keys, attack:T1190:Exploit Public-Facing Application, Chaos, /malware/binaries/Chaos, Linux
https://blog.polyswarm.io/deadbolt-ransomware (#577) - Impact, Deadbolt, Linux, Consumer
http://it.rising.com.cn/fanglesuo/19851.html (#96) - SFile
https://twitter.com/ankit_anubhav/status/1490574137370103808 (#483) - Privilege Escalation, Defense Evasion, Persistence, Command and Control, Log4J, attack:T1548:Abuse Elevation Control Mechanism, #482, Linux
https://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/ (#348) - Rakos
https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/ (#307) - QNAPCrypt, eCh0raix
https://twitter.com/ESETresearch/status/1454100591261667329?s=20 (#390) - Hive
https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability (#572) - Persistence, Impact, Mirai, RAR1Ransom, GuardMiner, Linux
https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability (#337) - Impact, Persistence, Impact, KinSing
https://imgur.com/a/H7YuWuj (#356) - SystemTen (by malwaremustdie.org)
https://www.cadosecurity.com/redis-p2pinfect/ (#741) - Initial Access, Linux
https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ (#297) - FreakOut
https://securityboulevard.com/2021/04/detect-c2-redxor-with-state-based-functionality/ (#548) - Command and Control, Exfiltration, #325, RedXOR, Linux

Malware samples

Malware binaries

https://bazaar.abuse.ch/browse/signature/Gafgyt/ (#128) - Gafgyt, /malware/binaries/Unix.Trojan.Gafgyt
https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (#418) - Persistence, Defense Evasion, Command and Control, #419, #424, #425, #426, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor client?, /malware/binaries/BPFDoor/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c.elf.x86_64, Unix.Backdoor.RedMenshen, Tricephalic Hellkeeper, JustForFun, https://www.hybrid-analysis.com/sample/591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78, DecisiveArchitect, Linux
https://github.com/eset/malware-ioc/tree/master/rakos (#132) - Rakos
https://github.com/darrenmartyn/malware_samples (#530) - Execution, Persistence, Defense Evasion, Discovery, uses:ProcessTreeSpoofing, uses:RedirectionToNull, attack:T1546.004:Unix Shell, attack:T1574.006:Dynamic Linker Hijacking, attack:T1057:Process Discovery, attack:T1036.005:Match Legitimate Name or Location, lib__mdma, Linux
https://bazaar.abuse.ch/browse/tag/Symbiote/ (#460) - Persistence, Defense Evasion, Command and Control, #452, attack:T1205:Traffic Signaling, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1556.003:Pluggable Authentication Modules, attack:T1574.006:Dynamic Linker Hijacking, /malware/binaries/Symbiote, Symbiote, Linux
https://github.com/eset/malware-ioc/tree/master/kobalos (#137) - Kobalos
https://github.com/Caprico1/kinsing (#454) - Persistence, Impact, KinSing, Linux
https://twitter.com/nunohaien/status/1261281420791742464 (#125)
https://github.com/x0rz/EQGRP (#138)
https://github.com/blackorbird/APT_REPORT (#124)
https://www.virustotal.com/gui/file/3b7a06c53ec0f2ce7b9de4cae9e6e765fd18dc1f2ff522c0ccd9c8c3f9e79532/detection (#141) - Linikatz
https://bazaar.abuse.ch/sample/05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d/ (#751) - Command and Control, Exfiltration, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, uses:Go, DeimosC2, /malware/binaries/Unix.Backdoor.DeimosC2, Linux
https://github.com/AngelGuyu/spirit (#757) - Persistence, Defense Evasion, Spirit, Gwisin, Linux
https://bazaar.abuse.ch/browse/tag/blackcat/ (#512) - Impact, #118, #109, #108, #107, #41, BlackCat, /malware/binaries/BlackCat, Linux
https://github.com/hardenedvault/bootkit-samples (#103)
https://bazaar.abuse.ch/sample/d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4/ (#662) - Persistence, Defense Evasion, attack:T1053.003:Cron, uses:Non-persistentStorage, uses:RedirectionToNull, #661, SystemBC, /malware/binaries/SystemBC, Linux
https://bazaar.abuse.ch/browse/tag/elf/ (#122)
https://www.virustotal.com/gui/file/c69ee0f12a900adc654d93aef9ad23ea56bdfae8513e534e1a11dca6666d10aa/detection (#126) - wltm
https://samples.vx-underground.org/samples/Families/VermilionStrike/ (#136) - CobaltStrike, VermilionStrike, /malware/binaries/VermilionStrike
https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (#420) - Persistence, Defense Evasion, Command and Control, #421, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, /malware/binaries/BPFDoor/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a.elf.sparc, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Solaris
https://analyze.intezer.com/files/85e72976b9448295034a8d4c26462b8f1ebe1ca0a4e4b897c7f2404d0de948c2 (#133) - WellMail, wltm, APT29
https://bazaar.abuse.ch/sample/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9/ (#139) - Polaris, /malware/binaries/Unix.Ransomware.Polaris/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9.elf.x86_64
https://samples.vx-underground.org/samples/Families/Fastcash/ (#135) - Impact, FastCash, /malware/binaries/FastCash, HiddenCobra, Lazarus, APT38, AIX, Banking, Internal specialist services, Enclave deployment
https://bazaar.abuse.ch/browse/signature/XorDDoS/ (#129) - Initial Access, Credential Access, Impact, attack:T1078:Valid Accounts, attack:T1100:Brute Force, attack:T1498:Network Denial of Service, XorDDoS, /malware/binaries/Unix.Trojan.Xorddos, /malware/binaries/Unix.Malware.Xorddos, Linux
https://bazaar.abuse.ch/browse/signature/Mirai/ (#127) - Mirai, /malware/binaries/Unix.Exploit.Mirai, /malware/binaries/Unix.Dropper.Mirai, /malware/binaries/Unix.Trojan.Mirai
https://samples.vx-underground.org/APTs/2021/2021.10.11/ (#409) - FontOnLake, /malware/binaries/FontOnLake, Linux
https://github.com/MalwareSamples/Linux-Malware-Samples (#123)
https://tria.ge/s?q=tag%3alinux (#121)
https://bazaar.abuse.ch/sample/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2/ (#140) - SoWaT, /malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips, APT31, Zirconium
https://samples.vx-underground.org/APTs/2020/2020.11.02/ (#134) - /malware/binaries/UNC1945, LightBasin, UNC1945, Solaris
https://www.virustotal.com/gui/file/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2/detection (#131) - SoWaT, /malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips, APT31, Zirconium
https://github.com/tstromberg/malware-menagerie (#795) - Impact, attack:T1496:Resource Hijacking, QubitStrike, StripedFly, Linux

Malware source

https://pastebin.com/raw/kmmJuuQP (#426) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, #418, DecisiveArchitect, Linux
https://packetstormsecurity.com/files/31345/0x333shadow.tar.gz.html (#706) - Defense Evasion, attack:T1070.002:Clear Linux or Mac System Logs, 0x333shadow Log Cleaner, Linux, Solaris, Freebsd, IRIX
https://github.com/vxunderground/MalwareSourceCode/tree/main/Linux (#143)
https://github.com/arialdomartini/morris-worm (#694) - Initial Access, Execution, Discovery, Lateral Movement
https://github.com/chenkaie/junkcode/blob/master/xhide.c (#775) - Defense Evasion, uses:ProcessTreeSpoofing, XHide, Linux
https://github.com/Kabot/mig-logcleaner-resurrected (#154) - Defense Evasion, attack:T1070.002:Clear Linux or Mac System Logs, MIG Logcleaner, UNC2891, Linux, Solaris, BSD
https://pastebin.com/kmmJuuQP (#802) - Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, uses:Non-persistentStorage, uses:ProcessTreeSpoofing, BPFDoor, /malware/binaries/BPFDoor, Unix.Backdoor.RedMenshen, Linux
https://pastebin.com/jkndLHQf (#145) - FinFisher
https://gitlab.com/rav7teif/linux.wifatch (#144) - Initial Access, Persistence, Command and Control, Lateral Movement, Linux.Wifatch
https://github.com/chokepoint/Jynx2 (#531) - Persistence, Defense Evasion, Linux
https://github.com/0x27/sebd-0.2 (#148) - sebd 0.2 source code (a fix of 0.1)
https://github.com/gianlucaborello/libprocesshider (#776) - Defense Evasion, uses:ProcessTreeSpoofing, attack:T1574.006:Dynamic Linker Hijacking, libprocesshider, Linux
https://github.com/jwne/caffsec-malware-analysis/blob/master/mIRChack/pscan2.c (#147) - pscan (similar code to luckscan)
https://github.com/0x27/linux.mirai (#142) - Mirai
http://www.afn.org/~afn28925/wipe.c (#153) - UNC2891
https://packetstormsecurity.com/files/23336/Slx2k001.txt.html (#152) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, UNC2891
https://github.com/shadow1ng/fscan (#564) - Initial Access, Lateral Movement, uses:Go, Alchimist, fscan, /malware/binaries/Alchimist/UPX/fscan, Linux
https://github.com/isdrupter/ziggystartux (#701) - Impact, Linux
https://github.com/NexusBots/Umbreon-Rootkit (#149) - Umbreon Rootkit
https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (#711) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, #710, #724, Linux
https://github.com/HeapAllocate/sterben (#150) - sterben

Malware PoCs

https://github.com/timb-machine-mirrors/phath0m-JadedWraith (#165)
https://github.com/mufeedvh/moonwalk (#208)
https://github.com/m1m1x/memdlopen (#175) - Defense Evasion, attack:T1620:Reflective Code Loading
https://github.com/elfmaster/saruman (#220)
https://github.com/airman604/jdbc-backdoor (#607) - Persistence, Privilege Escalation, Defense Evasion, attack:T1574.002:DLL Side-Loading, Linux, Internal enterprise services, Internal specialist services
https://github.com/ixty/mandibule (#170)
https://github.com/therealdreg/enyelkm (#456) - Persistence, Defense Evasion, Linux
https://github.com/trustedsec/ELFLoader (#416) - Defense Evasion, attack:T1620:Reflective Code Loading, attack:T1027:Obfuscated Files or Information, Linux, Solaris, Cloud hosted services, Internal enterprise services, Internal specialist services, Enterprise with public/Customer-facing services, Device application sandboxing
https://github.com/toffan/binfmt_misc (#431) - Persistence, Privilege Escalation, Defense Evasion, Linux, Device application sandboxing
https://github.com/nurupo/rootkit (#172)
https://github.com/elfmaster/kprobe_rootkit (#223)
https://github.com/reveng007/reveng_rtkit (#669) - Persistence, Privilege Escalation, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attacK:T1548:Abuse Elevation Control Mechanism, Linux
https://github.com/SafeBreach-Labs/backdoros (#213)
https://github.com/codewhitesec/daphne (#740) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, uses:Auditd, Linux
https://github.com/yaoyumeng/adore-ng (#458) - Persistence, Defense Evasion, Linux
https://github.com/aviat/passe-partout (#704) - Credential Access, attack:T1649:Steal or Forge Authentication Certificates, attack:T1563.001:SSH Hijacking, Linux, AIX, Solaris, HP-UX
https://github.com/jermeyyy/rooty (#440) - Persistence, Defense Evasion, #439, attack:T1547.006:Kernel Modules and Extensions, XorDDoS, Linux, Consumer, Cloud hosted services, Device application sandboxing
https://github.com/blendin/3snake (#189)
https://github.com/vfsfitvnm/intruducer (#209)
https://github.com/gaffe23/linux-inject (#210)
https://github.com/fbkcs/msf-elf-in-memory-execution (#203)
https://github.com/R3tr074/brokepkg (#777) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, uses:ProcessTreeSpoofing, uses:AbnormalSignal, uses:TamperCredStruct, uses:HiddenPort, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1573:Encrypted Channel, attack:T1205:Traffic Signaling, BrokePkg, Linux
https://github.com/MegaManSec/SSH-Snake (#791) - Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services
https://github.com/arget13/DDexec (#222)
https://github.com/roddux/santa (#207)
https://github.com/compilepeace/KAAL_BHAIRAV (#202)
https://github.com/X-C3LL/memdlopen-lib (#605) - Defense Evasion, attack:T1620:Reflective Code Loading, Linux
https://github.com/mncoppola/suterusu (#491) - Persistence, Defense Evasion, wltm, Linux
https://github.com/h3xduck/TripleCross (#465) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, Linux
https://github.com/guitmz/midrashim (#664) - Persistence, attack:T1577:Compromise Application Executable, Linux
https://github.com/wunderwuzzi23/Offensive-BPF (#469) - Credential Access, attack:T1205.002:Socket Filters, Linux
https://github.com/SilentVoid13/Silent_Packer (#783) - Defense Evasion, attack:T1027.002:Software Packing, Linux
https://github.com/zephrax/linux-pam-backdoor (#181) - Credential Access, Persistence, Defense Evasion, attack:T1556.003:Pluggable Authentication Modules, Linux
https://github.com/chokepoint/azazel (#191)
https://packetstormsecurity.com/files/author/3859/ (#553) - Persistence, Defense Evasion, uses:DTrace, SInAR, /malware/pocs/SInAR, Archim, Solaris, Internal specialist services, Device application sandboxing
https://github.com/guitmz/go-liora (#663) - Persistence, uses:Go, attack:T1577:Compromise Application Executable, Linux
https://github.com/stealth/devpops (#192) - DevPops by stealth (not really malicious, has guard rails)
https://github.com/timb-machine-mirrors/sar5430-coolkid (#629) - Persistence, Defense Evasion, Linux
https://packetstormsecurity.com/files/22121/cd00r.c.html (#597) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, cd00r, Linux
https://github.com/elfmaster/dt_infect (#219)
https://github.com/f0rb1dd3n/Reptile (#171)
https://gist.github.com/zznop/0117c24164ee715e750150633c7c1782 (#198)
https://hckng.org/articles/perljam-elf64-virus.html (#735) - Persistence, attack:T1554:Compromise Client Software Binary, attack:T1505:Server Software Component, uses:Perl, Linux, AIX, Solaris, HP-UX
https://github.com/Gui774ume/ebpfkit (#151) - Discovery, Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, ebpfkit, Linux
https://github.com/noptrix/fbkit (#684) - Persistence, Privilege Escalation, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1205.002:Socket Filters, attack:T1548.001:Setuid and Setgid, FreeBSD
https://github.com/ONsec-Lab/scripts/tree/master/pam_steal (#195)
https://github.com/mempodippy/vlany (#174)
https://github.com/sad0p/d0zer (#782) - Execution, Persistence, uses:Go, attack:T1625:Hijack Execution Flow, attack:T1204:Malicious File, Linux
https://github.com/codewhitesec/apollon (#734) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, uses:Auditd, Linux
https://github.com/EvelynSubarrow/IridiumScorpion (#183)
https://github.com/nnsee/fileless-elf-exec (#193) - Defense Evasion, attack:T1620:Reflective Code Loading
https://github.com/mav8557/Father (#606) - Persistence, Privilege Escalation, Defense Evasion, attack:T1574.006:Dynamic Linker Hijacking, Linux
https://github.com/Eterna1/puszek-rootkit (#670) - Persistence, Defense Evasion, Credential Access, Discovery, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1040:Network Sniffing, Linux
https://github.com/timb-machine-mirrors/ripmeep-memory-injector (#160)
https://www.guitmz.com/linux-nasty-elf-virus/ (#642) - Persistence, attack:T1577:Compromise Application Executable, attack:T1057:Process Discovery, attack:T1083:File and Directory Discovery, Linux
https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/ (#739) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, #734, #740, Linux
https://github.com/h3xduck/Umbra (#668) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1095:Non-Application Layer Protocol, attack:T1486:Data Encrypted for Impact, attacK:T1548:Abuse Elevation Control Mechanism, Linux
https://github.com/croemheld/lkm-rootkit (#628) - Persistence, Defense Evasion, Privilege Escalation, Exfiltration, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1548:Abuse Elevation Control Mechanism, attack:T1205.001:Port Knocking, attack:T1095:Non-Application Layer Protocol, attack:T1020:Automated Exfiltration, attack:T1048.003:Exfiltration Over Unencrypted Non-C2 Protocol, attack:T1056.001:Keylogging, Linux
https://github.com/rek7/fireELF (#159)
https://github.com/schrodyn/bad_UDP (#453) - Linux
https://github.com/QuokkaLight/rkduck (#667) - Persistence, Defense Evasion, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1056.001:Keylogging, attack:T1564.001:Hidden Files and Directories, attack:T1021.004:SSH, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, Linux
https://github.com/citronneur/pamspy (#466) - Persistence, Defense Evasion, Credential Access, attack:T1205.002:Socket Filters, attack:T1556.003:Pluggable Authentication Modules, Linux
https://github.com/EvelynSubarrow/BismuthScorpion (#182)
https://github.com/liamg/memit (#200)
https://github.com/io-tl/degu-lib (#413) - Linux
https://github.com/elfmaster/linker_preloading_virus (#211)
https://github.com/0x1CA3/parasite (#201) - wltm
https://github.com/kris-nova/boopkit (#221)
https://github.com/tarcisio-marinho/GonnaCry (#486) - Impact, Linux
https://github.com/jtripper/parasite (#169)
https://github.com/alexander-pick/apinject (#608) - Defense Evasion, attack:hT1055.008:Ptrace System Calls, Linux
https://github.com/m0nad/Diamorphine (#217) - Persistence, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, Diamorphine, Linux
https://github.com/elfmaster/skeksi_virus (#224)

Offensive research

Not necessarily malicious code (see Linikatz and unix-privesc-check =)) but interesting capabilities...

Offensive tools

https://github.com/dsnezhkov/zombieant (#793) - Defense Evasion, attack:T1562:Impair Defenses, Linux
https://github.com/Idov31/Sandman (#582) - Persistence, Command and Control, Linux
https://github.com/SkyperTHC/bpf-keylogger (#781) - Credential Access, Collection, uses:eBPF, attack:T1417.001:Keylogging, Linux
https://github.com/liamg/traitor (#687) - Privilege Escalation, Linux
https://github.com/aojea/netkat (#464) - Lateral Movement, Command and Control, attack:T1205.002:Socket Filters, Linux
https://github.com/airbus-seclab/nbutools (#689) - Discovery, Collection, Linux, AIX, Solaris, HP-UX, Banking, CNI, Telecomms, Internal enterprise services
https://github.com/FiloSottile/age (#166)
https://github.com/namazso/linux_injector (#599) - Persistence, attack:T1574.006:Dynamic Linker Hijacking, Linux
https://github.com/sosdave/KeyTabExtract (#206)
https://github.com/CiscoCXSecurity/linikatz (#156) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets, #141
https://github.com/liamg/siphon (#576) - Discovery, Collection, Linux
https://github.com/zMarch/Orc (#161)
https://github.com/CiscoCXSecurity/enum4linux (#178)
https://github.com/huntergregal/mimipenguin (#185)
https://github.com/NixOS/patchelf (#443) - Persistence, attack:T1574.006:Dynamic Linker Hijacking, Linux, Device application sandboxing
https://github.com/timb-machine-mirrors/adamcaudill-EquationGroupLeak/tree/master/Linux (#173)
https://github.com/t3l3machus/Villain (#591) - Command and Control, Linux
https://github.com/controlplaneio/truffleproc (#537) - Privilege Escalation, Credential Access, Linux
https://github.com/eeriedusk/nysm (#761) - Persistence, Linux
https://research.nccgroup.com/2022/01/08/tool-release-insject-a-linux-namespace-injector/ (#585) - Execution, Persistence, Linux, Cloud hosted services
https://github.com/DavidBuchanan314/dlinject (#485) - Linux
https://github.com/Frissi0n/GTFONow (#771) - Privilege Escalation, attack:T1548:Abuse Elevation Control Mechanism, Linux
https://github.com/io-tl/Mara (#487) - Linux
https://github.com/NetDirect/nfsshell (#164)
https://github.com/stealth/injectso (#589) - Defense Evasion, Linux
https://github.com/Ne0nd0g/merlin (#545) - Command and Control, Exfiltration, uses:Go, Merlin, Linux
https://github.com/blacklanternsecurity/KCMTicketFormatter (#519) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets, Linux, Internal enterprise services, Enhanced identity governance
https://github.com/DeimosC2/DeimosC2 (#652) - Command and Control, Exfiltration, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, uses:Go, DeimosC2, /malware/binaries/Unix.Backdoor.DeimosC2, Linux
https://chromium.googlesource.com/linux-syscall-support/ (#533) - Linux
https://github.com/hackerschoice/ssh-key-backdoor (#672) - Persistence, Defense Evasion, Linux, AIX, Solaris, HP-UX
https://github.com/TH3xACE/SUDO_KILLER (#162) - Privilege Escalation
https://github.com/TarlogicSecurity/tickey (#184)
https://github.com/milabs/khook (#212)
https://github.com/IvanGlinkin/AutoSUID (#204)
https://github.com/pmorjan/kmod (#654) - Persistence, Privilege Escalation, uses:Go, attack:T1547.006:Kernel Modules and Extensions, Linux
https://github.com/ciscocxsecurity/unix-privesc-check (#157) - Privilege Escalation
https://github.com/vbpf/ebpf-samples (#215) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1620:Reflective Code Loading, Device application sandboxing
https://github.com/willshiao/node-bash-obfuscate (#190)
https://github.com/anko/xkbcat (#691) - Credential Access, Collection, attack:T1056.001:Keylogging, Linux, AIX, Solaris, HP-UX, Consumer, Internal enterprise services
https://github.com/timb-machine-mirrors/CoolerVoid-casper-fs (#216)
https://github.com/naksyn/Pyramid (#630) - Persistence, Command and Control, Linux
https://github.com/rebootuser/LinEnum (#158)
https://github.com/sevagas/swap_digger (#515) - Credential Access, Linux
https://github.com/oldboy21/LDAP-Password-Hunter (#167)
https://gtfobins.github.io/ (#179)
https://github.com/AlessandroZ/LaZagne (#155)
https://github.com/elfmaster/maya (#504) - Defense Evasion, Linux, Device application sandboxing
https://github.com/nicocha30/ligolo-ng (#699) - Command and Control, Exfiltration, Linux
https://github.com/guitmz/memrun (#592) - Defense Evasion, attack:T1620:Reflective Code Loading, uses:Non-persistentStorage, Linux
https://packetstormsecurity.com/files/download/23045/statdx-scan.tar.gz (#146) - Reconnaissance, pscan (similar code to luckscan)
https://github.com/ropnop/kerbrute (#176)
https://github.com/ropnop/windapsearch (#177)
https://github.com/mnagel/gnome-keyring-dumper (#186)
https://github.com/MatheuZSecurity/D3m0n1z3dShell (#773) - Persistence, Linux
https://github.com/CiscoCXSecurity/sudo-parser (#163) - Privilege Escalation
https://github.com/akawashiro/sloader (#521) - Defense Evasion, Linux
https://github.com/fireeye/SSSDKCMExtractor (#520) - attack:T1558:Steal or Forge Kerberos Tickets, Linux, Internal enterprise services, Enhanced identity governance
https://github.com/DavidBuchanan314/stelf-loader (#738) - Execution, Defense Evasion, uses:ProcessTreeSpoofing, uses:Non-persistentStorage, Linux
https://github.com/netifera/netifera (#194)
https://github.com/JonathonReinhart/nosecmem (#180)
https://github.com/metac0rtex/SSH-Key-Brute-Forcer (#489) - Initial Access, Lateral Movement, Linux, Enclave deployment
https://github.com/DavidBuchanan314/monomorph (#534) - Defense Evasion, Linux
https://github.com/redcode-labs/Bashark (#168)
https://github.com/NetSPI/sshkey-grab (#619) - Credential Access, attack:T1552.004:Private Keys, attack:T1003.007:Proc Filesystem, attack:T1055.009:Proc Memory, Linux, Enhanced identity governance
https://github.com/alichtman/malware-techniques (#199)
https://github.com/pathtofile/bad-bpf (#205) - uses:BPF
https://github.com/creaktive/tsh (#481) - TSH, TINYSHELL, APT31, UNC2891, LightBasin, Linux
https://github.com/89luca89/pakkero (#718) - Defense Evasion, attack:T1027.002:Software Packing, Linux
https://vulners.com/metasploit/MSF:POST/LINUX/GATHER/GNOME_KEYRING_DUMP/ (#188)

Offensive techniques

https://github.com/0xor0ne/debugoff (#755) - Defense Evasion, uses:Rust, attack:T1622:Debugger Evasion, Linux
https://sonarsource.github.io/argument-injection-vectors/ (#627) - Initial Access, Execution
https://rushter.com/blog/public-ssh-keys/ (#754) - Initial Access, Discovery, Lateral Movement, attack:T1018:Remote System Discovery, attack:T1199:Trusted Relationship, attack:T1021.004:SSH, Linux, AIX, Solaris, HP-UX
http://www.nth-dimension.org.uk/downloads.php?id=77 (#237)
https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html (#251)
https://rp.os3.nl/2016-2017/p97/report.pdf (#234)
https://twitter.com/David3141593/status/1575978540868435968 (#532) - Linux
https://github.com/hakivvi/ermir (#579) - Initial Access, Lateral Movement, Linux, Internal enterprise services
https://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ (#239)
https://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/ (#562) - Persistence, Defense Evasion, Command and Control, Linux, AIX, Solaris
https://tmpout.sh/2/ (#226)
https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (#800) - Defense Evasion, Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, attack:T1027:Obfuscated Files or Information, #791, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services
http://lists.openstack.org/pipermail/openstack/2013-December/004138.html (#244)
http://shell-storm.org/api/?s=arm (#243)
https://www.form3.tech/engineering/content/bypassing-ebpf-tools (#584) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
https://twitter.com/brainsmoke/status/399558997994668033 (#509) - Execution, Linux
https://labs.portcullis.co.uk/presentations/breaking-the-links-exploiting-the-linker/ (#238)
https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (#653) - Initial Access, Credential Access, attack:T1110:Brute Force, attack:T1078:Valid Accounts, Linux, AIX, Solaris, HP-UX, Consumer, Cloud hosted services, Internal enterprise services, Internal specialist services
http://www.foo.be/cours/mssi-20072008/davidoff-clearmem-linux.pdf (#246)
https://packetstormsecurity.com/files/34013/0x4553-Static_Infecting.html (#255)
http://www.hick.org/code/skape/papers/remote-library-injection.pdf (#455) - Persistence, Linux
https://github.com/CiscoCXSecurity/presentations/raw/master/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf (#241) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets
https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html (#575) - Persistence, Privilege Escalation, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, attack:T1562:Impair Defenses, Linux
https://www.cs.dartmouth.edu/~sergey/cs258/2010/spainhower_DT.pdf (#555) - Persistence, Defense Evasion, uses:DTrace, SInAR, #553, #554, Archim, Solaris, Internal specialist services, Device application sandboxing
https://www.guitmz.com/running-elf-from-memory/ (#252)
https://rp.os3.nl/2016-2017/p59/report.pdf (#232)
https://gist.github.com/timb-machine/7bd75479ee29aee8762952ea16908eb0 (#197) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, attack:T1202:Indirect Command Execution, Linux, AIX, Solaris, HP-UX, Device application sandboxing, Trust algorithm
http://archive.hack.lu/2019/Fileless-Malware-Infection-and-Linux-Process-Injection-in-Linux-OS.pdf (#242) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Device application sandboxing
https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html (#683) - Defense Evasion, attack:T1629.003:Disable or Modify Tools, attack:T1547.006:Kernel Modules and Extensions, uses:Auditd, Linux
https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf (#245)
https://sysdig.com/blog/ebpf-offensive-capabilities/ (#768) - Persistence, Defense Evasion, uses:eBPF, Linux
https://gist.github.com/timb-machine/602d1a4dace4899babc1b6b5345d24b2 (#550) - Defense Evasion, attack:T1562:Impair Defenses, Linux
https://pbs.twimg.com/media/FSi1m3gXsAA79yF?format=jpg&name=medium (#428) - Persistence, Linux, Device application sandboxing
https://www.archcloudlabs.com/projects/debuginfod/ (#796) - Command and Control, Exfiltration, attack:T1071:Application Layer Protocol, attack:T1567:Exfiltration Over Web Service, Linux
https://medium.com/confluera-engineering/reflective-code-loading-in-linux-a-new-defense-evasion-technique-in-mitre-att-ck-v10-da7da34ed301 (#250)
https://www.akamai.com/blog/security-research/linux-lateral-movement-more-than-ssh (#708) - Lateral Movement, Linux, AIX, Solaris, HP-UX
https://rosesecurityresearch.com/crafting-malicious-pluggable-authentication-modules-for-persistence-privilege-escalation-and-lateral-movement (#772) - Persistence, Defense Evasion, Credential Access, attack:T1556.003:Pluggable Authentication Modules, Linux
https://www.blackhat.com/presentations/bh-dc-08/Beauchamp-Weston/Whitepaper/bh-dc-08-beauchamp-weston-WP.pdf (#556) - Persistence, Defense Evasion, uses:DTrace, Solaris, Internal specialist services, Device application sandboxing
microsoft/SysmonForLinux#83 (#648) - Defense Evasion, Linux
https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (#461) - Persistence, Defense Evasion, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, Linux, AIX, Solaris, HP-UX, Trust algorithm
https://tmpout.sh/1/ (#225)
https://c3media.vsos.ethz.ch/congress/2004/papers/057%20SUN%20Bloody%20Daft%20Solaris%20Mechanisms.pdf (#554) - Persistence, Defense Evasion, uses:DTrace, SInAR, #553, Archim, Solaris, Internal specialist services, Device application sandboxing
https://github.com/elfmaster/scop_virus_paper (#253)
https://twitter.com/HuskyHacksMK/status/1578413641669308416 (#541) - Defense Evasion, Linux, AIX, Solaris, HP-UX
https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (#705) - Persistence, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attacK:T1548:Abuse Elevation Control Mechanism, #669, Linux
http://hick.org/code/skape/papers/needle.txt (#557) - Persistence, Defense Evasion, Linux
https://github.com/rapid7/ssh-badkeys (#538) - Initial Access, Linux, AIX, Solaris, HP-UX
https://devilinside.me/blogs/becoming-rat-your-system (#256)
https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal (#665) - Initial Access, attack:T1190:Exploit Public-Facing Application, Mirai, Linux, IOT, Consumer
https://www.first.org/resources/papers/telaviv2019/Rezilion-Shlomi-Butnaro-Beyond-Whitelisting-Fileless-Attacks-Against-L....pdf (#231) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Device application sandboxing
https://blog.doyensec.com/2022/10/11/ebpf-bypass-security-monitoring.html (#567) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
https://is.muni.cz/el/fi/jaro2011/PV204/um/LinuxRootkits/sys_call_table_complete.htm (#254) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions
https://www.sentinelone.com/blog/shadow-suid-for-privilege-persistence-part-1/ (#430) - Persistence, Privilege Escalation, Defense Evasion, Linux, Device application sandboxing
https://grugq.github.io/docs/ul_exec.txt (#463) - Persistence, Defense Evasion, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, Linux, Trust algorithm
https://medium.com/verint-cyber-engineering/linux-threat-hunting-primer-part-ii-69484f58ac92 (#247)
https://blog.vibri.us/BeyondTrust-AD-Bridge-Open-Post-Exploitation/ (#635) - Credential Access, Discovery, attack:T1087.002:Domain Account, Linux, Internal enterprise services
https://rp.os3.nl/2016-2017/p59/presentation.pdf (#233)
https://gtfoargs.github.io/ (#626) - Initial Access, Execution
https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/ (#236)
https://grugq.github.io/docs/subversiveld.pdf (#473) - Linux
https://github.com/milabs/awesome-linux-rootkits (#9) - Persistence, Linux
https://blog.talosintelligence.com/2018/12/PortcullisActiveDirectory.html (#240) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets
https://n0.lol/ (#227)
https://www.elastic.co/guide/en/security/master/binary-executed-from-shared-memory-directory.html (#611) - Defense Evasion
https://twitter.com/Alh4zr3d/status/1577649651376791552 (#540) - Defense Evasion, Linux, AIX, Solaris, HP-UX
https://twitter.com/Alh4zr3d/status/1578406155453276160 (#539) - Defense Evasion, Linux, AIX, Solaris, HP-UX
https://sysdig.com/blog/containers-read-only-fileless-malware/ (#415) - Persistence, Defense Evasion, attack:T1202:Indirect Command Execution, attack:T1620:Reflective Code Loading, uses:Non-persistentStorage, uses:k8s, Linux, Cloud hosted services, Device application sandboxing
https://blog.fbkcs.ru/en/elf-in-memory-execution/ (#249)
https://github.com/CiscoCXSecurity/linikatz/issues (#230)
https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf (#248)
https://rp.os3.nl/2016-2017/p97/presentation.pdf (#235)
https://www.tarlogic.com/blog/how-to-attack-kerberos/ (#229)
https://buzzchronicles.com/Mollyycolllinss/b/internet/7795/ (#475) - Linux
https://blog.xpnsec.com/linux-process-injection-aka-injecting-into-sshd-for-fun/ (#558) - Persistence, Defense Evasion, Linux
http://www.ouah.org/LKM_HACKING.html (#257) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions
https://2018.zeronights.ru/wp-content/uploads/materials/09-ELF-execution-in-Linux-RAM.pdf (#436) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Linux, Device application sandboxing
https://vxug.fakedoma.in/papers.html (#228)
https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (#462) - Defense Evasion, Discovery, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, attack:T1057:Process Discovery, attack:T1620:Reflective Code Loading, Linux, AIX, Solaris, HP-UX, Trust algorithm

Defensive research

Defensive tools

https://www.volatilityfoundation.org/releases-vol3 (#457) - Persistence, Defense Evasion, Linux, Consumer, Cloud hosted services, Internal enterprise services, Internal specialist services, Enterprise with public/Customer-facing services, Device application sandboxing
https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/ (#276)
https://twitter.com/inversecos/status/1527188391347068928 (#435) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris, Device application sandboxing
https://github.com/M00NLIG7/ChopChopGo (#674) - Defense Evasion, Linux
https://github.com/NozomiNetworks/upx-recovery-tool (#535) - Defense Evasion, attack:T1027.002:Software Packing, Linux
https://github.com/snapattack/bpfdoor-scanner (#437) - Persistence, Defense Evasion, Command and Control, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205.002:Socket Filters, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect
https://github.com/monnappa22/Limon (#258)
https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (#449) - Persistence, Defense Evasion, Credential Access, Command and Control, #156, #418, #420, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1005:Data from Local System, attack:T1083:File and Directory Discovery, attack:T1003:OS Credential Dumping, attack:T1558:Steal or Forge Kerberos Tickets, BPFDoor, Linikatz, Linux
https://github.com/Gui774ume/krie (#498) - Defense Evasion, Privilege Escalation, Persistence, uses:eBPF, attack:T1620:Reflective Code Loading, attack:T1574:Hijack Execution Flow, attack:T1068:Exploitation for Privilege Escalation, attack:T1562.001:Disable or Modify Tools, attack:T1548:Abuse Elevation Control Mechanism, Linux
https://bazaar.abuse.ch/ (#259)
https://grsecurity.net/tetragone_a_lesson_in_security_fundamentals (#450) - Persistence, Privilege Escalation, Defense Evasion, Linux
https://medium.com/confluera-engineering/detection-and-response-for-linux-reflective-code-loading-malware-this-is-how-21f9c7d8a014 (#278)
https://github.com/Gui774ume/ebpfkit-monitor (#467) - Persistence, Defense Evasion, Discovery, Command and Control, Linux
https://twitter.com/timb_machine/status/1523253031382687744 (#421) - Command and Control, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, #420, DecisiveArchitect, Solaris
https://github.com/threathunters-io/laurel (#581) - Defense Evasion, Linux
https://github.com/sandflysecurity/sandfly-entropyscan (#632) - Defense Evasion, Linux
https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought/ (#274)
https://github.com/sourque/louis (#411) - Linux, Device application sandboxing
https://youtu.be/16_EAsYAApI (#438) - Linux
https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (#569) - Persistence, Defense Evasion, Command and Control, #568, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, #420, #418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505 (#451) - Linux
https://github.com/avilum/secimport (#748) - Persistence, Defense Evasion, Linux
https://tbhaxor.com/hunting-malicious-binaries-in-containers/ (#272)
https://github.com/vmware/kernel-event-collector-module (#271) - Carbon Black
https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/ (#277)
https://github.com/signalblur/impelf (#647) - Defense Evasion, Linux
https://twitter.com/ldsopreload/status/1582780282758828035 (#571) - Persistence, Defense Evasion, Command and Control, #570, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, #420, #418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
https://github.com/tstromberg/sunlight (#794) - Defense Evasion, uses:eBPF, Linux
https://github.com/chainguard-dev/osquery-defense-kit (#574) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Command and Control, Exfiltration, Linux
https://github.com/op7ic/unix_collector (#266) - Solaris, Linux, AIX, OS X
https://github.com/0xrawsec/kunai (#749) - Defense Evasion, Linux
https://www.rfxn.com/projects/linux-malware-detect/ (#261)
https://twitter.com/ldsopreload/status/1583178316286029824 (#568) - Persistence, Defense Evasion, Command and Control, #569, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, #420, #418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
https://blog.blockmagnates.com/hunt-linux-malware-with-cgroups-497733095a94 (#472) - Linux
https://github.com/falcosecurity/falco (#412) - Linux, Device application sandboxing
https://github.com/david942j/seccomp-tools (#590) - Defense Evasion, Linux
https://github.com/evilsocket/ebpf-process-anomaly-detection (#497) - Execution, Linux
https://github.com/alex-cart/LEAF (#445) - Linux
https://github.com/marin-m/vmlinux-to-elf (#726) - Defense Evasion, attack:T1601:Modify System Image, Linux
https://github.com/sandflysecurity/sandfly-file-decloak (#634) - Defense Evasion, Linux
https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Fixing-A-Memory-Forensics-Blind-Spot-Linux-Kernel-Tracing-wp.pdf (#423) - Persistence, Privilege Escalation, Defense Evasion, Credential Access, Collection, Command and Control, Exfiltration, Linux
https://github.com/Achiefs/fim (#779) - Defense Evasion, Linux
https://elfdigest.com/ (#262)
https://github.com/hardenedvault/ved-ebpf (#737) - Execution, Privilege Escalation, Defense Evasion, attack:T1574:Hijack Execution Flow, attack:T1548.001:Setuid and Setgid, attack:T1620:Reflective Code Loading, attack:T1068:Exploitation for Privilege Escalation, uses:eBPF, Linux
https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/ (#268)
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/mitre-att-amp-ck-technique-coverage-with-sysmon-for-linux/ba-p/2858219 (#269)
https://elastic.github.io/security-research/intelligence/2022/03/03.dirty-pipe/article/ (#265)
https://github.com/niveb/NoCrypt (#673) - Impact, attack:T1486:Data Encrypted for Impact, attack:T1547.006:Kernel Modules and Extensions, Linux
https://github.com/tclahr/uac (#583) - Persistence, Defense Evasion, Linux
https://github.com/ancat/egrets (#218)
https://github.com/sandflysecurity/sandfly-processdecloak (#633) - Defense Evasion, Linux
https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (#570) - Persistence, Defense Evasion, Command and Control, #571, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, #420, #418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
https://github.com/504ensicsLabs/LiME (#187)
https://github.com/CYB3RMX/Qu1cksc0pe (#696) - Defense Evasion, Linux
https://github.com/chriskaliX/Hades (#514) - Linux
https://github.com/nikhilh-20/ELFEN (#764) - Defense Evasion, Linux
https://github.com/elfmaster/avu32 (#273)
https://github.com/sqall01/LSMS (#610) - Defense Evasion, Linux
https://www.virustotal.com/gui/ (#260)
https://github.com/jafarlihi/modreveal (#609) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions, Linux
https://github.com/deepfence/ebpfguard (#697) - Defense Evasion, Linux
https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/ (#275)
https://tria.ge/ (#263)

Defensive techniques

https://redcanary.com/blog/ebpf-for-security/ (#270) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading
https://github.com/rung/threat-matrix-cicd (#10) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Lateral Movement, Exfiltration, Impact, Linux
https://redcanary.com/blog/process-streams/ (#494) - Lateral Movement, Command and Control, Exfiltration, uses:bash, uses:ksh93, attack:T1059:Command and Scripting Interpreter, attack:T1095:Non-Application Layer Protocol, Linux, Enclave deployment
https://blog.virustotal.com/2023/12/sigma-rules-for-linux-and-macos_20.html (#774) - Defense Evasion, Linux
https://www.mandiant.com/sites/default/files/2022-03/wp-linux-endpoint-hardening.pdf (#675) - Defense Evasion, Linux
https://www.forensicxlab.com/posts/inodes/ (#522) - Defense Evasion, Linux
https://blog.trailofbits.com/2021/11/09/all-your-tracing-are-belong-to-bpf/ (#747) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
https://archive.org/details/HalLinuxForensics (#560) - Defense Evasion, Linux
https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html (#559) - Defense Evasion, Linux
https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (#499) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, attack:T1574:Hijack Execution Flow, attack:T1068:Exploitation for Privilege Escalation, Linux
https://blog.trailofbits.com/2023/08/09/use-our-suite-of-ebpf-libraries/ (#736) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
https://blog.trailofbits.com/2023/09/25/pitfalls-of-relying-on-ebpf-for-security-monitoring-and-some-solutions/ (#762) - Execution, Persistence, Privilege Escalation, Defense Evasion, Linux
https://github.com/cr0nx/awesome-linux-attack-forensics-purplelabs (#712) - Defense Evasion, Linux
https://righteousit.wordpress.com/2021/12/21/hudaks-honeypot-part-2/ (#39) - honeypot, Linux
https://www.youtube.com/watch?v=Zig-inHOhII (#561) - Defense Evasion, Linux
https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (#719) - Execution, Persistence, Privilege Escalation, Defense Evasion, attack:T1574:Hijack Execution Flow, attack:T1204:User Execution, attack:T1218:System Binary Proxy Execution, attack:T1036.003:Rename System Utilities, Linux, AIX, Solaris, HP-UX
https://twitter.com/CraigHRowland/status/1593102427276050433 (#587) - Persistence, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, Linux
https://blog.aquasec.com/detecting-ebpf-malware-with-tracee (#745) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
https://github.com/archcloudlabs/BSidesRoc2022_Linux_Malware_Analysis_Course (#264)
https://sandflysecurity.com/blog/detecting-evasive-linux-backdoors-presentation/ (#760) - Persistence, Defense Evasion, Command and Control, Linux
https://darrenmartyn.ie/2021/07/05/procfs-bash-tricks-and-detecting-cowrie/ (#528) - Persistence, Defense Evasion, Linux, Device application sandboxing
https://righteousit.wordpress.com/2021/12/20/hudaks-honeypot-part-1/ (#38) - honeypot, Linux
https://github.com/timb-machine/obscure-forensics (#267)
https://github.com/anelshaer/Remote-Linux-Triage-Collection-using-OSquery (#529) - Linux
https://github.com/DevinRTK/rtk-eLibrary (#631) - Persistence, Defense Evasion, Discovery, Collection, Linux, Cloud hosted services, Internal enterprise services, Internal specialist services, Multi-cloud/Cloud-to-cloud enterprise

Defensive Yara

Personal rules

enterpriseapps2.yara (#283) - Hunts for enterprise app binaries
unixredflags3.yara (#285) - Hunts for UNIX red flags
aix.yara (#280) - Hunts for AIX binaries
ciscotools.yara (#279) - Hunts for references to our tools
luckscan.yara (#286) - Hunts for references to luckscan
canvasspectre.yara (#284) - Hunts for CANVAS Spectre
enterpriseunix2.yara (#282) - Hunts for enterprise UNIX binaries
pscan.yara (#287) - Hunts for references to pscan
adonunix2.yara (#281) - Hunts for binaries that attack AD on UNIX

Other rules

https://github.com/Yara-Rules/rules (#288)
https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar (#419) - attack:T1205.002:Socket Filters, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, #418, DecisiveArchitect, Linux

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

linux-malware

Press/academia

In the wild

Breach reports

Supply chain attacks

Malware reports

Malware samples

Malware binaries

Malware source

Malware PoCs

Offensive research

Offensive tools

Offensive techniques

Defensive research

Defensive tools

Defensive techniques

Defensive Yara

Personal rules

Other rules

About

Releases

Packages

Contributors 8

Languages

License

timb-machine/linux-malware

Folders and files

Latest commit

History

Repository files navigation

linux-malware

Press/academia

In the wild

Breach reports

Supply chain attacks

Malware reports

Malware samples

Malware binaries

Malware source

Malware PoCs

Offensive research

Offensive tools

Offensive techniques

Defensive research

Defensive tools

Defensive techniques

Defensive Yara

Personal rules

Other rules

About

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Contributors 8

Languages

Packages