linux-malware

Press/academia

https://securelist.com/top-10-unattributed-apt-mysteries/107676/ (#552) - Metador, Plexing Eagle, wltm, Linux, Solaris, Telecomms
https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Dumont-H-Porcher-dark_side_of_the_forsshe.pdf (#24) - various SSH, Bonadan, Kessel, Chandrila
https://www.linuxexperten.com/library/e-resources/linux-malware-ever-growing-list-2023 (#622) - Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, Linux
https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (#422) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, #420, #418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/ (#638) - Resource Development, Impact, attack:T1486:Data Encrypted for Impact, #644, uses:CrossCompiled, LockBit, Linux, Internal specialist services
https://reyammer.io/publications/2018_oakland_linuxmalware.pdf (#28)
https://github.com/CiscoCXSecurity/presentations/raw/master/The%20UNIX%20malware%20landscape%20-%20Reviewing%20the%20goods%20at%20MALWAREbazaar%20v5.pdf (#448)
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf (#417) - LootRat, PLEAD, TSCookie, RotaJakiro1, Red Djinn, Red Nue, Scarlet Joke, Ocean Lotus, APT32, Linux
https://en.wikipedia.org/wiki/Linux_malware (#17) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, DarkSide
https://spectrum.ieee.org/amp/mirai-botnet-2659993631 (#676) - Initial Access, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1498:Network Denial of Service, attack:T1499:Endpoint Denial of Service, Mirai, Linux, Consumer
http://s3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf (#27)
https://en.wikipedia.org/wiki/Mirai_(malware) (#18) - Initial Access, Persistence, Defense Evasion, Credential Access, Discovery, Lateral Movement, Impact, Mirai
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ (#22) - AgeLocker, WellMail, TrickBot, IPStorm, Turla, QNAPCrypt, Carbanak
https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ (#19) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
https://www.darkreading.com/attacks-breaches/blackcat-purveyor-shows-ransomware-operators-have-nine-lives (#41) - Impact, BlackCat, #512
https://ieeexplore.ieee.org/document/8418602 (#25)
https://wikileaks.org/vault7/ (#31)
https://www.fireeye.com/blog/threat-research/2021/09/elfant-in-the-room-capa-v3.html (#34)
https://malpedia.caad.fkie.fraunhofer.de/ (#29)
https://www.zdnet.com/article/hacker-exposes-thousands-of-insecure-desktops-that-anyone-can-remotely-view/ (#33)
https://blog.trendmicro.com/trendlabs-security-intelligence/unix-a-game-changer-in-the-ransomware-landscape/ (#35)
https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf (#23) - various SSH, Bonadan, Kessel, Chandrila
https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html (#37)
https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf (#21) - WINNTI
https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf (#101) - Defense Evasion, Command and Control, Exfiltration, Impact, attack:T1486:Data Encrypted for Impact, XMRig, Hello Kitty, #546, REvil, DarkSide, BlackMatter, Defray777, ViceSociety, Erebus, GonnaCry, eChoraix, Sysrv, TeamTNT, Mexalz, Omelette, WatchDog, Kinsing, Cobalt Strike, Vermillion Strike, Merlin, #545, #547, RedXOR, #548, ACBackdoor, #549, ELF_Plead, Linux, VMware, Internal enterprise services, Internal specialist services
https://gist.github.com/vlamer/2c2ec2ca80a84ab21a32 (#26)
https://rp.os3.nl/ (#30)
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations (#32)
https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/ (#40)
https://www.group-ib.com/resources/threat-research/oldgremlin.html (#573) - Impact, OldGremlin, Linux
https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf (#20) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, LaZagne, Dalcs, Mirai, Gafgyt, Tsunami, IPStorm, Wellmess, FritzFrog, Linux

In the wild

Breach reports

https://bitbucket.org/workspacespain/i-s00n-translated (#799) - Persistence, uses:Leak, uses:Blocklisted, Reptile, APT41, Linux, AIX, Solaris, HP-UX
https://twitter.com/1ZRR4H/status/1560662815400407040 (#507) - Initial Access, Peer2Profit, Linux
https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ (#446) - Initial Access, Linux
https://www.freedownloadmanager.org/blog/?p=664 (#765) - Initial Access, Credential Access, #766, Free Download Manager, #816, wltm, Linux
https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm (#42) - GoDaddy
https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (#677) - Reconnaissance, Initial Access, Persistence, Defense Evasion, Discovery, Collection, Impact, attack:T1593:Search Open Websites/Domains, attack:T1190:Exploit Public-Facing Application, attack:T1078.004:Cloud Accounts, attack:T1526:Cloud Service Discovery, attack:T1619:Cloud Storage Object Discovery, attack:T1069:Permission Groups Discovery, attack:T1069.003:Cloud Groups, attack:T1602:Data from Configuration Repository, attack:T1213.003:Code Repositories, attack:T1098:Account Manipulation, attack:T1098.003:Additional Cloud Roles, attack:T1136:Create Account, attack:T1136.003:Cloud Account, attack:T1036:Masquerading, attack:T1021.004:SSH, attack:T1578:Modify Cloud Compute Infrastructure, attack:T1578.002:Create Cloud Instance, attack:T1525:Implant Internal Image, attack:T1496:Resource Hijacking, GUI-vil, Linux, Hosting, Cloud hosted services
http://securelist.com/backdoored-free-download-manager-linux-malware/110465/ (#766) - Initial Access, Credential Access, Collection, Command and Control, #765, Free Download Manager, #816, attack:T1071.004:DNS, attack:T1105:Ingress Tool Transfer, attack:T1560.001:Archive via Utility, wltm, Linux

Supply chain attacks

https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/ (#787) - Initial Access, Discovery, Command and Control, delivery:NPM, attack:T1195.001:Compromise Software Dependencies and Development Tools, attack:T1082:System Information Discovery, Linux
https://github.com/SecurityFail/kompromat (#813) - Credential Access, attack:T1552.004:Private Keys, Linux, HP-UX, AIX, Solaris, Internal specialist services
https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/ (#816) - Initial Access, Persistence, Credential Access, Command and Control, Free Download Manager, #765, #766, attack:T1053.003:Cron, attack:T1555.005:Password Managers, uses:Non-persistentStorage, wltm, Linux
https://www.webmin.com/exploit.html (#43) - Webmin
https://www.aldeid.com/wiki/Exploits/proftpd-1.3.3c-backdoor (#44) - ProFTPd
canonical/snapcraft.io#651 (#296) - Snapcraft
https://lists.archlinux.org/pipermail/aur-general/2018-July/034169.html (#523) - #525, wltm, Linux
https://lwn.net/Articles/371110/ (#291) - e107 CMS
https://securelist.com/beware-of-backdoored-linux-mint-isos/73893/ (#543) - Initial Access, Command and Control, Impact, Tsunami, Kaiten, Linux
https://portswigger.net/daily-swig/homebrew-bug-allowed-researcher-full-access-to-github-repos (#290) - Homebrew
https://arstechnica.com/information-technology/2012/09/questions-abound-as-malicious-phpmyadmin-backdoor-found-on-sourceforge-site/ (#47) - PHPMyAdmin
https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero (#495) - Impact, delivery:PyPI, uses:Python, attack:T1620:Reflective Code Loading, attack:T1070.004:File Deletion, attack:T1195.001:Compromise Software Dependencies and Development Tools, wltm, Linux
https://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155 (#46) - Horde Webmail
https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html (#49) - VsFTPd
http://www.h-online.com/open/news/item/MyBB-downloads-were-infected-1366300.html (#292) - MyBB
https://lirantal.medium.com/a-snyks-post-mortem-of-the-malicious-event-stream-npm-package-backdoor-40be813022bb (#293) - event-stream
https://news.ycombinator.com/item?id=17501379 (#525) - Linux
https://portswigger.net/daily-swig/backdoor-planted-in-php-git-repository-after-server-hack (#48) - PHP
https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain/ (#289) - "Octopus Scanner" (Netbeans) attack
https://www.heise.de/security/meldung/Achtung-Anzeigen-Server-OpenX-enthaelt-eine-Hintertuer-1929769.html (#295) - OpenX
https://blog.sonatype.com/newly-found-npm-malware-mines-cryptocurrency-on-windows-linux-macos-devices (#294) - Impact, delivery:NPM, uses:JavaScript, attack:T1195.001:Compromise Software Dependencies and Development Tools, wltm
https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor/ (#45) - UnrealIRCd

Malware reports

https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/ (#378) - #cobaltstrike, VermilionStrike
https://blog.polyswarm.io/lightning-framework (#506) - Lightning, /malware/binaries/Lightning, Linux
https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/ (#105) - Specter, SideWalk, StageClient
https://www.cisa.gov/news-events/analysis-reports/ar23-209b (#730) - Command and Control, #729, SEASPY, wltm, Linux
http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf (#349) - Moose
https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/ (#307) - QNAPCrypt, eCh0raix
https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/ (#360) - Rhombus (by malwaremustdie.org)
https://themittenmac.com/tinyshell-under-the-microscope/ (#617) - TSH, TINYSHELL, #481
https://twitter.com/ESETresearch/status/1415542456360263682 (#368) - ?, #FreeBSD
https://tolisec.com/ssh-backdoor-botnet-with-research-infection-technique/ (#92)
https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (#724) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, #710, #711, #814, Linux
https://twitter.com/xnand_/status/1676336329985077249 (#710) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, #711, #724, #814, Linux
https://pastebin.com/iKyaqLTd (#88) - Exaramel, BlackEnergy, #ICS (by malwaremustdie.org)
https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials (#50) - TeamTNT
https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/kessel-dns-exfiltration-2/ (#372) - Kessel
https://www.mandiant.com/resources/unc3524-eye-spy-email (#414) - Resource Development, Persistence, Defense Evasion, Lateral Movement, attack:T1021.004:SSH, attack:T1027:Obfuscated Files or Information, attack:T1037.004:RC Scripts, attack:T1584:Compromise Infrastructure, QUIETEXIT, unc3524, Linux, IOT, Internal enterprise services, Device agent/gateway deployment
https://media.defense.gov/2023/May/09/2003218554/-1/-1/1/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF (#657) - Command and Control, SNAKE, Linux
https://blog.exatrack.com/melofee/ (#620) - Reconnaissance, Resource Development, Execution, Persistence, Privilege Escalation, Defense Evasion, Discovery, Command and Control, attack:T1583.001:Domains, attack:T5183.004:Server, attack:T1071.001:Web Protocols, attack:T1587.001:Malware, attack:T1037.004:RC Scripts, attack:T1059.004:Unix Shell, attack:T1132.002:Non-Standard Encoding, attack:T1573.001:Symmetric Cryptography, attack:T1083:File and Directory Discovery, attack:T1592.002:Software, attack:T1564.001:Hidden Files and Directories, attack:T1562.003:Impair Command History Logging, attack:T1070.004:File Deletion, attack:T1599.001:Network Address Translation Traversal, attack:T1095:Non-Application Layer Protocol, attack:T1571:Non-Standard Port, attack:T1027.002:Software Packing, attack:T1027.007:Dynamic API Resolution, attack:T1588.001:Malware, attack:T1588.002:Tool, attack:T1057:Process Discovery, attack:T1572:Protocol Tunneling, attack:T1090:Proxy, attack:T1014:Rootkit, attack:T1608.001:Upload Malware, attack:T1608.002:Upload Tool, attack:T1082:System Information Discovery, attack:T1497.003:Time Based Evasion, Melofee, HelloBot, Linux
https://imgur.com/a/N3BgY (#73) - ChinaZ, GoARM (by malwaremustdie.org)
https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/ (#350) - Stantinkos
https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar (#375) - PRISM
https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ (#322) - Turian
https://darrenmartyn.ie/2021/11/29/analysis-of-the-lib__mdma-so-1-userland-rootkit/ (#401) - Persistence, Defense Evasion, #530, lib__mdma
https://www.mandiant.com/resources/unc2891-overview (#112) - Lateral Movement, Credential Access, Execution, Defense Evasion, Persistence, attack:T1021.004:SSH, attack:T1003.008:/etc/passwd and /etc/shadow, attack:T1552.003:Bash History, attack:T1552.004:Private Keys, attack:T1556.003:Pluggable Authentication Modules, attack:T1053.001:At (Linux), attack:T1059.004:Unix Shell, attack:T1014:Rootkit, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1548.001:Setuid and Setgid, attack:T1543.002:Systemd Service, attack:T1547.006:Kernel Modules and Extensions, #134, TINYSHELL, SLAPSTICK, CAKETAP, WIPERIGHT, MIG Logcleaner, #154, BINBASH, UNC2891, UNC1945, LightBasin, Linux, Solaris, Banking
https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (#715) - Reconnaissance, Initial Access, Execution, Persistence, Defense Evasion, Credential Access, Discovery, Command and Control, Impact, attack:T1525:Implant Internal Image, attack:T1595:Active Scanning, attack:T1496:Resource Hijacking, attack:T1613:Container and Resource Discovery, attack:T1190:Exploit Public-Facing Application, attack:T1059:Command and Scripting Interpreter, attack:T1610:Deploy Container, attack:T1222:File and Directory Permissions Modification, attack:T1036:Masquerading, attack:T1132:Data Encoding, attack:T1552.005:Cloud Instance Metadata API, attack:T1082:System Information Discovery, attack:T1071.001:Web Protocols, attack:T1090.003:Multi-hop Proxy, Tsunami, TeamTNT, Linux
https://cujo.com/threat-alert-krane-malware/ (#391) - Initial Access, Persistence, Defense Evasion, Impact, attack:T1110.003:Password Spraying, attack:T098:Account Manipulation, attack:T1105:Ingress Tool Transfer, attack:T1562.003:Impair Command History Logging, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1082:System Information Discovery, attack:T1018:Remote System Discovery, attack:T1021:Remote Services, uses:Non-persistentStorage, Krane, wltm
https://securityboulevard.com/2021/04/detect-c2-redxor-with-state-based-functionality/ (#548) - Command and Control, Exfiltration, #325, RedXOR, Linux
https://twitter.com/malwrhunterteam/status/1415403132230803460 (#310) - HelloKitty
https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor (#547) - Command and Control, Exfiltration, uses:LD_PRELOAD, wltm, Linux
https://twitter.com/sethkinghi/status/1397814848549900288 (#717) - Defense Evasion, attack:T1480.001:Environmental Keying, AVrecon, Linux, IOT
https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (#618) - Persistence, Defense Evasion, uses:Go, attack:T1554:Compromise Client Software Binary, attack:T1546.004:Unix Shell Configuration Modification, attack:T1053.003:Cron, attack:T1543.002:Systemd Service, attack:T1037:Boot or Logon Initialization Scripts, Chaos, /malware/binaries/Chaos, Linux
https://twitter.com/ESETresearch/status/1382054011264700416 (#335) - TSCookie, #freebsd
https://imgur.com/a/CtHlmBE (#82) - Persistence, Command and Control, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux
https://github.com/akamai/akamai-security-research/tree/main/malware/panchan (#477) - Pan-chan, /malware/binaries/pan-chan, Linux
https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool (#405) - attack:T1205.002:Socket Filters, ebpfkit
https://atdotde.blogspot.com/2020/05/high-performance-hackers.html (#377) - HPC
https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (#604) - Initial Access, attack:T1190:Exploit Public-Facing Application, attack:T1078.001:Default Accounts, KinSing, Linux
https://www.trendmicro.com/en_gb/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html (#304) - DarkRadation
https://sansec.io/research/ecommerce-malware-linux-avp (#396) - linux_avp, Comma
https://twitter.com/malwrhunterteam/status/1467264298237972484 (#406) - Cerber
https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf (#493) - Persistence, Command and Control, uses:Go, IPStorm, /malware/binaries/Unix.Trojan.Ipstorm, Linux
https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (#439) - Initial Access, Credential Access, Impact, attack:T1078:Valid Accounts, attack:T1100:Brute Force, attack:T1498:Network Denial of Service, attack:T1053.003:Cron, attack:T1105:Ingress Tool Transfer, attack:T1027:Obfuscated Files or Information, attack:T1014:Rootkit, attack:T1082:System Information Discovery, attack:T1003.007:Proc Filesystem, attack:T1562.001:Disable or Modify Tools, attack:T1037.004:RC Scripts, attack:T1070.004:File Deletion, attack:T1036.005:Match Legitimate Name or Location, uses:Non-persistentStorage, uses:ioctl, uses:PortHiding, #129, uses:ProcessTreeSpoofing, XorDDoS, Rooty, Linux
https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/ (#759) - Impact, Octo Tempest, BlackCat, Linux, VMware
https://www.stormshield.com/news/orbit-analysis-of-a-linux-dedicated-malware/ (#601) - Persistence, Privilege Escalation, OrBit, /malware/binaries/OrBit, Linux
http://www.cverc.org.cn/head/zhaiyao/news20220218-1.htm (#113) - NOPEN
https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign (#727) - Initial Access, Command and Control, Impact, XMRig, Linux
https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (#516) - Resource Development, Discovery, Command and Control, attack:T1587.001:Malware, attack:T1016:System Network Configuration Discovery, attack:T1071.001:Web Protocols, attack:T1573.001:Symmetric Cryptography, SideWalk, wltm, SparklingGoblin, Linux
https://www.intezer.com/blog/malware-analysis/linux-rekoobe-operating-with-new-undetected-malware-samples/ (#479) - Rekoobe, APT31, Linux
https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware (#107) - Impact, BlackCat, #512
https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/ (#809) - Initial Access, Execution, Persistence, Privilege Escalation, Credential Access, Discovery, Command and Control, AIX, Internal enterprise services
https://imgur.com/a/a6RaZMP (#87) - Honda Car's Panel's Rootkit from China #Android (by malwaremustdie.org)
https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/ (#323) - EvilGnome
https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (#693) - Persistence, Defense Evasion, Discovery, Command and Control, attack:T1037.004:RC Scripts, attack:T1543.002:Systemd Service , attack:T1036:Masquerading: Match Legitimate Name or Location , attack:T1070.004:File Deletion , attack:T1222:File and Directory Permissions Modification , attack:T1564.001:Hidden Files and Directories , attack:T1082:System Information Discovery , attack:T1057:Process Discovery , attack:T1071.004:DNS, Sotdas, Linux
https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability (#572) - Persistence, Impact, Mirai, RAR1Ransom, GuardMiner, Linux
https://imgur.com/a/qI5Fvm4 (#83) - STD (by malwaremustdie.org)
https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf (#625) - Defense Evasion, Command and Control, attack:T1071:Application Layer Protocol, attack:T1071.001:Web Protocols, attack:T1092:Communication Through Removable Media, attack:T1027.002:Software Packing, KEYPLUG, RedGolf, Linux
https://twitter.com/malwaremustd1e/status/1267068856645775360 (#363) - DarkNexus (by malwaremustdie.org)
https://analyze.intezer.com/files/9b48822bd6065a2ad2c6972003920f713fe2cb750ec13a886efee7b570c111a5 (#106) - Specter, SideWalk, StageClient, wltm
https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group (#544) - Initial Access, Discovery, Lateral Movement, Collection, Impact, attack:T1486:Data Encrypted for Impact, Cheerscrypt, Night Sky, Emperor Dragonfly, Bronze Starlight, Linux, VMware
https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/ (#306) - QNAPCrypt, eCh0raix
https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html (#58) - Mirai (by malwaremustdie.org)
https://analyze.intezer.com/files/82aa04f8576ea573a4772db09ee245cab8eac7ff1e7200f0cc960d8b6f516e92 (#482) - Log4J, /malware/binaries/Unix.Trojan.Log4J/82aa04f8576ea573a4772db09ee245cab8eac7ff1e7200f0cc960d8b6f516e92.elf.x86, Linux
https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html (#563) - Command and Control, uses:Go, Alchemist, /malware/binaries/Alchimist, #564, Sysrv?, Linux
https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/ (#526) - Metador, wltm, Linux
https://imgur.com/a/Ak9zICq (#367) - Neko (by malwaremustdie.org)
https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/ (#56) - LemonDuck
https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf (#370) - Kobalos, #bsd, #solaris, #aix
https://asec.ahnlab.com/en/45182/ (#603) - Defense Evasion, attack:T1027.009:Embedded Payloads, uses:SHC, Linux
https://www.sentinelone.com/blog/darkradiation-abusing-bash-for-linux-and-docker-container-ransomware/ (#303) - DarkRadiation
https://twitter.com/IntezerLabs/status/1300403461809491969 (#347) - Dalcs
https://blog.polyswarm.io/darkangels-linux-ransomware (#666) - Impact, attack:T1486:Data Encrypted for Impact, DarkAngels, wltm, Linux
https://twitter.com/Unit42_Intel/status/1653760405792014336 (#695) - Impact, attack:T1486:Data Encrypted for Impact, wltm, BlackSuite, Linux
https://cert.gov.ua/article/4501891 (#651) - Impact, attack:T1485:Data Destruction, Sandworm, Linux, Industrial
https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (#790) - Initial Access, Execution, Discovery, Lateral Movement, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1059.004:Unix Shell, attack:T1072:Software Deployment Tools, attack:T1083:File and Directory Discovery, attack:T1082:System Information Discovery, attack:T1485:Data Destruction, BiBi-Linux, Linux
https://www.trendmicro.com/en_us/research/21/j/actors-target-huawei-cloud-using-upgraded-linux-malware-.html (#383)
https://twitter.com/cyb3rops/status/1523227511551033349 (#425) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, #418, DecisiveArchitect, Linux
https://imgur.com/a/H7YuWuj (#356) - SystemTen (by malwaremustdie.org)
https://cybersec84.wordpress.com/2023/08/15/monti-ransomware-operators-resurface-with-new-linux-variant-improved-evasion-tactics/ (#753) - Defense Evasion, Impact, attack:T1486:Data Encrypted for Impact, attack:T1480:Execution Guardrails, wltm, Monti, Linux, VMware
https://csirt.egi.eu/attacks-on-multiple-hpc-sites/ (#376) - HPC
https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ (#297) - FreakOut
https://netadr.github.io/blog/a-quick-glimpse-sbz/ (#596) - Persistence, Defense Evasion, attack:T1027:Obfuscated Files or Information, SBZ, wltm, Equation Group, Solaris
https://vms.drweb.com/virus/?i=21004786 (#433) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/ (#327) - TeamTNT, Mimipenguin
https://cujo.com/the-sysrv-botnet-and-how-it-evolved/ (#640) - Initial Access, Command and Control, Impact, Sysrv, Linux
https://www.guardicore.com/labs/fritzfrog-a-new-generation-of-peer-to-peer-botnets/ (#313) - FritzFrog
https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw (#660) - Initial Access, attack:T1480:Execution Guardrails, attack:T1562.006:Indicator Blocking, uses:Non-persistentStorage, BOLDMOVE, wltm, Linux, Collaboration across enterprise boundaries
https://haxrob.net/fastcash-for-linux/ (#815) - Persistence, Privilege Escalation, Defense Evasion, Impact, attack:T1565.002:Transmitted Data Manipulation, attack:T1055:Process Injection, attack:T1055.009:Proc Memory, attack:T1564.001:Hidden Files and Directories, attack:T1574:Hijack Execution Flow, attack:T1567:Financial Theft, attack:T1027.002:Software Packing, uses:Non-persistentStorage, attack:T1027.013:Encrypted/Encoded File, FastCash, #407, #312, #135, wltm, Linux, Banking, Internal specialist services
https://mp-weixin-qq-com.translate.goog/s/pd6fUs5TLdBtwUHauclDOQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp (#588) - Persistence, Defense Evasion, Command and Control, attack:T1027:Obfuscated Files or Information, caja, wltm, Linux
https://imgur.com/a/LpTN7 (#85) - Elknot (by malwaremustdie.org)
https://news.drweb.com/show/?i=14646&lng=en&c=23 (#602) - Initial Access, Command and Control, WordPressExploit, Linux
https://asec.ahnlab.com/en/55785/ (#733) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1547.006:Kernel Modules and Extensions, attack:T1205.001:Port Knocking, Reptile, TINYSHELL, Rekoobe, Linux
https://blog.polyswarm.io/deadbolt-ransomware (#577) - Impact, Deadbolt, Linux, Consumer
https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (#658) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, attack:T1573:Encrypted Channel, attack:T1106:Native API, BPFDoor, /malware/binaries/BPFDoor, Linux
https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html (#102) - Impact, attack:T1486:Data Encrypted for Impact, LockBit, Linux, VMware, Internal enterprise services, Internal specialist services
https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf (#338) - Persistence, Defense Evasion, Command and Control, Penguin, Penquin_x64, Turla, Linux
https://asec.ahnlab.com/en/51908/ (#650) - Impact, Defense Evasion, uses:ProcessTreeSpoofingBindMountProc, #550, KONO DIO DA, XMRig, Linux
https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/ (#636) - Initial Access, Linux
https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/ (#503)
https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF (#67) - Drovorub
https://twitter.com/tolisec/status/1507854421618839564 (#116) - Impact, KinSing
https://mp-weixin-qq-com.translate.goog/s/v2wiJe-YPG0ng87ffBB9FQ?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (#580) - Command and Control, Torii, Linux
https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ (#314) - Gafgyt
https://twitter.com/malwaremustd1e/status/1265321238383099904 (#317) - Gafgyt (by malwaremustdie.org)
https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/ (#369) - Kobalos, #linux, #bsd, #solaris, #aix
https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (#510) - Execution, Persistence, Defense Evasion, attack:T1036.005:Match Legitimate Name or Location, attack:T1059:Command and Scripting Interpreter, attack:T1569:System Service, attack:T1569.002:Service Execution, attack:T1543:Create or Modify System Process, attack:T1027:Obfuscated Files or Information, uses:Non-persistentStorage, attack:T1057:Process Discovery, attack:T1070.004:File Deletion, attack:T1546.004:Unix Shell, exploit:CVE-2021-3493, Shikitega, /malware/binaries/Shikitega, Linux
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ (#750) - Initial Access, Persistence, Defense Evasion, Command and Control, Impact, attack:T1547.006:Kernel Modules and Extensions, SkidMap, Linux
https://vms.drweb.com/virus/?i=15389228 (#326) - ?
https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/ (#410) - Initial Access, Persistence, Defense Evasion, Lateral Movement, Impact, LemonDuck, Linux, Cloud hosted services, Device application sandboxing
https://www.kroll.com/en/insights/publications/cyber/inside-the-systembc-malware-server (#784) - Command and Control, Exfiltration, uses:PHP, attack:T1090:Proxy, attack:T1071.001:Web Protocols, SystemBC, Linux
https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (#119) - Impact, attack:T1485:Data Destruction, attack:T1053.003:Cron, attack:T1016:System Network Configuration Discovery, attack:T1110.003:Password Spraying, attack:T1490:Inhibit System Recovery, attack:T1027:Obfuscated Files or Information, attack:T1561.001:Disk Content Wipe, attack:T1529:System Shutdown/Reboot, attack:T1007:System Service Discovery, attack:T1021.004:SSH, Industroyer, ORCSHRED, SOLOSHRED, AWFULSHRED, Sandworm, Linux, Solaris, Industrial
https://twitter.com/IntezerLabs/status/1291355808811409408 (#346) - Carbanak
https://twitter.com/bkMSFT/status/1417823714922610689 (#328) - #329, Zirconium, APT31
https://sysdig.com/blog/ssh-snake/ (#801) - Defense Evasion, Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, attack:T1027:Obfuscated Files or Information, #791, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services
https://imgur.com/a/2zRCt (#318) - Gafgyt (by malwaremustdie.org)
https://twitter.com/malwaremustd1e/status/1380637310346096641 (#364) - Ngioweb (by malwaremustdie.org)
http://it.rising.com.cn/fanglesuo/19851.html (#96) - SFile
https://www.uptycs.com/blog/another-ransomware-for-linux-likely-in-development (#505) - Impact, DarkAngels, wltm, Linux
https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (#427) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, #420, #418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris
https://www.lab539.com/blog/linux-malware-detection-with-limacharlie (#728) - Reconnaissance, Initial Access, Execution, Persistence, Linux
https://securelist.com/the-penquin-turla-2/67962/ (#593) - Persistence, Defense Evasion, Command and Control, Penquin, Turla, Linux
https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (#586) - Reconnaissance, Initial Access, Defense Evasion, Lateral Movement, Command and Control, Exfiltration, Impact, uses:Go, attack:T1133:External Remote Services, attack:T1021:Remote Services, attack:T1021.004:SSH, attack:T1078.001:Default Accounts, attack:T1110:Brute Force, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1499:Endpoint Denial of Service, attack:T1498:Network Denial of Service, attack:T1496:Resource Hijacking, uses:CrossCompiled, Kmsdbot, Linux, IOT
https://x.com/haxrob/status/1762821513680732222 (#810) - Command and Control, attack:T1071:Application Layer Protocol, attack:T1572:Protocol Tunneling, GTPDOOR, wltm, Linux, Telecomms, Internal specialist services
https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ (#371) - Ebury
https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (#623) - Initial Access, Defense Evasion, Command and Control, Impact, attack:T1105:Ingress Tool Transfer, attack:T1071.001:Web Protocols, attack:T1071.002:File Transfer Protocol, attack:T1499:Endpoint Denial of Service, attack:T1480:Execution Guardrails, HinataBot, Linux, Consumer
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (#808) - Execution, Persistence, Discovery, Collection, Command and Control, Exfiltration, attack:T1574.006:Dynamic Linker, attack:T1059.004:Unix Shell, attack:T1053.003:Cron, attack:T1559:Inter-Process Communication, attack:T1205.001:Port Knocking, attack:T1001.003:Protocol Impersonation, attack:T1573.002:Asymmetric Cryptography, attack:T1572:Protocol Tunneling, attack:T1560.002:Archive via Library, attack:T1041:Exfiltration Over C2 Channel, attack:T1005:Data from Local System, attack:T1124:System Time Discovery, attack:T1518:Software Discovery, attack:T1071.Application Layer Protocol, uses:BPF, uses:Non-persistentStorage, Pygmy Goat, EarthWorm, Earthwrom, wltm, Linux, Enterprise with satellite facilities
https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/ (#459) - Persistence, Defense Evasion, Linux
https://twitter.com/CraigHRowland/status/1422267857988063232 (#354) - ITTS
https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/ (#325) - RedXOR
https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html (#614) - Command and Control, Persistence, SysUpdate, IronTiger
https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/ (#308) - KillDisk
https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (#99) - Persistence, Command and Control, attack:T1205:Traffic Signaling, attack:T1205.002:Socket Filters, attack:T1573.002:Symmetric Cryptography, attack:T1573.002:Asymmetric Cryptography, attack:T1082:System Information Discovery, attack:T1547.006:Kernel Modules and Extensions, Bvp47, dewdrop, tipoff, StoicSurgeon, Incision, Equation Group, Linux, Solaris, FreeBSD
http://www.foo.be/cours/dess-20042005/report/bigwar.html#sc (#386) - sc (similar code to luckscan)
https://imgur.com/a/5vPEc (#74) - ChinaZ (by malwaremustdie.org)
https://cujo.com/iot-malware-journals-prometei-linux/ (#300) - Promotei
https://sansec.io/research/cronrat (#399) - Defense Evasion, Command and Control, uses:Non-persistentStorage, attack:T1053.003:Cron, attack:T1027:Obfuscated Files or Information, attack:T1001.003:Protocol Impersonation, attack:T1036.005:Match Legitimate Name or Location, vertical:Retail, CronRAT, wltm, Linux
https://www.varonis.com/blog/alphv-blackcat-ransomware (#109) - Impact, BlackCat, #512
https://twitter.com/malwaremustd1e/status/1251758225919115264 (#361) - Persistence, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux
https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/ (#381) - FontOnLake
https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html (#336) - PLEAD
https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analysis (#393) - Conti
https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (#8) - Credential Access, Defense Evasion, Discovery, Lateral Movement, Collection, Command and Control, Impact, vertical:Telecomms, attack:T1573.001:Symmetric Cryptography, attack:T1590:Gather Victim Network Information, attack:T1562.004:Disable or Modify System Firewall, attack:T1048.001:Exfiltration Over Unencrypted Non-C2 Protocol, attack:T1021.004:SSH, attack:T1037.004:RC Scripts, attack:T1090.001:Internal Proxy, attack:T1090.002:External Proxy, attack:T1110.003:Password Spraying, #134, SLAPSTICK, STEELCORGI, PingPong, TINYSHELL, CordScan, SIGTRANslator, Fast Reverse Proxy, Microsocks Proxy, ProxyChains, LightBasin, UNC1945, Solaris, Linux, Telecomms, Internal specialist services, Enclave deployment
https://www.gosecure.net/blog/2018/02/14/chaos-a-stolen-backdoor-rising/ (#395) - uses:Go, Chaos (sebd), /malware/binaries/Chaos
https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/ (#114) - HabitsRAT
https://blog.talosintelligence.com/2018/06/vpnfilter-update.html (#54) - VPNFilter
https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-docker-control-api-and-community-image-abused-to-deliver-cryptocurrency-mining-malware/ (#344) - NGrok
https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (#770) - Initial Access, Persistence, Defense Evasion, Impact, uses:ProcessTreeSpoofing, uses:TamperedPS, uses:Python, attack:T1140:Deobfuscate/Decode Files or Information, attack:T1496:Resource Hijacking, attack:T1547.006:Kernel Modules and Extensions, attack:T1574.006:Dynamic Linker Hijacking, XHide, XMRig, Diamorphine, libprocesshider, Kiss-a-Dog, Linux, Cloud hosted services
https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/ (#98) - Persistence, Defense Evasion, Command and Control, RotaJakiro, wltm
https://www.akamai.com/blog/security-research/dhpcd-cryptominer-hid-four-years (#578) - Impact, dhcpcd, Linux, IOT
https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/ (#298) - RandomEXX
https://hybrid-analysis.com/sample/eb8826bac873442045a6a05f1fa25b410ca18db6942053f6d146467c00d5338d (#508) - Peer2Profit, Linux
https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (#744) - Reconnaissance, Initial Access, Defense Evasion, Lateral Movement, Exfiltration, Impact, uses:Go, attack:T1133:External Remote Services, attack:T1021:Remote Services, attack:T1021.004:SSH, attack:T1078.001:Default Accounts, attack:T1110:Brute Force, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1499:Endpoint Denial of Service, attack:T1498:Network Denial of Service, attack:T1480:Execution Guardrails, Kmsdbot, Linux, IOT
https://cybersecurity.att.com/blogs/labs-research/internet-of-termites (#517) - Command and Control, Exfiltration, Termite, EarthWorm, Earthwrom, Linux
https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html (#501) - Initial Access, Command and Control, uses:MiMi, uses:ElectronJS, rshell, wltm, Iron Tiger, Emissary Panda, APT27, Bronze Union, LuckyMouse, Linux, Collaboration across enterprise boundaries, Device application sandboxing
https://id-ransomware.blogspot.com/2021/11/polaris-ransomware.html (#398) - Polaris
https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (#803) - Defense Evasion, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, uses:Non-persistentStorage, attack:T1070.006:Timestomp, attack:T1070.004:File Deletion, BPFDoor, /malware/binaries/BPFDoor, wltm, Linux
https://conference.hitb.org/hitbsecconf2017ams/materials/D2T4%20-%20Emmanuel%20Gadaix%20-%20A%20Surprise%20Encounter%20With%20a%20Telco%20APT.pdf (#551) - Defense Evasion, Collection, Command and Control, Impact, vertical:Telecomms, uses:Perl, Plexing Eagle, Solaris, Telecomms, Internal specialist services
https://twitter.com/malwrhunterteam/status/1559636227485319168 (#500) - Impact, REvil, wltm, Linux
https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (#643) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, attack:T1573:Encrypted Channel, attack:T1106:Native API, attack:T1059.004: Unix Shell, attack:T1070.004:File Deletion, attack:T1036.004:Masquerade Task or Service, attack:T1070.006:Timestomp, uses:RedirectionToNull, uses:Non-persistentStorage, attack:T1036.005:Match Legitimate Name or Location, uses:ProcessTreeSpoofing, attack:T1562.004:Disable or Modify System Firewall, BPFDoor, /malware/binaries/BPFDoor, Unix.Backdoor.RedMenshen, Linux, Solaris
https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ (#117) - AcidRain
https://gist.github.com/unixfreaxjp/7b8bd6be614f7a051fc9a9da760d3138 (#362) - Initial Access, Command and Control, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux
https://twitter.com/captainGeech42/status/1657121312425365524 (#661) - Persistence, Defense Evasion, SystemBC, #662, Linux
https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/ (#299) - IPStorm, /malware/binaries/Unix.Trojan.Ipstorm
https://twitter.com/timb_machine/status/1450595881732947968 (#66) - #134, LightBasin, UNC1945, Solaris
https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (#64) - Defense Evasion, Discovery, Lateral Movement, Collection, Command and Control, Impact, attack:T1602.001:SNMP (MIB Dump), attack:T1070.002:Clear Linux or Mac System Logs, attack:T1046:Network Service Discovery, attack:T1018:Remote System Discovery, attack:T1110.002:Password Cracking, attack:T1110.003:Password Spraying, attack:T1555:Credentials from Password Stores, attack:T1040:Packet Capture, attack:T1071.001:Web Protocols, attack:T1071.002:File Transfer Protocols, attack:T1071.004:DNS, attack:T1021.002:SMB/Windows Admin Shares, attack:T1021.004:SSH, attack:T1021.005:VNC, attack:T1590:Gather Victim Network Information, attack:T1590.002:DNS, attack:T1027.002:Software Packing, attack:T1001:Data Obfuscation, attack:T1070.004:File Deletion, #134, STEELCORGI, netcat, unixcat, netcat-ssl, telnet, traceroute, traceroute-tcp, traceroute-tcpfin, traceroute-udp, traceroute-icmp, traceroute-all, tftpd, HEAD, GET, sniff, nfsshell, ssh, ricochet, axfr, whois, scanip, sctpscan, sdporn, rmiexec, arpmap, whois, who, ahost, resolv, adig, axfr, asrv, aspf, periscope, scanip.sh, aliveips.sh, brutus.pl, enum4linux.pl, mikro, ss, sshu, onesixtyone, snmpgrab, snmpcheck, ciscopush, mikrotik-client, bleach, clean, ssleak, decrypt-vpn, pogo, pogo2, sid-force, sshock, decrypt-cisco, decrypt-vnc, decrypt-cvs, LightBasin, UNC1945, Linux
https://old.reddit.com/r/LinuxMalware/comments/f26amt/new_systemten_botnet_miner_threat_now_wother/ (#357) - SystemTen (by malwaremustdie.org)
https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html (#442) - Impact, attack:T1486:Data Encrypted for Impact, Cheerscrypt, #544, Linux, VMware, Internal enterprise services, Internal specialist services
https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/ (#565) - Initial Access, Lateral Movement, Impact, #566, Sysrv, wltm, Linux, Internal enterprise services
https://securelist.com/a-bad-luck-blackcat/106254/?_sp=3b4159db-9e20-4bfa-a47f-f8671b594d75.1649770307513 (#118) - Impact, BlackCat, #512
https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (#452) - Persistence, Defense Evasion, Command and Control, attack:T1205:Traffic Signaling, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1556.003:Pluggable Authentication Modules, attack:T1574.006:Dynamic Linker Hijacking, #460, Symbiote, Linux
https://imgur.com/a/eBF7Mqe (#76) - Haiduc (by malwaremustdie.org) (by malwaremustdie.org)
https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html (#332) - NOTROBIN
https://igor-blue.github.io/2021/03/24/apt1.html (#302)
https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (#814) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:Non-persistentStorage, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, attack:T1037.004:RC Scripts, attack:T1098.004: SSH Authorized Keys, exploit:CVE-2023-35829, #710, #711, #724, Linux
https://imgur.com/a/8mFGk (#70) - httpsd (by malwaremustdie.org)
https://imgur.com/a/lAQ1tMQ (#78) - HelloBot (by malwaremustdie.org)
https://github.com/blackberry/threat-research-and-intelligence/raw/main/Talks/2023-01-30%20-%20SANS%20Cyber%20Threat%20Intelligence%20Summit%20%26%20Training%202023/Pedro%20Drimel%2C%20Jose%20Luis%20Sanchez%20Martinez%20-%20Practical%20CTI%20Analysis%20Over%202022%20ITW%20Linux%20Implants.pdf (#613)
https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/ (#471) - HiddenWasp, Linux
https://imgur.com/a/vS7xV (#75) - CarpeDiem (by malwaremustdie.org)
https://twitter.com/CraigHRowland/status/1523266585133457408 (#424) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, #418, DecisiveArchitect, Linux
https://unit42.paloaltonetworks.com/alloy-taurus/ (#646) - Command and Control, attack:T1071:Application Layer Protocol, attack:T1071.001:Web Protocols, attack:T1132:Data Encoding, attack:T1132.001:Standard Encoding, attack:T1573:Encrypted Channel, attack:T1573.001:Symmetric Cryptography, Sword2033, PingBull, wltm, Alloy Taurus, GALLIUM, Soft Cell, Linux
https://www.signalblur.io/through-the-looking-glass (#756) - Impact, attack:T1486:Data Encrypted for Impact, wltm, RedAlert, Conti, BlackBasta, Sodinokibi, REvil, BlackMatter, DarkSide, Defray777, RansomEXX, HelloKitty, ViceSociety, Royal, BlackSuit, RTM Locker, Hive, GonnaCry, Erebus, eChOraix, QNAPCrypt, Cylance, Polaris, Linux, VMware, Internal enterprise services, Internal specialist services
https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ (#470) - Lightning, /malware/binaries/Lightning, Linux
https://twitter.com/IntezerLabs/status/1338480158249013250 (#301) - Promotei
https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (#817) - Resource Development, Persistence, Defense Evasion, attack:T1542.003:Bootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1587.00:Malware, attack:T1587.002Code Signing Certificates, attack:T1106:Native API, attack:T1129:Shared Modules, attack:T1574.006:Dynamic Linker, attack:T1542.003, attack:T1014:Rootkit, attack:T1562:Impair Defenses, attack:T1564:Hide Artifacts, Bootkitty, BCDropper, BCObserver, Linux, Consumer, Internal enterprise services, Enterprise with satellite facilities, Enterprise with contracted services and/or non-employee access
https://imgur.com/a/4YxuSfV (#79) - Cayosin (by malwaremustdie.org)
https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (#723) - Defense Evasion, Command and Control, Impact, uses:Python, attack:T1496:Resource Hijacking, attack:T1620:Reflective Code Loading, attack:T1102:Web Service, attack:T1190:Exploit Public-Facing Application, attack:T1105:Ingress Tool Transfer, attack:T1140:Deobfuscate/Decode Files or Information, attack:T1027.002:Software Packing, uses:Non-persistentStorage, PyLoose, XMRig, Linux
https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html (#366) - AirDropBot (by malwaremustdie.org)
https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors (#729) - Persistence, Command and Control, SEASPY, #730, SUBMARINE, #731, Linux
https://imgur.com/a/qqgfFXf (#60) - Mirai (by malwaremustdie.org)
https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt (#320) - Gafgyt
https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (#527) - Defense Evasion, Discovery, Execution, Persistence, Privilege Escalation, attack:T1036.005:Match Legitimate Name or Location, attack:T1059:Command and Scripting Interpreter, attack:T1569:System Service, attack:T1569.002:Service Execution, attack:T1543:Create or Modify System Process, attack:T1027:Obfuscated Files or Information, uses:Non-persistentStorage, attack:T1057:Process Discovery, attack:T1070.004:File Deletion, attack:T1546.004:Unix Shell, exploit:CVE-2021-3493, exploit:CVE-2021-4034, #510, Shikitega, /malware/binaries/Shikitega, XMRig, Linux
https://imgur.com/a/SSKmu (#77) - Rebirth, Vulcan (by malwaremustdie.org)
https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf (#345) - WellMail (APT29)
https://int0x33.medium.com/day-27-tiny-shell-48df6abb0d5d (#616) - Command and Control, TSH, TINYSHELL, #481
https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (#434) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, #420, #418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
https://blogs-jpcert-or-jp.translate.goog/ja/2023/07/dangerouspassword_dev.html (#721) - Defense Evasion, Command and Control, uses:Python, uses:JavaScript, attack:T1140:Deobfuscate/Decode Files or Information, PythonHTTPBackdoor, wltm, DangerousPassword, CryptoMimic, SnatchCrypto, Linux
https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/ (#311) - HelloKitty
https://twitter.com/malwrhunterteam/status/1422972905541996546 (#374) - Impact, attack:T1486:Data Encrypted for Impact, Encryptor, Linux, VMware
https://blog.sekoia.io/walking-on-apt31-infrastructure-footprints/ (#478) - #480, Rekoobe, TSH, #481, APT31, Linux
https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware (#639) - Command and Control, AP36, Transparent Tribe, Poseidon, Linux
https://imp0rtp3.wordpress.com/2021/11/25/sowat/ (#400) - Command and Control, #140, #131, SoWaT, APT31, Zirconium
https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (#441) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, #420, #418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris
https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (#678) - Reconnaissance, Initial Access, Persistence, Privilege Escalation, Defense Evasion, attack:T1594:Search Victim-Owned Websites, attack:T1589:Gather Victim Identity Information, attack:T1589.001:Credentials, attack:T1133:External Remote Services, attack:T1078:Valid Accounts, Legion, wltm, Linux, Cloud hosted services
https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (#686) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, Linux
https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux (#685) - Impact, RTM Locker, Linux
https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github (#97) - Botenago
https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (#95) - Command and Control, Defense Evasion, Persistence, Discovery, attack:T1102:Web Service, attack:T1071.001:Web Protocols, attack:T1573.001:Symmetric Cryptography, attack:T1573:Encrypted Traffic, attack:T1053.003:Cron, attack:T1033:System Owner/User Discovery, attack:T1016:System Network Configuration Discovery, attack:T1070.004:File Deletion, uses:RedirectionToNull, delivery:NPM, SysJoker, wltm, Linux
https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/ (#342) - Doki
https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery (#488) - Initial Access, Lateral Movement, Impact, RapperBot, /malware/binaries/RapperBot, Linux
https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf (#407) - Impact, attack:T1567:Financial Theft, #135, FastCash, HiddenCobra, Lazarus, APT38, AIX, Banking, Internal specialist services
https://unit42.paloaltonetworks.com/pgminer-postgresql-cryptocurrency-mining-botnet/ (#351) - PGMiner
https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/ (#671) - Persistence, Defense Evasion, Command and Control, Horse Shell, wltm, Camaro Dragon, Linux, IOT, Telecomms
https://www.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies (#758) - Persistence, Defense Evasion, Impact, attack:T1486:Data Encrypted for Impact, Gwisin, Spirit, Linux, VMware
https://s.tencent.com/research/report/1177.html (#384)
https://twitter.com/IntezerLabs/status/1272915284148531200 (#341) - Lazarus
https://pastebin.com/Z3sXqDCA (#89) - Mozi (by malwaremustdie.org)
https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-exploited-to-attack-gaming-servers/ (#319) - Gafgyt
https://unit42.paloaltonetworks.com/watchdog-cryptojacking/ (#324) - WatchDog
https://blog.netlab.360.com/a-new-mining-botnet-blends-its-c2s-into-ngrok-service/ (#343) - NGrok
https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (#447) - Persistence, Defense Evasion, Discovery, Command and Control, attack:T1027:Obfuscated Files or Information, attack:T1053.003:Cron, attack:T1082:System Information Discovery, attack:T1132:Data Encoding, attack:T1564.001:Hidden Files and Directories, Buni, APT32, Ocean Lotus
https://twitter.com/ankit_anubhav/status/1490574137370103808 (#483) - Privilege Escalation, Defense Evasion, Persistence, Command and Control, Log4J, attack:T1548:Abuse Elevation Control Mechanism, #482, Linux
https://imgur.com/a/53f29O9 (#61) - Mirai (by malwaremustdie.org)
https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/ (#315) - Gafgyt
https://vblocalhost.com/conference/presentations/shades-of-red-redxor-linux-backdoor-and-its-chinese-origins/ (#408) - Linux
https://asec.ahnlab.com/ko/55070/ (#709) - Command and Control, Defense Evasion, #722, attack:T1036.005:Match Legitimate Name or Location, attack:T1573.001:Symmetric Encryption, uses:ProcessTreeSpoofing, Rekoobe, TINYSHELL, APT31, Linux, Solaris
https://sysdig.com/blog/cloud-defense-in-depth/ (#713) - Initial Access, Lateral Movement, KinSing, Linux
https://blogs.vmware.com/security/2021/09/hellokitty-the-victims-perspective.html (#546) - Impact, attack:T1486:Data Encrypted for Impact, wltm, Linux
https://twitter.com/malwaremustd1e/status/1237080802581565440 (#359) - Mozi (by malwaremustdie.org)
https://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/ (#513) - Collection, Impact, Linux
https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ (#404) - Hildegard, TeamTNT
https://unit42.paloaltonetworks.com/blackcat-ransomware/ (#108) - Impact, BlackCat, #512
https://blog.malwarebytes.com/cybercrime/2022/03/a-new-rootkit-comes-to-an-atm-near-you/ (#120) - CAKETAP, UNC2891, Solaris
https://www.cadosecurity.com/redis-p2pinfect/ (#741) - Initial Access, Linux
https://blogs.jpcert.or.jp/en/2023/05/gobrat.html (#682) - Command and Control, uses:Go, GobRAT, Linux, Telecomms
https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces (#115) - Impact, KinSing
https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ (#373) - Initial Access, Persistence, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1505.003:Web Shell, Prophet Spider, Linux
https://www.sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/ (#402) - Cloud Shovel
https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/ (#566) - Impact, XMRig, Sysrv, wltm, Linux
https://www.mandiant.com/resources/blog/messagetap-who-is-reading-your-text-messages (#542) - Defense Evasion, Discovery, Collection, Exfiltration, vertical:Telecomms, attack:T1040:Network Sniffing, uses:Non-persistentStorage, attack:T1070.004:File Deletion, MESSAGETAP, /malware/binaries/MESSAGETAP, APT41, Linux, Telecomms, Internal specialist services
https://imgur.com/a/y5BRx (#86) - r57shell (by malwaremustdie.org)
https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits (#392) - Botenago
https://asec.ahnlab.com/en/49769/ (#624) - Initial Access, Command and Control, Impact, attack:T1078:Valid Accounts, attack:T1071.001:Web Protocols, attack:T1499:Endpoint Denial of Service, attack:T1105:Ingress Tool Transfer, ShellBot, Linux, Consumer
https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (#725) - Defense Evasion, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, BPFDoor, /malware/binaries/BPFDoor, Unix.Backdoor.RedMenshen, DecisiveArchitect, Linux, Solaris
https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf (#333) - Cloud Snooper
https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf (#100) - Cyclops Blink
https://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html (#57) - Mirai (by malwaremustdie.org)
https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html (#63) - #134, SLAPSTICK, LightBasin, UNC1945, Solaris
https://honeynet.onofri.org/scans/scan13/som/som5.txt (#389) - Luckscan, UNC1945
https://asec.ahnlab.com/en/50316/ (#621) - Defense Evasion, Discovery, Command and Control, Impact, attack:T1036.005:Match Legitimate Name or Location, attack:T1499:Endpoint Denial of Service, attack:T1082:System Information Discovery, attack:T1095:Non-Application Layer Protocol, uses:ProcessTreeSpoofing, uses:Non-persistentStorage, uses:RedirectionToNull, DDoSClient, ChinaZ, Linux
https://www.trendmicro.com/en_gb/research/19/f/cryptocurrency-mining-botnet-arrives-through-adb-and-spreads-through-ssh.html (#55) - CoinMiner
https://blog.xlab.qianxin.com/mirai-tbot-en/ (#788) - Initial Access, Command and Control, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1133:External Remote Services, attack:T1078:Valid Accounts, attack:T1498:Network Denial of Service, attack:T1027:Obfuscated Files or Information, Mirai, TBOT, Linux, IOT
https://sansec.io/research/nginrat (#94) - Defense Evasion, uses:Non-persistentStorage, attack:T1036.005:Match Legitimate Name or Location, attack:T1574.006:Dynamic Linker Hijacking, attack:T1027:Obfuscated Files or Information, uses:ProcessTreeSpoofing, NginRAT, wltm
https://threatfabric.com/blogs/vultur-v-for-vnc.html (#379) - Vultur, Brunhilda, #Android
https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/ (#444) - EnemyBot, Linux
https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/ (#329) - Zirconium, APT31
https://www.cadosecurity.com/legion-an-aws-credential-harvester-and-smtp-hijacker/ (#679) - Initial Access, Persistence, Impact, Legion, wltm, Linux, Cloud hosted services
https://permiso.io/blog/s/legion-mass-spam-attacks-in-aws/ (#681) - Persistence, Impact, Legion, wltm, Linux, Cloud hosted services
https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ (#655) - Initial Access, Persistence, Privilege Escalation, attack:T1566.001:Spearphishing Attachment, attack:T1546.004:Unix Shell Configuration Modification, uses:RedirectionToNull, uses:Go, wltm, OdicLoader, SimplexTea, Lazarus, Linux
https://raw.githubusercontent.com/bg6cq/ITTS/master/security/mine/README.md (#352) - ITTS
https://twitter.com/_larry0/status/1143532888538984448 (#51) - Silex
https://www.trendmicro.com/en_ca/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html (#380) - Persistence, Defense Evasion, Impact, KinSing
https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html (#59) - Mirai (by malwaremustdie.org)
https://blog.talosintelligence.com/2018/05/VPNFilter.html (#53) - VPNFilter
https://twitter.com/CraigHRowland/status/1628883826738077696/photo/1 (#612) - Defense Evasion, Persistence, attack:T1547.006:Kernel Modules and Extensions
https://blog.sucuri.net/2023/04/balada-injector-synopsis-of-a-massive-ongoing-wordpress-malware-campaign.html (#637) - Initial Access, Balada, Linux, Hosting, Consumer, Cloud hosted services
https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/ (#91) - Muhstik
https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc (#786) - Exfiltration, Impact, location:Israel, attack:T1561.001:Disk Content Wipe, attack:T1485:Data Destruction, attack:T1048.003:Exfiltration Over Unencrypted Non-C2 Protocol, Cyber Toufan, Linux
https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites (#598) - Initial Access, Command and Control, uses:Go, GoTrim, Linux, Enterprise with public/Customer-facing services
https://old.reddit.com/r/LinuxMalware/comments/7qd27e/linuxss_aka_shark_hacktool_syn_scanner_wpcap/ (#71) - SS, Shark (by malwaremustdie.org)
https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/ (#656) - Impact, attack:T1486:Data Encrypted for Impact, Cl0p, wltm, Linux, Internal enterprise services
https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (#397) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1574.006:Dynamic Linker Hijacking, attack:T1205.002:Socket Filtering, Umbreon
https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability (#337) - Impact, Persistence, Impact, KinSing
https://www.welivesecurity.com/wp-content/uploads/2021/10/eset_fontonlake.pdf (#641) - FontOnLake, Linux
https://ultimacybr.co.uk/2023-10-04-Sysrv/ (#767) - Persistence, Defense Evasion, Impact, attack:T1496:Resource Hijacking, uses:Go, Sysrv, Linux
https://asec.ahnlab.com/en/55229/ (#722) - Defense Evasion, Command and Control, #709, attack:T1036.005:Match Legitimate Name or Location, attack:T1573.001:Symmetric Encryption, uses:ProcessTreeSpoofing, Rekoobe, TINYSHELL, APT31, Linux, Solaris
https://twitter.com/ESETresearch/status/1454100591261667329?s=20 (#390) - Hive
https://mp.weixin.qq.com/s/BSfKTlMlOnNlsWKjV1NM8w (#394) - NAMO
https://www.trendmicro.com/en_gb/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html (#111) - Persistence, Privilege Escalation, Impact, attack:T1547.006:Kernel Modules and Extensions, SkidMap
https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html (#698) - Impact, BlackSuit, Linux
https://twitter.com/malwaremustd1e/status/1264417940742389762 (#316) - Gafgyt (by malwaremustdie.org)
https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html (#789) - Defense Evasion, Discovery, Command and Control, attack:T1090:Proxy, uses:ProcessTreeSpoofing, attack:T1027:Obfuscated Files or Information, attack:T1082:System Information Discovery, SprySOCKS, Mandibule, #170, Earth Lusca, Linux
https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html (#334) - TSCookie
https://www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spam-servers/ (#68) - Mumblehard
https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (#432) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, #420, #418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
https://twitter.com/jhencinski/status/1451592508157345793 (#387) - Impact, XMRig
http://www.thedarkside.nl/honeypot/microbul.html (#388)
https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (#468) - Persistence, Defense Evasion, uses:LD_PRELOAD, attack:T1574.006:Dynamic Linker Hijacking, attack:T1548.001:Setuid and Setgid, attack:T1556.003:Pluggable Authentication Modules, attack:T1027:Obfuscated Files or Information, attack:T1082:System Information Discovery, attack:T1562.001:Disable or Modify Tools, attack:T1003.007:Proc Filesystem, attack:T1563.001:SSH Hijacking, uses:PortHiding, uses:Non-persistentStorage, OrBit, /malware/binaries/OrBit, Linux
https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (#312) - Persistence, Impact, Defense Evasion, Privilege Escalation, attack:T1565.002:Transmitted Data Manipulation, attack:T1055:Process Injection, attack:T1055.009:Proc Memory, attack:T1564.001:Hidden Files and Directories, attack:T1574:Hijack Execution Flow, attack:T1567:Financial Theft, #135, FastCash, #815, #407, Hidden Cobra, AIX, Banking
https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/ (#65) - Qemu, #134, LightBasin, UNC1945
https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/ (#714) - Initial Access, Defense Evasion, attack:T1190:Exploit Public-Facing Application, attack:T1480.001:Environmental Keying, Mirai, Linux, IOT
https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys/ (#680) - Initial Access, Persistence, Androxgh0st, wltm, Linux, Cloud hosted services
https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ (#339) - Kaiji
https://blog.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies (#496) - Impact, attack:T1486:Data Encrypted for Impact, region:South Korea, vertical:Pharmaceutical, Gwisin, wltm, Linux, VMware, Industrial, Internal specialist services
https://old.reddit.com/r/LinuxMalware/comments/a66dsz/ddostf_still_lurking_arm_boxes/ (#72) - DDoSTF (by malwaremustdie.org)
https://twitter.com/IntezerLabs/status/1288487307369222145 (#331) - TrickBot
https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (#90) - Impact, uses:k8s, uses:Non-persistentStorage, attack:T1190:Exploit Public-Facing Application, attack:T1505.003:Web Shell, attack:T1105:Ingress Tool Transfer, attack:T1053.003:Cron, attack:T1037.004:RC Scripts, Muhstik, wltm
https://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/ (#348) - Rakos
https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan (#732) - Persistence, Defense Evasion, Command and Control, Linux, Hosting
https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (#692) - Execution, Persistence, Defense Evasion, Credential Access, Command and Control, attack:T1552:Unsecured Credentials, attack:T1212:Exploitation for Credential Access, attack:T1562:Impair Defenses, attack:T1580:Cloud Infrastructure Discovery, attack:T1525:Implant Internal Image, attack:T1102:Web Service, UNC3886, Linux, VMware
https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (#700) - Persistence, Defense Evasion, Credential Access, Discovery, Impact, attack:T1110:Brute Force, uses:SHC, attack:T1057:Process Discovery, attack::T1003.008:/etc/passwd and /etc/shadow, attack:T1098.004:SSH Authorized Keys, attack:T1556:Modify Authentication Process, Reptile, #171, Diamorphine, #217, ZiggyStarTux, #701, Linux, IOT, Consumer
https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (#778) - Reconnaissance, Initial Access, Persistence, Privilege Escalation, Defense Evasion, Impact, attack:T1496:Resource Hijacking, uses:k8s, attack:T1140:Deobfuscate/Decode Files or Information, uses:Python, attack:T1611:Escape to Host, attack:T1562.008:Disable or Modify Cloud Logs, attack:T1027.004:Compile After Delivery, attack:T1547.006:Kernel Modules and Extensions, attack:T1574.006:Dynamic Linker Hijacking, uses:ProcessTreeSpoofing, attack:T1190:Exploit Public-Facing Application, attack:T1595.002:Vulnerability Scanning, uses:ModifyServerShell, delivery:Redis, uses:Redis, XMRig, Diamorphine, libprocesshider, Pnscan, Zgrab, Masscan, Kiss-A-Dog, TeamTNT, Linux, Cloud hosted services
https://twitter.com/malwaremustd1e/status/1235595880041873408 (#358) - Hajimi (by malwaremustdie.org)
https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (#321) - Execution, Persistence, Privilege Escalation, Command and Control, Exfiltration, Impact, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1573:Encrypted Channel, attack:T1071.001:Web Protocols, attack:T1053.003:Cron, attack:T1486:Data Encrypted for Impact, DarkSide, UNC2628, UNC2659, UNC2465, Linux
https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version (#309) - REvil
https://imgur.com/a/DWKK5 (#84) - Persistence, Command and Control, Tsunami, Kaiten (by malwaremustdie.org), Linux
https://www.group-ib.com/blog/krasue-rat/ (#797) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, uses:AbnormalSignal, attack:T1071:Application Layer Protocol, uses:RTSP, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1205:Traffic Signaling, Krasue, Diamorphine, #217, Suterusu, #491, Rooty, #440, Linux
https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (#524) - Initial Access, Execution, Persistence, Discovery, Lateral Movement, Command and Control, Exfiltration, uses:Go, attack:T1573:Encrypted Channel, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1021.004:SSH, attack:T1057:Process Discovery, attack:T1552.004:Private Keys, attack:T1190:Exploit Public-Facing Application, Chaos, /malware/binaries/Chaos, Linux
https://www.virusbulletin.com/virusbulletin/2014/07/mayhem-hidden-threat-nix-web-servers (#382) - Mayhem
https://www.cisa.gov/news-events/analysis-reports/ar23-209a (#731) - Persistence, #729, SUBMARINE, wltm, Linux
https://www.bitdefender.com/files/News/CaseStudies/study/319/Bitdefender-PR-Whitepaper-DarkNexus-creat4349-en-EN-interactive.pdf (#518) - DarkNexus, Linux
https://twitter.com/billyleonard/status/1458531997576572929 (#480) - Rekoobe, TSH, TINYSHELL, #481, APT31, Linux
https://lab52.io/blog/looking-for-penquins-in-the-wild/ (#594) - Persistence, Defense Evasion, Command and Control, Penquin, Turla, Linux
https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/ (#690) - Command and Control, attack:T1572:Protocol Tunneling, ChamelDoh, wltm, ChamelGang, Linux
https://www.virustotal.com/gui/file/bf3ebc294870a6e743f021f4e18be75810149a1004b8d7c8a1e91f35562db3f5/detection (#644) - Impact, attack:T1486:Data Encrypted for Impact, LockBit, /malware/binaries/Multios.Ransomware.Lockbit, Linux
https://www.intezer.com/blog/research/acbackdoor-analysis-of-a-new-multiplatform-backdoor/ (#549) - ACBackdoor, wltm, Linux
https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html (#490) - uses:Go, Manjusaka, Linux
https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 (#702) - Initial Access, Discovery, Command and Control, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1057:Process Discovery, attack:T1498:Network Denial of Service, Condi, Linux, IOT
https://old.reddit.com/r/LinuxMalware/comments/gdte0m/linuxkaiji/ (#340) - Kaiji (by malwaremustdie.org)
https://xorl.wordpress.com/2022/06/22/the-forgotten-suaveeyeful-freebsd-software-implant-of-the-equation-group/ (#474) - Linux, FreeBSD
https://imgur.com/a/57uOiTu (#80) - DDoSMan (by malwaremustdie.org)
https://twitter.com/avastthreatlabs/status/1430527767855058949 (#492) - HCRootkit, #491, Linux
https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/ (#52) - GodLua
https://twitter.com/IntezerLabs/status/1326880812344676352 (#330) - AgeLocker
https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (#716) - Defense Evasion, Credential Access, Discovery, Command and Control, attack:T1110.003:Password Spraying, attack:T1057:Process Discovery, attack:T1082:System Information Discovery, attack:T1480.001:Environmental Keying, attack:T1573:Encrypted Channel, AVrecon, #717, Linux, IOT
https://www.akamai.com/blog/security/new-p2p-botnet-panchan (#476) - Pan-chan, #477, Linux
https://honeynet.onofri.org/scans/scan13/som/som13.txt (#385) - Luckscan, UNC1945
https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/ (#110) - b1txor20
https://cyberplace.social/@GossiTheDog/110516069484635011 (#703) - Resource Development, BPFDoor, /malware/binaries/BPFDoor, Linux
https://imgur.com/a/MuHSZtC (#81) - Mandibule (by malwaremustdie.org)
https://blog.talosintelligence.com/lazarus-collectionrat/ (#752) - Command and Control, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, DeimosC2, #751, HiddenCobra, Lazarus, APT38, Linux
https://blogs.blackberry.com/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors (#305) - Tycoon
https://asec.ahnlab.com/en/54647/ (#707) - Defense Evasion, Credential Access, Command and Control, Impact, attack:T1110:Brute Force, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1496:Resource Hijacking, attack:T1498:Network Denial of Service, uses:IRC, XMRig, ShellBot, MIG Logcleaner, #154, Tsunami, Kaiten, 0x333shadow Log Cleaner, #706, ChinaZ, Linux
https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (#720) - Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Impact, attack:T1496:Resource Hijacking, attack:T1608:Stage Capabilities, attack:T1053.003:Cron, attack:T1027.002:Software Packing, attack:T1543.002:Systemd Service, attack:T1037.004:RC Scripts, attack:T1574.006:Dynamic Linker Hijacking, attack:T1036.005:Match Legitimate Name or Location, attack:T1190:Exploit Public-Facing Application, attack:T1110:Brute Force, uses:KillCompetition, XMRig, Rocke, Linux
https://twitter.com/ESETresearch/status/1410864752948043778 (#104) - Specter, SideWalk, StageClient
https://pastebin.com/raw/mEape37E (#355) - SystemTen (by malwaremustdie.org)
https://twitter.com/billyleonard/status/1417910729005490177 (#69) - #329, #131, Zirconium, APT31
https://twitter.com/malwaremustd1e/status/1379028201075187716 (#365) - DGAbot (by malwaremustdie.org)
https://zhuanlan.zhihu.com/p/348960748 (#403) - Impact, Command and Control, Lateral Movement, Persistence, Cloud Shovel
https://twitter.com/CraigHRowland/status/1422009387686645761 (#353) - ITTS

Malware samples

Malware binaries

https://samples.vx-underground.org/APTs/2020/2020.11.02/ (#134) - /malware/binaries/UNC1945, LightBasin, UNC1945, Solaris
https://bazaar.abuse.ch/browse/signature/Mirai/ (#127) - Mirai, /malware/binaries/Unix.Exploit.Mirai, /malware/binaries/Unix.Dropper.Mirai, /malware/binaries/Unix.Trojan.Mirai
https://github.com/eset/malware-ioc/tree/master/kobalos (#137) - Kobalos
https://bazaar.abuse.ch/browse/signature/Gafgyt/ (#128) - Gafgyt, /malware/binaries/Unix.Trojan.Gafgyt
https://github.com/tstromberg/malware-menagerie (#795) - Impact, attack:T1496:Resource Hijacking, QubitStrike, StripedFly, Linux
https://github.com/eset/malware-ioc/tree/master/rakos (#132) - Rakos
https://bazaar.abuse.ch/browse/tag/elf/ (#122)
https://www.virustotal.com/gui/file/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2/detection (#131) - SoWaT, /malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips, APT31, Zirconium
https://samples.vx-underground.org/samples/Families/VermilionStrike/ (#136) - CobaltStrike, VermilionStrike, /malware/binaries/VermilionStrike
https://twitter.com/nunohaien/status/1261281420791742464 (#125)
https://www.virustotal.com/gui/file/c69ee0f12a900adc654d93aef9ad23ea56bdfae8513e534e1a11dca6666d10aa/detection (#126) - wltm
https://github.com/hardenedvault/bootkit-samples (#103)
https://bazaar.abuse.ch/browse/signature/XorDDoS/ (#129) - Initial Access, Credential Access, Impact, attack:T1078:Valid Accounts, attack:T1100:Brute Force, attack:T1498:Network Denial of Service, XorDDoS, /malware/binaries/Unix.Trojan.Xorddos, /malware/binaries/Unix.Malware.Xorddos, Linux
https://github.com/x0rz/EQGRP (#138)
https://github.com/AngelGuyu/spirit (#757) - Persistence, Defense Evasion, Spirit, Gwisin, Linux
https://github.com/MalwareSamples/Linux-Malware-Samples (#123)
https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (#418) - Persistence, Defense Evasion, Command and Control, #419, #424, #425, #426, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor client?, /malware/binaries/BPFDoor/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c.elf.x86_64, Unix.Backdoor.RedMenshen, Tricephalic Hellkeeper, JustForFun, https://www.hybrid-analysis.com/sample/591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78, DecisiveArchitect, Linux
https://bazaar.abuse.ch/browse/tag/blackcat/ (#512) - Impact, #118, #109, #108, #107, #41, BlackCat, /malware/binaries/BlackCat, Linux
https://bazaar.abuse.ch/sample/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9/ (#139) - Polaris, /malware/binaries/Unix.Ransomware.Polaris/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9.elf.x86_64
https://github.com/darrenmartyn/malware_samples (#530) - Execution, Persistence, Defense Evasion, Discovery, uses:ProcessTreeSpoofing, uses:RedirectionToNull, attack:T1546.004:Unix Shell, attack:T1574.006:Dynamic Linker Hijacking, attack:T1057:Process Discovery, attack:T1036.005:Match Legitimate Name or Location, lib__mdma, Linux
https://bazaar.abuse.ch/sample/05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d/ (#751) - Command and Control, Exfiltration, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, uses:Go, DeimosC2, /malware/binaries/Unix.Backdoor.DeimosC2, Linux
https://github.com/blackorbird/APT_REPORT (#124)
https://tria.ge/s?q=tag%3alinux (#121)
https://www.virustotal.com/gui/file/3b7a06c53ec0f2ce7b9de4cae9e6e765fd18dc1f2ff522c0ccd9c8c3f9e79532/detection (#141) - Linikatz
https://samples.vx-underground.org/samples/Families/Fastcash/ (#135) - Impact, FastCash, /malware/binaries/FastCash, #312, #815, #407, HiddenCobra, Lazarus, APT38, AIX, Banking, Internal specialist services, Enclave deployment
https://bazaar.abuse.ch/sample/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2/ (#140) - SoWaT, /malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips, APT31, Zirconium
https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (#420) - Persistence, Defense Evasion, Command and Control, #421, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, /malware/binaries/BPFDoor/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a.elf.sparc, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Solaris
https://bazaar.abuse.ch/sample/d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4/ (#662) - Persistence, Defense Evasion, attack:T1053.003:Cron, uses:Non-persistentStorage, uses:RedirectionToNull, #661, SystemBC, /malware/binaries/SystemBC, Linux
https://analyze.intezer.com/files/85e72976b9448295034a8d4c26462b8f1ebe1ca0a4e4b897c7f2404d0de948c2 (#133) - WellMail, wltm, APT29
https://github.com/Caprico1/kinsing (#454) - Persistence, Impact, KinSing, Linux
https://samples.vx-underground.org/APTs/2021/2021.10.11/ (#409) - FontOnLake, /malware/binaries/FontOnLake, Linux
https://bazaar.abuse.ch/browse/tag/Symbiote/ (#460) - Persistence, Defense Evasion, Command and Control, #452, attack:T1205:Traffic Signaling, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1556.003:Pluggable Authentication Modules, attack:T1574.006:Dynamic Linker Hijacking, /malware/binaries/Symbiote, Symbiote, Linux

Malware source

https://github.com/shadow1ng/fscan (#564) - Initial Access, Lateral Movement, uses:Go, Alchimist, fscan, /malware/binaries/Alchimist/UPX/fscan, Linux
https://github.com/0x27/linux.mirai (#142) - Mirai
https://github.com/chokepoint/Jynx2 (#531) - Persistence, Defense Evasion, Linux
https://gitlab.com/rav7teif/linux.wifatch (#144) - Initial Access, Persistence, Command and Control, Lateral Movement, Linux.Wifatch
https://github.com/NexusBots/Umbreon-Rootkit (#149) - Umbreon Rootkit
https://github.com/0x27/sebd-0.2 (#148) - sebd 0.2 source code (a fix of 0.1)
https://packetstormsecurity.com/files/31345/0x333shadow.tar.gz.html (#706) - Defense Evasion, attack:T1070.002:Clear Linux or Mac System Logs, 0x333shadow Log Cleaner, Linux, Solaris, Freebsd, IRIX
https://pastebin.com/jkndLHQf (#145) - FinFisher
http://www.afn.org/~afn28925/wipe.c (#153) - UNC2891
https://github.com/HeapAllocate/sterben (#150) - sterben
https://github.com/chenkaie/junkcode/blob/master/xhide.c (#775) - Defense Evasion, uses:ProcessTreeSpoofing, XHide, Linux
https://pastebin.com/kmmJuuQP (#802) - Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, uses:Non-persistentStorage, uses:ProcessTreeSpoofing, BPFDoor, /malware/binaries/BPFDoor, Unix.Backdoor.RedMenshen, Linux
https://github.com/gianlucaborello/libprocesshider (#776) - Defense Evasion, uses:ProcessTreeSpoofing, attack:T1574.006:Dynamic Linker Hijacking, libprocesshider, Linux
https://github.com/isdrupter/ziggystartux (#701) - Impact, Linux
https://github.com/Kabot/mig-logcleaner-resurrected (#154) - Defense Evasion, attack:T1070.002:Clear Linux or Mac System Logs, MIG Logcleaner, UNC2891, Linux, Solaris, BSD
https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (#711) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, #710, #724, #814, Linux
https://github.com/arialdomartini/morris-worm (#694) - Initial Access, Execution, Discovery, Lateral Movement
https://packetstormsecurity.com/files/23336/Slx2k001.txt.html (#152) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, UNC2891
https://github.com/vxunderground/MalwareSourceCode/tree/main/Linux (#143)
https://github.com/jwne/caffsec-malware-analysis/blob/master/mIRChack/pscan2.c (#147) - pscan (similar code to luckscan)
https://pastebin.com/raw/kmmJuuQP (#426) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, #418, DecisiveArchitect, Linux

Malware PoCs

https://github.com/MegaManSec/SSH-Snake (#791) - Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services
https://github.com/chokepoint/azazel (#191)
https://github.com/m0nad/Diamorphine (#217) - Persistence, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, Diamorphine, Linux
https://github.com/liamg/memit (#200)
https://github.com/codewhitesec/apollon (#734) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, uses:Auditd, Linux
https://github.com/timb-machine-mirrors/phath0m-JadedWraith (#165)
https://github.com/compilepeace/KAAL_BHAIRAV (#202)
https://github.com/EvelynSubarrow/IridiumScorpion (#183)
https://github.com/aviat/passe-partout (#704) - Credential Access, attack:T1649:Steal or Forge Authentication Certificates, attack:T1563.001:SSH Hijacking, Linux, AIX, Solaris, HP-UX
https://github.com/QuokkaLight/rkduck (#667) - Persistence, Defense Evasion, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1056.001:Keylogging, attack:T1564.001:Hidden Files and Directories, attack:T1021.004:SSH, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, Linux
https://github.com/elfmaster/saruman (#220)
https://packetstormsecurity.com/files/author/3859/ (#553) - Persistence, Defense Evasion, uses:DTrace, SInAR, /malware/pocs/SInAR, Archim, Solaris, Internal specialist services, Device application sandboxing
https://github.com/gaffe23/linux-inject (#210)
https://github.com/elfmaster/linker_preloading_virus (#211)
https://github.com/reveng007/reveng_rtkit (#669) - Persistence, Privilege Escalation, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attacK:T1548:Abuse Elevation Control Mechanism, Linux
https://github.com/schrodyn/bad_UDP (#453) - Linux
https://github.com/mufeedvh/moonwalk (#208)
https://github.com/alexander-pick/apinject (#608) - Defense Evasion, attack:hT1055.008:Ptrace System Calls, Linux
https://github.com/h3xduck/TripleCross (#465) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, Linux
https://github.com/guitmz/midrashim (#664) - Persistence, attack:T1577:Compromise Application Executable, Linux
https://github.com/stealth/devpops (#192) - DevPops by stealth (not really malicious, has guard rails)
https://packetstormsecurity.com/files/22121/cd00r.c.html (#597) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, cd00r, Linux
https://github.com/X-C3LL/memdlopen-lib (#605) - Defense Evasion, attack:T1620:Reflective Code Loading, Linux
https://github.com/f0rb1dd3n/Reptile (#171)
https://github.com/blendin/3snake (#189)
https://github.com/elfmaster/kprobe_rootkit (#223)
https://github.com/trustedsec/ELFLoader (#416) - Defense Evasion, attack:T1620:Reflective Code Loading, attack:T1027:Obfuscated Files or Information, Linux, Solaris, Cloud hosted services, Internal enterprise services, Internal specialist services, Enterprise with public/Customer-facing services, Device application sandboxing
https://github.com/ixty/mandibule (#170)
https://github.com/h3xduck/Umbra (#668) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1095:Non-Application Layer Protocol, attack:T1486:Data Encrypted for Impact, attacK:T1548:Abuse Elevation Control Mechanism, Linux
https://github.com/noptrix/fbkit (#684) - Persistence, Privilege Escalation, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1205.002:Socket Filters, attack:T1548.001:Setuid and Setgid, FreeBSD
https://github.com/airman604/jdbc-backdoor (#607) - Persistence, Privilege Escalation, Defense Evasion, attack:T1574.002:DLL Side-Loading, Linux, Internal enterprise services, Internal specialist services
https://github.com/tarcisio-marinho/GonnaCry (#486) - Impact, Linux
https://www.guitmz.com/linux-nasty-elf-virus/ (#642) - Persistence, attack:T1577:Compromise Application Executable, attack:T1057:Process Discovery, attack:T1083:File and Directory Discovery, Linux
https://github.com/citronneur/pamspy (#466) - Persistence, Defense Evasion, Credential Access, attack:T1205.002:Socket Filters, attack:T1556.003:Pluggable Authentication Modules, Linux
https://github.com/therealdreg/enyelkm (#456) - Persistence, Defense Evasion, Linux
https://github.com/zephrax/linux-pam-backdoor (#181) - Credential Access, Persistence, Defense Evasion, attack:T1556.003:Pluggable Authentication Modules, Linux
https://github.com/guitmz/go-liora (#663) - Persistence, uses:Go, attack:T1577:Compromise Application Executable, Linux
https://github.com/EvelynSubarrow/BismuthScorpion (#182)
https://github.com/sad0p/d0zer (#782) - Execution, Persistence, uses:Go, attack:T1625:Hijack Execution Flow, attack:T1204:Malicious File, Linux
https://github.com/wunderwuzzi23/Offensive-BPF (#469) - Credential Access, attack:T1205.002:Socket Filters, Linux
https://github.com/jermeyyy/rooty (#440) - Persistence, Defense Evasion, #439, attack:T1547.006:Kernel Modules and Extensions, XorDDoS, Linux, Consumer, Cloud hosted services, Device application sandboxing
https://github.com/ONsec-Lab/scripts/tree/master/pam_steal (#195)
https://github.com/yaoyumeng/adore-ng (#458) - Persistence, Defense Evasion, Linux
https://github.com/Gui774ume/ebpfkit (#151) - Discovery, Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, ebpfkit, Linux
https://github.com/Eterna1/puszek-rootkit (#670) - Persistence, Defense Evasion, Credential Access, Discovery, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1040:Network Sniffing, Linux
https://gist.github.com/zznop/0117c24164ee715e750150633c7c1782 (#198)
https://github.com/mav8557/Father (#606) - Persistence, Privilege Escalation, Defense Evasion, attack:T1574.006:Dynamic Linker Hijacking, Linux
https://github.com/timb-machine-mirrors/sar5430-coolkid (#629) - Persistence, Defense Evasion, Linux
https://github.com/roddux/santa (#207)
https://github.com/SafeBreach-Labs/backdoros (#213)
https://github.com/R3tr074/brokepkg (#777) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, uses:ProcessTreeSpoofing, uses:AbnormalSignal, uses:TamperCredStruct, uses:PortHiding, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1573:Encrypted Channel, attack:T1205:Traffic Signaling, BrokePkg, Linux
https://github.com/io-tl/degu-lib (#413) - Linux
https://github.com/m1m1x/memdlopen (#175) - Defense Evasion, attack:T1620:Reflective Code Loading
https://github.com/rek7/fireELF (#159)
https://github.com/kris-nova/boopkit (#221)
https://github.com/arget13/DDexec (#222)
https://github.com/toffan/binfmt_misc (#431) - Persistence, Privilege Escalation, Defense Evasion, Linux, Device application sandboxing
https://github.com/0x1CA3/parasite (#201) - wltm
https://github.com/mempodippy/vlany (#174)
https://github.com/nurupo/rootkit (#172)
https://github.com/vfsfitvnm/intruducer (#209)
https://github.com/croemheld/lkm-rootkit (#628) - Persistence, Defense Evasion, Privilege Escalation, Exfiltration, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1548:Abuse Elevation Control Mechanism, attack:T1205.001:Port Knocking, attack:T1095:Non-Application Layer Protocol, attack:T1020:Automated Exfiltration, attack:T1048.003:Exfiltration Over Unencrypted Non-C2 Protocol, attack:T1056.001:Keylogging, Linux
https://github.com/fbkcs/msf-elf-in-memory-execution (#203)
https://hckng.org/articles/perljam-elf64-virus.html (#735) - Persistence, attack:T1554:Compromise Client Software Binary, attack:T1505:Server Software Component, uses:Perl, Linux, AIX, Solaris, HP-UX
https://github.com/elfmaster/dt_infect (#219)
https://github.com/SilentVoid13/Silent_Packer (#783) - Defense Evasion, attack:T1027.002:Software Packing, Linux
https://github.com/mncoppola/suterusu (#491) - Persistence, Defense Evasion, wltm, Linux
https://github.com/jtripper/parasite (#169)
https://github.com/nnsee/fileless-elf-exec (#193) - Defense Evasion, attack:T1620:Reflective Code Loading
https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/ (#739) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, #734, #740, Linux
https://github.com/elfmaster/skeksi_virus (#224)
https://github.com/codewhitesec/daphne (#740) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, uses:Auditd, Linux
https://github.com/timb-machine-mirrors/ripmeep-memory-injector (#160)

Offensive research

Not necessarily malicious code (see Linikatz and unix-privesc-check =)) but interesting capabilities...

Offensive tools

https://github.com/creaktive/tsh (#481) - TSH, TINYSHELL, APT31, UNC2891, LightBasin, Linux
https://github.com/ropnop/kerbrute (#176)
https://github.com/TarlogicSecurity/tickey (#184)
https://github.com/anko/xkbcat (#691) - Credential Access, Collection, attack:T1056.001:Keylogging, Linux, AIX, Solaris, HP-UX, Consumer, Internal enterprise services
https://github.com/alichtman/malware-techniques (#199)
https://github.com/liamg/siphon (#576) - Discovery, Collection, Linux
https://vulners.com/metasploit/MSF:POST/LINUX/GATHER/GNOME_KEYRING_DUMP/ (#188)
https://github.com/airbus-seclab/nbutools (#689) - Discovery, Collection, Linux, AIX, Solaris, HP-UX, Banking, CNI, Telecomms, Internal enterprise services
https://github.com/AlessandroZ/LaZagne (#155)
https://github.com/NetDirect/nfsshell (#164)
https://github.com/FiloSottile/age (#166)
https://github.com/redcode-labs/Bashark (#168)
https://github.com/rebootuser/LinEnum (#158)
https://github.com/CiscoCXSecurity/linikatz (#156) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets, #141
https://github.com/SkyperTHC/bpf-keylogger (#781) - Credential Access, Collection, uses:eBPF, attack:T1417.001:Keylogging, Linux
https://github.com/MatheuZSecurity/D3m0n1z3dShell (#773) - Persistence, Linux
https://github.com/DavidBuchanan314/stelf-loader (#738) - Execution, Defense Evasion, uses:ProcessTreeSpoofing, uses:Non-persistentStorage, Linux
https://github.com/CiscoCXSecurity/sudo-parser (#163) - Privilege Escalation
https://github.com/naksyn/Pyramid (#630) - Persistence, Command and Control, Linux
https://github.com/liamg/traitor (#687) - Privilege Escalation, Linux
https://github.com/sosdave/KeyTabExtract (#206)
https://github.com/DeimosC2/DeimosC2 (#652) - Command and Control, Exfiltration, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, uses:Go, DeimosC2, /malware/binaries/Unix.Backdoor.DeimosC2, Linux
https://github.com/mnagel/gnome-keyring-dumper (#186)
https://github.com/io-tl/Mara (#487) - Linux
https://research.nccgroup.com/2022/01/08/tool-release-insject-a-linux-namespace-injector/ (#585) - Execution, Persistence, Linux, Cloud hosted services
https://github.com/timb-machine-mirrors/CoolerVoid-casper-fs (#216)
https://github.com/netifera/netifera (#194)
https://github.com/vbpf/ebpf-samples (#215) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1620:Reflective Code Loading, Device application sandboxing
https://github.com/namazso/linux_injector (#599) - Persistence, attack:T1574.006:Dynamic Linker Hijacking, Linux
https://packetstormsecurity.com/files/download/23045/statdx-scan.tar.gz (#146) - Reconnaissance, pscan (similar code to luckscan)
https://github.com/dsnezhkov/zombieant (#793) - Persistence, Privilege Escalation, Defense Evasion, attack:T1562:Impair Defenses, attack:T1574.006:Dynamic Linker Hijacking, Linux
https://github.com/hackerschoice/ssh-key-backdoor (#672) - Persistence, Defense Evasion, Linux, AIX, Solaris, HP-UX
https://github.com/eeriedusk/nysm (#761) - Persistence, Linux
https://github.com/pmorjan/kmod (#654) - Persistence, Privilege Escalation, uses:Go, attack:T1547.006:Kernel Modules and Extensions, Linux
https://github.com/DavidBuchanan314/dlinject (#485) - Linux
https://github.com/NetSPI/sshkey-grab (#619) - Credential Access, attack:T1552.004:Private Keys, attack:T1003.007:Proc Filesystem, attack:T1055.009:Proc Memory, Linux, Enhanced identity governance
https://github.com/JonathonReinhart/nosecmem (#180)
https://github.com/oldboy21/LDAP-Password-Hunter (#167)
https://github.com/huntergregal/mimipenguin (#185)
https://github.com/milabs/khook (#212)
https://github.com/89luca89/pakkero (#718) - Defense Evasion, attack:T1027.002:Software Packing, Linux
https://github.com/fireeye/SSSDKCMExtractor (#520) - attack:T1558:Steal or Forge Kerberos Tickets, Linux, Internal enterprise services, Enhanced identity governance
https://github.com/DavidBuchanan314/monomorph (#534) - Defense Evasion, Linux
https://github.com/metac0rtex/SSH-Key-Brute-Forcer (#489) - Initial Access, Lateral Movement, Linux, Enclave deployment
https://github.com/t3l3machus/Villain (#591) - Command and Control, Linux
https://github.com/pathtofile/bad-bpf (#205) - uses:BPF
https://github.com/controlplaneio/truffleproc (#537) - Privilege Escalation, Credential Access, Linux
https://github.com/Ne0nd0g/merlin (#545) - Command and Control, Exfiltration, uses:Go, Merlin, Linux
https://github.com/NixOS/patchelf (#443) - Persistence, attack:T1574.006:Dynamic Linker Hijacking, Linux, Device application sandboxing
https://github.com/TH3xACE/SUDO_KILLER (#162) - Privilege Escalation
https://github.com/zMarch/Orc (#161)
https://github.com/stealth/injectso (#589) - Defense Evasion, Linux
https://github.com/sevagas/swap_digger (#515) - Credential Access, Linux
https://github.com/akawashiro/sloader (#521) - Defense Evasion, Linux
https://github.com/timb-machine-mirrors/adamcaudill-EquationGroupLeak/tree/master/Linux (#173)
https://github.com/grisuno/LazyOwn (#812) - Reconnaissance, Initial Access, Execution, Persistence, Privilege Escalation, Discovery, Collection, Command and Control, Linux
https://github.com/Idov31/Sandman (#582) - Persistence, Command and Control, Linux
https://github.com/willshiao/node-bash-obfuscate (#190)
https://github.com/guitmz/memrun (#592) - Defense Evasion, attack:T1620:Reflective Code Loading, uses:Non-persistentStorage, Linux
https://github.com/Frissi0n/GTFONow (#771) - Privilege Escalation, attack:T1548:Abuse Elevation Control Mechanism, Linux
https://github.com/CiscoCXSecurity/enum4linux (#178)
https://github.com/nicocha30/ligolo-ng (#699) - Command and Control, Exfiltration, Linux
https://gtfobins.github.io/ (#179)
https://chromium.googlesource.com/linux-syscall-support/ (#533) - Linux
https://github.com/aojea/netkat (#464) - Lateral Movement, Command and Control, attack:T1205.002:Socket Filters, Linux
https://github.com/blacklanternsecurity/KCMTicketFormatter (#519) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets, Linux, Internal enterprise services, Enhanced identity governance
https://github.com/ropnop/windapsearch (#177)
https://github.com/IvanGlinkin/AutoSUID (#204)
https://github.com/ciscocxsecurity/unix-privesc-check (#157) - Privilege Escalation
https://github.com/elfmaster/maya (#504) - Defense Evasion, Linux, Device application sandboxing

Offensive techniques

https://sonarsource.github.io/argument-injection-vectors/ (#627) - Initial Access, Execution
https://www.akamai.com/blog/security-research/linux-lateral-movement-more-than-ssh (#708) - Lateral Movement, Linux, AIX, Solaris, HP-UX
https://rosesecurityresearch.com/crafting-malicious-pluggable-authentication-modules-for-persistence-privilege-escalation-and-lateral-movement (#772) - Persistence, Defense Evasion, Credential Access, attack:T1556.003:Pluggable Authentication Modules, Linux
https://twitter.com/David3141593/status/1575978540868435968 (#532) - Linux
https://gist.github.com/timb-machine/602d1a4dace4899babc1b6b5345d24b2 (#550) - Defense Evasion, attack:T1562:Impair Defenses, Linux
https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (#461) - Persistence, Defense Evasion, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, Linux, AIX, Solaris, HP-UX, Trust algorithm
https://rp.os3.nl/2016-2017/p97/presentation.pdf (#235)
https://medium.com/confluera-engineering/reflective-code-loading-in-linux-a-new-defense-evasion-technique-in-mitre-att-ck-v10-da7da34ed301 (#250)
https://rushter.com/blog/public-ssh-keys/ (#754) - Initial Access, Discovery, Lateral Movement, attack:T1018:Remote System Discovery, attack:T1199:Trusted Relationship, attack:T1021.004:SSH, Linux, AIX, Solaris, HP-UX
https://is.muni.cz/el/fi/jaro2011/PV204/um/LinuxRootkits/sys_call_table_complete.htm (#254) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions
http://shell-storm.org/api/?s=arm (#243)
https://twitter.com/HuskyHacksMK/status/1578413641669308416 (#541) - Defense Evasion, Linux, AIX, Solaris, HP-UX
https://n0.lol/ (#227)
https://twitter.com/Alh4zr3d/status/1577649651376791552 (#540) - Defense Evasion, Linux, AIX, Solaris, HP-UX
https://www.form3.tech/engineering/content/bypassing-ebpf-tools (#584) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
https://packetstormsecurity.com/files/34013/0x4553-Static_Infecting.html (#255)
https://www.elastic.co/guide/en/security/master/binary-executed-from-shared-memory-directory.html (#611) - Defense Evasion
https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html (#683) - Defense Evasion, attack:T1629.003:Disable or Modify Tools, attack:T1547.006:Kernel Modules and Extensions, uses:Auditd, Linux
https://github.com/CiscoCXSecurity/linikatz/issues (#230)
https://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ (#239)
https://rp.os3.nl/2016-2017/p59/presentation.pdf (#233)
https://tmpout.sh/2/ (#226)
https://pbs.twimg.com/media/FSi1m3gXsAA79yF?format=jpg&name=medium (#428) - Persistence, Linux, Device application sandboxing
https://grugq.github.io/docs/ul_exec.txt (#463) - Persistence, Defense Evasion, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, Linux, Trust algorithm
https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html (#251)
https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (#653) - Initial Access, Credential Access, attack:T1110:Brute Force, attack:T1078:Valid Accounts, Linux, AIX, Solaris, HP-UX, Consumer, Cloud hosted services, Internal enterprise services, Internal specialist services
https://rp.os3.nl/2016-2017/p59/report.pdf (#232)
http://www.foo.be/cours/mssi-20072008/davidoff-clearmem-linux.pdf (#246)
https://github.com/CiscoCXSecurity/presentations/raw/master/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf (#241) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets
https://blog.talosintelligence.com/2018/12/PortcullisActiveDirectory.html (#240) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets
https://blog.fbkcs.ru/en/elf-in-memory-execution/ (#249)
https://www.guitmz.com/running-elf-from-memory/ (#252)
https://grugq.github.io/docs/subversiveld.pdf (#473) - Linux
https://www.cs.dartmouth.edu/~sergey/cs258/2010/spainhower_DT.pdf (#555) - Persistence, Defense Evasion, uses:DTrace, SInAR, #553, #554, Archim, Solaris, Internal specialist services, Device application sandboxing
https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (#800) - Defense Evasion, Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, attack:T1027:Obfuscated Files or Information, #791, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services
https://www.blackhat.com/presentations/bh-dc-08/Beauchamp-Weston/Whitepaper/bh-dc-08-beauchamp-weston-WP.pdf (#556) - Persistence, Defense Evasion, uses:DTrace, Solaris, Internal specialist services, Device application sandboxing
https://www.tarlogic.com/blog/how-to-attack-kerberos/ (#229)
http://www.ouah.org/LKM_HACKING.html (#257) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions
https://github.com/0xor0ne/debugoff (#755) - Defense Evasion, uses:Rust, attack:T1622:Debugger Evasion, Linux
https://2018.zeronights.ru/wp-content/uploads/materials/09-ELF-execution-in-Linux-RAM.pdf (#436) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Linux, Device application sandboxing
https://c3media.vsos.ethz.ch/congress/2004/papers/057%20SUN%20Bloody%20Daft%20Solaris%20Mechanisms.pdf (#554) - Persistence, Defense Evasion, uses:DTrace, SInAR, #553, Archim, Solaris, Internal specialist services, Device application sandboxing
https://www.first.org/resources/papers/telaviv2019/Rezilion-Shlomi-Butnaro-Beyond-Whitelisting-Fileless-Attacks-Against-L....pdf (#231) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Device application sandboxing
https://www.sentinelone.com/blog/shadow-suid-for-privilege-persistence-part-1/ (#430) - Persistence, Privilege Escalation, Defense Evasion, Linux, Device application sandboxing
https://github.com/elfmaster/scop_virus_paper (#253)
https://github.com/milabs/awesome-linux-rootkits (#9) - Persistence, Linux
https://labs.portcullis.co.uk/presentations/breaking-the-links-exploiting-the-linker/ (#238)
https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/ (#236)
https://sysdig.com/blog/ebpf-offensive-capabilities/ (#768) - Persistence, Defense Evasion, uses:eBPF, Linux
https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf (#245)
https://tmpout.sh/1/ (#225)
http://hick.org/code/skape/papers/needle.txt (#557) - Persistence, Defense Evasion, Linux
https://twitter.com/brainsmoke/status/399558997994668033 (#509) - Execution, Linux
https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (#705) - Persistence, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attacK:T1548:Abuse Elevation Control Mechanism, #669, Linux
https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf (#248)
https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html (#575) - Persistence, Privilege Escalation, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, attack:T1562:Impair Defenses, Linux
https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (#462) - Defense Evasion, Discovery, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, attack:T1057:Process Discovery, attack:T1620:Reflective Code Loading, Linux, AIX, Solaris, HP-UX, Trust algorithm
https://rp.os3.nl/2016-2017/p97/report.pdf (#234)
https://github.com/hakivvi/ermir (#579) - Initial Access, Lateral Movement, Linux, Internal enterprise services
https://blog.doyensec.com/2022/10/11/ebpf-bypass-security-monitoring.html (#567) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
http://lists.openstack.org/pipermail/openstack/2013-December/004138.html (#244)
https://github.com/rapid7/ssh-badkeys (#538) - Initial Access, Linux, AIX, Solaris, HP-UX
https://blog.xpnsec.com/linux-process-injection-aka-injecting-into-sshd-for-fun/ (#558) - Persistence, Defense Evasion, Linux
microsoft/SysmonForLinux#83 (#648) - Defense Evasion, Linux
https://gtfoargs.github.io/ (#626) - Initial Access, Execution
https://medium.com/verint-cyber-engineering/linux-threat-hunting-primer-part-ii-69484f58ac92 (#247)
http://www.hick.org/code/skape/papers/remote-library-injection.pdf (#455) - Persistence, Linux
https://twitter.com/Alh4zr3d/status/1578406155453276160 (#539) - Defense Evasion, Linux, AIX, Solaris, HP-UX
https://vxug.fakedoma.in/papers.html (#228)
https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal (#665) - Initial Access, attack:T1190:Exploit Public-Facing Application, Mirai, Linux, IOT, Consumer
https://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/ (#562) - Persistence, Defense Evasion, Command and Control, Linux, AIX, Solaris
http://archive.hack.lu/2019/Fileless-Malware-Infection-and-Linux-Process-Injection-in-Linux-OS.pdf (#242) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Device application sandboxing
https://gist.github.com/timb-machine/7bd75479ee29aee8762952ea16908eb0 (#197) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, attack:T1202:Indirect Command Execution, Linux, AIX, Solaris, HP-UX, Device application sandboxing, Trust algorithm
https://devilinside.me/blogs/becoming-rat-your-system (#256)
https://blog.vibri.us/BeyondTrust-AD-Bridge-Open-Post-Exploitation/ (#635) - Credential Access, Discovery, attack:T1087.002:Domain Account, Linux, Internal enterprise services
https://www.archcloudlabs.com/projects/debuginfod/ (#796) - Command and Control, Exfiltration, attack:T1071:Application Layer Protocol, attack:T1567:Exfiltration Over Web Service, Linux
https://buzzchronicles.com/Mollyycolllinss/b/internet/7795/ (#475) - Linux
http://www.nth-dimension.org.uk/downloads.php?id=77 (#237)
https://sysdig.com/blog/containers-read-only-fileless-malware/ (#415) - Persistence, Defense Evasion, attack:T1202:Indirect Command Execution, attack:T1620:Reflective Code Loading, uses:Non-persistentStorage, uses:k8s, Linux, Cloud hosted services, Device application sandboxing

Defensive research

Defensive tools

https://github.com/sourque/louis (#411) - Linux, Device application sandboxing
https://github.com/sqall01/LSMS (#610) - Defense Evasion, Linux
https://youtu.be/16_EAsYAApI (#438) - Linux
https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/ (#277)
https://github.com/NozomiNetworks/upx-recovery-tool (#535) - Defense Evasion, attack:T1027.002:Software Packing, Linux
https://github.com/Achiefs/fim (#779) - Credential Access, Defense Evasion, Persistence, attack:T1556.003:Pluggable Authentication Modules, attack:T1562.012:Disable or Modify Linux Audit System, attack:T1601:Modify System Image, Linux
https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Fixing-A-Memory-Forensics-Blind-Spot-Linux-Kernel-Tracing-wp.pdf (#423) - Persistence, Privilege Escalation, Defense Evasion, Credential Access, Collection, Command and Control, Exfiltration, Linux
https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (#449) - Persistence, Defense Evasion, Credential Access, Command and Control, #156, #418, #420, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1005:Data from Local System, attack:T1083:File and Directory Discovery, attack:T1003:OS Credential Dumping, attack:T1558:Steal or Forge Kerberos Tickets, BPFDoor, Linikatz, Linux
https://github.com/chriskaliX/Hades (#514) - Linux
https://github.com/0xrawsec/kunai (#749) - Defense Evasion, Linux
https://github.com/chainguard-dev/osquery-defense-kit (#574) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Command and Control, Exfiltration, Linux
https://bazaar.abuse.ch/ (#259)
https://elastic.github.io/security-research/intelligence/2022/03/03.dirty-pipe/article/ (#265)
https://github.com/tstromberg/sunlight (#794) - Defense Evasion, uses:eBPF, Linux
https://github.com/stratosphereips/StratosphereLinuxIPS (#811) - Execution, Persistence, Privilege Escalation, Defense Evasion, Linux
https://github.com/sandflysecurity/sandfly-entropyscan (#632) - Defense Evasion, Linux
https://github.com/M00NLIG7/ChopChopGo (#674) - Defense Evasion, Linux
https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/ (#275)
https://tbhaxor.com/hunting-malicious-binaries-in-containers/ (#272)
https://github.com/monnappa22/Limon (#258)
https://github.com/CYB3RMX/Qu1cksc0pe (#696) - Defense Evasion, Linux
https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought/ (#274)
https://github.com/sandflysecurity/sandfly-processdecloak (#633) - Defense Evasion, Linux
https://github.com/signalblur/impelf (#647) - Defense Evasion, Linux
https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/ (#276)
https://github.com/hardenedvault/ved-ebpf (#737) - Execution, Privilege Escalation, Defense Evasion, attack:T1574:Hijack Execution Flow, attack:T1548.001:Setuid and Setgid, attack:T1620:Reflective Code Loading, attack:T1068:Exploitation for Privilege Escalation, uses:eBPF, Linux
https://github.com/elfmaster/avu32 (#273)
https://www.rfxn.com/projects/linux-malware-detect/ (#261)
https://github.com/ancat/egrets (#218)
https://github.com/deepfence/ebpfguard (#697) - Defense Evasion, Linux
https://github.com/avilum/secimport (#748) - Persistence, Defense Evasion, Linux
https://github.com/niveb/NoCrypt (#673) - Impact, attack:T1486:Data Encrypted for Impact, attack:T1547.006:Kernel Modules and Extensions, Linux
https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/ (#268)
https://github.com/sandflysecurity/sandfly-file-decloak (#634) - Defense Evasion, Linux
https://www.virustotal.com/gui/ (#260)
https://blog.blockmagnates.com/hunt-linux-malware-with-cgroups-497733095a94 (#472) - Linux
https://www.volatilityfoundation.org/releases-vol3 (#457) - Persistence, Defense Evasion, Linux, Consumer, Cloud hosted services, Internal enterprise services, Internal specialist services, Enterprise with public/Customer-facing services, Device application sandboxing
https://github.com/alex-cart/LEAF (#445) - Linux
https://tria.ge/ (#263)
https://grsecurity.net/tetragone_a_lesson_in_security_fundamentals (#450) - Persistence, Privilege Escalation, Defense Evasion, Linux
https://github.com/evilsocket/ebpf-process-anomaly-detection (#497) - Execution, Linux
https://github.com/snapattack/bpfdoor-scanner (#437) - Persistence, Defense Evasion, Command and Control, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205.002:Socket Filters, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect
https://github.com/marin-m/vmlinux-to-elf (#726) - Defense Evasion, attack:T1601:Modify System Image, Linux
https://github.com/Gui774ume/ebpfkit-monitor (#467) - Persistence, Defense Evasion, Discovery, Command and Control, Linux
https://github.com/tclahr/uac (#583) - Persistence, Defense Evasion, Linux
https://github.com/vmware/kernel-event-collector-module (#271) - Carbon Black
https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505 (#451) - Linux
https://github.com/jafarlihi/modreveal (#609) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions, Linux
https://twitter.com/ldsopreload/status/1583178316286029824 (#568) - Persistence, Defense Evasion, Command and Control, #569, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, #420, #418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
https://github.com/david942j/seccomp-tools (#590) - Defense Evasion, Linux
https://twitter.com/ldsopreload/status/1582780282758828035 (#571) - Persistence, Defense Evasion, Command and Control, #570, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, #420, #418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
https://github.com/Gui774ume/krie (#498) - Defense Evasion, Privilege Escalation, Persistence, uses:eBPF, attack:T1620:Reflective Code Loading, attack:T1574:Hijack Execution Flow, attack:T1068:Exploitation for Privilege Escalation, attack:T1562.001:Disable or Modify Tools, attack:T1548:Abuse Elevation Control Mechanism, Linux
https://github.com/threathunters-io/laurel (#581) - Defense Evasion, Linux
https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (#570) - Persistence, Defense Evasion, Command and Control, #571, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, #420, #418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
https://twitter.com/inversecos/status/1527188391347068928 (#435) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris, Device application sandboxing
https://medium.com/confluera-engineering/detection-and-response-for-linux-reflective-code-loading-malware-this-is-how-21f9c7d8a014 (#278)
https://github.com/nikhilh-20/ELFEN (#764) - Defense Evasion, Linux
https://elfdigest.com/ (#262)
https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (#569) - Persistence, Defense Evasion, Command and Control, #568, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, #420, #418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
https://github.com/falcosecurity/falco (#412) - Linux, Device application sandboxing
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/mitre-att-amp-ck-technique-coverage-with-sysmon-for-linux/ba-p/2858219 (#269)
https://twitter.com/timb_machine/status/1523253031382687744 (#421) - Command and Control, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, #420, DecisiveArchitect, Solaris
https://github.com/504ensicsLabs/LiME (#187)
https://github.com/op7ic/unix_collector (#266) - Solaris, Linux, AIX, OS X

Defensive techniques

https://archive.org/details/HalLinuxForensics (#560) - Defense Evasion, Linux
https://www.youtube.com/watch?v=Zig-inHOhII (#561) - Defense Evasion, Linux
https://github.com/rung/threat-matrix-cicd (#10) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Lateral Movement, Exfiltration, Impact, Linux
https://github.com/archcloudlabs/BSidesRoc2022_Linux_Malware_Analysis_Course (#264)
https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html (#559) - Defense Evasion, Linux
https://www.forensicxlab.com/posts/inodes/ (#522) - Defense Evasion, Linux
https://blog.virustotal.com/2023/12/sigma-rules-for-linux-and-macos_20.html (#774) - Defense Evasion, Linux
https://blog.aquasec.com/detecting-ebpf-malware-with-tracee (#745) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (#499) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, attack:T1574:Hijack Execution Flow, attack:T1068:Exploitation for Privilege Escalation, Linux
https://sandflysecurity.com/blog/detecting-evasive-linux-backdoors-presentation/ (#760) - Persistence, Defense Evasion, Command and Control, Linux
https://blog.trailofbits.com/2021/11/09/all-your-tracing-are-belong-to-bpf/ (#747) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (#719) - Execution, Persistence, Privilege Escalation, Defense Evasion, attack:T1574:Hijack Execution Flow, attack:T1204:User Execution, attack:T1218:System Binary Proxy Execution, attack:T1036.003:Rename System Utilities, Linux, AIX, Solaris, HP-UX
https://github.com/anelshaer/Remote-Linux-Triage-Collection-using-OSquery (#529) - Linux
https://www.mandiant.com/sites/default/files/2022-03/wp-linux-endpoint-hardening.pdf (#675) - Defense Evasion, Linux
https://redcanary.com/blog/process-streams/ (#494) - Lateral Movement, Command and Control, Exfiltration, uses:bash, uses:ksh93, attack:T1059:Command and Scripting Interpreter, attack:T1095:Non-Application Layer Protocol, Linux, Enclave deployment
https://righteousit.wordpress.com/2021/12/21/hudaks-honeypot-part-2/ (#39) - honeypot, Linux
https://twitter.com/CraigHRowland/status/1593102427276050433 (#587) - Persistence, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, Linux
https://github.com/cr0nx/awesome-linux-attack-forensics-purplelabs (#712) - Defense Evasion, Linux
https://blog.trailofbits.com/2023/08/09/use-our-suite-of-ebpf-libraries/ (#736) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
https://redcanary.com/blog/ebpf-for-security/ (#270) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading
https://darrenmartyn.ie/2021/07/05/procfs-bash-tricks-and-detecting-cowrie/ (#528) - Persistence, Defense Evasion, Linux, Device application sandboxing
https://github.com/timb-machine/obscure-forensics (#267)
https://righteousit.wordpress.com/2021/12/20/hudaks-honeypot-part-1/ (#38) - honeypot, Linux
https://github.com/DevinRTK/rtk-eLibrary (#631) - Persistence, Defense Evasion, Discovery, Collection, Linux, Cloud hosted services, Internal enterprise services, Internal specialist services, Multi-cloud/Cloud-to-cloud enterprise
https://blog.trailofbits.com/2023/09/25/pitfalls-of-relying-on-ebpf-for-security-monitoring-and-some-solutions/ (#762) - Execution, Persistence, Privilege Escalation, Defense Evasion, Linux

Defensive Yara

Personal rules

canvasspectre.yara (#284) - Hunts for CANVAS Spectre
enterpriseapps2.yara (#283) - Hunts for enterprise app binaries
aix.yara (#280) - Hunts for AIX binaries
pscan.yara (#287) - Hunts for references to pscan
adonunix2.yara (#281) - Hunts for binaries that attack AD on UNIX
unixredflags3.yara (#285) - Hunts for UNIX red flags
enterpriseunix2.yara (#282) - Hunts for enterprise UNIX binaries
luckscan.yara (#286) - Hunts for references to luckscan
ciscotools.yara (#279) - Hunts for references to our tools

Other rules

https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar (#419) - attack:T1205.002:Socket Filters, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, #418, DecisiveArchitect, Linux
https://github.com/Yara-Rules/rules (#288)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

linux-malware

Press/academia

In the wild

Breach reports

Supply chain attacks

Malware reports

Malware samples

Malware binaries

Malware source

Malware PoCs

Offensive research

Offensive tools

Offensive techniques

Defensive research

Defensive tools

Defensive techniques

Defensive Yara

Personal rules

Other rules

About

Releases

Packages

Contributors 8

Languages

Name		Name	Last commit message	Last commit date
Latest commit History 703 Commits
.github		.github
articles		articles
defensive		defensive
doc		doc
intel		intel
malware		malware
offensive		offensive
src		src
.gitmodules		.gitmodules
ATT&CK.md		ATT&CK.md
COPYING		COPYING
README.md		README.md

License

timb-machine/linux-malware

Folders and files

Latest commit

History

Repository files navigation

linux-malware

Press/academia

In the wild

Breach reports

Supply chain attacks

Malware reports

Malware samples

Malware binaries

Malware source

Malware PoCs

Offensive research

Offensive tools

Offensive techniques

Defensive research

Defensive tools

Defensive techniques

Defensive Yara

Personal rules

Other rules

About

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Contributors 8

Languages

Packages