Rolling 7 day view of updates from this repo
- https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ (#19) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/ (#638) - Resource Development, Impact, attack:T1486:Data Encrypted for Impact, timb-machine#644, uses:CrossCompiled, LockBit, Linux, Internal specialist services
- https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf (#23) - various SSH, Bonadan, Kessel, Chandrila
- https://blog.trendmicro.com/trendlabs-security-intelligence/unix-a-game-changer-in-the-ransomware-landscape/ (#35)
- https://www.linuxexperten.com/library/e-resources/linux-malware-ever-growing-list-2023 (#622) - Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, Linux
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (#422) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, timb-machine#420, timb-machine#418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris
- https://www.fireeye.com/blog/threat-research/2021/09/elfant-in-the-room-capa-v3.html (#34)
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ (#22) - AgeLocker, WellMail, TrickBot, IPStorm, Turla, QNAPCrypt, Carbanak
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf (#101) - Defense Evasion, Command and Control, Exfiltration, Impact, attack:T1486:Data Encrypted for Impact, XMRig, Hello Kitty, timb-machine#546, REvil, DarkSide, BlackMatter, Defray777, ViceSociety, Erebus, GonnaCry, eChoraix, Sysrv, TeamTNT, Mexalz, Omelette, WatchDog, Kinsing, Cobalt Strike, Vermillion Strike, Merlin, timb-machine#545, timb-machine#547, RedXOR, timb-machine#548, ACBackdoor, timb-machine#549, ELF_Plead, Linux, VMware, Internal enterprise services, Internal specialist services
- https://en.wikipedia.org/wiki/Mirai_(malware) (#18) - Initial Access, Persistence, Defense Evasion, Credential Access, Discovery, Lateral Movement, Impact, Mirai
- https://github.com/CiscoCXSecurity/presentations/raw/master/The%20UNIX%20malware%20landscape%20-%20Reviewing%20the%20goods%20at%20MALWAREbazaar%20v5.pdf (#448)
- https://malpedia.caad.fkie.fraunhofer.de/ (#29)
- https://ieeexplore.ieee.org/document/8418602 (#25)
- https://www.zdnet.com/article/hacker-exposes-thousands-of-insecure-desktops-that-anyone-can-remotely-view/ (#33)
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations (#32)
- https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Dumont-H-Porcher-dark_side_of_the_forsshe.pdf (#24) - various SSH, Bonadan, Kessel, Chandrila
- https://reyammer.io/publications/2018_oakland_linuxmalware.pdf (#28)
- https://wikileaks.org/vault7/ (#31)
- http://s3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf (#27)
- https://gist.github.com/vlamer/2c2ec2ca80a84ab21a32 (#26)
- https://rp.os3.nl/ (#30)
- https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html (#37)
- https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf (#21) - WINNTI
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf (#417) - LootRat, PLEAD, TSCookie, RotaJakiro1, Red Djinn, Red Nue, Scarlet Joke, Ocean Lotus, APT32, Linux
- https://securelist.com/top-10-unattributed-apt-mysteries/107676/ (#552) - Metador, Plexing Eagle, wltm, Linux, Solaris, Telecomms
- https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/ (#40)
- https://en.wikipedia.org/wiki/Linux_malware (#17) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, DarkSide
- https://spectrum.ieee.org/amp/mirai-botnet-2659993631 (#676) - Initial Access, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1498:Network Denial of Service, attack:T1499:Endpoint Denial of Service, Mirai, Linux, Consumer
- https://www.darkreading.com/attacks-breaches/blackcat-purveyor-shows-ransomware-operators-have-nine-lives (#41) - Impact, BlackCat, timb-machine#512
- https://www.group-ib.com/resources/threat-research/oldgremlin.html (#573) - Impact, OldGremlin, Linux
- https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf (#20) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, LaZagne, Dalcs, Mirai, Gafgyt, Tsunami, IPStorm, Wellmess, FritzFrog, Linux
- https://twitter.com/1ZRR4H/status/1560662815400407040 (#507) - Initial Access, Peer2Profit, Linux
- https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm (#42) - GoDaddy
- https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ (#446) - Initial Access, Linux
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677) - Reconnaissance, Initial Access, Persistence, Defense Evasion, Discovery, Collection, Impact, attack:T1593:Search Open Websites/Domains, attack:T1190:Exploit Public-Facing Application, attack:T1078.004:Cloud Accounts, attack:T1526:Cloud Service Discovery, attack:T1619:Cloud Storage Object Discovery, attack:T1069:Permission Groups Discovery, attack:T1069.003:Cloud Groups, attack:T1602:Data from Configuration Repository, attack:T1213.003:Code Repositories, attack:T1098:Account Manipulation, attack:T1098.003:Additional Cloud Roles, attack:T1136:Create Account, attack:T1136.003:Cloud Account, attack:T1036:Masquerading, attack:T1021.004:SSH, attack:T1578:Modify Cloud Compute Infrastructure, attack:T1578.002:Create Cloud Instance, attack:T1525:Implant Internal Image, attack:T1496:Resource Hijacking, GUI-vil, Linux, Hosting, Cloud hosted services
- https://lwn.net/Articles/371110/ (#291) - e107 CMS
- https://www.webmin.com/exploit.html (#43) - Webmin
- https://portswigger.net/daily-swig/homebrew-bug-allowed-researcher-full-access-to-github-repos (#290) - Homebrew
- https://www.aldeid.com/wiki/Exploits/proftpd-1.3.3c-backdoor (#44) - ProFTPd
- https://portswigger.net/daily-swig/backdoor-planted-in-php-git-repository-after-server-hack (#48) - PHP
- https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html (#49) - VsFTPd
- canonical/snapcraft.io#651 (#296) - Snapcraft
- https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor/ (#45) - UnrealIRCd
- https://lists.archlinux.org/pipermail/aur-general/2018-July/034169.html (#523) - timb-machine#525, wltm, Linux
- https://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155 (#46) - Horde Webmail
- https://www.heise.de/security/meldung/Achtung-Anzeigen-Server-OpenX-enthaelt-eine-Hintertuer-1929769.html (#295) - OpenX
- https://blog.sonatype.com/newly-found-npm-malware-mines-cryptocurrency-on-windows-linux-macos-devices (#294) - Impact, delivery:NPM, uses:JavaScript, attack:T1195.001:Compromise Software Dependencies and Development Tools, wltm
- https://securelist.com/beware-of-backdoored-linux-mint-isos/73893/ (#543) - Initial Access, Command and Control, Impact, Tsunami, Kaiten, Linux
- https://arstechnica.com/information-technology/2012/09/questions-abound-as-malicious-phpmyadmin-backdoor-found-on-sourceforge-site/ (#47) - PHPMyAdmin
- https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero (#495) - Impact, delivery:PyPI, uses:Python, attack:T1620:Reflective Code Loading, attack:T1070.004:File Deletion, attack:T1195.001:Compromise Software Dependencies and Development Tools, wltm, Linux
- https://lirantal.medium.com/a-snyks-post-mortem-of-the-malicious-event-stream-npm-package-backdoor-40be813022bb (#293) - event-stream
- https://news.ycombinator.com/item?id=17501379 (#525) - Linux
- https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain/ (#289) - "Octopus Scanner" (Netbeans) attack
- http://www.h-online.com/open/news/item/MyBB-downloads-were-infected-1366300.html (#292) - MyBB
- https://www.trendmicro.com/en_us/research/21/j/actors-target-huawei-cloud-using-upgraded-linux-malware-.html (#383)
- https://www.cadosecurity.com/legion-an-aws-credential-harvester-and-smtp-hijacker/ (#679) - Initial Access, Persistence, Impact, Legion, wltm, Linux, Cloud hosted services
- https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf (#100) - Cyclops Blink
- https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html (#442) - Impact, attack:T1486:Data Encrypted for Impact, Cheerscrypt, timb-machine#544, Linux, VMware, Internal enterprise services, Internal specialist services
- https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html (#58) - Mirai (by malwaremustdie.org)
- https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys/ (#680) - Initial Access, Persistence, Androxgh0st, wltm, Linux, Cloud hosted services
- https://www.gosecure.net/blog/2018/02/14/chaos-a-stolen-backdoor-rising/ (#395) - uses:Go, Chaos (sebd), /malware/binaries/Chaos
- https://twitter.com/tolisec/status/1507854421618839564 (#116) - Impact, KinSing
- https://blogs.vmware.com/security/2021/09/hellokitty-the-victims-perspective.html (#546) - Impact, attack:T1486:Data Encrypted for Impact, wltm, Linux
- https://zhuanlan.zhihu.com/p/348960748 (#403) - Impact, Command and Control, Lateral Movement, Persistence, Cloud Shovel
- https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html (#614) - Command and Control, Persistence, SysUpdate, IronTiger
- https://twitter.com/IntezerLabs/status/1338480158249013250 (#301) - Promotei
- https://imgur.com/a/5vPEc (#74) - ChinaZ (by malwaremustdie.org)
- https://blog.sekoia.io/walking-on-apt31-infrastructure-footprints/ (#478) - timb-machine#480, Rekoobe, TSH, timb-machine#481, APT31, Linux
- https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (#643) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, attack:T1573:Encrypted Channel, attack:T1106:Native API, attack:T1059.004: Unix Shell, attack:T1070.004:File Deletion, attack:T1036.004:Masquerade Task or Service, attack:T1070.006:Timestomp, uses:RedirectionToNull, uses:Non-persistentStorage, attack:T1036.005:Match Legitimate Name or Location, uses:ProcessTreeSpoofing, attack:T1562.004:Disable or Modify System Firewall, BPFDoor, /malware/binaries/BPFDoor, Unix.Backdoor.RedMenshen, Linux, Solaris
- https://imgur.com/a/H7YuWuj (#356) - SystemTen (by malwaremustdie.org)
- https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ (#655) - Initial Access, Persistence, Privilege Escalation, attack:T1566.001:Spearphishing Attachment, attack:T1546.004:Unix Shell Configuration Modification, uses:RedirectionToNull, uses:Go, wltm, OdicLoader, SimplexTea, Lazarus, Linux
- https://twitter.com/xnand_/status/1676336329985077249 (#710) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, timb-machine#711, timb-machine#724, Linux
- https://old.reddit.com/r/LinuxMalware/comments/gdte0m/linuxkaiji/ (#340) - Kaiji (by malwaremustdie.org)
- https://securelist.com/the-penquin-turla-2/67962/ (#593) - Persistence, Defense Evasion, Command and Control, Penquin, Turla, Linux
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439) - Initial Access, Credential Access, Impact, attack:T1078:Valid Accounts, attack:T1100:Brute Force, attack:T1498:Network Denial of Service, attack:T1053.003:Cron, attack:T1105:Ingress Tool Transfer, attack:T1027:Obfuscated Files or Information, attack:T1014:Rootkit, attack:T1082:System Information Discovery, attack:T1003.007:Proc Filesystem, attack:T1562.001:Disable or Modify Tools, attack:T1037.004:RC Scripts, attack:T1070.004:File Deletion, attack:T1036.005:Match Legitimate Name or Location, uses:Non-persistentStorage, uses:ioctl, uses:PortHiding, timb-machine#129, uses:ProcessTreeSpoofing, XorDDoS, Rooty, Linux
- https://news.drweb.com/show/?i=14646&lng=en&c=23 (#602) - Initial Access, Command and Control, WordPressExploit, Linux
- https://twitter.com/malwaremustd1e/status/1265321238383099904 (#317) - Gafgyt (by malwaremustdie.org)
- https://news.sophos.com/en-us/2020/12/16/systembc/ (#62) - SystemBC
- https://www.cisa.gov/news-events/analysis-reports/ar23-209b (#730) - Command and Control, timb-machine#729, SEASPY, wltm, Linux
- https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/ (#360) - Rhombus (by malwaremustdie.org)
- https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability (#337) - Impact, Persistence, Impact, KinSing
- https://blog.talosintelligence.com/2018/06/vpnfilter-update.html (#54) - VPNFilter
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (#321) - Execution, Persistence, Privilege Escalation, Command and Control, Exfiltration, Impact, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1573:Encrypted Channel, attack:T1071.001:Web Protocols, attack:T1053.003:Cron, attack:T1486:Data Encrypted for Impact, DarkSide, UNC2628, UNC2659, UNC2465, Linux
- https://csirt.egi.eu/attacks-on-multiple-hpc-sites/ (#376) - HPC
- https://sansec.io/research/cronrat (#399) - Defense Evasion, Command and Control, uses:Non-persistentStorage, attack:T1053.003:Cron, attack:T1027:Obfuscated Files or Information, attack:T1001.003:Protocol Impersonation, attack:T1036.005:Match Legitimate Name or Location, vertical:Retail, CronRAT, wltm, Linux
- https://xorl.wordpress.com/2022/06/22/the-forgotten-suaveeyeful-freebsd-software-implant-of-the-equation-group/ (#474) - Linux, FreeBSD
- https://imgur.com/a/lAQ1tMQ (#78) - HelloBot (by malwaremustdie.org)
- https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github (#97) - Botenago
- https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (#618) - Persistence, Defense Evasion, uses:Go, attack:T1554:Compromise Client Software Binary, attack:T1546.004:Unix Shell Configuration Modification, attack:T1053.003:Cron, attack:T1543.002:Systemd Service, attack:T1037:Boot or Logon Initialization Scripts, Chaos, /malware/binaries/Chaos, Linux
- https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/ (#566) - Impact, XMRig, Sysrv, wltm, Linux
- https://blog.malwarebytes.com/cybercrime/2022/03/a-new-rootkit-comes-to-an-atm-near-you/ (#120) - CAKETAP, UNC2891, Solaris
- https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (#527) - Defense Evasion, Discovery, Execution, Persistence, Privilege Escalation, attack:T1036.005:Match Legitimate Name or Location, attack:T1059:Command and Scripting Interpreter, attack:T1569:System Service, attack:T1569.002:Service Execution, attack:T1543:Create or Modify System Process, attack:T1027:Obfuscated Files or Information, uses:Non-persistantStorage, attack:T1057:Process Discovery, attack:T1070.004:File Deletion, attack:T1546.004:Unix Shell, exploit:CVE-2021-3493, exploit:CVE-2021-4034, timb-machine#510, Shikitega, /malware/binaries/Shikitega, XMRig, Linux
- https://imgur.com/a/MuHSZtC (#81) - Mandibule (by malwaremustdie.org)
- https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/ (#526) - Metador, wltm, Linux
- https://imgur.com/a/57uOiTu (#80) - DDoSMan (by malwaremustdie.org)
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (#658) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, attack:T1573:Encrypted Channel, attack:T1106:Native API, BPFDoor, /malware/binaries/BPFDoor, Linux
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (#434) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, timb-machine#420, timb-machine#418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
- https://mp-weixin-qq-com.translate.goog/s/pd6fUs5TLdBtwUHauclDOQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp (#588) - Persistence, Defense Evasion, Command and Control, attack:T1027:Obfuscated Files or Information, caja, wltm, Linux
- https://imgur.com/a/4YxuSfV (#79) - Cayosin (by malwaremustdie.org)
- http://it.rising.com.cn/fanglesuo/19851.html (#96) - SFile
- https://atdotde.blogspot.com/2020/05/high-performance-hackers.html (#377) - HPC
- https://id-ransomware.blogspot.com/2021/11/polaris-ransomware.html (#398) - Polaris
- https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt (#320) - Gafgyt
- https://www.trendmicro.com/en_gb/research/19/f/cryptocurrency-mining-botnet-arrives-through-adb-and-spreads-through-ssh.html (#55) - CoinMiner
- https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/ (#459) - Persistence, Defense Evasion, Linux
- https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html (#336) - PLEAD
- https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (#623) - Initial Access, Defense Evasion, Command and Control, Impact, attack:T1105:Ingress Tool Transfer, attack:T1071.001:Web Protocols, attack:T1071.002:File Transfer Protocol, attack:T1499:Endpoint Denial of Service, attack:T1480:Execution Guardrails, HinataBot, Linux, Consumer
- https://www.cisa.gov/news-events/analysis-reports/ar23-209a (#731) - Persistence, timb-machine#729, SUBMARINE, wltm, Linux
- https://twitter.com/malwaremustd1e/status/1251758225919115264 (#361) - Persistence, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux
- https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html (#63) - timb-machine#134, SLAPSTICK, LightBasin, UNC1945, Solaris
- https://twitter.com/billyleonard/status/1458531997576572929 (#480) - Rekoobe, TSH, TINYSHELL, timb-machine#481, APT31, Linux
- https://asec.ahnlab.com/en/45182/ (#603) - Defense Evasion, attack:T1027.009:Embedded Payloads, uses:SHC, Linux
- https://twitter.com/malwaremustd1e/status/1264417940742389762 (#316) - Gafgyt (by malwaremustdie.org)
- https://twitter.com/IntezerLabs/status/1272915284148531200 (#341) - Lazarus
- https://old.reddit.com/r/LinuxMalware/comments/f26amt/new_systemten_botnet_miner_threat_now_wother/ (#357) - SystemTen (by malwaremustdie.org)
- https://asec.ahnlab.com/en/54647/ (#707) - Defense Evasion, Credential Access, Command and Control, Impact, attack:T1110:Brute Force, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1496:Resource Hijacking, attack:T1498:Network Denial of Service, uses:IRC, XMRig, ShellBot, MIG Logcleaner, timb-machine#154, Tsunami, Kaiten, 0x333shadow Log Cleaner, timb-machine#706, ChinaZ, Linux
- https://imgur.com/a/vS7xV (#75) - CarpeDiem (by malwaremustdie.org)
- https://www.intezer.com/blog/malware-analysis/linux-rekoobe-operating-with-new-undetected-malware-samples/ (#479) - Rekoobe, APT31, Linux
- https://blog.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies (#496) - Impact, attack:T1486:Data Encrypted for Impact, region:South Korea, vertical:Pharmaceutical, Gwisin, wltm, Linux, VMware, Industrial, Internal specialist services
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ (#750) - Initial Access, Persistence, Defense Evasion, Command and Control, Impact, attack:T1547.006:Kernel Modules and Extensions, SkidMap, Linux
- https://cujo.com/iot-malware-journals-prometei-linux/ (#300) - Promotei
- https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ (#117) - AcidRain
- https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor (#547) - Command and Control, Exfiltration, uses:LD_PRELOAD, wltm, Linux
- https://www.sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/ (#402) - Cloud Shovel
- https://permiso.io/blog/s/legion-mass-spam-attacks-in-aws/ (#681) - Persistence, Impact, Legion, wltm, Linux, Cloud hosted services
- https://mp.weixin.qq.com/s/BSfKTlMlOnNlsWKjV1NM8w (#394) - NAMO
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (#510) - Execution, Persistence, Defense Evasion, attack:T1036.005:Match Legitimate Name or Location, attack:T1059:Command and Scripting Interpreter, attack:T1569:System Service, attack:T1569.002:Service Execution, attack:T1543:Create or Modify System Process, attack:T1027:Obfuscated Files or Information, uses:Non-persistantStorage, attack:T1057:Process Discovery, attack:T1070.004:File Deletion, attack:T1546.004:Unix Shell, exploit:CVE-2021-3493, Shikitega, /malware/binaries/Shikitega, Linux
- https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html (#59) - Mirai (by malwaremustdie.org)
- https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware (#639) - Command and Control, AP36, Transparent Tribe, Poseidon, Linux
- https://blog.polyswarm.io/lightning-framework (#506) - Lightning, /malware/binaries/Lightning, Linux
- https://conference.hitb.org/hitbsecconf2017ams/materials/D2T4%20-%20Emmanuel%20Gadaix%20-%20A%20Surprise%20Encounter%20With%20a%20Telco%20APT.pdf (#551) - Defense Evasion, Collection, Command and Control, Impact, vertical:Telecomms, uses:Perl, Plexing Eagle, Solaris, Telecomms, Internal specialist services
- https://www.mandiant.com/resources/unc3524-eye-spy-email (#414) - Resource Development, Persistence, Defense Evasion, Lateral Movement, attack:T1021.004:SSH, attack:T1027:Obfuscated Files or Information, attack:T1037.004:RC Scripts, attack:T1584:Compromise Infrastructure, QUIETEXIT, unc3524, Linux, IOT, Internal enterprise services, Device agent/gateway deployment
- https://www.virusbulletin.com/virusbulletin/2014/07/mayhem-hidden-threat-nix-web-servers (#382) - Mayhem
- https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (#678) - Reconnaissance, Initial Access, Persistence, Privilege Escalation, Defense Evasion, attack:T1594:Search Victim-Owned Websites, attack:T1589:Gather Victim Identity Information, attack:T1589.001:Credentials, attack:T1133:External Remote Services, attack:T1078:Valid Accounts, Legion, wltm, Linux, Cloud hosted services
- https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html (#366) - AirDropBot (by malwaremustdie.org)
- https://honeynet.onofri.org/scans/scan13/som/som5.txt (#389) - Luckscan, UNC1945
- https://twitter.com/IntezerLabs/status/1288487307369222145 (#331) - TrickBot
- https://asec.ahnlab.com/en/49769/ (#624) - Initial Access, Command and Control, Impact, attack:T1078:Valid Accounts, attack:T1071.001:Web Protocols, attack:T1499:Endpoint Denial of Service, attack:T1105:Ingress Tool Transfer, ShellBot, Linux, Consumer
- https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/ (#52) - GodLua
- https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/ (#327) - TeamTNT, Mimipenguin
- https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf (#370) - Kobalos, #bsd, #solaris, #aix
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (#720) - Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Impact, attack:T1496:Resource Hijacking, attack:T1608:Stage Capabilities, attack:T1053.003:Cron, attack:T1027.002:Software Packing, attack:T1543.002:Systemd Service, attack:T1037.004:RC Scripts, attack:T1574.006:Dynamic Linker Hijacking, attack:T1036.005:Match Legitimate Name or Location, attack:T1190:Exploit Public-Facing Application, attack:T1110:Brute Force, uses:KillCompetition, XMRig, Rocke, Linux
- https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/ (#91) - Muhstik
- https://twitter.com/cyb3rops/status/1523227511551033349 (#425) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, timb-machine#418, DecisiveArchitect, Linux
- https://vms.drweb.com/virus/?i=21004786 (#433) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
- https://www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spam-servers/ (#68) - Mumblehard
- https://imgur.com/a/a6RaZMP (#87) - Honda Car's Panel's Rootkit from China #Android (by malwaremustdie.org)
- https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/ (#690) - Command and Control, attack:T1572:Protocol Tunneling, ChamelDoh, wltm, ChamelGang, Linux
- https://honeynet.onofri.org/scans/scan13/som/som13.txt (#385) - Luckscan, UNC1945
- https://analyze.intezer.com/files/9b48822bd6065a2ad2c6972003920f713fe2cb750ec13a886efee7b570c111a5 (#106) - Specter, SideWalk, StageClient, wltm
- https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ (#297) - FreakOut
- https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html (#501) - Initial Access, Command and Control, uses:MiMi, uses:ElectronJS, rshell, wltm, Iron Tiger, Emissary Panda, APT27, Bronze Union, LuckyMouse, Linux, Collaboration across enterprise boundaries, Device application sandboxing
- https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/ (#444) - EnemyBot, Linux
- https://cybersecurity.att.com/blogs/labs-research/internet-of-termites (#517) - Command and Control, Exfiltration, Termite, EarthWorm, Earthwrom, Linux
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (#452) - Persistence, Defense Evasion, Command and Control, attack:T1205:Traffic Signaling, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1556.003:Pluggable Authentication Modules, attack:T1574.006:Dynamic Linker Hijacking, timb-machine#460, Symbiote, Linux
- https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (#686) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, Linux
- https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analysis (#393) - Conti
- https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/ (#110) - b1txor20
- https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool (#405) - attack:T1205.002:Socket Filters, ebpfkit
- https://twitter.com/CraigHRowland/status/1628883826738077696/photo/1 (#612) - Defense Evasion, Persistence, attack:T1547.006:Kernel Modules and Extensions
- https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/ (#307) - QNAPCrypt, eCh0raix
- https://old.reddit.com/r/LinuxMalware/comments/a66dsz/ddostf_still_lurking_arm_boxes/ (#72) - DDoSTF (by malwaremustdie.org)
- https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/ (#350) - Stantinkos
- https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (#700) - Persistence, Defense Evasion, Credential Access, Discovery, Impact, attack:T1110:Brute Force, uses:SHC, attack:T1057:Process Discovery, attack::T1003.008:/etc/passwd and /etc/shadow, attack:T1098.004:SSH Authorized Keys, attack:T1556:Modify Authentication Process, Reptile, timb-machine#171, Diamorphine, timb-machine#217, ZiggyStarTux, timb-machine#701, Linux, IOT, Consumer
- https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (#716) - Defense Evasion, Credential Access, Discovery, Command and Control, attack:T1110.003:Password Spraying, attack:T1057:Process Discovery, attack:T1082:System Information Discovery, attack:T1480.001:Environmental Keying, attack:T1573:Encrypted Channel, AVrecon, timb-machine#717, Linux, IOT
- https://twitter.com/IntezerLabs/status/1291355808811409408 (#346) - Carbanak
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (#604) - Initial Access, attack:T1190:Exploit Public-Facing Application, attack:T1078.001:Default Accounts, KinSing, Linux
- https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/ (#311) - HelloKitty
- https://www.cadosecurity.com/redis-p2pinfect/ (#741) - Initial Access, Linux
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (#468) - Persistence, Defense Evasion, uses:LD_PRELOAD, attack:T1574.006:Dynamic Linker Hijacking, attack:T1548.001:Setuid and Setgid, attack:T1556.003:Pluggable Authentication Modules, attack:T1027:Obfuscated Files or Information, attack:T1082:System Information Discovery, attack:T1562.001:Disable or Modify Tools, attack:T1003.007:Proc Filesystem, attack:T1563.001:SSH Hijacking, uses:PortHiding, uses:Non-persistentStorage, OrBit, /malware/binaries/OrBit, Linux
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64) - Defense Evasion, Discovery, Lateral Movement, Collection, Command and Control, Impact, attack:T1602.001:SNMP (MIB Dump), attack:T1070.002:Clear Linux or Mac System Logs, attack:T1046:Network Service Discovery, attack:T1018:Remote System Discovery, attack:T1110.002:Password Cracking, attack:T1110.003:Password Spraying, attack:T1555:Credentials from Password Stores, attack:T1040:Packet Capture, attack:T1071.001:Web Protocols, attack:T1071.002:File Transfer Protocols, attack:T1071.004:DNS, attack:T1021.002:SMB/Windows Admin Shares, attack:T1021.004:SSH, attack:T1021.005:VNC, attack:T1590:Gather Victim Network Information, attack:T1590.002:DNS, attack:T1027.002:Software Packing, attack:T1001:Data Obfuscation, attack:T1070.004:File Deletion, timb-machine#134, STEELCORGI, netcat, unixcat, netcat-ssl, telnet, traceroute, traceroute-tcp, traceroute-tcpfin, traceroute-udp, traceroute-icmp, traceroute-all, tftpd, HEAD, GET, sniff, nfsshell, ssh, ricochet, axfr, whois, scanip, sctpscan, sdporn, rmiexec, arpmap, whois, who, ahost, resolv, adig, axfr, asrv, aspf, periscope, scanip.sh, aliveips.sh, brutus.pl, enum4linux.pl, mikro, ss, sshu, onesixtyone, snmpgrab, snmpcheck, ciscopush, mikrotik-client, bleach, clean, ssleak, decrypt-vpn, pogo, pogo2, sid-force, sshock, decrypt-cisco, decrypt-vnc, decrypt-cvs, LightBasin, UNC1945, Linux
- https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/ (#65) - Qemu, timb-machine#134, LightBasin, UNC1945
- https://twitter.com/malwrhunterteam/status/1415403132230803460 (#310) - HelloKitty
- https://lab52.io/blog/looking-for-penquins-in-the-wild/ (#594) - Persistence, Defense Evasion, Command and Control, Penquin, Turla, Linux
- https://twitter.com/sethkinghi/status/1397814848549900288 (#717) - Defense Evasion, attack:T1480.001:Environmental Keying, AVrecon, Linux, IOT
- https://twitter.com/IntezerLabs/status/1300403461809491969 (#347) - Dalcs
- https://www.virustotal.com/gui/file/bf3ebc294870a6e743f021f4e18be75810149a1004b8d7c8a1e91f35562db3f5/detection (#644) - Impact, attack:T1486:Data Encrypted for Impact, LockBit, /malware/binaries/Multios.Ransomware.Lockbit, Linux
- https://unit42.paloaltonetworks.com/pgminer-postgresql-cryptocurrency-mining-botnet/ (#351) - PGMiner
- https://imgur.com/a/N3BgY (#73) - ChinaZ, GoARM (by malwaremustdie.org)
- https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html (#490) - uses:Go, Manjusaka, Linux
- https://github.com/blackberry/threat-research-and-intelligence/raw/main/Talks/2023-01-30%20-%20SANS%20Cyber%20Threat%20Intelligence%20Summit%20%26%20Training%202023/Pedro%20Drimel%2C%20Jose%20Luis%20Sanchez%20Martinez%20-%20Practical%20CTI%20Analysis%20Over%202022%20ITW%20Linux%20Implants.pdf (#613)
- https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/ (#306) - QNAPCrypt, eCh0raix
- https://www.trendmicro.com/en_gb/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html (#111) - Persistence, Privilege Escalation, Impact, attack:T1547.006:Kernel Modules and Extensions, SkidMap
- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ (#404) - Hildegard, TeamTNT
- https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits (#392) - Botenago
- https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (#516) - Resource Development, Discovery, Command and Control, attack:T1587.001:Malware, attack:T1016:System Network Configuration Discovery, attack:T1071.001:Web Protocols, attack:T1573.001:Symmetric Cryptography, SideWalk, wltm, SparklingGoblin, Linux
- https://twitter.com/malwrhunterteam/status/1559636227485319168 (#500) - Impact, REvil, wltm, Linux
- https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware (#107) - Impact, BlackCat, timb-machine#512
- https://s.tencent.com/research/report/1177.html (#384)
- https://twitter.com/billyleonard/status/1417910729005490177 (#69) - timb-machine#329, timb-machine#131, Zirconium, APT31
- https://imgur.com/a/y5BRx (#86) - r57shell (by malwaremustdie.org)
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (#432) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, timb-machine#420, timb-machine#418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
- https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites (#598) - Initial Access, Command and Control, uses:Go, GoTrim, Linux, Enterprise with public/Customer-facing services
- https://blog.polyswarm.io/deadbolt-ransomware (#577) - Impact, Deadbolt, Linux, Consumer
- https://twitter.com/CraigHRowland/status/1523266585133457408 (#424) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, timb-machine#418, DecisiveArchitect, Linux
- https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (#90) - Impact, uses:k8s, uses:Non-persistentStorage, attack:T1190:Exploit Public-Facing Application, attack:T1505.003:Web Shell, attack:T1105:Ingress Tool Transfer, attack:T1053.003:Cron, attack:T1037.004:RC Scripts, Muhstik, wltm
- https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ (#371) - Ebury
- https://blogs-jpcert-or-jp.translate.goog/ja/2023/07/dangerouspassword_dev.html (#721) - Defense Evasion, Command and Control, uses:Python, uses:JavaScript, attack:T1140:Deobfuscate/Decode Files or Information, PythonHTTPBackdoor, wltm, DangerousPassword, CryptoMimic, SnatchCrypto, Linux
- https://vblocalhost.com/conference/presentations/shades-of-red-redxor-linux-backdoor-and-its-chinese-origins/ (#408) - Linux
- https://vms.drweb.com/virus/?i=15389228 (#326) - ?
- https://blog.talosintelligence.com/2018/05/VPNFilter.html (#53) - VPNFilter
- https://twitter.com/IntezerLabs/status/1326880812344676352 (#330) - AgeLocker
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf (#625) - Defense Evasion, Command and Control, attack:T1071:Application Layer Protocol, attack:T1071.001:Web Protocols, attack:T1092:Communication Through Removable Media, attack:T1027.002:Software Packing, KEYPLUG, RedGolf, Linux
- https://imgur.com/a/Ak9zICq (#367) - Neko (by malwaremustdie.org)
- http://www.thedarkside.nl/honeypot/microbul.html (#388)
- https://imgur.com/a/LpTN7 (#85) - Elknot (by malwaremustdie.org)
- https://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/ (#348) - Rakos
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (#427) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, timb-machine#420, timb-machine#418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris
- https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version (#309) - REvil
- https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ (#470) - Lightning, /malware/binaries/Lightning, Linux
- https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/kessel-dns-exfiltration-2/ (#372) - Kessel
- https://asec.ahnlab.com/en/55229/ (#722) - Defense Evasion, Command and Control, timb-machine#709, attack:T1036.005:Match Legitimate Name or Location, attack:T1573.001:Symmetric Encryption, uses:ProcessTreeSpoofing, Rekoobe, TINYSHELL, APT31, Linux, Solaris
- https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/ (#325) - RedXOR
- https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials (#50) - TeamTNT
- https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf (#333) - Cloud Snooper
- https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/ (#299) - IPStorm, /malware/binaries/Unix.Trojan.Ipstorm
- https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/ (#671) - Persistence, Defense Evasion, Command and Control, Horse Shell, wltm, Camaro Dragon, Linux, IOT, Telecomms
- https://twitter.com/malwaremustd1e/status/1380637310346096641 (#364) - Ngioweb (by malwaremustdie.org)
- https://unit42.paloaltonetworks.com/blackcat-ransomware/ (#108) - Impact, BlackCat, timb-machine#512
- https://pastebin.com/Z3sXqDCA (#89) - Mozi (by malwaremustdie.org)
- https://twitter.com/timb_machine/status/1450595881732947968 (#66) - timb-machine#134, LightBasin, UNC1945, Solaris
- https://www.guardicore.com/labs/fritzfrog-a-new-generation-of-peer-to-peer-botnets/ (#313) - FritzFrog
- https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger (#743) - Impact, Monti, Linux
- https://www.akamai.com/blog/security-research/dhpcd-cryptominer-hid-four-years (#578) - Impact, dhcpcd, Linux, IOT
- https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/ (#714) - Initial Access, Defense Evasion, attack:T1190:Exploit Public-Facing Application, attack:T1480.001:Environmental Keying, Mirai, Linux, IOT
- https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-docker-control-api-and-community-image-abused-to-deliver-cryptocurrency-mining-malware/ (#344) - NGrok
- https://cert.gov.ua/article/4501891 (#651) - Impact, attack:T1485:Data Destruction, Sandworm, Linux, Industrial
- https://raw.githubusercontent.com/bg6cq/ITTS/master/security/mine/README.md (#352) - ITTS
- https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 (#702) - Initial Access, Discovery, Command and Control, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1057:Process Discovery, attack:T1498:Network Denial of Service, Condi, Linux, IOT
- https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf (#493) - Persistence, Command and Control, uses:Go, IPStorm, /malware/binaries/Unix.Trojan.Ipstorm, Linux
- https://imgur.com/a/8mFGk (#70) - httpsd (by malwaremustdie.org)
- https://blogs.blackberry.com/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors (#305) - Tycoon
- https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf (#407) - Impact, timb-machine#135, FastCash, HiddenCobra, Lazarus, APT28, AIX, Banking, Internal specialist services, Enclave deployment
- https://www.mandiant.com/resources/unc2891-overview (#112) - Lateral Movement, Credential Access, Execution, Defense Evasion, Persistence, attack:T1021.004:SSH, attack:T1003.008:/etc/passwd and /etc/shadow, attack:T1552.003:Bash History, attack:T1552.004:Private Keys, attack:T1556.003:Pluggable Authentication Modules, attack:T1053.001:At (Linux), attack:T1059.004:Unix Shell, attack:T1014:Rootkit, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1548.001:Setuid and Setgid, attack:T1543.002:Systemd Service, attack:T1547.006:Kernel Modules and Extensions, timb-machine#134, TINYSHELL, SLAPSTICK, CAKETAP, WIPERIGHT, MIG Logcleaner, timb-machine#154, BINBASH, UNC2891, UNC1945, LightBasin, Linux, Solaris, Banking
- https://www.mandiant.com/resources/blog/messagetap-who-is-reading-your-text-messages (#542) - Discovery, Collection, Impact, vertical:Telecomms, MESSAGETAP, wltm, APT41, Linux, Telecomms, Internal specialist services
- https://cujo.com/threat-alert-krane-malware/ (#391) - Initial Access, Persistence, Defense Evasion, Impact, attack:T1110.003:Password Spraying, attack:T098:Account Manipulation, attack:T1105:Ingress Tool Transfer, attack:T1562.003:Impair Command History Logging, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1082:System Information Discovery, attack:T1018:Remote System Discovery, attack:T1021:Remote Services, uses:Non-persistentStorage, Krane, wltm
- https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/ (#329) - Zirconium, APT31
- https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/ (#503)
- https://twitter.com/ESETresearch/status/1410864752948043778 (#104) - Specter, SideWalk, StageClient
- https://twitter.com/jhencinski/status/1451592508157345793 (#387) - Impact, XMRig
- https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (#692) - Execution, Persistence, Defense Evasion, Credential Access, Command and Control, attack:T1552:Unsecured Credentials, attack:T1212:Exploitation for Credential Access, attack:T1562:Impair Defenses, attack:T1580:Cloud Infrastructure Discovery, attack:T1525:Implant Internal Image, attack:T1102:Web Service, UNC3886, Linux, VMware
- https://twitter.com/ESETresearch/status/1415542456360263682 (#368) - ?, #FreeBSD
- http://www.foo.be/cours/dess-20042005/report/bigwar.html#sc (#386) - sc (similar code to luckscan)
- https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (#693) - Persistence, Defense Evasion, Discovery, Command and Control, attack:T1037.004:RC Scripts, attack:T1543.002:Systemd Service , attack:T1036:Masquerading: Match Legitimate Name or Location , attack:T1070.004:File Deletion , attack:T1222:File and Directory Permissions Modification , attack:T1564.001:Hidden Files and Directories , attack:T1082:System Information Discovery , attack:T1057:Process Discovery , attack:T1071.004:DNS, Sotdas, Linux
- https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/ (#369) - Kobalos, #linux, #bsd, #solaris, #aix
- https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/ (#410) - Initial Access, Persistence, Defense Evasion, Lateral Movement, Impact, LemonDuck, Linux, Cloud hosted services, Device application sandboxing
- https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/ (#105) - Specter, SideWalk, StageClient
- https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (#447) - Persistence, Defense Evasion, Discovery, Command and Control, attack:T1027:Obfuscated Files or Information, attack:T1053.003:Cron, attack:T1082:System Information Discovery, attack:T1132:Data Encoding, attack:T1564.001:Hidden Files and Directories, Buni, APT32, Ocean Lotus
- https://twitter.com/bkMSFT/status/1417823714922610689 (#328) - timb-machine#329, Zirconium, APT31
- https://twitter.com/ESETresearch/status/1454100591261667329?s=20 (#390) - Hive
- https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux (#685) - Impact, RTM Locker, Linux
- https://twitter.com/malwrhunterteam/status/1467264298237972484 (#406) - Cerber
- http://www.cverc.org.cn/head/zhaiyao/news20220218-1.htm (#113) - NOPEN
- https://www.trendmicro.com/en_gb/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html (#304) - DarkRadation
- https://twitter.com/avastthreatlabs/status/1430527767855058949 (#492) - HCRootkit, timb-machine#491, Linux
- https://old.reddit.com/r/LinuxMalware/comments/7qd27e/linuxss_aka_shark_hacktool_syn_scanner_wpcap/ (#71) - SS, Shark (by malwaremustdie.org)
- https://twitter.com/CraigHRowland/status/1422009387686645761 (#353) - ITTS
- https://cyberplace.social/@GossiTheDog/110516069484635011 (#703) - Resource Development, BPFDoor, /malware/binaries/BPFDoor, Linux
- https://unit42.paloaltonetworks.com/alloy-taurus/ (#646) - Command and Control, attack:T1071:Application Layer Protocol, attack:T1071.001:Web Protocols, attack:T1132:Data Encoding, attack:T1132.001:Standard Encoding, attack:T1573:Encrypted Channel, attack:T1573.001:Symmetric Cryptography, Sword2033, PingBull, wltm, Alloy Taurus, GALLIUM, Soft Cell, Linux
- https://mp-weixin-qq-com.translate.goog/s/v2wiJe-YPG0ng87ffBB9FQ?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (#580) - Command and Control, Torii, Linux
- https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (#715) - Reconnaissance, Initial Access, Execution, Persistence, Defense Evasion, Credential Access, Discovery, Command and Control, Impact, attack:T1525:Implant Internal Image, attack:T1595:Active Scanning, attack:T1496:Resource Hijacking, attack:T1613:Container and Resource Discovery, attack:T1190:Exploit Public-Facing Application, attack:T1059:Command and Scripting Interpreter, attack:T1610:Deploy Container, attack:T1222:File and Directory Permissions Modification, attack:T1036:Masquerading, attack:T1132:Data Encoding, attack:T1552.005:Cloud Instance Metadata API, attack:T1082:System Information Discovery, attack:T1071.001:Web Protocols, attack:T1090.003:Multi-hop Proxy, Tsunami, TeamTNT, Linux
- https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf (#345) - WellMail (APT29)
- https://asec.ahnlab.com/en/51908/ (#650) - Impact, Defense Evasion, LM:ProcessTreeSpoofingBindMountProc, timb-machine#550, KONO DIO DA, XMRig, Linux
- https://netadr.github.io/blog/a-quick-glimpse-sbz/ (#596) - Persistence, Defense Evasion, attack:T1027:Obfuscated Files or Information, SBZ, wltm, Equation Group, Solaris
- https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (#312) - Persistence, Impact, Defense Evasion, Privilege Escalation, attack:T1565.002:Transmitted Data Manipulation, attack:T1055:Process Injection, attack:T1055.009:Proc Memory, attack:T1564.001:Hidden Files and Directories, attack:T1574:Hijack Execution Flow, timb-machine#135, FastCash, Hidden Cobra, AIX, Banking
- https://intel471.com/blog/conti-vs-monti-a-reinvention-or-just-a-simple-rebranding (#742) - Impact, Monti, Linux
- https://pastebin.com/iKyaqLTd (#88) - Exaramel, BlackEnergy, #ICS (by malwaremustdie.org)
- https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF (#67) - Drovorub
- https://www.varonis.com/blog/alphv-blackcat-ransomware (#109) - Impact, BlackCat, timb-machine#512
- https://twitter.com/malwaremustd1e/status/1379028201075187716 (#365) - DGAbot (by malwaremustdie.org)
- https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html (#332) - NOTROBIN
- https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/ (#298) - RandomEXX
- https://twitter.com/_larry0/status/1143532888538984448 (#51) - Silex
- https://www.bitdefender.com/files/News/CaseStudies/study/319/Bitdefender-PR-Whitepaper-DarkNexus-creat4349-en-EN-interactive.pdf (#518) - DarkNexus, Linux
- https://unit42.paloaltonetworks.com/watchdog-cryptojacking/ (#324) - WatchDog
- https://blog.polyswarm.io/darkangels-linux-ransomware (#666) - Impact, attack:T1486:Data Encrypted for Impact, DarkAngels, wltm, Linux
- https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ (#373) - Initial Access, Persistence, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1505.003:Web Shell, Prophet Spider, Linux
- https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (#723) - Defense Evasion, Command and Control, Impact, uses:Python, attack:T1496:Resource Hijacking, attack:T1620:Reflective Code Loading, attack:T1102:Web Service, attack:T1190:Exploit Public-Facing Application, attack:T1105:Ingress Tool Transfer, attack:T1140:Deobfuscate/Decode Files or Information, attack:T1027.002:Software Packing, uses:Non-persistentStorage, PyLoose, XMRig, Linux
- https://tolisec.com/ssh-backdoor-botnet-with-research-infection-technique/ (#92)
- https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/ (#471) - HiddenWasp, Linux
- https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/ (#308) - KillDisk
- https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html (#563) - Command and Control, uses:Go, Alchemist, /malware/binaries/Alchimist, timb-machine#564, Sysrv?, Linux
- http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf (#349) - Moose
- https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery (#488) - Initial Access, Lateral Movement, Impact, RapperBot, /malware/binaries/RapperBot, Linux
- https://imgur.com/a/DWKK5 (#84) - Persistence, Command and Control, Tsunami, Kaiten (by malwaremustdie.org), Linux
- https://twitter.com/ankit_anubhav/status/1490574137370103808 (#483) - Privilege Escalation, Defense Evasion, Persistence, Command and Control, Log4J, attack:T1548:Abuse Elevation Control Mechanism, timb-machine#482, Linux
- https://imgur.com/a/qqgfFXf (#60) - Mirai (by malwaremustdie.org)
- https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/ (#315) - Gafgyt
- https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/ (#342) - Doki
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/1/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF (#657) - Command and Control, SNAKE, Linux
- https://twitter.com/CraigHRowland/status/1422267857988063232 (#354) - ITTS
- https://www.welivesecurity.com/wp-content/uploads/2021/10/eset_fontonlake.pdf (#641) - FontOnLake, Linux
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (#99) - Persistence, Command and Control, attack:T1205:Traffic Signaling, attack:T1205.002:Socket Filters, attack:T1573.002:Symmetric Cryptography, attack:T1573.002:Asymmetric Cryptography, attack:T1082:System Information Discovery, attack:T1547.006:Kernel Modules and Extensions, Bvp47, dewdrop, tipoff, StoicSurgeon, Incision, Equation Group, Linux, Solaris, FreeBSD
- https://imgur.com/a/eBF7Mqe (#76) - Haiduc (by malwaremustdie.org) (by malwaremustdie.org)
- https://www.sentinelone.com/blog/darkradiation-abusing-bash-for-linux-and-docker-container-ransomware/ (#303) - DarkRadiation
- https://int0x33.medium.com/day-27-tiny-shell-48df6abb0d5d (#616) - Command and Control, TSH, TINYSHELL, timb-machine#481
- https://darrenmartyn.ie/2021/11/29/analysis-of-the-lib__mdma-so-1-userland-rootkit/ (#401) - Persistence, Defense Evasion, timb-machine#530, lib__mdma
- https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/ (#114) - HabitsRAT
- https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group (#544) - Initial Access, Discovery, Lateral Movement, Collection, Impact, attack:T1486:Data Encrypted for Impact, Cheerscrypt, Emperor Dragonfly, Linux, VMware
- https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (#397) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1574.006:Dynamic Linker Hijacking, attack:T1205.002:Socket Filtering, Umbreon
- https://www.lab539.com/blog/linux-malware-detection-with-limacharlie (#728) - Reconnaissance, Initial Access, Execution, Persistence, Linux
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html (#682) - Command and Control, uses:Go, GobRAT, Linux, Telecomms
- https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/ (#378) - #cobaltstrike, VermilionStrike
- https://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/ (#513) - Collection, Impact, Linux
- https://www.uptycs.com/blog/another-ransomware-for-linux-likely-in-development (#505) - Impact, DarkAngels, wltm, Linux
- https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ (#339) - Kaiji
- https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html (#102) - Impact, attack:T1486:Data Encrypted for Impact, LockBit, Linux, VMware, Internal enterprise services, Internal specialist services
- https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/ (#381) - FontOnLake
- https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-exploited-to-attack-gaming-servers/ (#319) - Gafgyt
- https://imgur.com/a/qI5Fvm4 (#83) - STD (by malwaremustdie.org)
- https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (#8) - Credential Access, Defense Evasion, Discovery, Lateral Movement, Collection, Command and Control, Impact, vertical:Telecomms, attack:T1573.001:Symmetric Cryptography, attack:T1590:Gather Victim Network Information, attack:T1562.004:Disable or Modify System Firewall, attack:T1048.001:Exfiltration Over Unencrypted Non-C2 Protocol, attack:T1021.004:SSH, attack:T1037.004:RC Scripts, attack:T1090.001:Internal Proxy, attack:T1090.002:External Proxy, attack:T1110.003:Password Spraying, timb-machine#134, SLAPSTICK, STEELCORGI, PingPong, TINYSHELL, CordScan, SIGTRANslator, Fast Reverse Proxy, Microsocks Proxy, ProxyChains, LightBasin, UNC1945, Solaris, Linux, Telecomms, Internal specialist services, Enclave deployment
- https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability (#572) - Persistence, Impact, Mirai, RAR1Ransom, GuardMiner, Linux
- https://twitter.com/malwaremustd1e/status/1235595880041873408 (#358) - Hajimi (by malwaremustdie.org)
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (#95) - Command and Control, Defense Evasion, Persistence, Discovery, attack:T1102:Web Service, attack:T1071.001:Web Protocols, attack:T1573.001:Symmetric Cryptography, attack:T1573:Encrypted Traffic, attack:T1053.003:Cron, attack:T1033:System Owner/User Discovery, attack:T1016:System Network Configuration Discovery, attack:T1070.004:File Deletion, uses:RedirectionToNull, delivery:NPM, SysJoker, wltm, Linux
- https://www.akamai.com/blog/security/new-p2p-botnet-panchan (#476) - Pan-chan, timb-machine#477, Linux
- https://twitter.com/captainGeech42/status/1657121312425365524 (#661) - Persistence, Defense Evasion, SystemBC, timb-machine#662, Linux
- https://twitter.com/malwrhunterteam/status/1422972905541996546 (#374) - Impact, attack:T1486:Data Encrypted for Impact, Encryptor, Linux, VMware
- https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (#724) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, timb-machine#710, timb-machine#711, Linux
- https://securityboulevard.com/2021/04/detect-c2-redxor-with-state-based-functionality/ (#548) - Command and Control, Exfiltration, timb-machine#325, RedXOR, Linux
- https://securelist.com/a-bad-luck-blackcat/106254/?_sp=3b4159db-9e20-4bfa-a47f-f8671b594d75.1649770307513 (#118) - Impact, BlackCat, timb-machine#512
- https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/ (#636) - Initial Access, Linux
- https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/ (#323) - EvilGnome
- https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/ (#56) - LemonDuck
- https://blog.exatrack.com/melofee/ (#620) - Reconnaissance, Resource Development, Execution, Persistence, Privilege Escalation, Defense Evasion, Discovery, Command and Control, attack:T1583.001:Domains, attack:T5183.004:Server, attack:T1071.001:Web Protocols, attack:T1587.001:Malware, attack:T1037.004:RC Scripts, attack:T1059.004:Unix Shell, attack:T1132.002:Non-Standard Encoding, attack:T1573.001:Symmetric Cryptography, attack:T1083:File and Directory Discovery, attack:T1592.002:Software, attack:T1564.001:Hidden Files and Directories, attack:T1562.003:Impair Command History Logging, attack:T1070.004:File Deletion, attack:T1599.001:Network Address Translation Traversal, attack:T1095:Non-Application Layer Protocol, attack:T1571:Non-Standard Port, attack:T1027.002:Software Packing, attack:T1027.007:Dynamic API Resolution, attack:T1588.001:Malware, attack:T1588.002:Tool, attack:T1057:Process Discovery, attack:T1572:Protocol Tunneling, attack:T1090:Proxy, attack:T1014:Rootkit, attack:T1608.001:Upload Malware, attack:T1608.002:Upload Tool, attack:T1082:System Information Discovery, attack:T1497.003:Time Based Evasion, Melofee, HelloBot, Linux
- https://twitter.com/ESETresearch/status/1382054011264700416 (#335) - TSCookie, #freebsd
- https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan (#732) - Persistence, Defense Evasion, Command and Control, Linux, Hosting
- https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html (#698) - Impact, BlackSuit, Linux
- https://gist.github.com/unixfreaxjp/7b8bd6be614f7a051fc9a9da760d3138 (#362) - Initial Access, Command and Control, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux
- https://asec.ahnlab.com/en/55785/ (#733) - Persistence, Defense Evasion, Command and Control, Reptile, Linux
- https://twitter.com/malwaremustd1e/status/1267068856645775360 (#363) - DarkNexus (by malwaremustdie.org)
- https://hybrid-analysis.com/sample/eb8826bac873442045a6a05f1fa25b410ca18db6942053f6d146467c00d5338d (#508) - Peer2Profit, Linux
- https://asec.ahnlab.com/en/50316/ (#621) - Defense Evasion, Discovery, Command and Control, Impact, attack:T1036.005:Match Legitimate Name or Location, attack:T1499:Endpoint Denial of Service, attack:T1082:System Information Discovery, attack:T1095:Non-Application Layer Protocol, uses:ProcessTreeSpoofing, uses:Non-perisistentStorage, uses:RedirectionToNull, DDoSClient, ChinaZ, Linux
- https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html (#334) - TSCookie
- https://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html (#57) - Mirai (by malwaremustdie.org)
- https://blog.sucuri.net/2023/04/balada-injector-synopsis-of-a-massive-ongoing-wordpress-malware-campaign.html (#637) - Initial Access, Balada, Linux, Hosting, Consumer, Cloud hosted services
- https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ (#322) - Turian
- https://www.intezer.com/blog/research/acbackdoor-analysis-of-a-new-multiplatform-backdoor/ (#549) - ACBackdoor, wltm, Linux
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (#119) - Impact, attack:T1485:Data Destruction, attack:T1053.003:Cron, attack:T1016:System Network Configuration Discovery, attack:T1110.003:Password Spraying, attack:T1490:Inhibit System Recovery, attack:T1027:Obfuscated Files or Information, attack:T1561.001:Disk Content Wipe, attack:T1529:System Shutdown/Reboot, attack:T1007:System Service Discovery, attack:T1021.004:SSH, Industroyer, ORCSHRED, SOLOSHRED, AWFULSHRED, Sandworm, Linux, Solaris, Industrial
- https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw (#660) - Initial Access, attack:T1480:Execution Guardrails, attack:T1562.006:Indicator Blocking, uses:Non-persistantStorage, BOLDMOVE, wltm, Linux, Collaboration across enterprise boundaries
- https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar (#375) - PRISM
- https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (#725) - Defense Evasion, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, BPFDoor, /malware/binaries/BPFDoor, Unix.Backdoor.RedMenshen, DecisiveArchitect, Linux, Solaris
- https://sansec.io/research/nginrat (#94) - Defense Evasion, uses:Non-persistentStorage, attack:T1036.005:Match Legitimate Name or Location, attack:T1574.006:Dynamic Linker Hijacking, attack:T1027:Obfuscated Files or Information, uses:ProcessTreeSpoofing, NginRAT, wltm
- https://github.com/akamai/akamai-security-research/tree/main/malware/panchan (#477) - Pan-chan, /malware/binaries/pan-chan, Linux
- https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/ (#565) - Initial Access, Lateral Movement, Impact, timb-machine#566, Sysrv, wltm, Linux, Internal enterprise services
- https://asec.ahnlab.com/ko/55070/ (#709) - Command and Control, Defense Evasion, timb-machine#722, attack:T1036.005:Match Legitimate Name or Location, attack:T1573.001:Symmetric Encryption, uses:ProcessTreeSpoofing, Rekoobe, TINYSHELL, APT31, Linux, Solaris
- https://twitter.com/malwaremustd1e/status/1237080802581565440 (#359) - Mozi (by malwaremustdie.org)
- https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (#524) - Initial Access, Execution, Persistence, Discovery, Lateral Movement, Command and Control, Exfiltration, uses:Go, attack:T1573:Encrypted Channel, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1021.004:SSH, attack:T1057:Process Discovery, attack:T1552.004:Private Keys, attack:T1190:Exploit Public-Facing Application, Chaos, /malware/binaries/Chaos, Linux
- https://imgur.com/a/CtHlmBE (#82) - Persistence, Command and Control, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux
- https://imgur.com/a/2zRCt (#318) - Gafgyt (by malwaremustdie.org)
- https://www.trendmicro.com/en_ca/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html (#380) - Persistence, Defense Evasion, Impact, KinSing
- https://twitter.com/Unit42_Intel/status/1653760405792014336 (#695) - Impact, BlackSuit, Linux
- https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf (#338) - Persistence, Defense Evasion, Command and Control, Penguin, Penquin_x64, Turla, Linux
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (#441) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, timb-machine#420, timb-machine#418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris
- https://sansec.io/research/ecommerce-malware-linux-avp (#396) - linux_avp, Comma
- https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors (#729) - Persistence, Command and Control, SEASPY, timb-machine#730, SUBMARINE, timb-machine#731, Linux
- https://threatfabric.com/blogs/vultur-v-for-vnc.html (#379) - Vultur, Brunhilda, #Android
- https://imp0rtp3.wordpress.com/2021/11/25/sowat/ (#400) - Command and Control, timb-machine#140, timb-machine#131, SoWaT, APT31, Zirconium
- https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces (#115) - Impact, KinSing
- https://igor-blue.github.io/2021/03/24/apt1.html (#302)
- https://themittenmac.com/tinyshell-under-the-microscope/ (#617) - TSH, TINYSHELL, timb-machine#481
- https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/ (#98) - Persistence, Defense Evasion, Command and Control, RotaJakiro, wltm
- https://imgur.com/a/SSKmu (#77) - Rebirth, Vulcan (by malwaremustdie.org)
- https://pastebin.com/raw/mEape37E (#355) - SystemTen (by malwaremustdie.org)
- https://cujo.com/the-sysrv-botnet-and-how-it-evolved/ (#640) - Initial Access, Command and Control, Impact, Sysrv, Linux
- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (#586) - Reconnaissance, Initial Access, Defense Evasion, Lateral Movement, Command and Control, Exfiltration, Impact, uses:Go, attack:T1133:External Remote Services, attack:T1021:Remote Services, attack:T1021.004:SSH, attack:T1078.001:Default Accounts, attack:T1110:Brute Force, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1499:Endpoint Denial of Service, attack:T1498:Network Denial of Service, attack:T1496:Resource Hijacking, uses:CrossCompiled, Kmsdbot, Linux, IOT
- https://sysdig.com/blog/cloud-defense-in-depth/ (#713) - Initial Access, Lateral Movement, KinSing, Linux
- https://blog.netlab.360.com/a-new-mining-botnet-blends-its-c2s-into-ngrok-service/ (#343) - NGrok
- https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/ (#656) - Impact, attack:T1486:Data Encrypted for Impact, Cl0p, wltm, Linux, Internal enterprise services
- https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ (#314) - Gafgyt
- https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (#744) - Reconnaissance, Initial Access, Defense Evasion, Lateral Movement, Exfiltration, Impact, uses:Go, attack:T1133:External Remote Services, attack:T1021:Remote Services, attack:T1021.004:SSH, attack:T1078.001:Default Accounts, attack:T1110:Brute Force, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1499:Endpoint Denial of Service, attack:T1498:Network Denial of Service, attack:T1480:Execution Guardrails, Kmsdbot, Linux, IOT
- https://www.stormshield.com/news/orbit-analysis-of-a-linux-dedicated-malware/ (#601) - Persistence, Privilege Escalation, OrBit, /malware/binaries/OrBit, Linux
- https://analyze.intezer.com/files/82aa04f8576ea573a4772db09ee245cab8eac7ff1e7200f0cc960d8b6f516e92 (#482) - Log4J, /malware/binaries/Unix.Trojan.Log4J/82aa04f8576ea573a4772db09ee245cab8eac7ff1e7200f0cc960d8b6f516e92.elf.x86, Linux
- https://imgur.com/a/53f29O9 (#61) - Mirai (by malwaremustdie.org)
- https://www.virustotal.com/gui/file/3b7a06c53ec0f2ce7b9de4cae9e6e765fd18dc1f2ff522c0ccd9c8c3f9e79532/detection (#141) - Linikatz
- https://github.com/Caprico1/kinsing (#454) - Persistence, Impact, KinSing, Linux
- https://samples.vx-underground.org/samples/Families/VermilionStrike/ (#136) - CobaltStrike, VermilionStrike, /malware/binaries/VermilionStrike
- https://tria.ge/s?q=tag%3alinux (#121)
- https://github.com/eset/malware-ioc/tree/master/kobalos (#137) - Kobalos
- https://github.com/darrenmartyn/malware_samples (#530) - Execution, Persistence, Defense Evasion, Discovery, uses:ProcessTreeSpoofing, uses:RedirectionToNull, attack:T1546.004:Unix Shell, attack:T1574.006:Dynamic Linker Hijacking, attack:T1057:Process Discovery, attack:T1036.005:Match Legitimate Name or Location, lib__mdma, Linux
- https://bazaar.abuse.ch/sample/d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4/ (#662) - Persistence, Defense Evasion, attack:T1053.003:Cron, uses:Non-persistentStorage, uses:RedirectionToNull, timb-machine#661, SystemBC, /malware/binaries/SystemBC, Linux
- https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (#418) - Persistence, Defense Evasion, Command and Control, timb-machine#419, timb-machine#424, timb-machine#425, timb-machine#426, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor client?, /malware/binaries/BPFDoor/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c.elf.x86_64, Unix.Backdoor.RedMenshen, Tricephalic Hellkeeper, JustForFun, https://www.hybrid-analysis.com/sample/591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78, DecisiveArchitect, Linux
- https://bazaar.abuse.ch/sample/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2/ (#140) - SoWaT, /malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips, APT31, Zirconium
- https://samples.vx-underground.org/APTs/2021/2021.10.11/ (#409) - FontOnLake, /malware/binaries/FontOnLake, Linux
- https://bazaar.abuse.ch/browse/signature/SystemBC/ (#130) - SystemBC
- https://www.virustotal.com/gui/file/c69ee0f12a900adc654d93aef9ad23ea56bdfae8513e534e1a11dca6666d10aa/detection (#126) - wltm
- https://bazaar.abuse.ch/browse/signature/Mirai/ (#127) - Mirai, /malware/binaries/Unix.Exploit.Mirai, /malware/binaries/Unix.Dropper.Mirai, /malware/binaries/Unix.Trojan.Mirai
- https://www.virustotal.com/gui/file/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2/detection (#131) - SoWaT, /malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips, APT31, Zirconium
- https://github.com/blackorbird/APT_REPORT (#124)
- https://github.com/eset/malware-ioc/tree/master/rakos (#132) - Rakos
- https://bazaar.abuse.ch/browse/signature/Gafgyt/ (#128) - Gafgyt, /malware/binaries/Unix.Trojan.Gafgyt
- https://bazaar.abuse.ch/browse/signature/XorDDoS/ (#129) - Initial Access, Credential Access, Impact, attack:T1078:Valid Accounts, attack:T1100:Brute Force, attack:T1498:Network Denial of Service, XorDDoS, /malware/binaries/Unix.Trojan.Xorddos, /malware/binaries/Unix.Malware.Xorddos, Linux
- https://analyze.intezer.com/files/85e72976b9448295034a8d4c26462b8f1ebe1ca0a4e4b897c7f2404d0de948c2 (#133) - WellMail, wltm, APT29
- https://twitter.com/nunohaien/status/1261281420791742464 (#125)
- https://github.com/x0rz/EQGRP (#138)
- https://bazaar.abuse.ch/browse/tag/Symbiote/ (#460) - Persistence, Defense Evasion, Command and Control, timb-machine#452, attack:T1205:Traffic Signaling, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1556.003:Pluggable Authentication Modules, attack:T1574.006:Dynamic Linker Hijacking, /malware/binaries/Symbiote, Symbiote, Linux
- https://bazaar.abuse.ch/browse/tag/elf/ (#122)
- https://samples.vx-underground.org/APTs/2020/2020.11.02/ (#134) - /malware/binaries/UNC1945, LightBasin, UNC1945, Solaris
- https://samples.vx-underground.org/samples/Families/Fastcash/ (#135) - Impact, FastCash, /malware/binaries/FastCash, HiddenCobra, Lazarus, APT28, AIX, Banking, Internal specialist services, Enclave deployment
- https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (#420) - Persistence, Defense Evasion, Command and Control, timb-machine#421, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, /malware/binaries/BPFDoor/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a.elf.sparc, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Solaris
- https://github.com/MalwareSamples/Linux-Malware-Samples (#123)
- https://github.com/hardenedvault/bootkit-samples (#103)
- https://bazaar.abuse.ch/browse/tag/blackcat/ (#512) - Impact, timb-machine#118, timb-machine#109, timb-machine#108, timb-machine#107, timb-machine#41, BlackCat, /malware/binaries/BlackCat, Linux
- https://bazaar.abuse.ch/sample/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9/ (#139) - Polaris, /malware/binaries/Unix.Ransomware.Polaris/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9.elf.x86_64
- https://packetstormsecurity.com/files/31345/0x333shadow.tar.gz.html (#706) - Defense Evasion, attack:T1070.002:Clear Linux or Mac System Logs, 0x333shadow Log Cleaner, Linux, Solaris, Freebsd, IRIX
- https://github.com/chokepoint/Jynx2 (#531) - Persistence, Defense Evasion, Linux
- https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (#711) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, timb-machine#710, timb-machine#724, Linux
- https://github.com/jwne/caffsec-malware-analysis/blob/master/mIRChack/pscan2.c (#147) - pscan (similar code to luckscan)
- https://github.com/isdrupter/ziggystartux (#701) - Impact, Linux
- https://github.com/HeapAllocate/sterben (#150) - sterben
- https://github.com/NexusBots/Umbreon-Rootkit (#149) - Umbreon Rootkit
- https://pastebin.com/jkndLHQf (#145) - FinFisher
- http://www.afn.org/~afn28925/wipe.c (#153) - UNC2891
- https://packetstormsecurity.com/files/23336/Slx2k001.txt.html (#152) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, UNC2891
- https://gitlab.com/rav7teif/linux.wifatch (#144) - Initial Access, Persistence, Command and Control, Lateral Movement, Linux.Wifatch
- https://github.com/0x27/sebd-0.2 (#148) - sebd 0.2 source code (a fix of 0.1)
- https://pastebin.com/raw/kmmJuuQP (#426) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, timb-machine#418, DecisiveArchitect, Linux
- https://github.com/vxunderground/MalwareSourceCode/tree/main/Linux (#143)
- https://github.com/arialdomartini/morris-worm (#694) - Initial Access, Execution, Discovery, Lateral Movement
- https://github.com/shadow1ng/fscan (#564) - Initial Access, Lateral Movement, uses:Go, Alchimist, fscan, /malware/binaries/Alchimist/UPX/fscan, Linux
- https://github.com/Kabot/mig-logcleaner-resurrected (#154) - Defense Evasion, attack:T1070.002:Clear Linux or Mac System Logs, MIG Logcleaner, UNC2891, Linux, Solaris, BSD
- https://github.com/0x27/linux.mirai (#142) - Mirai
- https://github.com/EvelynSubarrow/BismuthScorpion (#182)
- https://github.com/SafeBreach-Labs/backdoros (#213)
- https://github.com/yaoyumeng/adore-ng (#458) - Persistence, Defense Evasion, Linux
- https://github.com/guitmz/go-liora (#663) - Persistence, uses:Go, attack:T1577:Compromise Application Executable, Linux
- https://github.com/vfsfitvnm/intruducer (#209)
- https://gist.github.com/zznop/0117c24164ee715e750150633c7c1782 (#198)
- https://github.com/mufeedvh/moonwalk (#208)
- https://github.com/timb-machine-mirrors/ripmeep-memory-injector (#160)
- https://github.com/elfmaster/skeksi_virus (#224)
- https://github.com/ONsec-Lab/scripts/tree/master/pam_steal (#195)
- https://www.guitmz.com/linux-nasty-elf-virus/ (#642) - Persistence, attack:T1577:Compromise Application Executable, attack:T1057:Process Discovery, attack:T1083:File and Directory Discovery, Linux
- https://github.com/EvelynSubarrow/IridiumScorpion (#183)
- https://github.com/elfmaster/kprobe_rootkit (#223)
- https://github.com/elfmaster/dt_infect (#219)
- https://github.com/f0rb1dd3n/Reptile (#171)
- https://github.com/alexander-pick/apinject (#608) - Defense Evasion, attack:hT1055.008:Ptrace System Calls, Linux
- https://github.com/io-tl/degu-lib (#413) - Linux
- https://github.com/croemheld/lkm-rootkit (#628) - Persistence, Defense Evasion, Privilege Escalation, Exfiltration, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1548:Abuse Elevation Control Mechanism, attack:T1205.001:Port Knocking, attack:T1095:Non-Application Layer Protocol, attack:T1020:Automated Exfiltration, attack:T1048.003:Exfiltration Over Unencrypted Non-C2 Protocol, attack:T1056.001:Keylogging, Linux
- https://github.com/Gui774ume/ebpfkit (#151) - Discovery, Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, ebpfkit, Linux
- https://github.com/reveng007/reveng_rtkit (#669) - Persistence, Privilege Escalation, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attacK:T1548:Abuse Elevation Control Mechanism, Linux
- https://github.com/mncoppola/suterusu (#491) - Persistence, Defense Evasion, wltm, Linux
- https://github.com/fbkcs/msf-elf-in-memory-execution (#203)
- https://github.com/stealth/devpops (#192) - DevPops by stealth (not really malicious, has guard rails)
- https://github.com/nnsee/fileless-elf-exec (#193) - Defense Evasion, attack:T1620:Reflective Code Loading
- https://github.com/wunderwuzzi23/Offensive-BPF (#469) - Credential Access, attack:T1205.002:Socket Filters, Linux
- https://github.com/tarcisio-marinho/GonnaCry (#486) - Impact, Linux
- https://github.com/X-C3LL/memdlopen-lib (#605) - Defense Evasion, attack:T1620:Reflective Code Loading, Linux
- https://github.com/codewhitesec/daphne (#740) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, uses:Auditd, Linux
- https://github.com/compilepeace/KAAL_BHAIRAV (#202)
- https://github.com/h3xduck/Umbra (#668) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1095:Non-Application Layer Protocol, attack:T1486:Data Encrypted for Impact, attacK:T1548:Abuse Elevation Control Mechanism, Linux
- https://github.com/schrodyn/bad_UDP (#453) - Linux
- https://github.com/timb-machine-mirrors/sar5430-coolkid (#629) - Persistence, Defense Evasion, Linux
- https://github.com/h3xduck/TripleCross (#465) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, Linux
- https://github.com/ixty/mandibule (#170)
- https://github.com/blendin/3snake (#189)
- https://github.com/guitmz/midrashim (#664) - Persistence, attack:T1577:Compromise Application Executable, Linux
- https://github.com/arget13/DDexec (#222)
- https://github.com/citronneur/pamspy (#466) - Persistence, Defense Evasion, Credential Access, attack:T1205.002:Socket Filters, attack:T1556.003:Pluggable Authentication Modules, Linux
- https://github.com/toffan/binfmt_misc (#431) - Persistence, Privilege Escalation, Defense Evasion, Linux, Device application sandboxing
- https://github.com/timb-machine-mirrors/phath0m-JadedWraith (#165)
- https://github.com/QuokkaLight/rkduck (#667) - Persistence, Defense Evasion, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1056.001:Keylogging, attack:T1564.001:Hidden Files and Directories, attack:T1021.004:SSH, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, Linux
- https://github.com/kris-nova/boopkit (#221)
- https://github.com/codewhitesec/apollon (#734) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, uses:Auditd, Linux
- https://github.com/mav8557/Father (#606) - Persistence, Privilege Escalation, Defense Evasion, attack:T1574.006:Dynamic Linker Hijacking, Linux
- https://packetstormsecurity.com/files/22121/cd00r.c.html (#597) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, cd00r, Linux
- https://github.com/0x1CA3/parasite (#201) - wltm
- https://github.com/m0nad/Diamorphine (#217)
- https://github.com/jtripper/parasite (#169)
- https://github.com/noptrix/fbkit (#684) - Persistence, Privilege Escalation, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1205.002:Socket Filters, attack:T1548.001:Setuid and Setgid, FreeBSD
- https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/ (#739) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, timb-machine#734, timb-machine#740, Linux
- https://github.com/liamg/memit (#200)
- https://github.com/airman604/jdbc-backdoor (#607) - Persistence, Privilege Escalation, Defense Evasion, attack:T1574.002:DLL Side-Loading, Linux, Internal enterprise services, Internal specialist services
- https://github.com/chokepoint/azazel (#191)
- https://github.com/Eterna1/puszek-rootkit (#670) - Persistence, Defense Evasion, Credential Access, Discovery, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1040:Network Sniffing, Linux
- https://github.com/elfmaster/saruman (#220)
- https://hckng.org/articles/perljam-elf64-virus.html (#735) - Persistence, attack:T1554:Compromise Client Software Binary, attack:T1505:Server Software Component, uses:Perl, Linux, AIX, Solaris, HP-UX
- https://github.com/nurupo/rootkit (#172)
- https://github.com/roddux/santa (#207)
- https://github.com/aviat/passe-partout (#704) - Credential Access, attack:T1649:Steal or Forge Authentication Certificates, attack:T1563.001:SSH Hijacking, Linux, AIX, Solaris, HP-UX
- https://github.com/elfmaster/linker_preloading_virus (#211)
- https://github.com/therealdreg/enyelkm (#456) - Persistence, Defense Evasion, Linux
- https://github.com/jermeyyy/rooty (#440) - Persistence, Defense Evasion, timb-machine#439, attack:T1547.006:Kernel Modules and Extensions, XorDDoS, Linux, Consumer, Cloud hosted services, Device application sandboxing
- https://github.com/m1m1x/memdlopen (#175) - Defense Evasion, attack:T1620:Reflective Code Loading
- https://github.com/rek7/fireELF (#159)
- https://github.com/mempodippy/vlany (#174)
- https://github.com/trustedsec/ELFLoader (#416) - Defense Evasion, attack:T1620:Reflective Code Loading, attack:T1027:Obfuscated Files or Information, Linux, Solaris, Cloud hosted services, Internal enterprise services, Internal specialist services, Enterprise with public/Customer-facing services, Device application sandboxing
- https://packetstormsecurity.com/files/author/3859/ (#553) - Persistence, Defense Evasion, uses:DTrace, SInAR, /malware/pocs/SInAR, Archim, Solaris, Internal specialist services, Device application sandboxing
- https://github.com/zephrax/linux-pam-backdoor (#181)
- https://github.com/gaffe23/linux-inject (#210)
Not necessarily malicious code (see Linikatz and unix-privesc-check =)) but interesting capabilities...
- https://github.com/ciscocxsecurity/unix-privesc-check (#157) - Privilege Escalation
- https://research.nccgroup.com/2022/01/08/tool-release-insject-a-linux-namespace-injector/ (#585) - Execution, Persistence, Linux, Cloud hosted services
- https://github.com/pathtofile/bad-bpf (#205) - uses:BPF
- https://github.com/netifera/netifera (#194)
- https://github.com/creaktive/tsh (#481) - TSH, TINYSHELL, APT31, UNC2891, LightBasin, Linux
- https://github.com/zMarch/Orc (#161)
- https://github.com/stealth/injectso (#589) - Defense Evasion, Linux
- https://github.com/ropnop/windapsearch (#177)
- https://github.com/alichtman/malware-techniques (#199)
- https://github.com/ropnop/kerbrute (#176)
- https://github.com/NetSPI/sshkey-grab (#619) - Credential Access, attack:T1552.004:Private Keys, attack:T1003.007:Proc Filesystem, attack:T1055.009:Proc Memory, Linux, Enhanced identity governance
- https://github.com/guitmz/memrun (#592) - Defense Evasion, attack:T1620:Reflective Code Loading, uses:Non-persistantStorage, Linux
- https://github.com/pmorjan/kmod (#654) - Persistence, Privilege Escalation, uses:Go, attack:T1547.006:Kernel Modules and Extensions, Linux
- https://github.com/IvanGlinkin/AutoSUID (#204)
- https://github.com/milabs/khook (#212)
- https://github.com/CiscoCXSecurity/linikatz (#156) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets, timb-machine#141
- https://github.com/NixOS/patchelf (#443) - Persistence, attack:T1574.006:Dynamic Linker Hijacking, Linux, Device application sandboxing
- https://vulners.com/metasploit/MSF:POST/LINUX/GATHER/GNOME_KEYRING_DUMP/ (#188)
- https://github.com/controlplaneio/truffleproc (#537) - Privilege Escalation, Credential Access, Linux
- https://github.com/oldboy21/LDAP-Password-Hunter (#167)
- https://github.com/namazso/linux_injector (#599) - Persistence, attack:T1574.006:Dynamic Linker Hijacking, Linux
- https://github.com/liamg/siphon (#576) - Discovery, Collection, Linux
- https://github.com/aojea/netkat (#464) - Lateral Movement, Command and Control, attack:T1205.002:Socket Filters, Linux
- https://github.com/akawashiro/sloader (#521) - Defense Evasion, Linux
- https://github.com/TarlogicSecurity/tickey (#184)
- https://github.com/vbpf/ebpf-samples (#215) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1620:Reflective Code Loading, Device application sandboxing
- https://github.com/io-tl/Mara (#487) - Linux
- https://github.com/DeimosC2/DeimosC2 (#652) - Command and Control, DeimosC2, Linux
- https://github.com/Idov31/Sandman (#582) - Persistence, Command and Control, Linux
- https://github.com/huntergregal/mimipenguin (#185)
- https://github.com/liamg/traitor (#687) - Privilege Escalation, Linux
- https://packetstormsecurity.com/files/download/23045/statdx-scan.tar.gz (#146) - Reconnaissance, pscan (similar code to luckscan)
- https://github.com/anko/xkbcat (#691) - Credential Access, Collection, attack:T1056.001:Keylogging, Linux, AIX, Solaris, HP-UX, Consumer, Internal enterprise services
- https://github.com/fireeye/SSSDKCMExtractor (#520) - attack:T1558:Steal or Forge Kerberos Tickets, Linux, Internal enterprise services, Enhanced identity governance
- https://github.com/FiloSottile/age (#166)
- https://github.com/hackerschoice/ssh-key-backdoor (#672) - Persistence, Defense Evasion, Linux, AIX, Solaris, HP-UX
- https://github.com/metac0rtex/SSH-Key-Brute-Forcer (#489) - Initial Access, Lateral Movement, Linux, Enclave deployment
- https://github.com/timb-machine-mirrors/adamcaudill-EquationGroupLeak/tree/master/Linux (#173)
- https://github.com/89luca89/pakkero (#718) - Defense Evasion, attack:T1027.002:Software Packing, Linux
- https://github.com/naksyn/Pyramid (#630) - Persistence, Command and Control, Linux
- https://github.com/blacklanternsecurity/KCMTicketFormatter (#519) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets, Linux, Internal enterprise services, Enhanced identity governance
- https://github.com/DavidBuchanan314/dlinject (#485) - Linux
- https://github.com/willshiao/node-bash-obfuscate (#190)
- https://github.com/mnagel/gnome-keyring-dumper (#186)
- https://github.com/sevagas/swap_digger (#515) - Credential Access, Linux
- https://github.com/DavidBuchanan314/stelf-loader (#738) - Execution, Defense Evasion, uses:ProcessTreeSpoofing, uses:Non-persistentStorage, Linux
- https://github.com/redcode-labs/Bashark (#168)
- https://github.com/timb-machine-mirrors/CoolerVoid-casper-fs (#216)
- https://github.com/airbus-seclab/nbutools (#689) - Discovery, Collection, Linux, AIX, Solaris, HP-UX, Banking, CNI, Telecomms, Internal enterprise services
- https://github.com/DavidBuchanan314/monomorph (#534) - Defense Evasion, Linux
- https://github.com/NetDirect/nfsshell (#164)
- https://gtfobins.github.io/ (#179)
- https://github.com/t3l3machus/Villain (#591) - Command and Control, Linux
- https://github.com/JonathonReinhart/nosecmem (#180)
- https://github.com/AlessandroZ/LaZagne (#155)
- https://chromium.googlesource.com/linux-syscall-support/ (#533) - Linux
- https://github.com/CiscoCXSecurity/sudo-parser (#163) - Privilege Escalation
- https://github.com/nicocha30/ligolo-ng (#699) - Command and Control, Exfiltration, Linux
- https://github.com/rebootuser/LinEnum (#158)
- https://github.com/TH3xACE/SUDO_KILLER (#162) - Privilege Escalation
- https://github.com/elfmaster/maya (#504) - Defense Evasion, Linux, Device application sandboxing
- https://github.com/Ne0nd0g/merlin (#545) - Command and Control, Exfiltration, uses:Go, Merlin, Linux
- https://github.com/sosdave/KeyTabExtract (#206)
- https://github.com/CiscoCXSecurity/enum4linux (#178)
- https://www.tarlogic.com/blog/how-to-attack-kerberos/ (#229)
- https://gist.github.com/timb-machine/602d1a4dace4899babc1b6b5345d24b2 (#550) - Defense Evasion, attack:T1562:Impair Defenses, Linux
- https://sysdig.com/blog/containers-read-only-fileless-malware/ (#415) - Persistence, Defense Evasion, attack:T1202:Indirect Command Execution, attack:T1620:Reflective Code Loading, uses:Non-persistentStorage, uses:k8s, Linux, Cloud hosted services, Device application sandboxing
- http://lists.openstack.org/pipermail/openstack/2013-December/004138.html (#244)
- https://www.guitmz.com/running-elf-from-memory/ (#252)
- https://tmpout.sh/1/ (#225)
- https://rp.os3.nl/2016-2017/p59/presentation.pdf (#233)
- https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf (#248)
- https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (#462) - Defense Evasion, Discovery, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, attack:T1057:Process Discovery, attack:T1620:Reflective Code Loading, Linux, AIX, Solaris, HP-UX, Trust algorithm
- https://grugq.github.io/docs/ul_exec.txt (#463) - Persistence, Defense Evasion, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, Linux, Trust algorithm
- https://blog.doyensec.com/2022/10/11/ebpf-bypass-security-monitoring.html (#567) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
- https://blog.fbkcs.ru/en/elf-in-memory-execution/ (#249)
- https://buzzchronicles.com/Mollyycolllinss/b/internet/7795/ (#475) - Linux
- https://rp.os3.nl/2016-2017/p59/report.pdf (#232)
- https://blog.vibri.us/BeyondTrust-AD-Bridge-Open-Post-Exploitation/ (#635) - Credential Access, Discovery, attack:T1087.002:Domain Account, Linux, Internal enterprise services
- https://github.com/elfmaster/scop_virus_paper (#253)
- https://www.form3.tech/engineering/content/bypassing-ebpf-tools (#584) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
- https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf (#245)
- http://www.hick.org/code/skape/papers/remote-library-injection.pdf (#455) - Persistence, Linux
- https://vxug.fakedoma.in/papers.html (#228)
- https://rp.os3.nl/2016-2017/p97/presentation.pdf (#235)
- https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal (#665) - Initial Access, attack:T1190:Exploit Public-Facing Application, Mirai, Linux, IOT, Consumer
- https://www.blackhat.com/presentations/bh-dc-08/Beauchamp-Weston/Whitepaper/bh-dc-08-beauchamp-weston-WP.pdf (#556) - Persistence, Defense Evasion, uses:DTrace, Solaris, Internal specialist services, Device application sandboxing
- https://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ (#239)
- https://twitter.com/Alh4zr3d/status/1577649651376791552 (#540) - Defense Evasion, Linux, AIX, Solaris, HP-UX
- http://archive.hack.lu/2019/Fileless-Malware-Infection-and-Linux-Process-Injection-in-Linux-OS.pdf (#242) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Device application sandboxing
- https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (#653) - Initial Access, Credential Access, attack:T1110:Brute Force, attack:T1078:Valid Accounts, Linux, AIX, Solaris, HP-UX, Consumer, Cloud hosted services, Internal enterprise services, Internal specialist services
- https://is.muni.cz/el/fi/jaro2011/PV204/um/LinuxRootkits/sys_call_table_complete.htm (#254) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions
- https://packetstormsecurity.com/files/34013/0x4553-Static_Infecting.html (#255)
- https://pbs.twimg.com/media/FSi1m3gXsAA79yF?format=jpg&name=medium (#428) - Persistence, Linux, Device application sandboxing
- http://shell-storm.org/api/?s=arm (#243)
- https://twitter.com/HuskyHacksMK/status/1578413641669308416 (#541) - Defense Evasion, Linux, AIX, Solaris, HP-UX
- https://labs.portcullis.co.uk/presentations/breaking-the-links-exploiting-the-linker/ (#238)
- http://hick.org/code/skape/papers/needle.txt (#557) - Persistence, Defense Evasion, Linux
- microsoft/SysmonForLinux#83 (#648) - Defense Evasion, Linux
- https://grugq.github.io/docs/subversiveld.pdf (#473) - Linux
- https://rp.os3.nl/2016-2017/p97/report.pdf (#234)
- https://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/ (#562) - Persistence, Defense Evasion, Command and Control, Linux, AIX, Solaris
- http://www.nth-dimension.org.uk/downloads.php?id=77 (#237)
- https://gtfoargs.github.io/ (#626) - Initial Access, Execution
- https://blog.xpnsec.com/linux-process-injection-aka-injecting-into-sshd-for-fun/ (#558) - Persistence, Defense Evasion, Linux
- https://devilinside.me/blogs/becoming-rat-your-system (#256)
- https://twitter.com/Alh4zr3d/status/1578406155453276160 (#539) - Defense Evasion, Linux, AIX, Solaris, HP-UX
- https://blog.talosintelligence.com/2018/12/PortcullisActiveDirectory.html (#240) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets
- https://c3media.vsos.ethz.ch/congress/2004/papers/057%20SUN%20Bloody%20Daft%20Solaris%20Mechanisms.pdf (#554) - Persistence, Defense Evasion, uses:DTrace, SInAR, timb-machine#553, Archim, Solaris, Internal specialist services, Device application sandboxing
- https://www.cs.dartmouth.edu/~sergey/cs258/2010/spainhower_DT.pdf (#555) - Persistence, Defense Evasion, uses:DTrace, SInAR, timb-machine#553, timb-machine#554, Archim, Solaris, Internal specialist services, Device application sandboxing
- https://www.elastic.co/guide/en/security/master/binary-executed-from-shared-memory-directory.html (#611) - Defense Evasion
- https://github.com/CiscoCXSecurity/presentations/raw/master/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf (#241) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets
- https://github.com/rapid7/ssh-badkeys (#538) - Initial Access, Linux, AIX, Solaris, HP-UX
- https://github.com/hakivvi/ermir (#579) - Initial Access, Lateral Movement, Linux, Internal enterprise services
- http://www.ouah.org/LKM_HACKING.html (#257) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions
- https://sonarsource.github.io/argument-injection-vectors/ (#627) - Initial Access, Execution
- https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/ (#236)
- https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html (#575) - Persistence, Privilege Escalation, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, attack:T1562:Impair Defenses, Linux
- https://www.sentinelone.com/blog/shadow-suid-for-privilege-persistence-part-1/ (#430) - Persistence, Privilege Escalation, Defense Evasion, Linux, Device application sandboxing
- https://medium.com/confluera-engineering/reflective-code-loading-in-linux-a-new-defense-evasion-technique-in-mitre-att-ck-v10-da7da34ed301 (#250)
- http://www.foo.be/cours/mssi-20072008/davidoff-clearmem-linux.pdf (#246)
- https://www.akamai.com/blog/security-research/linux-lateral-movement-more-than-ssh (#708) - Lateral Movement, Linux, AIX, Solaris, HP-UX
- https://www.first.org/resources/papers/telaviv2019/Rezilion-Shlomi-Butnaro-Beyond-Whitelisting-Fileless-Attacks-Against-L....pdf (#231) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Device application sandboxing
- https://twitter.com/brainsmoke/status/399558997994668033 (#509) - Execution, Linux
- https://n0.lol/ (#227)
- https://tmpout.sh/2/ (#226)
- https://github.com/CiscoCXSecurity/linikatz/issues (#230)
- https://twitter.com/David3141593/status/1575978540868435968 (#532) - Linux
- https://2018.zeronights.ru/wp-content/uploads/materials/09-ELF-execution-in-Linux-RAM.pdf (#436) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Linux, Device application sandboxing
- https://github.com/milabs/awesome-linux-rootkits (#9) - Persistence, Linux
- https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (#461) - Persistence, Defense Evasion, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, Linux, AIX, Solaris, HP-UX, Trust algorithm
- https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html (#683) - Defense Evasion, attack:T1629.003:Disable or Modify Tools, attack:T1547.006:Kernel Modules and Extensions, uses:Auditd, Linux
- https://medium.com/verint-cyber-engineering/linux-threat-hunting-primer-part-ii-69484f58ac92 (#247)
- https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (#705) - Persistence, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attacK:T1548:Abuse Elevation Control Mechanism, timb-machine#669, Linux
- https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html (#251)
- https://gist.github.com/timb-machine/7bd75479ee29aee8762952ea16908eb0 (#197) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, attack:T1202:Indirect Command Execution, Linux, AIX, Solaris, HP-UX, Device application sandboxing, Trust algorithm
- https://github.com/CYB3RMX/Qu1cksc0pe (#696) - Defense Evasion, Linux
- https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/ (#268)
- https://github.com/evilsocket/ebpf-process-anomaly-detection (#497) - Execution, Linux
- https://tbhaxor.com/hunting-malicious-binaries-in-containers/ (#272)
- https://github.com/sandflysecurity/sandfly-file-decloak (#634) - Defense Evasion, Linux
- https://github.com/marin-m/vmlinux-to-elf (#726) - Defense Evasion, attack:T1601:Modify System Image, Linux
- https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Fixing-A-Memory-Forensics-Blind-Spot-Linux-Kernel-Tracing-wp.pdf (#423) - Persistence, Privilege Escalation, Defense Evasion, Credential Access, Collection, Command and Control, Exfiltration, Linux
- https://twitter.com/inversecos/status/1527188391347068928 (#435) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris, Device application sandboxing
- https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (#570) - Persistence, Defense Evasion, Command and Control, timb-machine#571, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, timb-machine#420, timb-machine#418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
- https://twitter.com/ldsopreload/status/1582780282758828035 (#571) - Persistence, Defense Evasion, Command and Control, timb-machine#570, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, timb-machine#420, timb-machine#418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
- https://elastic.github.io/security-research/intelligence/2022/03/03.dirty-pipe/article/ (#265)
- https://github.com/elfmaster/avu32 (#273)
- https://github.com/M00NLIG7/ChopChopGo (#674) - Defense Evasion, Linux
- https://youtu.be/16_EAsYAApI (#438) - Linux
- https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/mitre-att-amp-ck-technique-coverage-with-sysmon-for-linux/ba-p/2858219 (#269)
- https://github.com/deepfence/ebpfguard (#697) - Defense Evasion, Linux
- https://github.com/niveb/NoCrypt (#673) - Impact, attack:T1486:Data Encrypted for Impact, attack:T1547.006:Kernel Modules and Extensions, Linux
- https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought/ (#274)
- https://github.com/sandflysecurity/sandfly-entropyscan (#632) - Defense Evasion, Linux
- https://elfdigest.com/ (#262)
- https://blog.blockmagnates.com/hunt-linux-malware-with-cgroups-497733095a94 (#472) - Linux
- https://github.com/monnappa22/Limon (#258)
- https://medium.com/confluera-engineering/detection-and-response-for-linux-reflective-code-loading-malware-this-is-how-21f9c7d8a014 (#278)
- https://github.com/tclahr/uac (#583) - Persistence, Defense Evasion, Linux
- https://github.com/alex-cart/LEAF (#445) - Linux
- https://github.com/falcosecurity/falco (#412) - Linux, Device application sandboxing
- https://github.com/jafarlihi/modreveal (#609) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions, Linux
- https://bazaar.abuse.ch/ (#259)
- https://github.com/ancat/egrets (#218)
- https://github.com/sandflysecurity/sandfly-processdecloak (#633) - Defense Evasion, Linux
- https://tria.ge/ (#263)
- https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/ (#275)
- https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (#449) - Persistence, Defense Evasion, Credential Access, Command and Control, timb-machine#156, timb-machine#418, timb-machine#420, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1005:Data from Local System, attack:T1083:File and Directory Discovery, attack:T1003:OS Credential Dumping, attack:T1558:Steal or Forge Kerberos Tickets, BPFDoor, Linikatz, Linux
- https://github.com/hardenedvault/ved-ebpf (#737) - Execution, Privilege Escalation, Defense Evasion, attack:T1574:Hijack Execution Flow, attack:T1548.001:Setuid and Setgid, attack:T1620:Reflective Code Loading, attack:T1068:Exploitation for Privilege Escalation, uses:eBPF, Linux
- https://github.com/chainguard-dev/osquery-defense-kit (#574) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Command and Control, Exfiltration, Linux
- https://github.com/NozomiNetworks/upx-recovery-tool (#535) - Defense Evasion, attack:T1027.002:Software Packing, Linux
- https://www.virustotal.com/gui/ (#260)
- https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/ (#276)
- https://github.com/threathunters-io/laurel (#581) - Defense Evasion, Linux
- https://github.com/signalblur/impelf (#647) - Defense Evasion, Linux
- https://github.com/sqall01/LSMS (#610) - Defense Evasion, Linux
- https://grsecurity.net/tetragone_a_lesson_in_security_fundamentals (#450) - Persistence, Privilege Escalation, Defense Evasion, Linux
- https://github.com/sourque/louis (#411) - Linux, Device application sandboxing
- https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505 (#451) - Linux
- https://github.com/chriskaliX/Hades (#514) - Linux
- https://github.com/504ensicsLabs/LiME (#187)
- https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/ (#277)
- https://www.rfxn.com/projects/linux-malware-detect/ (#261)
- https://github.com/Gui774ume/ebpfkit-monitor (#467) - Persistence, Defense Evasion, Discovery, Command and Control, Linux
- https://twitter.com/ldsopreload/status/1583178316286029824 (#568) - Persistence, Defense Evasion, Command and Control, timb-machine#569, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, timb-machine#420, timb-machine#418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
- https://github.com/0xrawsec/kunai (#749) - Defense Evasion, Linux
- https://github.com/snapattack/bpfdoor-scanner (#437) - Persistence, Defense Evasion, Command and Control, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205.002:Socket Filters, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect
- https://twitter.com/timb_machine/status/1523253031382687744 (#421) - Command and Control, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, timb-machine#420, DecisiveArchitect, Solaris
- https://github.com/op7ic/unix_collector (#266) - Solaris, Linux, AIX, OS X
- https://github.com/vmware/kernel-event-collector-module (#271) - Carbon Black
- https://github.com/Gui774ume/krie (#498) - Defense Evasion, Privilege Escalation, Persistence, uses:eBPF, attack:T1620:Reflective Code Loading, attack:T1574:Hijack Execution Flow, attack:T1068:Exploitation for Privilege Escalation, attack:T1562.001:Disable or Modify Tools, attack:T1548:Abuse Elevation Control Mechanism, Linux
- https://github.com/avilum/secimport (#748) - Persistence, Defense Evasion, Linux
- https://www.volatilityfoundation.org/releases-vol3 (#457) - Persistence, Defense Evasion, Linux, Consumer, Cloud hosted services, Internal enterprise services, Internal specialist services, Enterprise with public/Customer-facing services, Device application sandboxing
- https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (#569) - Persistence, Defense Evasion, Command and Control, timb-machine#568, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, timb-machine#420, timb-machine#418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
- https://github.com/david942j/seccomp-tools (#590) - Defense Evasion, Linux
- https://blog.trailofbits.com/2021/11/09/all-your-tracing-are-belong-to-bpf/ (#747) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
- https://www.mandiant.com/sites/default/files/2022-03/wp-linux-endpoint-hardening.pdf (#675) - Defense Evasion, Linux
- https://github.com/archcloudlabs/BSidesRoc2022_Linux_Malware_Analysis_Course (#264)
- https://righteousit.wordpress.com/2021/12/21/hudaks-honeypot-part-2/ (#39) - honeypot, Linux
- https://righteousit.wordpress.com/2021/12/20/hudaks-honeypot-part-1/ (#38) - honeypot, Linux
- https://blog.trailofbits.com/2023/08/09/use-our-suite-of-ebpf-libraries/ (#736) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
- https://archive.org/details/HalLinuxForensics (#560) - Defense Evasion, Linux
- https://www.youtube.com/watch?v=Zig-inHOhII (#561) - Defense Evasion, Linux
- https://github.com/rung/threat-matrix-cicd (#10) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Lateral Movement, Exfiltration, Impact, Linux
- https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html (#559) - Defense Evasion, Linux
- https://github.com/DevinRTK/rtk-eLibrary (#631) - Persistence, Defense Evasion, Discovery, Collection, Linux, Cloud hosted services, Internal enterprise services, Internal specialist services, Multi-cloud/Cloud-to-cloud enterprise
- https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (#719) - Execution, Persistence, Privilege Escalation, Defense Evasion, attack:T1574:Hijack Execution Flow, attack:T1204:User Execution, attack:T1218:System Binary Proxy Execution, attack:T1036.003:Rename System Utilities, Linux, AIX, Solaris, HP-UX
- https://www.forensicxlab.com/posts/inodes/ (#522) - Defense Evasion, Linux
- https://github.com/anelshaer/Remote-Linux-Triage-Collection-using-OSquery (#529) - Linux
- https://blog.aquasec.com/detecting-ebpf-malware-with-tracee (#745) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
- https://github.com/cr0nx/awesome-linux-attack-forensics-purplelabs (#712) - Defense Evasion, Linux
- https://twitter.com/CraigHRowland/status/1593102427276050433 (#587) - Persistence, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, Linux
- https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (#499) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, attack:T1574:Hijack Execution Flow, attack:T1068:Exploitation for Privilege Escalation, Linux
- https://redcanary.com/blog/ebpf-for-security/ (#270) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading
- https://github.com/timb-machine/obscure-forensics (#267)
- https://redcanary.com/blog/process-streams/ (#494) - Lateral Movement, Command and Control, Exfiltration, uses:bash, uses:ksh93, attack:T1059:Command and Scripting Interpreter, attack:T1095:Non-Application Layer Protocol, Linux, Enclave deployment
- https://darrenmartyn.ie/2021/07/05/procfs-bash-tricks-and-detecting-cowrie/ (#528) - Persistence, Defense Evasion, Linux, Device application sandboxing
- pscan.yara (#287) - Hunts for references to pscan
- luckscan.yara (#286) - Hunts for references to luckscan
- adonunix2.yara (#281) - Hunts for binaries that attack AD on UNIX
- aix.yara (#280) - Hunts for AIX binaries
- ciscotools.yara (#279) - Hunts for references to our tools
- enterpriseapps2.yara (#283) - Hunts for enterprise app binaries
- enterpriseunix2.yara (#282) - Hunts for enterprise UNIX binaries
- unixredflags3.yara (#285) - Hunts for UNIX red flags
- canvasspectre.yara (#284) - Hunts for CANVAS Spectre
- https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar (#419) - attack:T1205.002:Socket Filters, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, timb-machine#418, DecisiveArchitect, Linux
- https://github.com/Yara-Rules/rules (#288)