diff --git a/ATT&CK.md b/ATT&CK.md
index e69de29b..b5806054 100644
--- a/ATT&CK.md
+++ b/ATT&CK.md
@@ -0,0 +1,2000 @@
+## Credential Access
+
+T1556.003: Pluggable Authentication Modules
+
+* https://github.com/citronneur/pamspy (https://github.com/timb-machine/linux-malware/issues/466), citable: False
+* https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://github.com/zephrax/linux-pam-backdoor (https://github.com/timb-machine/linux-malware/issues/181), citable: False
+* https://rosesecurityresearch.com/crafting-malicious-pluggable-authentication-modules-for-persistence-privilege-escalation-and-lateral-movement (https://github.com/timb-machine/linux-malware/issues/772), citable: False
+* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://github.com/Achiefs/fim (https://github.com/timb-machine/linux-malware/issues/779), citable: False
+* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True
+
+T1056.001: Keylogging
+
+* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://github.com/anko/xkbcat (https://github.com/timb-machine/linux-malware/issues/691), citable: False
+
+T1003: OS Credential Dumping
+
+* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (https://github.com/timb-machine/linux-malware/issues/449), citable: False
+
+T1552.005: Cloud Instance Metadata API
+
+missing from ATT&CK
+
+* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True
+
+T1110.002: Password Cracking
+
+* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True (TACTICS OR TECHNIQUES WRONG)
+
+T1003.007: Proc Filesystem
+
+* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True
+* https://github.com/NetSPI/sshkey-grab (https://github.com/timb-machine/linux-malware/issues/619), citable: False
+* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True (TACTICS OR TECHNIQUES WRONG)
+
+T1555.005: Password Managers
+
+* https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/ (https://github.com/timb-machine/linux-malware/issues/816), citable: False
+
+T1040: Network Sniffing
+
+* https://github.com/Eterna1/puszek-rootkit (https://github.com/timb-machine/linux-malware/issues/670), citable: False
+* https://www.mandiant.com/resources/blog/messagetap-who-is-reading-your-text-messages (https://github.com/timb-machine/linux-malware/issues/542), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True (TACTICS OR TECHNIQUES WRONG)
+
+T1558: Steal or Forge Kerberos Tickets
+
+* https://github.com/CiscoCXSecurity/presentations/raw/master/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf (https://github.com/timb-machine/linux-malware/issues/241), citable: False
+* https://github.com/fireeye/SSSDKCMExtractor (https://github.com/timb-machine/linux-malware/issues/520), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://blog.talosintelligence.com/2018/12/PortcullisActiveDirectory.html (https://github.com/timb-machine/linux-malware/issues/240), citable: False
+* https://github.com/blacklanternsecurity/KCMTicketFormatter (https://github.com/timb-machine/linux-malware/issues/519), citable: False
+* https://github.com/CiscoCXSecurity/linikatz (https://github.com/timb-machine/linux-malware/issues/156), citable: False
+* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (https://github.com/timb-machine/linux-malware/issues/449), citable: False
+
+T1555: Credentials from Password Stores
+
+* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True (TACTICS OR TECHNIQUES WRONG)
+
+T1552: Unsecured Credentials
+
+* https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (https://github.com/timb-machine/linux-malware/issues/692), citable: True
+
+T1552.004: Private Keys
+
+* https://github.com/SecurityFail/kompromat (https://github.com/timb-machine/linux-malware/issues/813), citable: False
+* https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (https://github.com/timb-machine/linux-malware/issues/800), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://sysdig.com/blog/ssh-snake/ (https://github.com/timb-machine/linux-malware/issues/801), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (https://github.com/timb-machine/linux-malware/issues/524), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://github.com/NetSPI/sshkey-grab (https://github.com/timb-machine/linux-malware/issues/619), citable: False
+* https://github.com/MegaManSec/SSH-Snake (https://github.com/timb-machine/linux-malware/issues/791), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True
+
+T1110.003: Password Spraying
+
+* https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (https://github.com/timb-machine/linux-malware/issues/8), citable: True
+* https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (https://github.com/timb-machine/linux-malware/issues/716), citable: True
+* https://cujo.com/threat-alert-krane-malware/ (https://github.com/timb-machine/linux-malware/issues/391), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True (TACTICS OR TECHNIQUES WRONG)
+
+T1649: Steal or Forge Authentication Certificates
+
+* https://github.com/aviat/passe-partout (https://github.com/timb-machine/linux-malware/issues/704), citable: False
+
+T1552.003: Bash History
+
+* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True
+
+T1212: Exploitation for Credential Access
+
+* https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (https://github.com/timb-machine/linux-malware/issues/692), citable: True
+
+T1110: Brute Force
+
+* https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (https://github.com/timb-machine/linux-malware/issues/700), citable: True
+* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (https://github.com/timb-machine/linux-malware/issues/653), citable: False
+* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://asec.ahnlab.com/en/54647/ (https://github.com/timb-machine/linux-malware/issues/707), citable: True
+* https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True (TACTICS OR TECHNIQUES WRONG)
+
+T1003.008: /etc/passwd and /etc/shadow
+
+* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True
+
+T1556: Modify Authentication Process
+
+* https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (https://github.com/timb-machine/linux-malware/issues/700), citable: True
+
+## Execution
+
+T1129: Shared Modules
+
+missing from ATT&CK
+
+* https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True (TACTICS OR TECHNIQUES WRONG)
+
+T1053.003: Cron
+
+* https://bazaar.abuse.ch/sample/d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4/ (https://github.com/timb-machine/linux-malware/issues/662), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://sansec.io/research/cronrat (https://github.com/timb-machine/linux-malware/issues/399), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (https://github.com/timb-machine/linux-malware/issues/90), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/ (https://github.com/timb-machine/linux-malware/issues/816), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (https://github.com/timb-machine/linux-malware/issues/618), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True
+* https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (https://github.com/timb-machine/linux-malware/issues/321), citable: True
+* https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (https://github.com/timb-machine/linux-malware/issues/447), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True
+
+T1106: Native API
+
+* https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (https://github.com/timb-machine/linux-malware/issues/658), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True (TACTICS OR TECHNIQUES WRONG)
+
+T1610: Deploy Container
+
+missing from ATT&CK
+
+* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True
+
+T1053.001: At (Linux)
+
+* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True
+
+T1059: Command and Scripting Interpreter
+
+* https://redcanary.com/blog/process-streams/ (https://github.com/timb-machine/linux-malware/issues/494), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True
+* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True
+* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True
+
+T1204: User Execution
+
+* https://github.com/sad0p/d0zer (https://github.com/timb-machine/linux-malware/issues/782), citable: False
+* https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (https://github.com/timb-machine/linux-malware/issues/719), citable: False
+
+T1072: Software Deployment Tools
+
+* https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (https://github.com/timb-machine/linux-malware/issues/790), citable: True
+
+T1059.004: Unix Shell
+
+* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True
+* https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (https://github.com/timb-machine/linux-malware/issues/790), citable: True
+* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True
+* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True
+
+T1559: Inter-Process Communication
+
+* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True
+
+T1569: System Services
+
+* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True
+* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True
+
+T1569.002: Service Execution
+
+missing from ATT&CK
+
+* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True
+* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True
+
+## Impact
+
+T1486: Data Encrypted for Impact
+
+* https://blog.polyswarm.io/darkangels-linux-ransomware (https://github.com/timb-machine/linux-malware/issues/666), citable: True
+* https://blog.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies (https://github.com/timb-machine/linux-malware/issues/496), citable: True
+* https://cybersec84.wordpress.com/2023/08/15/monti-ransomware-operators-resurface-with-new-linux-variant-improved-evasion-tactics/ (https://github.com/timb-machine/linux-malware/issues/753), citable: True
+* https://www.virustotal.com/gui/file/bf3ebc294870a6e743f021f4e18be75810149a1004b8d7c8a1e91f35562db3f5/detection (https://github.com/timb-machine/linux-malware/issues/644), citable: True
+* https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/ (https://github.com/timb-machine/linux-malware/issues/656), citable: True
+* https://github.com/niveb/NoCrypt (https://github.com/timb-machine/linux-malware/issues/673), citable: False
+* https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html (https://github.com/timb-machine/linux-malware/issues/102), citable: True
+* https://www.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies (https://github.com/timb-machine/linux-malware/issues/758), citable: True
+* https://www.signalblur.io/through-the-looking-glass (https://github.com/timb-machine/linux-malware/issues/756), citable: True
+* https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf (https://github.com/timb-machine/linux-malware/issues/101), citable: False
+* https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html (https://github.com/timb-machine/linux-malware/issues/442), citable: True
+* https://twitter.com/malwrhunterteam/status/1422972905541996546 (https://github.com/timb-machine/linux-malware/issues/374), citable: True
+* https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (https://github.com/timb-machine/linux-malware/issues/321), citable: True
+* https://blogs.vmware.com/security/2021/09/hellokitty-the-victims-perspective.html (https://github.com/timb-machine/linux-malware/issues/546), citable: True
+* https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/ (https://github.com/timb-machine/linux-malware/issues/638), citable: False
+* https://twitter.com/Unit42_Intel/status/1653760405792014336 (https://github.com/timb-machine/linux-malware/issues/695), citable: True
+* https://github.com/h3xduck/Umbra (https://github.com/timb-machine/linux-malware/issues/668), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group (https://github.com/timb-machine/linux-malware/issues/544), citable: True
+
+T1499: Endpoint Denial of Service
+
+* https://asec.ahnlab.com/en/50316/ (https://github.com/timb-machine/linux-malware/issues/621), citable: True
+* https://asec.ahnlab.com/en/49769/ (https://github.com/timb-machine/linux-malware/issues/624), citable: True
+* https://spectrum.ieee.org/amp/mirai-botnet-2659993631 (https://github.com/timb-machine/linux-malware/issues/676), citable: False
+* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True
+* https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (https://github.com/timb-machine/linux-malware/issues/623), citable: True
+* https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True
+
+T1496: Resource Hijacking
+
+* https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (https://github.com/timb-machine/linux-malware/issues/770), citable: True
+* https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (https://github.com/timb-machine/linux-malware/issues/723), citable: True
+* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False
+* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True
+* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True
+* https://ultimacybr.co.uk/2023-10-04-Sysrv/ (https://github.com/timb-machine/linux-malware/issues/767), citable: True
+* https://asec.ahnlab.com/en/54647/ (https://github.com/timb-machine/linux-malware/issues/707), citable: True
+* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True
+* https://github.com/tstromberg/malware-menagerie (https://github.com/timb-machine/linux-malware/issues/795), citable: False
+* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True
+
+T1565.002: Transmitted Data Manipulation
+
+* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True
+* https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True
+
+T1485: Data Destruction
+
+* https://cert.gov.ua/article/4501891 (https://github.com/timb-machine/linux-malware/issues/651), citable: True
+* https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (https://github.com/timb-machine/linux-malware/issues/790), citable: True
+* https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True
+* https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc (https://github.com/timb-machine/linux-malware/issues/786), citable: True
+
+T1498: Network Denial of Service
+
+* https://blog.xlab.qianxin.com/mirai-tbot-en/ (https://github.com/timb-machine/linux-malware/issues/788), citable: True
+* https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 (https://github.com/timb-machine/linux-malware/issues/702), citable: True
+* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True
+* https://spectrum.ieee.org/amp/mirai-botnet-2659993631 (https://github.com/timb-machine/linux-malware/issues/676), citable: False
+* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True
+* https://asec.ahnlab.com/en/54647/ (https://github.com/timb-machine/linux-malware/issues/707), citable: True
+* https://bazaar.abuse.ch/browse/signature/XorDDoS/ (https://github.com/timb-machine/linux-malware/issues/129), citable: False
+* https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True
+
+T1490: Inhibit System Recovery
+
+* https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True
+
+T1561.001: Disk Content Wipe
+
+* https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True
+* https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc (https://github.com/timb-machine/linux-malware/issues/786), citable: True
+
+T1529: System Shutdown/Reboot
+
+* https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True
+
+## Persistence
+
+T1205.002: Socket Filters
+
+* https://github.com/h3xduck/TripleCross (https://github.com/timb-machine/linux-malware/issues/465), citable: False
+* https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (https://github.com/timb-machine/linux-malware/issues/397), citable: True
+* https://twitter.com/timb_machine/status/1523253031382687744 (https://github.com/timb-machine/linux-malware/issues/421), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://packetstormsecurity.com/files/22121/cd00r.c.html (https://github.com/timb-machine/linux-malware/issues/597), citable: False
+* https://github.com/vbpf/ebpf-samples (https://github.com/timb-machine/linux-malware/issues/215), citable: False
+* https://github.com/citronneur/pamspy (https://github.com/timb-machine/linux-malware/issues/466), citable: False
+* https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (https://github.com/timb-machine/linux-malware/issues/658), citable: True
+* https://github.com/snapattack/bpfdoor-scanner (https://github.com/timb-machine/linux-malware/issues/437), citable: False
+* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True
+* https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (https://github.com/timb-machine/linux-malware/issues/422), citable: False
+* https://vms.drweb.com/virus/?i=21004786 (https://github.com/timb-machine/linux-malware/issues/433), citable: True
+* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True
+* https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (https://github.com/timb-machine/linux-malware/issues/725), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://github.com/wunderwuzzi23/Offensive-BPF (https://github.com/timb-machine/linux-malware/issues/469), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://github.com/Gui774ume/ebpfkit (https://github.com/timb-machine/linux-malware/issues/151), citable: False
+* https://twitter.com/ldsopreload/status/1583178316286029824 (https://github.com/timb-machine/linux-malware/issues/568), citable: False
+* https://twitter.com/inversecos/status/1527188391347068928 (https://github.com/timb-machine/linux-malware/issues/435), citable: False
+* https://twitter.com/ldsopreload/status/1582780282758828035 (https://github.com/timb-machine/linux-malware/issues/571), citable: False
+* https://pastebin.com/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/802), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True
+* https://github.com/noptrix/fbkit (https://github.com/timb-machine/linux-malware/issues/684), citable: False
+* https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar (https://github.com/timb-machine/linux-malware/issues/419), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://packetstormsecurity.com/files/23336/Slx2k001.txt.html (https://github.com/timb-machine/linux-malware/issues/152), citable: False
+* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True
+* https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool (https://github.com/timb-machine/linux-malware/issues/405), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False
+* https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True
+* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True
+* https://github.com/aojea/netkat (https://github.com/timb-machine/linux-malware/issues/464), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True
+* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True
+* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (https://github.com/timb-machine/linux-malware/issues/449), citable: False
+* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False
+* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (https://github.com/timb-machine/linux-malware/issues/420), citable: False
+* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False
+* https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (https://github.com/timb-machine/linux-malware/issues/570), citable: False
+
+T1037: Boot or Logon Initialization Scripts
+
+* https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (https://github.com/timb-machine/linux-malware/issues/618), citable: True
+
+T1556.003: Pluggable Authentication Modules
+
+* https://github.com/citronneur/pamspy (https://github.com/timb-machine/linux-malware/issues/466), citable: False
+* https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True
+* https://github.com/zephrax/linux-pam-backdoor (https://github.com/timb-machine/linux-malware/issues/181), citable: False
+* https://rosesecurityresearch.com/crafting-malicious-pluggable-authentication-modules-for-persistence-privilege-escalation-and-lateral-movement (https://github.com/timb-machine/linux-malware/issues/772), citable: False
+* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True
+* https://github.com/Achiefs/fim (https://github.com/timb-machine/linux-malware/issues/779), citable: False
+* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False
+* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True
+
+T1543: Create or Modify System Process
+
+* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True
+* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True
+
+T1133: External Remote Services
+
+* https://blog.xlab.qianxin.com/mirai-tbot-en/ (https://github.com/timb-machine/linux-malware/issues/788), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (https://github.com/timb-machine/linux-malware/issues/678), citable: True
+* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True (TACTICS OR TECHNIQUES WRONG)
+
+T1542.003: Bootkit
+
+* https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True
+* https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True
+
+T1053.003: Cron
+
+* https://bazaar.abuse.ch/sample/d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4/ (https://github.com/timb-machine/linux-malware/issues/662), citable: False
+* https://sansec.io/research/cronrat (https://github.com/timb-machine/linux-malware/issues/399), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (https://github.com/timb-machine/linux-malware/issues/90), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/ (https://github.com/timb-machine/linux-malware/issues/816), citable: False
+* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True
+* https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (https://github.com/timb-machine/linux-malware/issues/618), citable: True
+* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True
+* https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (https://github.com/timb-machine/linux-malware/issues/321), citable: True
+* https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (https://github.com/timb-machine/linux-malware/issues/447), citable: True
+* https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True
+
+T1098.003: Additional Cloud Roles
+
+missing from ATT&CK
+
+* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False
+
+T1205: Traffic Signaling
+
+* https://twitter.com/timb_machine/status/1523253031382687744 (https://github.com/timb-machine/linux-malware/issues/421), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (https://github.com/timb-machine/linux-malware/issues/658), citable: True
+* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True
+* https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (https://github.com/timb-machine/linux-malware/issues/422), citable: False
+* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True
+* https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (https://github.com/timb-machine/linux-malware/issues/725), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://twitter.com/ldsopreload/status/1583178316286029824 (https://github.com/timb-machine/linux-malware/issues/568), citable: False
+* https://twitter.com/ldsopreload/status/1582780282758828035 (https://github.com/timb-machine/linux-malware/issues/571), citable: False
+* https://pastebin.com/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/802), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://github.com/R3tr074/brokepkg (https://github.com/timb-machine/linux-malware/issues/777), citable: False
+* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True
+* https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True
+* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True
+* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False
+* https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True
+* 
https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True +* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True +* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True +* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False +* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (https://github.com/timb-machine/linux-malware/issues/420), citable: False +* https://www.group-ib.com/blog/krasue-rat/ (https://github.com/timb-machine/linux-malware/issues/797), citable: True +* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False +* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False +* https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (https://github.com/timb-machine/linux-malware/issues/570), citable: False + +T1525: Implant Internal Image + +missing from ATT&CK + +* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False +* https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (https://github.com/timb-machine/linux-malware/issues/692), citable: True +* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: 
True + +T1505.003: Web Shell + +* https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (https://github.com/timb-machine/linux-malware/issues/90), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ (https://github.com/timb-machine/linux-malware/issues/373), citable: True + +T1078.001: Default Accounts + +* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (https://github.com/timb-machine/linux-malware/issues/604), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True (TACTICS OR TECHNIQUES WRONG) + +T1574.006: Dynamic Linker Hijacking + +* https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (https://github.com/timb-machine/linux-malware/issues/397), citable: True +* https://github.com/darrenmartyn/malware_samples (https://github.com/timb-machine/linux-malware/issues/530), citable: False +* https://github.com/NixOS/patchelf (https://github.com/timb-machine/linux-malware/issues/443), citable: False +* https://github.com/dsnezhkov/zombieant (https://github.com/timb-machine/linux-malware/issues/793), citable: False +* https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (https://github.com/timb-machine/linux-malware/issues/770), citable: True +* https://github.com/gianlucaborello/libprocesshider (https://github.com/timb-machine/linux-malware/issues/776), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://sansec.io/research/nginrat 
(https://github.com/timb-machine/linux-malware/issues/94), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://github.com/namazso/linux_injector (https://github.com/timb-machine/linux-malware/issues/599), citable: False +* https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True +* https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True +* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True +* https://github.com/mav8557/Father (https://github.com/timb-machine/linux-malware/issues/606), citable: False +* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True +* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False +* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True + +T1053.001: At (Linux) + +* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True + +T1098.004: SSH Authorized Keys + +* https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (https://github.com/timb-machine/linux-malware/issues/700), citable: True +* https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware 
(https://github.com/timb-machine/linux-malware/issues/814), citable: True + +T1205.001: Port Knocking + +* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False +* https://asec.ahnlab.com/en/55785/ (https://github.com/timb-machine/linux-malware/issues/733), citable: True +* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True + +T1554: Compromise Client Software Binary + +* https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (https://github.com/timb-machine/linux-malware/issues/618), citable: True +* https://hckng.org/articles/perljam-elf64-virus.html (https://github.com/timb-machine/linux-malware/issues/735), citable: False + +T1136.003: Cloud Account + +missing from ATT&CK + +* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False + +T1098: Account Manipulation + +* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False + +T1547.006: Kernel Modules and Extensions + +* https://github.com/pmorjan/kmod (https://github.com/timb-machine/linux-malware/issues/654), citable: False +* https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html (https://github.com/timb-machine/linux-malware/issues/683), citable: False (TACTICS OR TECHNIQUES WRONG) +* http://www.ouah.org/LKM_HACKING.html (https://github.com/timb-machine/linux-malware/issues/257), citable: False +* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False +* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True +* 
https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (https://github.com/timb-machine/linux-malware/issues/770), citable: True +* https://github.com/jermeyyy/rooty (https://github.com/timb-machine/linux-malware/issues/440), citable: False +* https://twitter.com/CraigHRowland/status/1628883826738077696/photo/1 (https://github.com/timb-machine/linux-malware/issues/612), citable: True +* https://github.com/niveb/NoCrypt (https://github.com/timb-machine/linux-malware/issues/673), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False +* https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html (https://github.com/timb-machine/linux-malware/issues/575), citable: False +* https://asec.ahnlab.com/en/55785/ (https://github.com/timb-machine/linux-malware/issues/733), citable: True +* https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True +* https://github.com/R3tr074/brokepkg (https://github.com/timb-machine/linux-malware/issues/777), citable: False +* https://github.com/Eterna1/puszek-rootkit (https://github.com/timb-machine/linux-malware/issues/670), citable: False +* https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (https://github.com/timb-machine/linux-malware/issues/705), citable: False +* https://github.com/noptrix/fbkit (https://github.com/timb-machine/linux-malware/issues/684), citable: False +* https://github.com/reveng007/reveng_rtkit (https://github.com/timb-machine/linux-malware/issues/669), citable: False +* https://github.com/m0nad/Diamorphine (https://github.com/timb-machine/linux-malware/issues/217), citable: False +* https://github.com/h3xduck/Umbra (https://github.com/timb-machine/linux-malware/issues/668), citable: False +* https://twitter.com/CraigHRowland/status/1593102427276050433 
(https://github.com/timb-machine/linux-malware/issues/587), citable: False +* https://github.com/jafarlihi/modreveal (https://github.com/timb-machine/linux-malware/issues/609), citable: False +* https://is.muni.cz/el/fi/jaro2011/PV204/um/LinuxRootkits/sys_call_table_complete.htm (https://github.com/timb-machine/linux-malware/issues/254), citable: False +* https://www.trendmicro.com/en_gb/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html (https://github.com/timb-machine/linux-malware/issues/111), citable: True +* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True +* https://www.group-ib.com/blog/krasue-rat/ (https://github.com/timb-machine/linux-malware/issues/797), citable: True +* https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ (https://github.com/timb-machine/linux-malware/issues/750), citable: True +* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True + +T1574: Hijack Execution Flow + +* https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (https://github.com/timb-machine/linux-malware/issues/499), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True +* https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True +* https://github.com/Gui774ume/krie (https://github.com/timb-machine/linux-malware/issues/498), citable: False +* https://github.com/hardenedvault/ved-ebpf (https://github.com/timb-machine/linux-malware/issues/737), citable: False 
(TACTICS OR TECHNIQUES WRONG) +* https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (https://github.com/timb-machine/linux-malware/issues/719), citable: False + +T1078: Valid Accounts + +* https://blog.xlab.qianxin.com/mirai-tbot-en/ (https://github.com/timb-machine/linux-malware/issues/788), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (https://github.com/timb-machine/linux-malware/issues/678), citable: True +* https://asec.ahnlab.com/en/49769/ (https://github.com/timb-machine/linux-malware/issues/624), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (https://github.com/timb-machine/linux-malware/issues/800), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://sysdig.com/blog/ssh-snake/ (https://github.com/timb-machine/linux-malware/issues/801), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (https://github.com/timb-machine/linux-malware/issues/653), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://bazaar.abuse.ch/browse/signature/XorDDoS/ (https://github.com/timb-machine/linux-malware/issues/129), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/MegaManSec/SSH-Snake (https://github.com/timb-machine/linux-malware/issues/791), citable: False (TACTICS OR TECHNIQUES WRONG) + +T1546.004: Unix Shell Configuration Modification + +* https://github.com/darrenmartyn/malware_samples (https://github.com/timb-machine/linux-malware/issues/530), citable: False +* 
https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True +* https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ (https://github.com/timb-machine/linux-malware/issues/655), citable: True +* https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (https://github.com/timb-machine/linux-malware/issues/618), citable: True +* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True + +T1100: Web Shell + +* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://bazaar.abuse.ch/browse/signature/XorDDoS/ (https://github.com/timb-machine/linux-malware/issues/129), citable: False (TACTICS OR TECHNIQUES WRONG) + +T1505: Server Software Component + +* https://hckng.org/articles/perljam-elf64-virus.html (https://github.com/timb-machine/linux-malware/issues/735), citable: False + +T1037.004: RC Scripts + +* https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (https://github.com/timb-machine/linux-malware/issues/8), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True +* https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (https://github.com/timb-machine/linux-malware/issues/90), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True +* 
https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (https://github.com/timb-machine/linux-malware/issues/814), citable: True +* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.mandiant.com/resources/unc3524-eye-spy-email (https://github.com/timb-machine/linux-malware/issues/414), citable: True +* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True + +T1543.002: Systemd Service + +* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True +* https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (https://github.com/timb-machine/linux-malware/issues/618), citable: True +* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True +* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True + +T1136: Create Account + +* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False + +T1574.002: DLL Side-Loading + +missing from ATT&CK + +* https://github.com/airman604/jdbc-backdoor (https://github.com/timb-machine/linux-malware/issues/607), citable: False + +T1078.004: Cloud Accounts + +missing from ATT&CK + +* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False + +T1556: Modify Authentication Process + +* 
https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (https://github.com/timb-machine/linux-malware/issues/700), citable: True + +## Privilege Escalation + +T1037: Boot or Logon Initialization Scripts + +* https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (https://github.com/timb-machine/linux-malware/issues/618), citable: True (TACTICS OR TECHNIQUES WRONG) + +T1543: Create or Modify System Process + +* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True + +T1053.003: Cron + +* https://bazaar.abuse.ch/sample/d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4/ (https://github.com/timb-machine/linux-malware/issues/662), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://sansec.io/research/cronrat (https://github.com/timb-machine/linux-malware/issues/399), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (https://github.com/timb-machine/linux-malware/issues/90), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/ (https://github.com/timb-machine/linux-malware/issues/816), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ 
(https://github.com/timb-machine/linux-malware/issues/95), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (https://github.com/timb-machine/linux-malware/issues/618), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True +* https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (https://github.com/timb-machine/linux-malware/issues/321), citable: True +* https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (https://github.com/timb-machine/linux-malware/issues/447), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True (TACTICS OR TECHNIQUES WRONG) + +T1055: Process Injection + +* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True +* https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True +* https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (https://github.com/timb-machine/linux-malware/issues/461), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://grugq.github.io/docs/ul_exec.txt (https://github.com/timb-machine/linux-malware/issues/463), citable: False (TACTICS OR TECHNIQUES WRONG) +* 
https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (https://github.com/timb-machine/linux-malware/issues/462), citable: False (TACTICS OR TECHNIQUES WRONG) + +T1611: Escape to Host + +* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True + +T1078.001: Default Accounts + +* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (https://github.com/timb-machine/linux-malware/issues/604), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True (TACTICS OR TECHNIQUES WRONG) + +T1574.006: Dynamic Linker Hijacking + +* https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (https://github.com/timb-machine/linux-malware/issues/397), citable: True +* https://github.com/darrenmartyn/malware_samples (https://github.com/timb-machine/linux-malware/issues/530), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/NixOS/patchelf (https://github.com/timb-machine/linux-malware/issues/443), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/dsnezhkov/zombieant (https://github.com/timb-machine/linux-malware/issues/793), citable: False +* https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (https://github.com/timb-machine/linux-malware/issues/770), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://github.com/gianlucaborello/libprocesshider (https://github.com/timb-machine/linux-malware/issues/776), 
citable: False (TACTICS OR TECHNIQUES WRONG) +* https://sansec.io/research/nginrat (https://github.com/timb-machine/linux-malware/issues/94), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://github.com/namazso/linux_injector (https://github.com/timb-machine/linux-malware/issues/599), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True +* https://github.com/mav8557/Father (https://github.com/timb-machine/linux-malware/issues/606), citable: False +* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True (TACTICS OR TECHNIQUES WRONG) + +T1053.001: At (Linux) + +* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True (TACTICS OR TECHNIQUES WRONG) + +T1548: Abuse Elevation Control Mechanism + +* https://github.com/Frissi0n/GTFONow 
(https://github.com/timb-machine/linux-malware/issues/771), citable: False +* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False +* https://github.com/Gui774ume/krie (https://github.com/timb-machine/linux-malware/issues/498), citable: False +* https://twitter.com/ankit_anubhav/status/1490574137370103808 (https://github.com/timb-machine/linux-malware/issues/483), citable: True + +T1548.001: Setuid and Setgid + +* https://github.com/noptrix/fbkit (https://github.com/timb-machine/linux-malware/issues/684), citable: False +* https://github.com/hardenedvault/ved-ebpf (https://github.com/timb-machine/linux-malware/issues/737), citable: False +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True (TACTICS OR TECHNIQUES WRONG) + +T1134.004: Parent PID Spoofing + +missing from ATT&CK + +* https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (https://github.com/timb-machine/linux-malware/issues/461), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://grugq.github.io/docs/ul_exec.txt (https://github.com/timb-machine/linux-malware/issues/463), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (https://github.com/timb-machine/linux-malware/issues/462), citable: False (TACTICS OR TECHNIQUES WRONG) + +T1547.006: Kernel Modules and Extensions + +* https://github.com/pmorjan/kmod (https://github.com/timb-machine/linux-malware/issues/654), citable: False +* https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html (https://github.com/timb-machine/linux-malware/issues/683), citable: False (TACTICS OR TECHNIQUES WRONG) +* 
http://www.ouah.org/LKM_HACKING.html (https://github.com/timb-machine/linux-malware/issues/257), citable: False +* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (https://github.com/timb-machine/linux-malware/issues/770), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://github.com/jermeyyy/rooty (https://github.com/timb-machine/linux-malware/issues/440), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://twitter.com/CraigHRowland/status/1628883826738077696/photo/1 (https://github.com/timb-machine/linux-malware/issues/612), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://github.com/niveb/NoCrypt (https://github.com/timb-machine/linux-malware/issues/673), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False +* https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html (https://github.com/timb-machine/linux-malware/issues/575), citable: False +* https://asec.ahnlab.com/en/55785/ (https://github.com/timb-machine/linux-malware/issues/733), citable: True +* https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://github.com/R3tr074/brokepkg (https://github.com/timb-machine/linux-malware/issues/777), citable: False +* https://github.com/Eterna1/puszek-rootkit (https://github.com/timb-machine/linux-malware/issues/670), citable: False (TACTICS OR TECHNIQUES WRONG) +* 
https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (https://github.com/timb-machine/linux-malware/issues/705), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/noptrix/fbkit (https://github.com/timb-machine/linux-malware/issues/684), citable: False +* https://github.com/reveng007/reveng_rtkit (https://github.com/timb-machine/linux-malware/issues/669), citable: False +* https://github.com/m0nad/Diamorphine (https://github.com/timb-machine/linux-malware/issues/217), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/h3xduck/Umbra (https://github.com/timb-machine/linux-malware/issues/668), citable: False +* https://twitter.com/CraigHRowland/status/1593102427276050433 (https://github.com/timb-machine/linux-malware/issues/587), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/jafarlihi/modreveal (https://github.com/timb-machine/linux-malware/issues/609), citable: False +* https://is.muni.cz/el/fi/jaro2011/PV204/um/LinuxRootkits/sys_call_table_complete.htm (https://github.com/timb-machine/linux-malware/issues/254), citable: False +* https://www.trendmicro.com/en_gb/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html (https://github.com/timb-machine/linux-malware/issues/111), citable: True +* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True +* https://www.group-ib.com/blog/krasue-rat/ (https://github.com/timb-machine/linux-malware/issues/797), citable: True +* https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ (https://github.com/timb-machine/linux-malware/issues/750), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True (TACTICS OR 
TECHNIQUES WRONG) + +T1574: Hijack Execution Flow + +* https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (https://github.com/timb-machine/linux-malware/issues/499), citable: False +* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True +* https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True +* https://github.com/Gui774ume/krie (https://github.com/timb-machine/linux-malware/issues/498), citable: False +* https://github.com/hardenedvault/ved-ebpf (https://github.com/timb-machine/linux-malware/issues/737), citable: False +* https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (https://github.com/timb-machine/linux-malware/issues/719), citable: False + +T1078: Valid Accounts + +* https://blog.xlab.qianxin.com/mirai-tbot-en/ (https://github.com/timb-machine/linux-malware/issues/788), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (https://github.com/timb-machine/linux-malware/issues/678), citable: True +* https://asec.ahnlab.com/en/49769/ (https://github.com/timb-machine/linux-malware/issues/624), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (https://github.com/timb-machine/linux-malware/issues/800), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://sysdig.com/blog/ssh-snake/ (https://github.com/timb-machine/linux-malware/issues/801), citable: True (TACTICS OR 
TECHNIQUES WRONG) +* https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (https://github.com/timb-machine/linux-malware/issues/653), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://bazaar.abuse.ch/browse/signature/XorDDoS/ (https://github.com/timb-machine/linux-malware/issues/129), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/MegaManSec/SSH-Snake (https://github.com/timb-machine/linux-malware/issues/791), citable: False (TACTICS OR TECHNIQUES WRONG) + +T1055.012: Process Hollowing + +missing from ATT&CK + +* https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (https://github.com/timb-machine/linux-malware/issues/461), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://grugq.github.io/docs/ul_exec.txt (https://github.com/timb-machine/linux-malware/issues/463), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (https://github.com/timb-machine/linux-malware/issues/462), citable: False (TACTICS OR TECHNIQUES WRONG) + +T1068: Exploitation for Privilege Escalation + +* https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (https://github.com/timb-machine/linux-malware/issues/499), citable: False +* https://github.com/Gui774ume/krie (https://github.com/timb-machine/linux-malware/issues/498), citable: False +* https://github.com/hardenedvault/ved-ebpf (https://github.com/timb-machine/linux-malware/issues/737), citable: False + +T1546.004: Unix Shell Configuration Modification + +* https://github.com/darrenmartyn/malware_samples (https://github.com/timb-machine/linux-malware/issues/530), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True (TACTICS OR TECHNIQUES WRONG) +* 
https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ (https://github.com/timb-machine/linux-malware/issues/655), citable: True +* https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (https://github.com/timb-machine/linux-malware/issues/618), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True + +T1100: Web Shell + +* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://bazaar.abuse.ch/browse/signature/XorDDoS/ (https://github.com/timb-machine/linux-malware/issues/129), citable: False (TACTICS OR TECHNIQUES WRONG) + +T1055.009: Proc Memory + +* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True +* https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True +* https://github.com/NetSPI/sshkey-grab (https://github.com/timb-machine/linux-malware/issues/619), citable: False (TACTICS OR TECHNIQUES WRONG) + +T1037.004: RC Scripts + +* https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (https://github.com/timb-machine/linux-malware/issues/8), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True +* https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (https://github.com/timb-machine/linux-malware/issues/90), citable: True (TACTICS OR TECHNIQUES WRONG) +* 
https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (https://github.com/timb-machine/linux-malware/issues/814), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.mandiant.com/resources/unc3524-eye-spy-email (https://github.com/timb-machine/linux-malware/issues/414), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True + +T1543.002: Systemd Service + +* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ (https://github.com/timb-machine/linux-malware/issues/618), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True +* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True (TACTICS OR TECHNIQUES WRONG) + +T1574.002: DLL Side-Loading + +missing from ATT&CK + +* https://github.com/airman604/jdbc-backdoor (https://github.com/timb-machine/linux-malware/issues/607), citable: False + +T1055.008: Ptrace System Calls + +* 
https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (https://github.com/timb-machine/linux-malware/issues/461), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://grugq.github.io/docs/ul_exec.txt (https://github.com/timb-machine/linux-malware/issues/463), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (https://github.com/timb-machine/linux-malware/issues/462), citable: False (TACTICS OR TECHNIQUES WRONG) + +T1078.004: Cloud Accounts + +missing from ATT&CK + +* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False (TACTICS OR TECHNIQUES WRONG) + +## Lateral Movement + +T1021.005: VNC + +* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True + +T1021.004: SSH + +* https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (https://github.com/timb-machine/linux-malware/issues/8), citable: True +* https://rushter.com/blog/public-ssh-keys/ (https://github.com/timb-machine/linux-malware/issues/754), citable: False +* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (https://github.com/timb-machine/linux-malware/issues/800), citable: False +* https://sysdig.com/blog/ssh-snake/ (https://github.com/timb-machine/linux-malware/issues/801), citable: True +* https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (https://github.com/timb-machine/linux-malware/issues/524), citable: True +* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False (TACTICS OR TECHNIQUES WRONG) +* 
https://www.mandiant.com/resources/unc3524-eye-spy-email (https://github.com/timb-machine/linux-malware/issues/414), citable: True +* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True +* https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True +* https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True +* https://github.com/MegaManSec/SSH-Snake (https://github.com/timb-machine/linux-malware/issues/791), citable: False +* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True + +T1563.001: SSH Hijacking + +* https://github.com/aviat/passe-partout (https://github.com/timb-machine/linux-malware/issues/704), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True (TACTICS OR TECHNIQUES WRONG) + +T1021.002: SMB/Windows Admin Shares + +missing from ATT&CK + +* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True + +T1021: Remote Services + +* https://cujo.com/threat-alert-krane-malware/ (https://github.com/timb-machine/linux-malware/issues/391), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True +* 
https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True + +T1072: Software Deployment Tools + +* https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (https://github.com/timb-machine/linux-malware/issues/790), citable: True + +## Defense Evasion + +T1205.002: Socket Filters + +* https://github.com/h3xduck/TripleCross (https://github.com/timb-machine/linux-malware/issues/465), citable: False +* https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (https://github.com/timb-machine/linux-malware/issues/397), citable: True +* https://twitter.com/timb_machine/status/1523253031382687744 (https://github.com/timb-machine/linux-malware/issues/421), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://packetstormsecurity.com/files/22121/cd00r.c.html (https://github.com/timb-machine/linux-malware/issues/597), citable: False +* https://github.com/vbpf/ebpf-samples (https://github.com/timb-machine/linux-malware/issues/215), citable: False +* https://github.com/citronneur/pamspy (https://github.com/timb-machine/linux-malware/issues/466), citable: False +* https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (https://github.com/timb-machine/linux-malware/issues/658), citable: True +* https://github.com/snapattack/bpfdoor-scanner (https://github.com/timb-machine/linux-malware/issues/437), citable: False +* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (https://github.com/timb-machine/linux-malware/issues/422), citable: False +* https://vms.drweb.com/virus/?i=21004786 
(https://github.com/timb-machine/linux-malware/issues/433), citable: True +* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True +* https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (https://github.com/timb-machine/linux-malware/issues/725), citable: True +* https://github.com/wunderwuzzi23/Offensive-BPF (https://github.com/timb-machine/linux-malware/issues/469), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/Gui774ume/ebpfkit (https://github.com/timb-machine/linux-malware/issues/151), citable: False +* https://twitter.com/ldsopreload/status/1583178316286029824 (https://github.com/timb-machine/linux-malware/issues/568), citable: False +* https://twitter.com/inversecos/status/1527188391347068928 (https://github.com/timb-machine/linux-malware/issues/435), citable: False +* https://twitter.com/ldsopreload/status/1582780282758828035 (https://github.com/timb-machine/linux-malware/issues/571), citable: False +* https://pastebin.com/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/802), citable: False +* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True +* https://github.com/noptrix/fbkit (https://github.com/timb-machine/linux-malware/issues/684), citable: False +* https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar (https://github.com/timb-machine/linux-malware/issues/419), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://packetstormsecurity.com/files/23336/Slx2k001.txt.html (https://github.com/timb-machine/linux-malware/issues/152), citable: False +* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True +* 
https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool (https://github.com/timb-machine/linux-malware/issues/405), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False +* https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True +* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True +* https://github.com/aojea/netkat (https://github.com/timb-machine/linux-malware/issues/464), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True +* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True +* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (https://github.com/timb-machine/linux-malware/issues/449), citable: False +* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False +* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True +* https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (https://github.com/timb-machine/linux-malware/issues/420), citable: False +* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False +* https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace 
(https://github.com/timb-machine/linux-malware/issues/570), citable: False + +T1027.009: Embedded Payloads + +* https://asec.ahnlab.com/en/45182/ (https://github.com/timb-machine/linux-malware/issues/603), citable: True + +T1556.003: Pluggable Authentication Modules + +* https://github.com/citronneur/pamspy (https://github.com/timb-machine/linux-malware/issues/466), citable: False +* https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True +* https://github.com/zephrax/linux-pam-backdoor (https://github.com/timb-machine/linux-malware/issues/181), citable: False +* https://rosesecurityresearch.com/crafting-malicious-pluggable-authentication-modules-for-persistence-privilege-escalation-and-lateral-movement (https://github.com/timb-machine/linux-malware/issues/772), citable: False +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True +* https://github.com/Achiefs/fim (https://github.com/timb-machine/linux-malware/issues/779), citable: False +* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False +* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True + +T1014: Rootkit + +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True +* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False +* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False +* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) 
+* https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True +* https://github.com/Eterna1/puszek-rootkit (https://github.com/timb-machine/linux-malware/issues/670), citable: False +* https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (https://github.com/timb-machine/linux-malware/issues/705), citable: False +* https://github.com/noptrix/fbkit (https://github.com/timb-machine/linux-malware/issues/684), citable: False +* https://github.com/reveng007/reveng_rtkit (https://github.com/timb-machine/linux-malware/issues/669), citable: False +* https://github.com/h3xduck/Umbra (https://github.com/timb-machine/linux-malware/issues/668), citable: False +* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True + +T1578: Modify Cloud Compute Infrastructure + +missing from ATT&CK + +* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False + +T1542.003: Bootkit + +* https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True +* https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True + +T1036.005: Match Legitimate Name or Location + +* https://asec.ahnlab.com/en/50316/ (https://github.com/timb-machine/linux-malware/issues/621), citable: True +* https://github.com/darrenmartyn/malware_samples (https://github.com/timb-machine/linux-malware/issues/530), citable: False +* https://sansec.io/research/cronrat (https://github.com/timb-machine/linux-malware/issues/399), citable: True +* https://asec.ahnlab.com/ko/55070/ (https://github.com/timb-machine/linux-malware/issues/709), citable: 
True +* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True +* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True +* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://sansec.io/research/nginrat (https://github.com/timb-machine/linux-malware/issues/94), citable: True +* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True +* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True +* https://asec.ahnlab.com/en/55229/ (https://github.com/timb-machine/linux-malware/issues/722), citable: True + +T1564: Hide Artifacts + +* https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True + +T1070.002: Clear Linux or Mac System Logs + +* https://cujo.com/threat-alert-krane-malware/ (https://github.com/timb-machine/linux-malware/issues/391), citable: True +* https://github.com/Kabot/mig-logcleaner-resurrected (https://github.com/timb-machine/linux-malware/issues/154), citable: False +* https://asec.ahnlab.com/en/54647/ (https://github.com/timb-machine/linux-malware/issues/707), citable: True +* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True +* https://packetstormsecurity.com/files/31345/0x333shadow.tar.gz.html 
(https://github.com/timb-machine/linux-malware/issues/706), citable: False +* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True + +T1202: Indirect Command Execution + +missing from ATT&CK + +* https://gist.github.com/timb-machine/7bd75479ee29aee8762952ea16908eb0 (https://github.com/timb-machine/linux-malware/issues/197), citable: False +* https://sysdig.com/blog/containers-read-only-fileless-malware/ (https://github.com/timb-machine/linux-malware/issues/415), citable: False + +T1140: Deobfuscate/Decode Files or Information + +* https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (https://github.com/timb-machine/linux-malware/issues/770), citable: True +* https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (https://github.com/timb-machine/linux-malware/issues/723), citable: True +* https://blogs-jpcert-or-jp.translate.goog/ja/2023/07/dangerouspassword_dev.html?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp (https://github.com/timb-machine/linux-malware/issues/721), citable: True +* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True + +T1562: Impair Defenses + +* https://github.com/dsnezhkov/zombieant (https://github.com/timb-machine/linux-malware/issues/793), citable: False +* https://gist.github.com/timb-machine/602d1a4dace4899babc1b6b5345d24b2 (https://github.com/timb-machine/linux-malware/issues/550), citable: False +* https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html (https://github.com/timb-machine/linux-malware/issues/575), citable: False +* https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/ (https://github.com/timb-machine/linux-malware/issues/739), citable: False +* https://github.com/codewhitesec/daphne 
(https://github.com/timb-machine/linux-malware/issues/740), citable: False +* https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True +* https://github.com/codewhitesec/apollon (https://github.com/timb-machine/linux-malware/issues/734), citable: False +* https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (https://github.com/timb-machine/linux-malware/issues/692), citable: True + +T1036: Masquerading + +* https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (https://github.com/timb-machine/linux-malware/issues/658), citable: True +* https://github.com/snapattack/bpfdoor-scanner (https://github.com/timb-machine/linux-malware/issues/437), citable: False +* https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (https://github.com/timb-machine/linux-malware/issues/422), citable: False +* https://vms.drweb.com/virus/?i=21004786 (https://github.com/timb-machine/linux-malware/issues/433), citable: True +* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True +* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True +* https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (https://github.com/timb-machine/linux-malware/issues/814), citable: True +* https://twitter.com/ldsopreload/status/1583178316286029824 (https://github.com/timb-machine/linux-malware/issues/568), citable: False +* https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (https://github.com/timb-machine/linux-malware/issues/711), citable: False +* https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ 
(https://github.com/timb-machine/linux-malware/issues/724), citable: True
+* https://twitter.com/inversecos/status/1527188391347068928 (https://github.com/timb-machine/linux-malware/issues/435), citable: False
+* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False
+* https://twitter.com/ldsopreload/status/1582780282758828035 (https://github.com/timb-machine/linux-malware/issues/571), citable: False
+* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True
+* https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True
+* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True
+* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False
+* https://twitter.com/xnand_/status/1676336329985077249 (https://github.com/timb-machine/linux-malware/issues/710), citable: True
+* https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True
+* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True
+* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True
+* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True
+* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (https://github.com/timb-machine/linux-malware/issues/449), citable: False
+* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False
+* https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (https://github.com/timb-machine/linux-malware/issues/420), citable: False
+* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False
+* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False
+* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True
+* https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (https://github.com/timb-machine/linux-malware/issues/570), citable: False
+* https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (https://github.com/timb-machine/linux-malware/issues/686), citable: True
+
+T1055: Process Injection
+
+* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True
+* https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True
+* https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (https://github.com/timb-machine/linux-malware/issues/461), citable: False
+* https://grugq.github.io/docs/ul_exec.txt (https://github.com/timb-machine/linux-malware/issues/463), citable: False
+* https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (https://github.com/timb-machine/linux-malware/issues/462), citable: False
+
+T1205: Traffic Signaling
+
+* https://twitter.com/timb_machine/status/1523253031382687744 (https://github.com/timb-machine/linux-malware/issues/421), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (https://github.com/timb-machine/linux-malware/issues/658), citable: True
+* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (https://github.com/timb-machine/linux-malware/issues/422), citable: False
+* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True
+* https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (https://github.com/timb-machine/linux-malware/issues/725), citable: True
+* https://twitter.com/ldsopreload/status/1583178316286029824 (https://github.com/timb-machine/linux-malware/issues/568), citable: False
+* https://twitter.com/ldsopreload/status/1582780282758828035 (https://github.com/timb-machine/linux-malware/issues/571), citable: False
+* https://pastebin.com/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/802), citable: False
+* https://github.com/R3tr074/brokepkg (https://github.com/timb-machine/linux-malware/issues/777), citable: False
+* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True
+* https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True
+* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True
+* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False
+* https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True
+* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True
+* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True
+* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True
+* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False
+* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True
+* https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (https://github.com/timb-machine/linux-malware/issues/420), citable: False
+* https://www.group-ib.com/blog/krasue-rat/ (https://github.com/timb-machine/linux-malware/issues/797), citable: True
+* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False
+* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False
+* https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (https://github.com/timb-machine/linux-malware/issues/570), citable: False
+
+T1218: System Binary Proxy Execution
+
+* https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (https://github.com/timb-machine/linux-malware/issues/719), citable: False
+
+T1070.006: Timestomp
+
+* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True
+* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True
+
+T1620: Reflective Code Loading
+
+* https://github.com/m1m1x/memdlopen (https://github.com/timb-machine/linux-malware/issues/175), citable: False
+* https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (https://github.com/timb-machine/linux-malware/issues/499), citable: False
+* https://github.com/vbpf/ebpf-samples (https://github.com/timb-machine/linux-malware/issues/215), citable: False
+* https://blog.trailofbits.com/2021/11/09/all-your-tracing-are-belong-to-bpf/ (https://github.com/timb-machine/linux-malware/issues/747), citable: False
+* https://redcanary.com/blog/ebpf-for-security/ (https://github.com/timb-machine/linux-malware/issues/270), citable: False
+* https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (https://github.com/timb-machine/linux-malware/issues/723), citable: True
+* https://github.com/Gui774ume/krie (https://github.com/timb-machine/linux-malware/issues/498), citable: False
+* https://gist.github.com/timb-machine/7bd75479ee29aee8762952ea16908eb0 (https://github.com/timb-machine/linux-malware/issues/197), citable: False
+* https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero (https://github.com/timb-machine/linux-malware/issues/495), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://2018.zeronights.ru/wp-content/uploads/materials/09-ELF-execution-in-Linux-RAM.pdf (https://github.com/timb-machine/linux-malware/issues/436), citable: False
+* https://sysdig.com/blog/containers-read-only-fileless-malware/ (https://github.com/timb-machine/linux-malware/issues/415), citable: False
+* https://github.com/X-C3LL/memdlopen-lib (https://github.com/timb-machine/linux-malware/issues/605), citable: False
+* https://github.com/nnsee/fileless-elf-exec (https://github.com/timb-machine/linux-malware/issues/193), citable: False
+* https://www.form3.tech/engineering/content/bypassing-ebpf-tools (https://github.com/timb-machine/linux-malware/issues/584), citable: False
+* https://github.com/hardenedvault/ved-ebpf (https://github.com/timb-machine/linux-malware/issues/737), citable: False
+* https://blog.trailofbits.com/2023/08/09/use-our-suite-of-ebpf-libraries/ (https://github.com/timb-machine/linux-malware/issues/736), citable: False
+* http://archive.hack.lu/2019/Fileless-Malware-Infection-and-Linux-Process-Injection-in-Linux-OS.pdf (https://github.com/timb-machine/linux-malware/issues/242), citable: False
+* https://github.com/trustedsec/ELFLoader (https://github.com/timb-machine/linux-malware/issues/416), citable: False
+* https://blog.aquasec.com/detecting-ebpf-malware-with-tracee (https://github.com/timb-machine/linux-malware/issues/745), citable: False
+* https://github.com/guitmz/memrun (https://github.com/timb-machine/linux-malware/issues/592), citable: False
+* https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (https://github.com/timb-machine/linux-malware/issues/462), citable: False
+* https://www.first.org/resources/papers/telaviv2019/Rezilion-Shlomi-Butnaro-Beyond-Whitelisting-Fileless-Attacks-Against-L....pdf (https://github.com/timb-machine/linux-malware/issues/231), citable: False
+* https://blog.doyensec.com/2022/10/11/ebpf-bypass-security-monitoring.html (https://github.com/timb-machine/linux-malware/issues/567), citable: False
+
+T1497.003: Time Based Evasion
+
+* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True
+
+T1599.001: Network Address Translation Traversal
+
+missing from ATT&CK
+
+* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True
+
+T1562.004: Disable or Modify System Firewall
+
+* https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (https://github.com/timb-machine/linux-malware/issues/8), citable: True
+* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True
+
+T1610: Deploy Container
+
+missing from ATT&CK
+
+* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True
+
+T1078.001: Default Accounts
+
+* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True
+* https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (https://github.com/timb-machine/linux-malware/issues/604), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True
+
+T1574.006: Dynamic Linker Hijacking
+
+* https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (https://github.com/timb-machine/linux-malware/issues/397), citable: True
+* https://github.com/darrenmartyn/malware_samples (https://github.com/timb-machine/linux-malware/issues/530), citable: False
+* https://github.com/NixOS/patchelf (https://github.com/timb-machine/linux-malware/issues/443), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://github.com/dsnezhkov/zombieant (https://github.com/timb-machine/linux-malware/issues/793), citable: False
+* https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ (https://github.com/timb-machine/linux-malware/issues/770), citable: True
+* https://github.com/gianlucaborello/libprocesshider (https://github.com/timb-machine/linux-malware/issues/776), citable: False
+* https://sansec.io/research/nginrat (https://github.com/timb-machine/linux-malware/issues/94), citable: True
+* https://github.com/namazso/linux_injector (https://github.com/timb-machine/linux-malware/issues/599), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True
+* https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True
+* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True
+* https://github.com/mav8557/Father (https://github.com/timb-machine/linux-malware/issues/606), citable: False
+* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True
+* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True
+* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False
+* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True (TACTICS OR TECHNIQUES WRONG)
+
+T1222: File and Directory Permissions Modification
+
+* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True
+* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True
+
+T1548: Abuse Elevation Control Mechanism
+
+* https://github.com/Frissi0n/GTFONow (https://github.com/timb-machine/linux-malware/issues/771), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False
+* https://github.com/Gui774ume/krie (https://github.com/timb-machine/linux-malware/issues/498), citable: False
+* https://twitter.com/ankit_anubhav/status/1490574137370103808 (https://github.com/timb-machine/linux-malware/issues/483), citable: True
+
+T1548.001: Setuid and Setgid
+
+* https://github.com/noptrix/fbkit (https://github.com/timb-machine/linux-malware/issues/684), citable: False
+* https://github.com/hardenedvault/ved-ebpf (https://github.com/timb-machine/linux-malware/issues/737), citable: False
+* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True
+* https://www.mandiant.com/resources/unc2891-overview (https://github.com/timb-machine/linux-malware/issues/112), citable: True
+
+T1562.006: Indicator Blocking
+
+* https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw (https://github.com/timb-machine/linux-malware/issues/660), citable: True (TACTICS OR TECHNIQUES WRONG)
+
+T1070: Indicator Removal
+
+* https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (https://github.com/timb-machine/linux-malware/issues/658), citable: True
+* https://github.com/snapattack/bpfdoor-scanner (https://github.com/timb-machine/linux-malware/issues/437), citable: False
+* https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (https://github.com/timb-machine/linux-malware/issues/422), citable: False
+* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True
+* https://twitter.com/ldsopreload/status/1583178316286029824 (https://github.com/timb-machine/linux-malware/issues/568), citable: False
+* https://twitter.com/inversecos/status/1527188391347068928 (https://github.com/timb-machine/linux-malware/issues/435), citable: False
+* https://twitter.com/ldsopreload/status/1582780282758828035 (https://github.com/timb-machine/linux-malware/issues/571), citable: False
+* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True
+* https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True
+* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True
+* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False
+* https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True
+* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True
+* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True
+* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True
+* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (https://github.com/timb-machine/linux-malware/issues/449), citable: False
+* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False
+* https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (https://github.com/timb-machine/linux-malware/issues/420), citable: False
+* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False
+* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False
+* https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (https://github.com/timb-machine/linux-malware/issues/570), citable: False
+
+T1036.004: Masquerade Task or Service
+
+* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True
+
+T1480: Execution Guardrails
+
+* https://cybersec84.wordpress.com/2023/08/15/monti-ransomware-operators-resurface-with-new-linux-variant-improved-evasion-tactics/ (https://github.com/timb-machine/linux-malware/issues/753), citable: True
+* https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (https://github.com/timb-machine/linux-malware/issues/623), citable: True
+* https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw (https://github.com/timb-machine/linux-malware/issues/660), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True
+
+T1205.001: Port Knocking
+
+* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False
+* https://asec.ahnlab.com/en/55785/ (https://github.com/timb-machine/linux-malware/issues/733), citable: True
+* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True (TACTICS OR TECHNIQUES WRONG)
+
+T1562.003: Impair Command History Logging
+
+* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True
+* https://cujo.com/threat-alert-krane-malware/ (https://github.com/timb-machine/linux-malware/issues/391), citable: True
+
+T1134.004: Parent PID Spoofing
+
+missing from ATT&CK
+
+* https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (https://github.com/timb-machine/linux-malware/issues/461), citable: False
+* https://grugq.github.io/docs/ul_exec.txt (https://github.com/timb-machine/linux-malware/issues/463), citable: False
+* https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (https://github.com/timb-machine/linux-malware/issues/462), citable: False
+
+T1562.001: Disable or Modify Tools
+
+* https://github.com/Gui774ume/krie (https://github.com/timb-machine/linux-malware/issues/498), citable: False
+* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/ (https://github.com/timb-machine/linux-malware/issues/739), citable: False
+* https://github.com/codewhitesec/daphne (https://github.com/timb-machine/linux-malware/issues/740), citable: False
+* https://github.com/codewhitesec/apollon (https://github.com/timb-machine/linux-malware/issues/734), citable: False
+* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True
+
+T1601: Modify System Image
+
+missing from ATT&CK
+
+* https://github.com/marin-m/vmlinux-to-elf (https://github.com/timb-machine/linux-malware/issues/726), citable: False
+* https://github.com/Achiefs/fim (https://github.com/timb-machine/linux-malware/issues/779), citable: False
+
+T1574: Hijack Execution Flow
+
+* https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf (https://github.com/timb-machine/linux-malware/issues/499), citable: False
+* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True
+* https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True
+* https://github.com/Gui774ume/krie (https://github.com/timb-machine/linux-malware/issues/498), citable: False
+* https://github.com/hardenedvault/ved-ebpf (https://github.com/timb-machine/linux-malware/issues/737), citable: False
+* https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (https://github.com/timb-machine/linux-malware/issues/719), citable: False
+
+T1078: Valid Accounts
+
+* https://blog.xlab.qianxin.com/mirai-tbot-en/ (https://github.com/timb-machine/linux-malware/issues/788), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (https://github.com/timb-machine/linux-malware/issues/678), citable: True
+* https://asec.ahnlab.com/en/49769/ (https://github.com/timb-machine/linux-malware/issues/624), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (https://github.com/timb-machine/linux-malware/issues/800), citable: False
+* https://sysdig.com/blog/ssh-snake/ (https://github.com/timb-machine/linux-malware/issues/801), citable: True
+* https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (https://github.com/timb-machine/linux-malware/issues/653), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://bazaar.abuse.ch/browse/signature/XorDDoS/ (https://github.com/timb-machine/linux-malware/issues/129), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://github.com/MegaManSec/SSH-Snake (https://github.com/timb-machine/linux-malware/issues/791), citable: False (TACTICS OR TECHNIQUES WRONG)
+
+T1055.012: Process Hollowing
+
+missing from ATT&CK
+
+* https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (https://github.com/timb-machine/linux-malware/issues/461), citable: False
+* https://grugq.github.io/docs/ul_exec.txt (https://github.com/timb-machine/linux-malware/issues/463), citable: False
+* https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (https://github.com/timb-machine/linux-malware/issues/462), citable: False
+
+T1027: Obfuscated Files or Information
+
+* https://blog.xlab.qianxin.com/mirai-tbot-en/ (https://github.com/timb-machine/linux-malware/issues/788), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html (https://github.com/timb-machine/linux-malware/issues/789), citable: True
+* https://sansec.io/research/cronrat (https://github.com/timb-machine/linux-malware/issues/399), citable: True
+* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True
+* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://sansec.io/research/nginrat (https://github.com/timb-machine/linux-malware/issues/94), citable: True
+* https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (https://github.com/timb-machine/linux-malware/issues/800), citable: False
+* https://sysdig.com/blog/ssh-snake/ (https://github.com/timb-machine/linux-malware/issues/801), citable: True
+* https://mp-weixin-qq-com.translate.goog/s/pd6fUs5TLdBtwUHauclDOQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp (https://github.com/timb-machine/linux-malware/issues/588), citable: True
+* https://www.mandiant.com/resources/unc3524-eye-spy-email (https://github.com/timb-machine/linux-malware/issues/414), citable: True
+* https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (https://github.com/timb-machine/linux-malware/issues/447), citable: True
+* https://github.com/trustedsec/ELFLoader (https://github.com/timb-machine/linux-malware/issues/416), citable: False
+* https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True
+* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True
+* https://netadr.github.io/blog/a-quick-glimpse-sbz/ (https://github.com/timb-machine/linux-malware/issues/596), citable: True
+
+T1036.003: Rename System Utilities
+
+* https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ (https://github.com/timb-machine/linux-malware/issues/719), citable: False
+
+T1027.004: Compile After Delivery
+
+* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True
+
+T1562.008: Disable Cloud Logs
+
+missing from ATT&CK
+
+* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True
+
+T1578.002: Create Cloud Instance
+
+missing from ATT&CK
+
+* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False
+
+T1055.009: Proc Memory
+
+* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True
+* https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True
+* https://github.com/NetSPI/sshkey-grab (https://github.com/timb-machine/linux-malware/issues/619), citable: False (TACTICS OR TECHNIQUES WRONG)
+
+T1070.004: File Deletion
+
+* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True
+* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True
+* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True
+* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True
+* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero (https://github.com/timb-machine/linux-malware/issues/495), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True
+* https://www.mandiant.com/resources/blog/messagetap-who-is-reading-your-text-messages (https://github.com/timb-machine/linux-malware/issues/542), citable: True
+* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True
+* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True
+* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True
+
+T1027.002: Software Packing
+
+* https://github.com/NozomiNetworks/upx-recovery-tool (https://github.com/timb-machine/linux-malware/issues/535), citable: False
+* https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf (https://github.com/timb-machine/linux-malware/issues/625), citable: True
+* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True
+* https://github.com/89luca89/pakkero (https://github.com/timb-machine/linux-malware/issues/718), citable: False
+* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True
+* https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (https://github.com/timb-machine/linux-malware/issues/723), citable: True
+* https://github.com/SilentVoid13/Silent_Packer (https://github.com/timb-machine/linux-malware/issues/783), citable: False
+* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True
+* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True
+
+T1622: Debugger Evasion
+
+* https://github.com/0xor0ne/debugoff (https://github.com/timb-machine/linux-malware/issues/755), citable: False
+
+T1574.002: DLL Side-Loading
+
+missing from ATT&CK
+
+* https://github.com/airman604/jdbc-backdoor (https://github.com/timb-machine/linux-malware/issues/607), citable: False
+
+T1055.008: Ptrace System Calls
+
+* https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (https://github.com/timb-machine/linux-malware/issues/461), citable: False
+* https://grugq.github.io/docs/ul_exec.txt (https://github.com/timb-machine/linux-malware/issues/463), citable: False
+* https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (https://github.com/timb-machine/linux-malware/issues/462), citable: False
+
+T1027.007: Dynamic API Resolution
+
+missing from ATT&CK
+
+* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True
+
+T1564.001: Hidden Files and Directories
+
+* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True
+* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False
+* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True
+* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True
+* https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True
+* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False
+* https://github.com/R3tr074/brokepkg (https://github.com/timb-machine/linux-malware/issues/777), citable: False
+* https://github.com/Eterna1/puszek-rootkit (https://github.com/timb-machine/linux-malware/issues/670), citable: False
+* https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html (https://github.com/timb-machine/linux-malware/issues/705), citable: False
+* https://github.com/noptrix/fbkit (https://github.com/timb-machine/linux-malware/issues/684), citable: False
+* https://github.com/reveng007/reveng_rtkit (https://github.com/timb-machine/linux-malware/issues/669), citable: False
+* https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (https://github.com/timb-machine/linux-malware/issues/447), citable: True
+* https://github.com/h3xduck/Umbra (https://github.com/timb-machine/linux-malware/issues/668), citable: False
+* https://www.group-ib.com/blog/krasue-rat/ (https://github.com/timb-machine/linux-malware/issues/797), citable: True
+
+T1078.004: Cloud Accounts
+
+missing from ATT&CK
+
+* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False
+
+T1480.001: Environmental Keying
+
+* https://twitter.com/sethkinghi/status/1397814848549900288 (https://github.com/timb-machine/linux-malware/issues/717), citable: True
+* https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (https://github.com/timb-machine/linux-malware/issues/716), citable: True
+* https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/ (https://github.com/timb-machine/linux-malware/issues/714), citable: True
+
+T1556: Modify Authentication Process
+
+* https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (https://github.com/timb-machine/linux-malware/issues/700), citable: True
+
+## Exfiltration
+
+T1567: Exfiltration Over Web Service
+
+* https://www.archcloudlabs.com/projects/debuginfod/ (https://github.com/timb-machine/linux-malware/issues/796), citable: False
+* https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf (https://github.com/timb-machine/linux-malware/issues/407), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://haxrob.net/fastcash-for-linux/ (https://github.com/timb-machine/linux-malware/issues/815), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf (https://github.com/timb-machine/linux-malware/issues/312), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True
+* https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (https://github.com/timb-machine/linux-malware/issues/321), citable: True
+* https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True
+
+T1020: Automated Exfiltration
+
+* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False
+
+T1048.001: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
+
+* https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (https://github.com/timb-machine/linux-malware/issues/8), citable: True (TACTICS OR TECHNIQUES WRONG)
+
+T1041: Exfiltration Over C2 Channel
+
+* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True
+
+T1048: Exfiltration Over Alternative Protocol
+
+* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://github.com/DeimosC2/DeimosC2 (https://github.com/timb-machine/linux-malware/issues/652), citable: False
+* https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (https://github.com/timb-machine/linux-malware/issues/524), citable: True
+* https://bazaar.abuse.ch/sample/05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d (https://github.com/timb-machine/linux-malware/issues/751), citable: False
+* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True
+* https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (https://github.com/timb-machine/linux-malware/issues/321), citable: True
+* https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True
+
+T1048.003: Exfiltration Over Unencrypted Non-C2 Protocol
+
+* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False
+* https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc (https://github.com/timb-machine/linux-malware/issues/786), citable: True
+
+## Discovery
+
+T1033: System Owner/User Discovery
+
+* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
(https://github.com/timb-machine/linux-malware/issues/95), citable: True + +T1613: Container and Resource Discovery + +missing from ATT&CK + +* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True + +T1069: Permission Groups Discovery + +* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False + +T1069.003: Cloud Groups + +missing from ATT&CK + +* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False + +T1087.002: Domain Account + +* https://blog.vibri.us/BeyondTrust-AD-Bridge-Open-Post-Exploitation/ (https://github.com/timb-machine/linux-malware/issues/635), citable: False + +T1007: System Service Discovery + +* https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True (TACTICS OR TECHNIQUES WRONG) + +T1040: Network Sniffing + +* https://github.com/Eterna1/puszek-rootkit (https://github.com/timb-machine/linux-malware/issues/670), citable: False +* https://www.mandiant.com/resources/blog/messagetap-who-is-reading-your-text-messages (https://github.com/timb-machine/linux-malware/issues/542), citable: True +* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True + +T1082: System Information Discovery + +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True +* https://asec.ahnlab.com/en/50316/ (https://github.com/timb-machine/linux-malware/issues/621), citable: True +* https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html (https://github.com/timb-machine/linux-malware/issues/789), citable: True +* 
https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (https://github.com/timb-machine/linux-malware/issues/716), citable: True +* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (https://github.com/timb-machine/linux-malware/issues/790), citable: True +* https://cujo.com/threat-alert-krane-malware/ (https://github.com/timb-machine/linux-malware/issues/391), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True +* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/ (https://github.com/timb-machine/linux-malware/issues/787), citable: False +* https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en (https://github.com/timb-machine/linux-malware/issues/447), citable: True +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ (https://github.com/timb-machine/linux-malware/issues/468), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True + +T1497.003: Time Based Evasion + +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True + +T1580: Cloud Infrastructure Discovery + +missing from ATT&CK + +* 
https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (https://github.com/timb-machine/linux-malware/issues/692), citable: True (TACTICS OR TECHNIQUES WRONG) + +T1016: System Network Configuration Discovery + +* https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (https://github.com/timb-machine/linux-malware/issues/516), citable: True +* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True +* https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ (https://github.com/timb-machine/linux-malware/issues/119), citable: True (TACTICS OR TECHNIQUES WRONG) + +T1083: File and Directory Discovery + +* https://www.guitmz.com/linux-nasty-elf-virus/ (https://github.com/timb-machine/linux-malware/issues/642), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True +* https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (https://github.com/timb-machine/linux-malware/issues/790), citable: True +* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (https://github.com/timb-machine/linux-malware/issues/449), citable: False (TACTICS OR TECHNIQUES WRONG) + +T1619: Cloud Storage Object Discovery + +missing from ATT&CK + +* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False + +T1057: Process Discovery + +* https://www.guitmz.com/linux-nasty-elf-virus/ (https://github.com/timb-machine/linux-malware/issues/642), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True +* https://github.com/darrenmartyn/malware_samples 
(https://github.com/timb-machine/linux-malware/issues/530), citable: False +* https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ (https://github.com/timb-machine/linux-malware/issues/700), citable: True +* https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (https://github.com/timb-machine/linux-malware/issues/716), citable: True +* https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 (https://github.com/timb-machine/linux-malware/issues/702), citable: True +* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True +* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux (https://github.com/timb-machine/linux-malware/issues/510), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (https://github.com/timb-machine/linux-malware/issues/524), citable: True +* https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (https://github.com/timb-machine/linux-malware/issues/462), citable: False +* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines (https://github.com/timb-machine/linux-malware/issues/527), citable: True + +T1526: Cloud Service Discovery + +missing from ATT&CK + +* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False + +T1018: Remote System Discovery + +* https://rushter.com/blog/public-ssh-keys/ (https://github.com/timb-machine/linux-malware/issues/754), citable: False +* https://cujo.com/threat-alert-krane-malware/ (https://github.com/timb-machine/linux-malware/issues/391), citable: True (TACTICS OR TECHNIQUES WRONG) +* 
https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True + +T1046: Network Service Discovery + +* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True + +T1518: Software Discovery + +* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True + +T1622: Debugger Evasion + +* https://github.com/0xor0ne/debugoff (https://github.com/timb-machine/linux-malware/issues/755), citable: False (TACTICS OR TECHNIQUES WRONG) + +T1124: System Time Discovery + +missing from ATT&CK + +* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True + +## Collection + +T1560.001: Archive via Utility + +* http://securelist.com/backdoored-free-download-manager-linux-malware/110465/ (https://github.com/timb-machine/linux-malware/issues/766), citable: False + +T1056.001: Keylogging + +* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/anko/xkbcat (https://github.com/timb-machine/linux-malware/issues/691), citable: False + +T1602: Data from Configuration Repository + +missing from ATT&CK + +* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False + +T1005: Data from Local System + +* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf 
(https://github.com/timb-machine/linux-malware/issues/449), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True + +T1560.002: Archive via Library + +* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True + +T1213.003: Code Repositories + +missing from ATT&CK + +* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False + +T1602.001: SNMP (MIB Dump) + +missing from ATT&CK + +* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True + +## Resource Development + +T1583.008: Malvertising + +missing from ATT&CK + +* https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (https://github.com/timb-machine/linux-malware/issues/814), citable: True +* https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (https://github.com/timb-machine/linux-malware/issues/711), citable: False +* https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (https://github.com/timb-machine/linux-malware/issues/724), citable: True +* https://twitter.com/xnand_/status/1676336329985077249 (https://github.com/timb-machine/linux-malware/issues/710), citable: True +* https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (https://github.com/timb-machine/linux-malware/issues/686), citable: True + +T1587.001: Malware + +missing from ATT&CK + +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True +* https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ 
(https://github.com/timb-machine/linux-malware/issues/516), citable: True + +T1587.002: Code Signing Certificates + +missing from ATT&CK + +* https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ (https://github.com/timb-machine/linux-malware/issues/817), citable: True + +T1608.001: Upload Malware + +missing from ATT&CK + +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True + +T1583.001: Domains + +missing from ATT&CK + +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True + +T1608.002: Upload Tool + +missing from ATT&CK + +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True + +T1588.001: Malware + +missing from ATT&CK + +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True + +T1584: Compromise Infrastructure + +missing from ATT&CK + +* https://www.mandiant.com/resources/unc3524-eye-spy-email (https://github.com/timb-machine/linux-malware/issues/414), citable: True + +T1608: Stage Capabilities + +missing from ATT&CK + +* https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (https://github.com/timb-machine/linux-malware/issues/814), citable: True +* https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (https://github.com/timb-machine/linux-malware/issues/711), citable: False +* https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (https://github.com/timb-machine/linux-malware/issues/724), citable: True +* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True +* https://twitter.com/xnand_/status/1676336329985077249 (https://github.com/timb-machine/linux-malware/issues/710), citable: True +* 
https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (https://github.com/timb-machine/linux-malware/issues/686), citable: True + +T1588.002: Tool + +missing from ATT&CK + +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True + +T1585: Establish Accounts + +missing from ATT&CK + +* https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (https://github.com/timb-machine/linux-malware/issues/814), citable: True +* https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (https://github.com/timb-machine/linux-malware/issues/711), citable: False +* https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (https://github.com/timb-machine/linux-malware/issues/724), citable: True +* https://twitter.com/xnand_/status/1676336329985077249 (https://github.com/timb-machine/linux-malware/issues/710), citable: True +* https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (https://github.com/timb-machine/linux-malware/issues/686), citable: True + +T1588: Obtain Capabilities + +missing from ATT&CK + +* https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware (https://github.com/timb-machine/linux-malware/issues/814), citable: True +* https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc (https://github.com/timb-machine/linux-malware/issues/711), citable: False +* https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ (https://github.com/timb-machine/linux-malware/issues/724), citable: True +* https://twitter.com/xnand_/status/1676336329985077249 (https://github.com/timb-machine/linux-malware/issues/710), citable: True +* https://vulncheck.com/blog/fake-repos-deliver-malicious-implant (https://github.com/timb-machine/linux-malware/issues/686), citable: True + +## Reconnaissance + +T1590.002: DNS + +missing from ATT&CK + +* 
https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True (TACTICS OR TECHNIQUES WRONG) + +T1594: Search Victim-Owned Websites + +missing from ATT&CK + +* https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (https://github.com/timb-machine/linux-malware/issues/678), citable: True + +T1589: Gather Victim Identity Information + +missing from ATT&CK + +* https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (https://github.com/timb-machine/linux-malware/issues/678), citable: True + +T1595.002: Vulnerability Scanning + +missing from ATT&CK + +* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True + +T1595: Active Scanning + +missing from ATT&CK + +* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True + +T1590: Gather Victim Network Information + +missing from ATT&CK + +* https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (https://github.com/timb-machine/linux-malware/issues/8), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True (TACTICS OR TECHNIQUES WRONG) + +T1593: Search Open Websites/Domains + +missing from ATT&CK + +* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False + +T1592.002: Software + +missing from ATT&CK + +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True + +T1589.001: Credentials + +missing from ATT&CK + +* 
https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (https://github.com/timb-machine/linux-malware/issues/678), citable: True + +## Command and Control + +T1205.002: Socket Filters + +* https://github.com/h3xduck/TripleCross (https://github.com/timb-machine/linux-malware/issues/465), citable: False +* https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html (https://github.com/timb-machine/linux-malware/issues/397), citable: True +* https://twitter.com/timb_machine/status/1523253031382687744 (https://github.com/timb-machine/linux-malware/issues/421), citable: False +* https://packetstormsecurity.com/files/22121/cd00r.c.html (https://github.com/timb-machine/linux-malware/issues/597), citable: False +* https://github.com/vbpf/ebpf-samples (https://github.com/timb-machine/linux-malware/issues/215), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/citronneur/pamspy (https://github.com/timb-machine/linux-malware/issues/466), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (https://github.com/timb-machine/linux-malware/issues/658), citable: True +* https://github.com/snapattack/bpfdoor-scanner (https://github.com/timb-machine/linux-malware/issues/437), citable: False +* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True +* https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (https://github.com/timb-machine/linux-malware/issues/422), citable: False +* https://vms.drweb.com/virus/?i=21004786 (https://github.com/timb-machine/linux-malware/issues/433), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ 
(https://github.com/timb-machine/linux-malware/issues/643), citable: True +* https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (https://github.com/timb-machine/linux-malware/issues/725), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://github.com/wunderwuzzi23/Offensive-BPF (https://github.com/timb-machine/linux-malware/issues/469), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/Gui774ume/ebpfkit (https://github.com/timb-machine/linux-malware/issues/151), citable: False +* https://twitter.com/ldsopreload/status/1583178316286029824 (https://github.com/timb-machine/linux-malware/issues/568), citable: False +* https://twitter.com/inversecos/status/1527188391347068928 (https://github.com/timb-machine/linux-malware/issues/435), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://twitter.com/ldsopreload/status/1582780282758828035 (https://github.com/timb-machine/linux-malware/issues/571), citable: False +* https://pastebin.com/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/802), citable: False +* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True +* https://github.com/noptrix/fbkit (https://github.com/timb-machine/linux-malware/issues/684), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar (https://github.com/timb-machine/linux-malware/issues/419), citable: False (TACTICS OR TECHNIQUES WRONG) +* https://packetstormsecurity.com/files/23336/Slx2k001.txt.html (https://github.com/timb-machine/linux-malware/issues/152), citable: False +* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True +* 
https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool (https://github.com/timb-machine/linux-malware/issues/405), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False +* https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True +* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True +* https://github.com/aojea/netkat (https://github.com/timb-machine/linux-malware/issues/464), citable: False +* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True +* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True +* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf (https://github.com/timb-machine/linux-malware/issues/449), citable: False +* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False +* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (https://github.com/timb-machine/linux-malware/issues/420), citable: False +* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False +* https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace 
(https://github.com/timb-machine/linux-malware/issues/570), citable: False + +T1132.001: Standard Encoding + +* https://unit42.paloaltonetworks.com/alloy-taurus/ (https://github.com/timb-machine/linux-malware/issues/646), citable: True + +T1071.004: DNS + +* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered (https://github.com/timb-machine/linux-malware/issues/693), citable: True +* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True +* http://securelist.com/backdoored-free-download-manager-linux-malware/110465/ (https://github.com/timb-machine/linux-malware/issues/766), citable: False + +T1573.001: Symmetric Cryptography + +* https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (https://github.com/timb-machine/linux-malware/issues/8), citable: True +* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True +* https://asec.ahnlab.com/ko/55070/ (https://github.com/timb-machine/linux-malware/issues/709), citable: True +* https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (https://github.com/timb-machine/linux-malware/issues/516), citable: True +* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True +* https://unit42.paloaltonetworks.com/alloy-taurus/ (https://github.com/timb-machine/linux-malware/issues/646), citable: True +* https://asec.ahnlab.com/en/55229/ (https://github.com/timb-machine/linux-malware/issues/722), citable: True + +T1071: Application Layer Protocol + +* https://www.archcloudlabs.com/projects/debuginfod/ (https://github.com/timb-machine/linux-malware/issues/796), citable: False +* https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf 
(https://github.com/timb-machine/linux-malware/issues/625), citable: True +* https://x.com/haxrob/status/1762821513680732222 (https://github.com/timb-machine/linux-malware/issues/810), citable: True +* https://github.com/DeimosC2/DeimosC2 (https://github.com/timb-machine/linux-malware/issues/652), citable: False +* https://bazaar.abuse.ch/sample/05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d (https://github.com/timb-machine/linux-malware/issues/751), citable: False +* https://blog.talosintelligence.com/lazarus-collectionrat/ (https://github.com/timb-machine/linux-malware/issues/752), citable: True +* https://unit42.paloaltonetworks.com/alloy-taurus/ (https://github.com/timb-machine/linux-malware/issues/646), citable: True +* https://www.group-ib.com/blog/krasue-rat/ (https://github.com/timb-machine/linux-malware/issues/797), citable: True + +T1205: Traffic Signaling + +* https://twitter.com/timb_machine/status/1523253031382687744 (https://github.com/timb-machine/linux-malware/issues/421), citable: False +* https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (https://github.com/timb-machine/linux-malware/issues/658), citable: True +* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True +* https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 (https://github.com/timb-machine/linux-malware/issues/422), citable: False +* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True +* https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html (https://github.com/timb-machine/linux-malware/issues/725), citable: True (TACTICS OR TECHNIQUES WRONG) +* https://twitter.com/ldsopreload/status/1583178316286029824 
(https://github.com/timb-machine/linux-malware/issues/568), citable: False +* https://twitter.com/ldsopreload/status/1582780282758828035 (https://github.com/timb-machine/linux-malware/issues/571), citable: False +* https://pastebin.com/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/802), citable: False +* https://github.com/R3tr074/brokepkg (https://github.com/timb-machine/linux-malware/issues/777), citable: False +* https://twitter.com/CraigHRowland/status/1523266585133457408 (https://github.com/timb-machine/linux-malware/issues/424), citable: True +* https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (https://github.com/timb-machine/linux-malware/issues/452), citable: True +* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ (https://github.com/timb-machine/linux-malware/issues/434), citable: True +* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac (https://github.com/timb-machine/linux-malware/issues/569), citable: False +* https://twitter.com/cyb3rops/status/1523227511551033349 (https://github.com/timb-machine/linux-malware/issues/425), citable: True +* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf (https://github.com/timb-machine/linux-malware/issues/427), citable: True +* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ (https://github.com/timb-machine/linux-malware/issues/441), citable: True +* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ (https://github.com/timb-machine/linux-malware/issues/432), citable: True +* https://pastebin.com/raw/kmmJuuQP (https://github.com/timb-machine/linux-malware/issues/426), citable: False +* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 (https://github.com/timb-machine/linux-malware/issues/803), citable: True (TACTICS OR TECHNIQUES WRONG) +* 
https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection (https://github.com/timb-machine/linux-malware/issues/420), citable: False
+* https://www.group-ib.com/blog/krasue-rat/ (https://github.com/timb-machine/linux-malware/issues/797), citable: True
+* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection (https://github.com/timb-machine/linux-malware/issues/418), citable: False
+* https://bazaar.abuse.ch/browse/tag/Symbiote/ (https://github.com/timb-machine/linux-malware/issues/460), citable: False
+* https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace (https://github.com/timb-machine/linux-malware/issues/570), citable: False
+
+T1572: Protocol Tunneling
+
+* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True
+* https://x.com/haxrob/status/1762821513680732222 (https://github.com/timb-machine/linux-malware/issues/810), citable: True
+* https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/ (https://github.com/timb-machine/linux-malware/issues/690), citable: True
+* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True
+
+T1092: Communication Through Removable Media
+
+* https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf (https://github.com/timb-machine/linux-malware/issues/625), citable: True
+
+T1090.002: External Proxy
+
+* https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (https://github.com/timb-machine/linux-malware/issues/8), citable: True
+
+T1090: Proxy
+
+* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True
+* https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html
(https://github.com/timb-machine/linux-malware/issues/789), citable: True
+* https://www.kroll.com/en/insights/publications/cyber/inside-the-systembc-malware-server (https://github.com/timb-machine/linux-malware/issues/784), citable: True
+
+T1102: Web Service
+
+* https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (https://github.com/timb-machine/linux-malware/issues/723), citable: True
+* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True
+* https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass (https://github.com/timb-machine/linux-malware/issues/692), citable: True
+
+T1205.001: Port Knocking
+
+* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False
+* https://asec.ahnlab.com/en/55785/ (https://github.com/timb-machine/linux-malware/issues/733), citable: True
+* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True
+
+T1071.002: File Transfer Protocols
+
+* https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (https://github.com/timb-machine/linux-malware/issues/623), citable: True
+* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True
+
+T1090.003: Multi-hop Proxy
+
+* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True
+
+T1001: Data Obfuscation
+
+* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True
+
+T1571: Non-Standard Port
+
+* https://blog.exatrack.com/melofee/
(https://github.com/timb-machine/linux-malware/issues/620), citable: True
+
+T1573: Encrypted Channel
+
+* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False
+* https://github.com/DeimosC2/DeimosC2 (https://github.com/timb-machine/linux-malware/issues/652), citable: False
+* https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game (https://github.com/timb-machine/linux-malware/issues/658), citable: True
+* https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (https://github.com/timb-machine/linux-malware/issues/716), citable: True
+* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ (https://github.com/timb-machine/linux-malware/issues/643), citable: True
+* https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (https://github.com/timb-machine/linux-malware/issues/524), citable: True
+* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True
+* https://github.com/R3tr074/brokepkg (https://github.com/timb-machine/linux-malware/issues/777), citable: False
+* https://bazaar.abuse.ch/sample/05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d (https://github.com/timb-machine/linux-malware/issues/751), citable: False
+* https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (https://github.com/timb-machine/linux-malware/issues/321), citable: True
+* https://blog.talosintelligence.com/lazarus-collectionrat/ (https://github.com/timb-machine/linux-malware/issues/752), citable: True
+* https://unit42.paloaltonetworks.com/alloy-taurus/ (https://github.com/timb-machine/linux-malware/issues/646), citable: True
+
+T1573.002: Asymmetric Cryptography
+
+* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf
(https://github.com/timb-machine/linux-malware/issues/99), citable: True
+* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf (https://github.com/timb-machine/linux-malware/issues/99), citable: True
+* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True
+
+T1095: Non-Application Layer Protocol
+
+* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True
+* https://asec.ahnlab.com/en/50316/ (https://github.com/timb-machine/linux-malware/issues/621), citable: True
+* https://redcanary.com/blog/process-streams/ (https://github.com/timb-machine/linux-malware/issues/494), citable: False
+* https://github.com/QuokkaLight/rkduck (https://github.com/timb-machine/linux-malware/issues/667), citable: False
+* https://github.com/croemheld/lkm-rootkit (https://github.com/timb-machine/linux-malware/issues/628), citable: False
+* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True
+* https://github.com/h3xduck/Umbra (https://github.com/timb-machine/linux-malware/issues/668), citable: False
+* https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True (TACTICS OR TECHNIQUES WRONG)
+
+T1001.003: Protocol Impersonation
+
+* https://sansec.io/research/cronrat (https://github.com/timb-machine/linux-malware/issues/399), citable: True
+* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf (https://github.com/timb-machine/linux-malware/issues/808), citable: True
+
+T1132: Data Encoding
+
+* https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en
(https://github.com/timb-machine/linux-malware/issues/447), citable: True
+* https://unit42.paloaltonetworks.com/alloy-taurus/ (https://github.com/timb-machine/linux-malware/issues/646), citable: True
+* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True
+
+T1132.002: Non-Standard Encoding
+
+* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True
+
+T1071.001: Web Protocols
+
+* https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf (https://github.com/timb-machine/linux-malware/issues/625), citable: True
+* https://blog.exatrack.com/melofee/ (https://github.com/timb-machine/linux-malware/issues/620), citable: True
+* https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ (https://github.com/timb-machine/linux-malware/issues/516), citable: True
+* https://asec.ahnlab.com/en/49769/ (https://github.com/timb-machine/linux-malware/issues/624), citable: True
+* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ (https://github.com/timb-machine/linux-malware/issues/95), citable: True
+* https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (https://github.com/timb-machine/linux-malware/issues/623), citable: True
+* https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html (https://github.com/timb-machine/linux-malware/issues/321), citable: True
+* https://www.kroll.com/en/insights/publications/cyber/inside-the-systembc-malware-server (https://github.com/timb-machine/linux-malware/issues/784), citable: True
+* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ (https://github.com/timb-machine/linux-malware/issues/64), citable: True
+* https://unit42.paloaltonetworks.com/alloy-taurus/
(https://github.com/timb-machine/linux-malware/issues/646), citable: True
+* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True
+
+T1105: Ingress Tool Transfer
+
+* https://cujo.com/threat-alert-krane-malware/ (https://github.com/timb-machine/linux-malware/issues/391), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (https://github.com/timb-machine/linux-malware/issues/90), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads (https://github.com/timb-machine/linux-malware/issues/723), citable: True
+* https://asec.ahnlab.com/en/49769/ (https://github.com/timb-machine/linux-malware/issues/624), citable: True
+* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet (https://github.com/timb-machine/linux-malware/issues/623), citable: True
+* http://securelist.com/backdoored-free-download-manager-linux-malware/110465/ (https://github.com/timb-machine/linux-malware/issues/766), citable: False
+
+T1090.001: Internal Proxy
+
+* https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks (https://github.com/timb-machine/linux-malware/issues/8), citable: True
+
+## Initial Access
+
+T1133: External Remote Services
+
+* https://blog.xlab.qianxin.com/mirai-tbot-en/ (https://github.com/timb-machine/linux-malware/issues/788), citable: True
+* https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (https://github.com/timb-machine/linux-malware/issues/678), citable: True
+*
https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True
+* https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True
+
+T1195.001: Compromise Software Dependencies and Development Tools
+
+* https://blog.sonatype.com/newly-found-npm-malware-mines-cryptocurrency-on-windows-linux-macos-devices (https://github.com/timb-machine/linux-malware/issues/294), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero (https://github.com/timb-machine/linux-malware/issues/495), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/ (https://github.com/timb-machine/linux-malware/issues/787), citable: False
+
+T1566.001: Spearphishing Attachment
+
+* https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ (https://github.com/timb-machine/linux-malware/issues/655), citable: True
+
+T1190: Exploit Public-Facing Application
+
+* https://blog.xlab.qianxin.com/mirai-tbot-en/ (https://github.com/timb-machine/linux-malware/issues/788), citable: True
+* https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group (https://github.com/timb-machine/linux-malware/issues/790), citable: True
+* https://sysdig.com/blog/muhstik-malware-botnet-analysis/ (https://github.com/timb-machine/linux-malware/issues/90), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 (https://github.com/timb-machine/linux-malware/issues/702), citable: True
+* https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads
(https://github.com/timb-machine/linux-malware/issues/723), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/ (https://github.com/timb-machine/linux-malware/issues/714), citable: True
+* https://spectrum.ieee.org/amp/mirai-botnet-2659993631 (https://github.com/timb-machine/linux-malware/issues/676), citable: False
+* https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ (https://github.com/timb-machine/linux-malware/issues/524), citable: True
+* https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal (https://github.com/timb-machine/linux-malware/issues/665), citable: False
+* https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False
+* https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers (https://github.com/timb-machine/linux-malware/issues/720), citable: True
+* https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ (https://github.com/timb-machine/linux-malware/issues/373), citable: True
+* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ (https://github.com/timb-machine/linux-malware/issues/778), citable: True
+* https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (https://github.com/timb-machine/linux-malware/issues/604), citable: True
+* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack (https://github.com/timb-machine/linux-malware/issues/715), citable: True
+
+T1078.001: Default Accounts
+
+* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware (https://github.com/timb-machine/linux-malware/issues/586), citable: True
+*
https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 (https://github.com/timb-machine/linux-malware/issues/604), citable: True
+* https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot (https://github.com/timb-machine/linux-malware/issues/744), citable: True
+
+T1199: Trusted Relationship
+
+* https://rushter.com/blog/public-ssh-keys/ (https://github.com/timb-machine/linux-malware/issues/754), citable: False
+
+T1078: Valid Accounts
+
+* https://blog.xlab.qianxin.com/mirai-tbot-en/ (https://github.com/timb-machine/linux-malware/issues/788), citable: True
+* https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ (https://github.com/timb-machine/linux-malware/issues/678), citable: True
+* https://asec.ahnlab.com/en/49769/ (https://github.com/timb-machine/linux-malware/issues/624), citable: True
+* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ (https://github.com/timb-machine/linux-malware/issues/439), citable: True
+* https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph (https://github.com/timb-machine/linux-malware/issues/800), citable: False (TACTICS OR TECHNIQUES WRONG)
+* https://sysdig.com/blog/ssh-snake/ (https://github.com/timb-machine/linux-malware/issues/801), citable: True (TACTICS OR TECHNIQUES WRONG)
+* https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 (https://github.com/timb-machine/linux-malware/issues/653), citable: False
+* https://bazaar.abuse.ch/browse/signature/XorDDoS/ (https://github.com/timb-machine/linux-malware/issues/129), citable: False
+* https://github.com/MegaManSec/SSH-Snake (https://github.com/timb-machine/linux-malware/issues/791), citable: False (TACTICS OR TECHNIQUES WRONG)
+
+T1078.004: Cloud Accounts
+
+missing from ATT&CK
+
+*
https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ (https://github.com/timb-machine/linux-malware/issues/677), citable: False
+
diff --git a/README.md b/README.md
index f8c1c49f..9e826ee0 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,3 @@
-E: we have a duplicate: https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group
-E: we have a duplicate: https://twitter.com/Unit42_Intel/status/1653760405792014336
 # [linux-malware](https://en.wikipedia.org/wiki/Linux_malware)
 ![](https://img.shields.io/github/last-commit/timb-machine/linux-malware?style=for-the-badge)
 ![](https://img.shields.io/badge/src-public-white)
@@ -12,545 +10,553 @@ E: we have a duplicate: https://twitter.com/Unit42_Intel/status/1653760405792014
 ## Press/academia
-* https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf ([#20](https://github.com/timb-machine/linux-malware/issues/20)) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, LaZagne, Dalcs, Mirai, Gafgyt, Tsunami, IPStorm, Wellmess, FritzFrog, Linux
-* https://www.group-ib.com/resources/threat-research/oldgremlin.html ([#573](https://github.com/timb-machine/linux-malware/issues/573)) - Impact, OldGremlin, Linux
-* https://en.wikipedia.org/wiki/Linux_malware ([#17](https://github.com/timb-machine/linux-malware/issues/17)) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, DarkSide
-* https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html ([#37](https://github.com/timb-machine/linux-malware/issues/37))
-* https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Dumont-H-Porcher-dark_side_of_the_forsshe.pdf ([#24](https://github.com/timb-machine/linux-malware/issues/24)) - various SSH, Bonadan, Kessel, Chandrila
-* https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 ([#422](https://github.com/timb-machine/linux-malware/issues/422)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun,
DecisiveArchitect, Linux, Solaris
-* https://www.fireeye.com/blog/threat-research/2021/09/elfant-in-the-room-capa-v3.html ([#34](https://github.com/timb-machine/linux-malware/issues/34))
+* https://blog.trendmicro.com/trendlabs-security-intelligence/unix-a-game-changer-in-the-ransomware-landscape/ ([#35](https://github.com/timb-machine/linux-malware/issues/35))
 * https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations ([#32](https://github.com/timb-machine/linux-malware/issues/32))
+* https://www.zdnet.com/article/hacker-exposes-thousands-of-insecure-desktops-that-anyone-can-remotely-view/ ([#33](https://github.com/timb-machine/linux-malware/issues/33))
 * https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf ([#21](https://github.com/timb-machine/linux-malware/issues/21)) - WINNTI
-* https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf ([#23](https://github.com/timb-machine/linux-malware/issues/23)) - various SSH, Bonadan, Kessel, Chandrila
-* https://gist.github.com/vlamer/2c2ec2ca80a84ab21a32 ([#26](https://github.com/timb-machine/linux-malware/issues/26))
-* https://www.darkreading.com/attacks-breaches/blackcat-purveyor-shows-ransomware-operators-have-nine-lives ([#41](https://github.com/timb-machine/linux-malware/issues/41)) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512
+* https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ ([#22](https://github.com/timb-machine/linux-malware/issues/22)) - AgeLocker, WellMail, TrickBot, IPStorm, Turla, QNAPCrypt, Carbanak
+* https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ ([#19](https://github.com/timb-machine/linux-malware/issues/19)) - Initial Access, Execution, Persistence, Privilege Escalation, Defense
Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
+* https://github.com/CiscoCXSecurity/presentations/raw/master/The%20UNIX%20malware%20landscape%20-%20Reviewing%20the%20goods%20at%20MALWAREbazaar%20v5.pdf ([#448](https://github.com/timb-machine/linux-malware/issues/448))
+* http://s3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf ([#27](https://github.com/timb-machine/linux-malware/issues/27))
+* https://rp.os3.nl/ ([#30](https://github.com/timb-machine/linux-malware/issues/30))
+* https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 ([#422](https://github.com/timb-machine/linux-malware/issues/422)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris
+* https://ieeexplore.ieee.org/document/8418602 ([#25](https://github.com/timb-machine/linux-malware/issues/25))
+* https://www.fireeye.com/blog/threat-research/2021/09/elfant-in-the-room-capa-v3.html ([#34](https://github.com/timb-machine/linux-malware/issues/34))
+* https://www.group-ib.com/resources/threat-research/oldgremlin.html ([#573](https://github.com/timb-machine/linux-malware/issues/573)) - Impact, OldGremlin, Linux
+* https://wikileaks.org/vault7/ ([#31](https://github.com/timb-machine/linux-malware/issues/31))
+* https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Dumont-H-Porcher-dark_side_of_the_forsshe.pdf ([#24](https://github.com/timb-machine/linux-malware/issues/24)) - various SSH, Bonadan, Kessel, Chandrila
 * https://spectrum.ieee.org/amp/mirai-botnet-2659993631 ([#676](https://github.com/timb-machine/linux-malware/issues/676)) - Initial Access,
Impact, attack:T1190:Exploit Public-Facing Application, attack:T1498:Network Denial of Service, attack:T1499:Endpoint Denial of Service, Mirai, Linux, Consumer
+* https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/ ([#40](https://github.com/timb-machine/linux-malware/issues/40))
+* https://gist.github.com/vlamer/2c2ec2ca80a84ab21a32 ([#26](https://github.com/timb-machine/linux-malware/issues/26))
+* https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf ([#417](https://github.com/timb-machine/linux-malware/issues/417)) - LootRat, PLEAD, TSCookie, RotaJakiro1, Red Djinn, Red Nue, Scarlet Joke, Ocean Lotus, APT32, Linux
 * https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf ([#101](https://github.com/timb-machine/linux-malware/issues/101)) - Defense Evasion, Command and Control, Exfiltration, Impact, attack:T1486:Data Encrypted for Impact, XMRig, Hello Kitty, https://github.com/timb-machine/linux-malware/issues/546, REvil, DarkSide, BlackMatter, Defray777, ViceSociety, Erebus, GonnaCry, eChoraix, Sysrv, TeamTNT, Mexalz, Omelette, WatchDog, Kinsing, Cobalt Strike, Vermillion Strike, Merlin, https://github.com/timb-machine/linux-malware/issues/545, https://github.com/timb-machine/linux-malware/issues/547, RedXOR, https://github.com/timb-machine/linux-malware/issues/548, ACBackdoor, https://github.com/timb-machine/linux-malware/issues/549, ELF_Plead, Linux, VMware, Internal enterprise services, Internal specialist services
-* https://www.linuxexperten.com/library/e-resources/linux-malware-ever-growing-list-2023 ([#622](https://github.com/timb-machine/linux-malware/issues/622)) - Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control,
Exfiltration, Impact, Linux
-* https://blog.trendmicro.com/trendlabs-security-intelligence/unix-a-game-changer-in-the-ransomware-landscape/ ([#35](https://github.com/timb-machine/linux-malware/issues/35))
-* https://rp.os3.nl/ ([#30](https://github.com/timb-machine/linux-malware/issues/30))
+* https://en.wikipedia.org/wiki/Mirai_(malware) ([#18](https://github.com/timb-machine/linux-malware/issues/18)) - Initial Access, Persistence, Defense Evasion, Credential Access, Discovery, Lateral Movement, Impact, Mirai
 * https://reyammer.io/publications/2018_oakland_linuxmalware.pdf ([#28](https://github.com/timb-machine/linux-malware/issues/28))
+* https://www.linuxexperten.com/library/e-resources/linux-malware-ever-growing-list-2023 ([#622](https://github.com/timb-machine/linux-malware/issues/622)) - Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, Linux
+* https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf ([#20](https://github.com/timb-machine/linux-malware/issues/20)) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, LaZagne, Dalcs, Mirai, Gafgyt, Tsunami, IPStorm, Wellmess, FritzFrog, Linux
 * https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/ ([#638](https://github.com/timb-machine/linux-malware/issues/638)) - Resource Development, Impact, attack:T1486:Data Encrypted for Impact, https://github.com/timb-machine/linux-malware/issues/644, uses:CrossCompiled, LockBit, Linux, Internal specialist services
-* https://www.zdnet.com/article/hacker-exposes-thousands-of-insecure-desktops-that-anyone-can-remotely-view/
([#33](https://github.com/timb-machine/linux-malware/issues/33))
-* https://wikileaks.org/vault7/ ([#31](https://github.com/timb-machine/linux-malware/issues/31))
-* https://en.wikipedia.org/wiki/Mirai_(malware) ([#18](https://github.com/timb-machine/linux-malware/issues/18)) - Initial Access, Persistence, Defense Evasion, Credential Access, Discovery, Lateral Movement, Impact, Mirai
 * https://securelist.com/top-10-unattributed-apt-mysteries/107676/ ([#552](https://github.com/timb-machine/linux-malware/issues/552)) - Metador, Plexing Eagle, wltm, Linux, Solaris, Telecomms
-* https://github.com/CiscoCXSecurity/presentations/raw/master/The%20UNIX%20malware%20landscape%20-%20Reviewing%20the%20goods%20at%20MALWAREbazaar%20v5.pdf ([#448](https://github.com/timb-machine/linux-malware/issues/448))
-* https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf ([#417](https://github.com/timb-machine/linux-malware/issues/417)) - LootRat, PLEAD, TSCookie, RotaJakiro1, Red Djinn, Red Nue, Scarlet Joke, Ocean Lotus, APT32, Linux
-* https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/ ([#40](https://github.com/timb-machine/linux-malware/issues/40))
-* https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ ([#22](https://github.com/timb-machine/linux-malware/issues/22)) - AgeLocker, WellMail, TrickBot, IPStorm, Turla, QNAPCrypt, Carbanak
-* http://s3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf ([#27](https://github.com/timb-machine/linux-malware/issues/27))
-* https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ ([#19](https://github.com/timb-machine/linux-malware/issues/19)) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
 * https://malpedia.caad.fkie.fraunhofer.de/
([#29](https://github.com/timb-machine/linux-malware/issues/29))
-* https://ieeexplore.ieee.org/document/8418602 ([#25](https://github.com/timb-machine/linux-malware/issues/25))
+* https://www.darkreading.com/attacks-breaches/blackcat-purveyor-shows-ransomware-operators-have-nine-lives ([#41](https://github.com/timb-machine/linux-malware/issues/41)) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512
+* https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf ([#23](https://github.com/timb-machine/linux-malware/issues/23)) - various SSH, Bonadan, Kessel, Chandrila
+* https://en.wikipedia.org/wiki/Linux_malware ([#17](https://github.com/timb-machine/linux-malware/issues/17)) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, DarkSide
+* https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html ([#37](https://github.com/timb-machine/linux-malware/issues/37))
 ## In the wild
 ### Breach reports
-* https://www.freedownloadmanager.org/blog/?p=664 ([#765](https://github.com/timb-machine/linux-malware/issues/765)) - Initial Access, https://github.com/timb-machine/linux-malware/issues/766, Linux
-* http://securelist.com/backdoored-free-download-manager-linux-malware/110465/ ([#766](https://github.com/timb-machine/linux-malware/issues/766)) - Initial Access, https://github.com/timb-machine/linux-malware/issues/765, Linux
-* https://twitter.com/1ZRR4H/status/1560662815400407040 ([#507](https://github.com/timb-machine/linux-malware/issues/507)) - Initial Access, Peer2Profit, Linux
 * https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ ([#446](https://github.com/timb-machine/linux-malware/issues/446)) - Initial Access, Linux
 *
https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm ([#42](https://github.com/timb-machine/linux-malware/issues/42)) - GoDaddy
-* https://github.com/mttaggart/I-S00N ([#799](https://github.com/timb-machine/linux-malware/issues/799)) - Persistence, Reptile, APT41, Linux, AIX, Solaris, HP-UX
 * https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ ([#677](https://github.com/timb-machine/linux-malware/issues/677)) - Reconnaissance, Initial Access, Persistence, Defense Evasion, Discovery, Collection, Impact, attack:T1593:Search Open Websites/Domains, attack:T1190:Exploit Public-Facing Application, attack:T1078.004:Cloud Accounts, attack:T1526:Cloud Service Discovery, attack:T1619:Cloud Storage Object Discovery, attack:T1069:Permission Groups Discovery, attack:T1069.003:Cloud Groups, attack:T1602:Data from Configuration Repository, attack:T1213.003:Code Repositories, attack:T1098:Account Manipulation, attack:T1098.003:Additional Cloud Roles, attack:T1136:Create Account, attack:T1136.003:Cloud Account, attack:T1036:Masquerading, attack:T1021.004:SSH, attack:T1578:Modify Cloud Compute Infrastructure, attack:T1578.002:Create Cloud Instance, attack:T1525:Implant Internal Image, attack:T1496:Resource Hijacking, GUI-vil, Linux, Hosting, Cloud hosted services
+* https://www.freedownloadmanager.org/blog/?p=664 ([#765](https://github.com/timb-machine/linux-malware/issues/765)) - Initial Access, Credential Access, https://github.com/timb-machine/linux-malware/issues/766, Free Download Manager, https://github.com/timb-machine/linux-malware/issues/816, wltm, Linux
+* https://bitbucket.org/workspacespain/i-s00n-translated ([#799](https://github.com/timb-machine/linux-malware/issues/799)) - Persistence, uses:Leak, uses:Blocklisted, Reptile, APT41, Linux, AIX, Solaris, HP-UX
+* https://twitter.com/1ZRR4H/status/1560662815400407040 ([#507](https://github.com/timb-machine/linux-malware/issues/507)) - Initial Access, Peer2Profit, Linux 
+* http://securelist.com/backdoored-free-download-manager-linux-malware/110465/ ([#766](https://github.com/timb-machine/linux-malware/issues/766)) - Initial Access, Credential Access, Collection, Command and Control, https://github.com/timb-machine/linux-malware/issues/765, Free Download Manager, https://github.com/timb-machine/linux-malware/issues/816, attack:T1071.004:DNS, attack:T1105:Ingress Tool Transfer, attack:T1560.001:Archive via Utility, wltm, Linux
 ### Supply chain attacks
-* https://lwn.net/Articles/371110/ ([#291](https://github.com/timb-machine/linux-malware/issues/291)) - e107 CMS
-* https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor/ ([#45](https://github.com/timb-machine/linux-malware/issues/45)) - UnrealIRCd
-* https://arstechnica.com/information-technology/2012/09/questions-abound-as-malicious-phpmyadmin-backdoor-found-on-sourceforge-site/ ([#47](https://github.com/timb-machine/linux-malware/issues/47)) - PHPMyAdmin
 * http://www.h-online.com/open/news/item/MyBB-downloads-were-infected-1366300.html ([#292](https://github.com/timb-machine/linux-malware/issues/292)) - MyBB
-* https://securelist.com/beware-of-backdoored-linux-mint-isos/73893/ ([#543](https://github.com/timb-machine/linux-malware/issues/543)) - Initial Access, Command and Control, Impact, Tsunami, Kaiten, Linux
-* https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html ([#49](https://github.com/timb-machine/linux-malware/issues/49)) - VsFTPd
 * https://github.com/canonical-websites/snapcraft.io/issues/651 ([#296](https://github.com/timb-machine/linux-malware/issues/296)) - Snapcraft
-* https://portswigger.net/daily-swig/backdoor-planted-in-php-git-repository-after-server-hack ([#48](https://github.com/timb-machine/linux-malware/issues/48)) - PHP
-* https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/ ([#787](https://github.com/timb-machine/linux-malware/issues/787)) - Initial Access, Discovery, 
Command and Control, uses:npm, attack:T1195.001:Compromise Software Dependencies and Development Tools, attack:T1082:System Information Discovery, Linux
-* https://lists.archlinux.org/pipermail/aur-general/2018-July/034169.html ([#523](https://github.com/timb-machine/linux-malware/issues/523)) - https://github.com/timb-machine/linux-malware/issues/525, wltm, Linux
-* https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain/ ([#289](https://github.com/timb-machine/linux-malware/issues/289)) - "Octopus Scanner" (Netbeans) attack
-* https://www.aldeid.com/wiki/Exploits/proftpd-1.3.3c-backdoor ([#44](https://github.com/timb-machine/linux-malware/issues/44)) - ProFTPd
-* https://www.webmin.com/exploit.html ([#43](https://github.com/timb-machine/linux-malware/issues/43)) - Webmin
 * https://www.heise.de/security/meldung/Achtung-Anzeigen-Server-OpenX-enthaelt-eine-Hintertuer-1929769.html ([#295](https://github.com/timb-machine/linux-malware/issues/295)) - OpenX
-* https://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155 ([#46](https://github.com/timb-machine/linux-malware/issues/46)) - Horde Webmail
-* https://portswigger.net/daily-swig/homebrew-bug-allowed-researcher-full-access-to-github-repos ([#290](https://github.com/timb-machine/linux-malware/issues/290)) - Homebrew
+* https://lirantal.medium.com/a-snyks-post-mortem-of-the-malicious-event-stream-npm-package-backdoor-40be813022bb ([#293](https://github.com/timb-machine/linux-malware/issues/293)) - event-stream
 * https://blog.sonatype.com/newly-found-npm-malware-mines-cryptocurrency-on-windows-linux-macos-devices ([#294](https://github.com/timb-machine/linux-malware/issues/294)) - Impact, delivery:NPM, uses:JavaScript, attack:T1195.001:Compromise Software Dependencies and Development Tools, wltm
+* https://portswigger.net/daily-swig/backdoor-planted-in-php-git-repository-after-server-hack ([#48](https://github.com/timb-machine/linux-malware/issues/48)) - PHP
+* 
https://github.com/SecurityFail/kompromat ([#813](https://github.com/timb-machine/linux-malware/issues/813)) - Credential Access, attack:T1552.004:Private Keys, Linux, HP-UX, AIX, Solaris, Internal specialist services
+* https://portswigger.net/daily-swig/homebrew-bug-allowed-researcher-full-access-to-github-repos ([#290](https://github.com/timb-machine/linux-malware/issues/290)) - Homebrew
+* https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/ ([#816](https://github.com/timb-machine/linux-malware/issues/816)) - Initial Access, Persistence, Credential Access, Command and Control, Free Download Manager, https://github.com/timb-machine/linux-malware/issues/765, https://github.com/timb-machine/linux-malware/issues/766, attack:T1053.003:Cron, attack:T1555.005:Password Managers, uses:Non-persistentStorage, wltm, Linux
 * https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero ([#495](https://github.com/timb-machine/linux-malware/issues/495)) - Impact, delivery:PyPI, uses:Python, attack:T1620:Reflective Code Loading, attack:T1070.004:File Deletion, attack:T1195.001:Compromise Software Dependencies and Development Tools, wltm, Linux
+* https://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155 ([#46](https://github.com/timb-machine/linux-malware/issues/46)) - Horde Webmail
+* https://www.aldeid.com/wiki/Exploits/proftpd-1.3.3c-backdoor ([#44](https://github.com/timb-machine/linux-malware/issues/44)) - ProFTPd
 * https://news.ycombinator.com/item?id=17501379 ([#525](https://github.com/timb-machine/linux-malware/issues/525)) - Linux
-* https://lirantal.medium.com/a-snyks-post-mortem-of-the-malicious-event-stream-npm-package-backdoor-40be813022bb ([#293](https://github.com/timb-machine/linux-malware/issues/293)) - event-stream
+* https://securelist.com/beware-of-backdoored-linux-mint-isos/73893/ ([#543](https://github.com/timb-machine/linux-malware/issues/543)) - Initial 
Access, Command and Control, Impact, Tsunami, Kaiten, Linux
+* https://lists.archlinux.org/pipermail/aur-general/2018-July/034169.html ([#523](https://github.com/timb-machine/linux-malware/issues/523)) - https://github.com/timb-machine/linux-malware/issues/525, wltm, Linux
+* https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html ([#49](https://github.com/timb-machine/linux-malware/issues/49)) - VsFTPd
+* https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/ ([#787](https://github.com/timb-machine/linux-malware/issues/787)) - Initial Access, Discovery, Command and Control, delivery:NPM, attack:T1195.001:Compromise Software Dependencies and Development Tools, attack:T1082:System Information Discovery, Linux
+* https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain/ ([#289](https://github.com/timb-machine/linux-malware/issues/289)) - "Octopus Scanner" (Netbeans) attack
+* https://lwn.net/Articles/371110/ ([#291](https://github.com/timb-machine/linux-malware/issues/291)) - e107 CMS
+* https://www.webmin.com/exploit.html ([#43](https://github.com/timb-machine/linux-malware/issues/43)) - Webmin
+* https://arstechnica.com/information-technology/2012/09/questions-abound-as-malicious-phpmyadmin-backdoor-found-on-sourceforge-site/ ([#47](https://github.com/timb-machine/linux-malware/issues/47)) - PHPMyAdmin
+* https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor/ ([#45](https://github.com/timb-machine/linux-malware/issues/45)) - UnrealIRCd
 ### Malware reports
-* https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery ([#488](https://github.com/timb-machine/linux-malware/issues/488)) - Initial Access, Lateral Movement, Impact, RapperBot, [/malware/binaries/RapperBot](../../tree/main/malware/binaries/RapperBot), Linux
-* https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/ 
([#565](https://github.com/timb-machine/linux-malware/issues/565)) - Initial Access, Lateral Movement, Impact, https://github.com/timb-machine/linux-malware/issues/566, Sysrv, wltm, Linux, Internal enterprise services
-* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 ([#803](https://github.com/timb-machine/linux-malware/issues/803)) - Defense Evasion, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, uses:Non-persistentStorage, attack:T1070.006:Timestomp, attack:T1070.004:File Deletion, BPFDoor, [/malware/binaries/BPFDoor](https://github.com/timb-machine/linux-malware/tree/main/malware/binaries/BPFDoor), wltm, Linux
-* https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits ([#392](https://github.com/timb-machine/linux-malware/issues/392)) - Botenago
-* https://twitter.com/_larry0/status/1143532888538984448 ([#51](https://github.com/timb-machine/linux-malware/issues/51)) - Silex
-* https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ ([#404](https://github.com/timb-machine/linux-malware/issues/404)) - Hildegard, TeamTNT
-* http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf ([#349](https://github.com/timb-machine/linux-malware/issues/349)) - Moose
-* https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ ([#373](https://github.com/timb-machine/linux-malware/issues/373)) - Initial Access, Persistence, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1505.003:Web Shell, Prophet Spider, Linux
-* https://twitter.com/IntezerLabs/status/1272915284148531200 ([#341](https://github.com/timb-machine/linux-malware/issues/341)) - Lazarus
-* https://blog.malwarebytes.com/cybercrime/2022/03/a-new-rootkit-comes-to-an-atm-near-you/ ([#120](https://github.com/timb-machine/linux-malware/issues/120)) - CAKETAP, UNC2891, Solaris
+* 
https://zhuanlan.zhihu.com/p/348960748 ([#403](https://github.com/timb-machine/linux-malware/issues/403)) - Impact, Command and Control, Lateral Movement, Persistence, Cloud Shovel
+* https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors ([#729](https://github.com/timb-machine/linux-malware/issues/729)) - Persistence, Command and Control, SEASPY, https://github.com/timb-machine/linux-malware/issues/730, SUBMARINE, https://github.com/timb-machine/linux-malware/issues/731, Linux
+* https://blog.polyswarm.io/darkangels-linux-ransomware ([#666](https://github.com/timb-machine/linux-malware/issues/666)) - Impact, attack:T1486:Data Encrypted for Impact, DarkAngels, wltm, Linux
+* https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-docker-control-api-and-community-image-abused-to-deliver-cryptocurrency-mining-malware/ ([#344](https://github.com/timb-machine/linux-malware/issues/344)) - NGrok
+* https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/ ([#526](https://github.com/timb-machine/linux-malware/issues/526)) - Metador, wltm, Linux
+* https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks ([#8](https://github.com/timb-machine/linux-malware/issues/8)) - Credential Access, Defense Evasion, Discovery, Lateral Movement, Collection, Command and Control, Impact, vertical:Telecomms, attack:T1573.001:Symmetric Cryptography, attack:T1590:Gather Victim Network Information, attack:T1562.004:Disable or Modify System Firewall, attack:T1048.001:Exfiltration Over Unencrypted Non-C2 Protocol, attack:T1021.004:SSH, attack:T1037.004:RC Scripts, attack:T1090.001:Internal Proxy, attack:T1090.002:External Proxy, attack:T1110.003:Password Spraying, https://github.com/timb-machine/linux-malware/issues/134, SLAPSTICK, STEELCORGI, PingPong, TINYSHELL, CordScan, SIGTRANslator, Fast Reverse Proxy, Microsocks Proxy, ProxyChains, 
LightBasin, UNC1945, Solaris, Linux, Telecomms, Internal specialist services, Enclave deployment
+* https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ ([#314](https://github.com/timb-machine/linux-malware/issues/314)) - Gafgyt
+* https://twitter.com/CraigHRowland/status/1422267857988063232 ([#354](https://github.com/timb-machine/linux-malware/issues/354)) - ITTS
+* https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html ([#698](https://github.com/timb-machine/linux-malware/issues/698)) - Impact, BlackSuit, Linux
+* https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html ([#563](https://github.com/timb-machine/linux-malware/issues/563)) - Command and Control, uses:Go, Alchemist, [/malware/binaries/Alchimist](../../tree/main/malware/binaries/Alchimist), https://github.com/timb-machine/linux-malware/issues/564, Sysrv?, Linux
+* https://cert.gov.ua/article/4501891 ([#651](https://github.com/timb-machine/linux-malware/issues/651)) - Impact, attack:T1485:Data Destruction, Sandworm, Linux, Industrial
+* https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/ ([#307](https://github.com/timb-machine/linux-malware/issues/307)) - QNAPCrypt, eCh0raix
+* https://imgur.com/a/a6RaZMP ([#87](https://github.com/timb-machine/linux-malware/issues/87)) - Honda Car's Panel's Rootkit from China #Android (by malwaremustdie.org)
+* https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf ([#345](https://github.com/timb-machine/linux-malware/issues/345)) - WellMail (APT29)
+* https://imgur.com/a/Ak9zICq ([#367](https://github.com/timb-machine/linux-malware/issues/367)) - Neko (by malwaremustdie.org)
+* https://twitter.com/billyleonard/status/1458531997576572929 ([#480](https://github.com/timb-machine/linux-malware/issues/480)) - Rekoobe, TSH, TINYSHELL, https://github.com/timb-machine/linux-malware/issues/481, APT31, Linux
+* https://imgur.com/a/qqgfFXf 
([#60](https://github.com/timb-machine/linux-malware/issues/60)) - Mirai (by malwaremustdie.org)
+* https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ ([#297](https://github.com/timb-machine/linux-malware/issues/297)) - FreakOut
+* https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html ([#397](https://github.com/timb-machine/linux-malware/issues/397)) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1574.006:Dynamic Linker Hijacking, attack:T1205.002:Socket Filtering, Umbreon
+* https://threatfabric.com/blogs/vultur-v-for-vnc.html ([#379](https://github.com/timb-machine/linux-malware/issues/379)) - Vultur, Brunhilda, #Android
+* https://www.cadosecurity.com/redis-p2pinfect/ ([#741](https://github.com/timb-machine/linux-malware/issues/741)) - Initial Access, Linux
+* https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability ([#337](https://github.com/timb-machine/linux-malware/issues/337)) - Impact, Persistence, Impact, KinSing
+* https://www.sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/ ([#402](https://github.com/timb-machine/linux-malware/issues/402)) - Cloud Shovel
+* https://twitter.com/billyleonard/status/1417910729005490177 ([#69](https://github.com/timb-machine/linux-malware/issues/69)) - https://github.com/timb-machine/linux-malware/issues/329, https://github.com/timb-machine/linux-malware/issues/131, Zirconium, APT31
+* https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/ ([#325](https://github.com/timb-machine/linux-malware/issues/325)) - RedXOR
+* https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/ ([#56](https://github.com/timb-machine/linux-malware/issues/56)) - LemonDuck
+* 
https://securelist.com/the-penquin-turla-2/67962/ ([#593](https://github.com/timb-machine/linux-malware/issues/593)) - Persistence, Defense Evasion, Command and Control, Penquin, Turla, Linux
+* https://csirt.egi.eu/attacks-on-multiple-hpc-sites/ ([#376](https://github.com/timb-machine/linux-malware/issues/376)) - HPC
+* https://www.gosecure.net/blog/2018/02/14/chaos-a-stolen-backdoor-rising/ ([#395](https://github.com/timb-machine/linux-malware/issues/395)) - uses:Go, Chaos (sebd), [/malware/binaries/Chaos](../../tree/main/malware/binaries/Chaos)
+* https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf ([#625](https://github.com/timb-machine/linux-malware/issues/625)) - Defense Evasion, Command and Control, attack:T1071:Application Layer Protocol, attack:T1071.001:Web Protocols, attack:T1092:Communication Through Removable Media, attack:T1027.002:Software Packing, KEYPLUG, RedGolf, Linux
+* https://sansec.io/research/ecommerce-malware-linux-avp ([#396](https://github.com/timb-machine/linux-malware/issues/396)) - linux_avp, Comma
+* https://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/ ([#348](https://github.com/timb-machine/linux-malware/issues/348)) - Rakos
+* https://twitter.com/tolisec/status/1507854421618839564 ([#116](https://github.com/timb-machine/linux-malware/issues/116)) - Impact, KinSing
+* https://blog.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies ([#496](https://github.com/timb-machine/linux-malware/issues/496)) - Impact, attack:T1486:Data Encrypted for Impact, region:South Korea, vertical:Pharmaceutical, Gwisin, wltm, Linux, VMware, Industrial, Internal specialist services
+* https://blog.exatrack.com/melofee/ ([#620](https://github.com/timb-machine/linux-malware/issues/620)) - Reconnaissance, Resource Development, Execution, Persistence, Privilege Escalation, Defense Evasion, Discovery, Command and Control, attack:T1583.001:Domains, 
attack:T5183.004:Server, attack:T1071.001:Web Protocols, attack:T1587.001:Malware, attack:T1037.004:RC Scripts, attack:T1059.004:Unix Shell, attack:T1132.002:Non-Standard Encoding, attack:T1573.001:Symmetric Cryptography, attack:T1083:File and Directory Discovery, attack:T1592.002:Software, attack:T1564.001:Hidden Files and Directories, attack:T1562.003:Impair Command History Logging, attack:T1070.004:File Deletion, attack:T1599.001:Network Address Translation Traversal, attack:T1095:Non-Application Layer Protocol, attack:T1571:Non-Standard Port, attack:T1027.002:Software Packing, attack:T1027.007:Dynamic API Resolution, attack:T1588.001:Malware, attack:T1588.002:Tool, attack:T1057:Process Discovery, attack:T1572:Protocol Tunneling, attack:T1090:Proxy, attack:T1014:Rootkit, attack:T1608.001:Upload Malware, attack:T1608.002:Upload Tool, attack:T1082:System Information Discovery, attack:T1497.003:Time Based Evasion, Melofee, HelloBot, Linux
+* https://news.drweb.com/show/?i=14646&lng=en&c=23 ([#602](https://github.com/timb-machine/linux-malware/issues/602)) - Initial Access, Command and Control, WordPressExploit, Linux
+* https://www.trendmicro.com/en_gb/research/19/f/cryptocurrency-mining-botnet-arrives-through-adb-and-spreads-through-ssh.html ([#55](https://github.com/timb-machine/linux-malware/issues/55)) - CoinMiner
+* https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/ ([#350](https://github.com/timb-machine/linux-malware/issues/350)) - Stantinkos
+* https://twitter.com/malwaremustd1e/status/1379028201075187716 ([#365](https://github.com/timb-machine/linux-malware/issues/365)) - DGAbot (by malwaremustdie.org)
+* https://x.com/haxrob/status/1762821513680732222 ([#810](https://github.com/timb-machine/linux-malware/issues/810)) - Command and Control, attack:T1071:Application Layer Protocol, attack:T1572:Protocol Tunneling, GTPDOOR, wltm, Linux, Telecomms, Internal specialist services
+* https://blog.xlab.qianxin.com/mirai-tbot-en/ 
([#788](https://github.com/timb-machine/linux-malware/issues/788)) - Initial Access, Command and Control, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1133:External Remote Services, attack:T1078:Valid Accounts, attack:T1498:Network Denial of Service, attack:T1027:Obfuscated Files or Information, Mirai, TBOT, Linux, IOT
+* https://twitter.com/sethkinghi/status/1397814848549900288 ([#717](https://github.com/timb-machine/linux-malware/issues/717)) - Defense Evasion, attack:T1480.001:Environmental Keying, AVrecon, Linux, IOT
+* https://asec.ahnlab.com/en/50316/ ([#621](https://github.com/timb-machine/linux-malware/issues/621)) - Defense Evasion, Discovery, Command and Control, Impact, attack:T1036.005:Match Legitimate Name or Location, attack:T1499:Endpoint Denial of Service, attack:T1082:System Information Discovery, attack:T1095:Non-Application Layer Protocol, uses:ProcessTreeSpoofing, uses:Non-persistentStorage, uses:RedirectionToNull, DDoSClient, ChinaZ, Linux
+* https://imgur.com/a/2zRCt ([#318](https://github.com/timb-machine/linux-malware/issues/318)) - Gafgyt (by malwaremustdie.org)
+* https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html ([#59](https://github.com/timb-machine/linux-malware/issues/59)) - Mirai (by malwaremustdie.org)
+* https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html ([#58](https://github.com/timb-machine/linux-malware/issues/58)) - Mirai (by malwaremustdie.org)
+* https://cybersec84.wordpress.com/2023/08/15/monti-ransomware-operators-resurface-with-new-linux-variant-improved-evasion-tactics/ ([#753](https://github.com/timb-machine/linux-malware/issues/753)) - Defense Evasion, Impact, attack:T1486:Data Encrypted for Impact, attack:T1480:Execution Guardrails, wltm, Monti, Linux, VMware
+* https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html ([#501](https://github.com/timb-machine/linux-malware/issues/501)) - 
Initial Access, Command and Control, uses:MiMi, uses:ElectronJS, rshell, wltm, Iron Tiger, Emissary Panda, APT27, Bronze Union, LuckyMouse, Linux, Collaboration across enterprise boundaries, Device application sandboxing
+* https://twitter.com/timb_machine/status/1450595881732947968 ([#66](https://github.com/timb-machine/linux-malware/issues/66)) - https://github.com/timb-machine/linux-malware/issues/134, LightBasin, UNC1945, Solaris
+* https://www.stormshield.com/news/orbit-analysis-of-a-linux-dedicated-malware/ ([#601](https://github.com/timb-machine/linux-malware/issues/601)) - Persistence, Privilege Escalation, OrBit, [/malware/binaries/OrBit](../../tree/main/malware/binaries/OrBit), Linux
+* https://securelist.com/a-bad-luck-blackcat/106254/?_sp=3b4159db-9e20-4bfa-a47f-f8671b594d75.1649770307513 ([#118](https://github.com/timb-machine/linux-malware/issues/118)) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512
+* https://cybersecurity.att.com/blogs/labs-research/internet-of-termites ([#517](https://github.com/timb-machine/linux-malware/issues/517)) - Command and Control, Exfiltration, Termite, EarthWorm, Earthwrom, Linux
+* https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf ([#407](https://github.com/timb-machine/linux-malware/issues/407)) - Impact, attack:T1567:Financial Theft, https://github.com/timb-machine/linux-malware/issues/135, FastCash, HiddenCobra, Lazarus, APT38, AIX, Banking, Internal specialist services
+* https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF ([#67](https://github.com/timb-machine/linux-malware/issues/67)) - Drovorub
+* https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html ([#789](https://github.com/timb-machine/linux-malware/issues/789)) - Defense Evasion, Discovery, Command and Control, attack:T1090:Proxy, uses:ProcessTreeSpoofing, 
attack:T1027:Obfuscated Files or Information, attack:T1082:System Information Discovery, SprySOCKS, Mandibule, https://github.com/timb-machine/linux-malware/issues/170, Earth Lusca, Linux
+* https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html ([#490](https://github.com/timb-machine/linux-malware/issues/490)) - uses:Go, Manjusaka, Linux
+* https://pastebin.com/raw/mEape37E ([#355](https://github.com/timb-machine/linux-malware/issues/355)) - SystemTen (by malwaremustdie.org)
 * https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ ([#700](https://github.com/timb-machine/linux-malware/issues/700)) - Persistence, Defense Evasion, Credential Access, Discovery, Impact, attack:T1110:Brute Force, uses:SHC, attack:T1057:Process Discovery, attack::T1003.008:/etc/passwd and /etc/shadow, attack:T1098.004:SSH Authorized Keys, attack:T1556:Modify Authentication Process, Reptile, https://github.com/timb-machine/linux-malware/issues/171, Diamorphine, https://github.com/timb-machine/linux-malware/issues/217, ZiggyStarTux, https://github.com/timb-machine/linux-malware/issues/701, Linux, IOT, Consumer
+* https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game ([#658](https://github.com/timb-machine/linux-malware/issues/658)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, attack:T1573:Encrypted Channel, attack:T1106:Native API, BPFDoor, [/malware/binaries/BPFDoor](../../tree/main/malware/binaries/BPFDoor), Linux
+* https://twitter.com/ESETresearch/status/1415542456360263682 ([#368](https://github.com/timb-machine/linux-malware/issues/368)) - ?, #FreeBSD
+* https://www.akamai.com/blog/security/new-p2p-botnet-panchan ([#476](https://github.com/timb-machine/linux-malware/issues/476)) - Pan-chan, 
https://github.com/timb-machine/linux-malware/issues/477, Linux
+* https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign ([#727](https://github.com/timb-machine/linux-malware/issues/727)) - Initial Access, Command and Control, Impact, XMRig, Linux
+* https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ ([#716](https://github.com/timb-machine/linux-malware/issues/716)) - Defense Evasion, Credential Access, Discovery, Command and Control, attack:T1110.003:Password Spraying, attack:T1057:Process Discovery, attack:T1082:System Information Discovery, attack:T1480.001:Environmental Keying, attack:T1573:Encrypted Channel, AVrecon, https://github.com/timb-machine/linux-malware/issues/717, Linux, IOT
+* https://twitter.com/malwaremustd1e/status/1251758225919115264 ([#361](https://github.com/timb-machine/linux-malware/issues/361)) - Persistence, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux
+* https://securityboulevard.com/2021/04/detect-c2-redxor-with-state-based-functionality/ ([#548](https://github.com/timb-machine/linux-malware/issues/548)) - Command and Control, Exfiltration, https://github.com/timb-machine/linux-malware/issues/325, RedXOR, Linux
+* https://imgur.com/a/y5BRx ([#86](https://github.com/timb-machine/linux-malware/issues/86)) - r57shell (by malwaremustdie.org)
+* https://github.com/blackberry/threat-research-and-intelligence/raw/main/Talks/2023-01-30%20-%20SANS%20Cyber%20Threat%20Intelligence%20Summit%20%26%20Training%202023/Pedro%20Drimel%2C%20Jose%20Luis%20Sanchez%20Martinez%20-%20Practical%20CTI%20Analysis%20Over%202022%20ITW%20Linux%20Implants.pdf ([#613](https://github.com/timb-machine/linux-malware/issues/613))
+* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf ([#99](https://github.com/timb-machine/linux-malware/issues/99)) - Persistence, Command and Control, attack:T1205:Traffic Signaling, attack:T1205.002:Socket Filters, attack:T1573.002:Symmetric 
Cryptography, attack:T1573.002:Asymmetric Cryptography, attack:T1082:System Information Discovery, attack:T1547.006:Kernel Modules and Extensions, Bvp47, dewdrop, tipoff, StoicSurgeon, Incision, Equation Group, Linux, Solaris, FreeBSD
+* https://int0x33.medium.com/day-27-tiny-shell-48df6abb0d5d ([#616](https://github.com/timb-machine/linux-malware/issues/616)) - Command and Control, TSH, TINYSHELL, https://github.com/timb-machine/linux-malware/issues/481
+* https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group ([#790](https://github.com/timb-machine/linux-malware/issues/790)) - Initial Access, Execution, Discovery, Lateral Movement, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1059.004:Unix Shell, attack:T1072:Software Deployment Tools, attack:T1083:File and Directory Discovery, attack:T1082:System Information Discovery, attack:T1485:Data Destruction, BiBi-Linux, Linux
+* https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits ([#392](https://github.com/timb-machine/linux-malware/issues/392)) - Botenago
+* https://www.virusbulletin.com/virusbulletin/2014/07/mayhem-hidden-threat-nix-web-servers ([#382](https://github.com/timb-machine/linux-malware/issues/382)) - Mayhem
+* https://www.sentinelone.com/blog/darkradiation-abusing-bash-for-linux-and-docker-container-ransomware/ ([#303](https://github.com/timb-machine/linux-malware/issues/303)) - DarkRadiation
+* https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ ([#339](https://github.com/timb-machine/linux-malware/issues/339)) - Kaiji
+* https://www.virustotal.com/gui/file/bf3ebc294870a6e743f021f4e18be75810149a1004b8d7c8a1e91f35562db3f5/detection ([#644](https://github.com/timb-machine/linux-malware/issues/644)) - Impact, attack:T1486:Data Encrypted for Impact, LockBit, 
[/malware/binaries/Multios.Ransomware.Lockbit](../../tree/main/malware/binaries/Multios.Ransomware.Lockbit), Linux
+* https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/ ([#444](https://github.com/timb-machine/linux-malware/issues/444)) - EnemyBot, Linux
+* https://sansec.io/research/cronrat ([#399](https://github.com/timb-machine/linux-malware/issues/399)) - Defense Evasion, Command and Control, uses:Non-persistentStorage, attack:T1053.003:Cron, attack:T1027:Obfuscated Files or Information, attack:T1001.003:Protocol Impersonation, attack:T1036.005:Match Legitimate Name or Location, vertical:Retail, CronRAT, wltm, Linux
+* https://darrenmartyn.ie/2021/11/29/analysis-of-the-lib__mdma-so-1-userland-rootkit/ ([#401](https://github.com/timb-machine/linux-malware/issues/401)) - Persistence, Defense Evasion, https://github.com/timb-machine/linux-malware/issues/530, lib__mdma
+* https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ ([#770](https://github.com/timb-machine/linux-malware/issues/770)) - Initial Access, Persistence, Defense Evasion, Impact, uses:ProcessTreeSpoofing, uses:TamperedPS, uses:Python, attack:T1140:Deobfuscate/Decode Files or Information, attack:T1496:Resource Hijacking, attack:T1547.006:Kernel Modules and Extensions, attack:T1574.006:Dynamic Linker Hijacking, XHide, XMRig, Diamorphine, libprocesshider, Kiss-a-Dog, Linux, Cloud hosted services
+* https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/ ([#656](https://github.com/timb-machine/linux-malware/issues/656)) - Impact, attack:T1486:Data Encrypted for Impact, Cl0p, wltm, Linux, Internal enterprise services
+* https://twitter.com/IntezerLabs/status/1291355808811409408 ([#346](https://github.com/timb-machine/linux-malware/issues/346)) - Carbanak
+* https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ 
([#678](https://github.com/timb-machine/linux-malware/issues/678)) - Reconnaissance, Initial Access, Persistence, Privilege Escalation, Defense Evasion, attack:T1594:Search Victim-Owned Websites, attack:T1589:Gather Victim Identity Information, attack:T1589.001:Credentials, attack:T1133:External Remote Services, attack:T1078:Valid Accounts, Legion, wltm, Linux, Cloud hosted services
+* https://cujo.com/threat-alert-krane-malware/ ([#391](https://github.com/timb-machine/linux-malware/issues/391)) - Initial Access, Persistence, Defense Evasion, Impact, attack:T1110.003:Password Spraying, attack:T098:Account Manipulation, attack:T1105:Ingress Tool Transfer, attack:T1562.003:Impair Command History Logging, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1082:System Information Discovery, attack:T1018:Remote System Discovery, attack:T1021:Remote Services, uses:Non-persistentStorage, Krane, wltm
+* https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/ ([#311](https://github.com/timb-machine/linux-malware/issues/311)) - HelloKitty
 * https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/ ([#91](https://github.com/timb-machine/linux-malware/issues/91)) - Muhstik
-* https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware ([#107](https://github.com/timb-machine/linux-malware/issues/107)) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512
-* https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html ([#102](https://github.com/timb-machine/linux-malware/issues/102)) - Impact, attack:T1486:Data Encrypted for Impact, LockBit, Linux, VMware, Internal enterprise services, Internal specialist services
-* https://www.cisa.gov/news-events/analysis-reports/ar23-209a ([#731](https://github.com/timb-machine/linux-malware/issues/731)) - Persistence, 
https://github.com/timb-machine/linux-malware/issues/729, SUBMARINE, wltm, Linux
+* https://twitter.com/malwaremustd1e/status/1265321238383099904 ([#317](https://github.com/timb-machine/linux-malware/issues/317)) - Gafgyt (by malwaremustdie.org)
+* https://twitter.com/CraigHRowland/status/1628883826738077696/photo/1 ([#612](https://github.com/timb-machine/linux-malware/issues/612)) - Defense Evasion, Persistence, attack:T1547.006:Kernel Modules and Extensions
+* https://sysdig.com/blog/muhstik-malware-botnet-analysis/ ([#90](https://github.com/timb-machine/linux-malware/issues/90)) - Impact, uses:k8s, uses:Non-persistentStorage, attack:T1190:Exploit Public-Facing Application, attack:T1505.003:Web Shell, attack:T1105:Ingress Tool Transfer, attack:T1053.003:Cron, attack:T1037.004:RC Scripts, Muhstik, wltm
+* https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ ([#371](https://github.com/timb-machine/linux-malware/issues/371)) - Ebury
+* https://haxrob.net/fastcash-for-linux/ ([#815](https://github.com/timb-machine/linux-malware/issues/815)) - Persistence, Privilege Escalation, Defense Evasion, Impact, attack:T1565.002:Transmitted Data Manipulation, attack:T1055:Process Injection, attack:T1055.009:Proc Memory, attack:T1564.001:Hidden Files and Directories, attack:T1574:Hijack Execution Flow, attack:T1567:Financial Theft, attack:T1027.002:Software Packing, uses:Non-persistentStorage, attack:T1027.013:Encrypted/Encoded File, FastCash, https://github.com/timb-machine/linux-malware/issues/407, https://github.com/timb-machine/linux-malware/issues/312, https://github.com/timb-machine/linux-malware/issues/135, wltm, Linux, Banking, Internal specialist services
+* https://imgur.com/a/CtHlmBE ([#82](https://github.com/timb-machine/linux-malware/issues/82)) - Persistence, Command and Control, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux
+* https://vms.drweb.com/virus/?i=21004786 
([#433](https://github.com/timb-machine/linux-malware/issues/433)) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
+* https://asec.ahnlab.com/ko/55070/ ([#709](https://github.com/timb-machine/linux-malware/issues/709)) - Command and Control, Defense Evasion, https://github.com/timb-machine/linux-malware/issues/722, attack:T1036.005:Match Legitimate Name or Location, attack:T1573.001:Symmetric Encryption, uses:ProcessTreeSpoofing, Rekoobe, TINYSHELL, APT31, Linux, Solaris
+* https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 ([#702](https://github.com/timb-machine/linux-malware/issues/702)) - Initial Access, Discovery, Command and Control, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1057:Process Discovery, attack:T1498:Network Denial of Service, Condi, Linux, IOT
+* https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery ([#488](https://github.com/timb-machine/linux-malware/issues/488)) - Initial Access, Lateral Movement, Impact, RapperBot, [/malware/binaries/RapperBot](../../tree/main/malware/binaries/RapperBot), Linux
+* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ ([#643](https://github.com/timb-machine/linux-malware/issues/643)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, attack:T1573:Encrypted Channel, attack:T1106:Native API, attack:T1059.004: Unix Shell, attack:T1070.004:File Deletion, attack:T1036.004:Masquerade Task or Service, attack:T1070.006:Timestomp, uses:RedirectionToNull, uses:Non-persistentStorage, attack:T1036.005:Match Legitimate Name or Location, uses:ProcessTreeSpoofing, attack:T1562.004:Disable or Modify System Firewall, BPFDoor, 
[/malware/binaries/BPFDoor](../../tree/main/malware/binaries/BPFDoor), Unix.Backdoor.RedMenshen, Linux, Solaris
+* https://twitter.com/ESETresearch/status/1454100591261667329?s=20 ([#390](https://github.com/timb-machine/linux-malware/issues/390)) - Hive
+* https://www.varonis.com/blog/alphv-blackcat-ransomware ([#109](https://github.com/timb-machine/linux-malware/issues/109)) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512
+* http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf ([#349](https://github.com/timb-machine/linux-malware/issues/349)) - Moose
+* http://www.cverc.org.cn/head/zhaiyao/news20220218-1.htm ([#113](https://github.com/timb-machine/linux-malware/issues/113)) - NOPEN
+* https://imgur.com/a/DWKK5 ([#84](https://github.com/timb-machine/linux-malware/issues/84)) - Persistence, Command and Control, Tsunami, Kaiten (by malwaremustdie.org), Linux
+* https://github.com/akamai/akamai-security-research/tree/main/malware/panchan ([#477](https://github.com/timb-machine/linux-malware/issues/477)) - Pan-chan, [/malware/binaries/pan-chan](../../tree/main/malware/binaries/pan-chan), Linux
+* https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt ([#320](https://github.com/timb-machine/linux-malware/issues/320)) - Gafgyt
+* https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/ ([#98](https://github.com/timb-machine/linux-malware/issues/98)) - Persistence, Defense Evasion, Command and Control, RotaJakiro, wltm
+* https://analyze.intezer.com/files/9b48822bd6065a2ad2c6972003920f713fe2cb750ec13a886efee7b570c111a5 ([#106](https://github.com/timb-machine/linux-malware/issues/106)) - Specter, SideWalk, StageClient, wltm
+* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered ([#693](https://github.com/timb-machine/linux-malware/issues/693)) - Persistence, Defense Evasion, Discovery, Command and Control, attack:T1037.004:RC Scripts, 
attack:T1543.002:Systemd Service , attack:T1036:Masquerading: Match Legitimate Name or Location , attack:T1070.004:File Deletion , attack:T1222:File and Directory Permissions Modification , attack:T1564.001:Hidden Files and Directories , attack:T1082:System Information Discovery , attack:T1057:Process Discovery , attack:T1071.004:DNS, Sotdas, Linux
+* https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/ ([#360](https://github.com/timb-machine/linux-malware/issues/360)) - Rhombus (by malwaremustdie.org)
+* https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/ ([#565](https://github.com/timb-machine/linux-malware/issues/565)) - Initial Access, Lateral Movement, Impact, https://github.com/timb-machine/linux-malware/issues/566, Sysrv, wltm, Linux, Internal enterprise services
+* https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads ([#723](https://github.com/timb-machine/linux-malware/issues/723)) - Defense Evasion, Command and Control, Impact, uses:Python, attack:T1496:Resource Hijacking, attack:T1620:Reflective Code Loading, attack:T1102:Web Service, attack:T1190:Exploit Public-Facing Application, attack:T1105:Ingress Tool Transfer, attack:T1140:Deobfuscate/Decode Files or Information, attack:T1027.002:Software Packing, uses:Non-persistentStorage, PyLoose, XMRig, Linux
+* https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ ([#516](https://github.com/timb-machine/linux-malware/issues/516)) - Resource Development, Discovery, Command and Control, attack:T1587.001:Malware, attack:T1016:System Network Configuration Discovery, attack:T1071.001:Web Protocols, attack:T1573.001:Symmetric Cryptography, SideWalk, wltm, SparklingGoblin, Linux
+* https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/kessel-dns-exfiltration-2/ ([#372](https://github.com/timb-machine/linux-malware/issues/372)) - Kessel
 * 
https://unit42.paloaltonetworks.com/pgminer-postgresql-cryptocurrency-mining-botnet/ ([#351](https://github.com/timb-machine/linux-malware/issues/351)) - PGMiner
-* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ ([#468](https://github.com/timb-machine/linux-malware/issues/468)) - Persistence, Defense Evasion, uses:LD_PRELOAD, attack:T1574.006:Dynamic Linker Hijacking, attack:T1548.001:Setuid and Setgid, attack:T1556.003:Pluggable Authentication Modules, attack:T1027:Obfuscated Files or Information, attack:T1082:System Information Discovery, attack:T1562.001:Disable or Modify Tools, attack:T1003.007:Proc Filesystem, attack:T1563.001:SSH Hijacking, uses:PortHiding, uses:Non-persistentStorage, OrBit, [/malware/binaries/OrBit](../../tree/main/malware/binaries/OrBit), Linux
-* https://www.intezer.com/blog/research/acbackdoor-analysis-of-a-new-multiplatform-backdoor/ ([#549](https://github.com/timb-machine/linux-malware/issues/549)) - ACBackdoor, wltm, Linux
-* https://www.trendmicro.com/en_us/research/16/i/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems.html ([#397](https://github.com/timb-machine/linux-malware/issues/397)) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1574.006:Dynamic Linker Hijacking, attack:T1205.002:Socket Filtering, Umbreon
-* https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game ([#658](https://github.com/timb-machine/linux-malware/issues/658)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, attack:T1573:Encrypted Channel, attack:T1106:Native API, BPFDoor, [/malware/binaries/BPFDoor](../../tree/main/malware/binaries/BPFDoor), Linux
-* https://mp-weixin-qq-com.translate.goog/s/pd6fUs5TLdBtwUHauclDOQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp 
([#588](https://github.com/timb-machine/linux-malware/issues/588)) - Persistence, Defense Evasion, Command and Control, attack:T1027:Obfuscated Files or Information, caja, wltm, Linux
 * https://pastebin.com/iKyaqLTd ([#88](https://github.com/timb-machine/linux-malware/issues/88)) - Exaramel, BlackEnergy, #ICS (by malwaremustdie.org)
-* https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analysis ([#393](https://github.com/timb-machine/linux-malware/issues/393)) - Conti
-* https://twitter.com/IntezerLabs/status/1326880812344676352 ([#330](https://github.com/timb-machine/linux-malware/issues/330)) - AgeLocker
-* https://twitter.com/malwrhunterteam/status/1559636227485319168 ([#500](https://github.com/timb-machine/linux-malware/issues/500)) - Impact, REvil, wltm, Linux
+* https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials ([#50](https://github.com/timb-machine/linux-malware/issues/50)) - TeamTNT
+* https://s.tencent.com/research/report/1177.html ([#384](https://github.com/timb-machine/linux-malware/issues/384))
+* https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/ ([#459](https://github.com/timb-machine/linux-malware/issues/459)) - Persistence, Defense Evasion, Linux
+* https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware ([#814](https://github.com/timb-machine/linux-malware/issues/814)) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:Non-persistentStorage, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, attack:T1037.004:RC Scripts, attack:T1098.004: SSH Authorized Keys, exploit:CVE-2023-35829, https://github.com/timb-machine/linux-malware/issues/710, https://github.com/timb-machine/linux-malware/issues/711, 
https://github.com/timb-machine/linux-malware/issues/724, Linux
+* https://blog.sucuri.net/2023/04/balada-injector-synopsis-of-a-massive-ongoing-wordpress-malware-campaign.html ([#637](https://github.com/timb-machine/linux-malware/issues/637)) - Initial Access, Balada, Linux, Hosting, Consumer, Cloud hosted services
+* http://www.foo.be/cours/dess-20042005/report/bigwar.html#sc ([#386](https://github.com/timb-machine/linux-malware/issues/386)) - sc (similar code to luckscan)
+* https://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html ([#57](https://github.com/timb-machine/linux-malware/issues/57)) - Mirai (by malwaremustdie.org)
+* https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/ ([#105](https://github.com/timb-machine/linux-malware/issues/105)) - Specter, SideWalk, StageClient
+* https://www.intezer.com/blog/malware-analysis/linux-rekoobe-operating-with-new-undetected-malware-samples/ ([#479](https://github.com/timb-machine/linux-malware/issues/479)) - Rekoobe, APT31, Linux
+* https://blog.talosintelligence.com/2018/06/vpnfilter-update.html ([#54](https://github.com/timb-machine/linux-malware/issues/54)) - VPNFilter
 * https://twitter.com/malwaremustd1e/status/1380637310346096641 ([#364](https://github.com/timb-machine/linux-malware/issues/364)) - Ngioweb (by malwaremustdie.org)
-* https://twitter.com/malwrhunterteam/status/1467264298237972484 ([#406](https://github.com/timb-machine/linux-malware/issues/406)) - Cerber
-* https://asec.ahnlab.com/en/55229/ ([#722](https://github.com/timb-machine/linux-malware/issues/722)) - Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/709, attack:T1036.005:Match Legitimate Name or Location, attack:T1573.001:Symmetric Encryption, uses:ProcessTreeSpoofing, Rekoobe, TINYSHELL, APT31, Linux, Solaris
-* https://sansec.io/research/ecommerce-malware-linux-avp ([#396](https://github.com/timb-machine/linux-malware/issues/396)) - linux_avp, Comma
-* 
https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/ ([#636](https://github.com/timb-machine/linux-malware/issues/636)) - Initial Access, Linux
-* https://twitter.com/sethkinghi/status/1397814848549900288 ([#717](https://github.com/timb-machine/linux-malware/issues/717)) - Defense Evasion, attack:T1480.001:Environmental Keying, AVrecon, Linux, IOT
+* https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/ ([#471](https://github.com/timb-machine/linux-malware/issues/471)) - HiddenWasp, Linux
+* https://asec.ahnlab.com/en/49769/ ([#624](https://github.com/timb-machine/linux-malware/issues/624)) - Initial Access, Command and Control, Impact, attack:T1078:Valid Accounts, attack:T1071.001:Web Protocols, attack:T1499:Endpoint Denial of Service, attack:T1105:Ingress Tool Transfer, ShellBot, Linux, Consumer
+* https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf ([#312](https://github.com/timb-machine/linux-malware/issues/312)) - Persistence, Impact, Defense Evasion, Privilege Escalation, attack:T1565.002:Transmitted Data Manipulation, attack:T1055:Process Injection, attack:T1055.009:Proc Memory, attack:T1564.001:Hidden Files and Directories, attack:T1574:Hijack Execution Flow, attack:T1567:Financial Theft, https://github.com/timb-machine/linux-malware/issues/135, FastCash, https://github.com/timb-machine/linux-malware/issues/815, https://github.com/timb-machine/linux-malware/issues/407, Hidden Cobra, AIX, Banking
+* https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-exploited-to-attack-gaming-servers/ ([#319](https://github.com/timb-machine/linux-malware/issues/319)) - Gafgyt
+* https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/ ([#327](https://github.com/timb-machine/linux-malware/issues/327)) - TeamTNT, Mimipenguin
+* 
https://hybrid-analysis.com/sample/eb8826bac873442045a6a05f1fa25b410ca18db6942053f6d146467c00d5338d ([#508](https://github.com/timb-machine/linux-malware/issues/508)) - Peer2Profit, Linux
+* https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html ([#725](https://github.com/timb-machine/linux-malware/issues/725)) - Defense Evasion, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, BPFDoor, [/malware/binaries/BPFDoor](../../tree/main/malware/binaries/BPFDoor), Unix.Backdoor.RedMenshen, DecisiveArchitect, Linux, Solaris
 * https://tolisec.com/ssh-backdoor-botnet-with-research-infection-technique/ ([#92](https://github.com/timb-machine/linux-malware/issues/92))
-* https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/ ([#526](https://github.com/timb-machine/linux-malware/issues/526)) - Metador, wltm, Linux
-* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ ([#95](https://github.com/timb-machine/linux-malware/issues/95)) - Command and Control, Defense Evasion, Persistence, Discovery, attack:T1102:Web Service, attack:T1071.001:Web Protocols, attack:T1573.001:Symmetric Cryptography, attack:T1573:Encrypted Traffic, attack:T1053.003:Cron, attack:T1033:System Owner/User Discovery, attack:T1016:System Network Configuration Discovery, attack:T1070.004:File Deletion, uses:RedirectionToNull, delivery:NPM, SysJoker, wltm, Linux
-* https://imp0rtp3.wordpress.com/2021/11/25/sowat/ ([#400](https://github.com/timb-machine/linux-malware/issues/400)) - Command and Control, https://github.com/timb-machine/linux-malware/issues/140, https://github.com/timb-machine/linux-malware/issues/131, SoWaT, APT31, Zirconium
-* https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en ([#447](https://github.com/timb-machine/linux-malware/issues/447)) - Persistence, Defense Evasion, Discovery, 
Command and Control, attack:T1027:Obfuscated Files or Information, attack:T1053.003:Cron, attack:T1082:System Information Discovery, attack:T1132:Data Encoding, attack:T1564.001:Hidden Files and Directories, Buni, APT32, Ocean Lotus
-* https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites ([#598](https://github.com/timb-machine/linux-malware/issues/598)) - Initial Access, Command and Control, uses:Go, GoTrim, Linux, Enterprise with public/Customer-facing services
-* https://imgur.com/a/DWKK5 ([#84](https://github.com/timb-machine/linux-malware/issues/84)) - Persistence, Command and Control, Tsunami, Kaiten (by malwaremustdie.org), Linux
-* https://www.lab539.com/blog/linux-malware-detection-with-limacharlie ([#728](https://github.com/timb-machine/linux-malware/issues/728)) - Reconnaissance, Initial Access, Execution, Persistence, Linux
-* https://twitter.com/jhencinski/status/1451592508157345793 ([#387](https://github.com/timb-machine/linux-malware/issues/387)) - Impact, XMRig
-* https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html ([#501](https://github.com/timb-machine/linux-malware/issues/501)) - Initial Access, Command and Control, uses:MiMi, uses:ElectronJS, rshell, wltm, Iron Tiger, Emissary Panda, APT27, Bronze Union, LuckyMouse, Linux, Collaboration across enterprise boundaries, Device application sandboxing
-* https://www.uptycs.com/blog/another-ransomware-for-linux-likely-in-development ([#505](https://github.com/timb-machine/linux-malware/issues/505)) - Impact, DarkAngels, wltm, Linux
-* https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces ([#115](https://github.com/timb-machine/linux-malware/issues/115)) - Impact, KinSing
-* https://twitter.com/ESETresearch/status/1410864752948043778 ([#104](https://github.com/timb-machine/linux-malware/issues/104)) - Specter, SideWalk, StageClient
-* 
https://mp-weixin-qq-com.translate.goog/s/v2wiJe-YPG0ng87ffBB9FQ?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en ([#580](https://github.com/timb-machine/linux-malware/issues/580)) - Command and Control, Torii, Linux
-* https://threatfabric.com/blogs/vultur-v-for-vnc.html ([#379](https://github.com/timb-machine/linux-malware/issues/379)) - Vultur, Brunhilda, #Android
+* https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html ([#102](https://github.com/timb-machine/linux-malware/issues/102)) - Impact, attack:T1486:Data Encrypted for Impact, LockBit, Linux, VMware, Internal enterprise services, Internal specialist services
+* https://imgur.com/a/53f29O9 ([#61](https://github.com/timb-machine/linux-malware/issues/61)) - Mirai (by malwaremustdie.org)
+* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux ([#510](https://github.com/timb-machine/linux-malware/issues/510)) - Execution, Persistence, Defense Evasion, attack:T1036.005:Match Legitimate Name or Location, attack:T1059:Command and Scripting Interpreter, attack:T1569:System Service, attack:T1569.002:Service Execution, attack:T1543:Create or Modify System Process, attack:T1027:Obfuscated Files or Information, uses:Non-persistentStorage, attack:T1057:Process Discovery, attack:T1070.004:File Deletion, attack:T1546.004:Unix Shell, exploit:CVE-2021-3493, Shikitega, [/malware/binaries/Shikitega](../../tree/main/malware/binaries/Shikitega), Linux
+* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ ([#439](https://github.com/timb-machine/linux-malware/issues/439)) - Initial Access, Credential Access, Impact, attack:T1078:Valid Accounts, attack:T1100:Brute Force, attack:T1498:Network Denial of Service, attack:T1053.003:Cron, attack:T1105:Ingress Tool Transfer, attack:T1027:Obfuscated Files or Information, attack:T1014:Rootkit, 
attack:T1082:System Information Discovery, attack:T1003.007:Proc Filesystem, attack:T1562.001:Disable or Modify Tools, attack:T1037.004:RC Scripts, attack:T1070.004:File Deletion, attack:T1036.005:Match Legitimate Name or Location, uses:Non-persistentStorage, uses:ioctl, uses:PortHiding, https://github.com/timb-machine/linux-malware/issues/129, uses:ProcessTreeSpoofing, XorDDoS, Rooty, Linux
+* https://www.welivesecurity.com/wp-content/uploads/2021/10/eset_fontonlake.pdf ([#641](https://github.com/timb-machine/linux-malware/issues/641)) - FontOnLake, Linux
+* https://sansec.io/research/nginrat ([#94](https://github.com/timb-machine/linux-malware/issues/94)) - Defense Evasion, uses:Non-persistentStorage, attack:T1036.005:Match Legitimate Name or Location, attack:T1574.006:Dynamic Linker Hijacking, attack:T1027:Obfuscated Files or Information, uses:ProcessTreeSpoofing, NginRAT, wltm
 * https://imgur.com/a/LpTN7 ([#85](https://github.com/timb-machine/linux-malware/issues/85)) - Elknot (by malwaremustdie.org)
-* https://sysdig.com/blog/cloud-defense-in-depth/ ([#713](https://github.com/timb-machine/linux-malware/issues/713)) - Initial Access, Lateral Movement, KinSing, Linux
-* https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html ([#59](https://github.com/timb-machine/linux-malware/issues/59)) - Mirai (by malwaremustdie.org)
-* https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/ ([#110](https://github.com/timb-machine/linux-malware/issues/110)) - b1txor20
-* https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf ([#333](https://github.com/timb-machine/linux-malware/issues/333)) - Cloud Snooper
-* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ ([#432](https://github.com/timb-machine/linux-malware/issues/432)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on 
Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
-* https://blogs.blackberry.com/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors ([#305](https://github.com/timb-machine/linux-malware/issues/305)) - Tycoon
-* https://cujo.com/iot-malware-journals-prometei-linux/ ([#300](https://github.com/timb-machine/linux-malware/issues/300)) - Promotei
+* https://unit42.paloaltonetworks.com/watchdog-cryptojacking/ ([#324](https://github.com/timb-machine/linux-malware/issues/324)) - WatchDog
+* https://unit42.paloaltonetworks.com/blackcat-ransomware/ ([#108](https://github.com/timb-machine/linux-malware/issues/108)) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512
 * https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/ ([#503](https://github.com/timb-machine/linux-malware/issues/503))
-* https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf ([#493](https://github.com/timb-machine/linux-malware/issues/493)) - Persistence, Command and Control, uses:Go, IPStorm, [/malware/binaries/Unix.Trojan.Ipstorm](../../tree/main/malware/binaries/Unix.Trojan.Ipstorm), Linux
-* https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/ ([#325](https://github.com/timb-machine/linux-malware/issues/325)) - RedXOR
-* https://blog.talosintelligence.com/2018/06/vpnfilter-update.html ([#54](https://github.com/timb-machine/linux-malware/issues/54)) - VPNFilter
-* https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/ ([#566](https://github.com/timb-machine/linux-malware/issues/566)) - Impact, XMRig, Sysrv, wltm, Linux
-* 
https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/ ([#369](https://github.com/timb-machine/linux-malware/issues/369)) - Kobalos, #linux, #bsd, #solaris, #aix
-* https://www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spam-servers/ ([#68](https://github.com/timb-machine/linux-malware/issues/68)) - Mumblehard
-* https://www.intezer.com/blog/malware-analysis/linux-rekoobe-operating-with-new-undetected-malware-samples/ ([#479](https://github.com/timb-machine/linux-malware/issues/479)) - Rekoobe, APT31, Linux
+* https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/ ([#714](https://github.com/timb-machine/linux-malware/issues/714)) - Initial Access, Defense Evasion, attack:T1190:Exploit Public-Facing Application, attack:T1480.001:Environmental Keying, Mirai, Linux, IOT
+* https://blog.polyswarm.io/deadbolt-ransomware ([#577](https://github.com/timb-machine/linux-malware/issues/577)) - Impact, Deadbolt, Linux, Consumer
+* https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys/ ([#680](https://github.com/timb-machine/linux-malware/issues/680)) - Initial Access, Persistence, Androxgh0st, wltm, Linux, Cloud hosted services
+* https://imgur.com/a/N3BgY ([#73](https://github.com/timb-machine/linux-malware/issues/73)) - ChinaZ, GoARM (by malwaremustdie.org)
+* https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/ ([#114](https://github.com/timb-machine/linux-malware/issues/114)) - HabitsRAT
+* https://twitter.com/malwaremustd1e/status/1235595880041873408 ([#358](https://github.com/timb-machine/linux-malware/issues/358)) - Hajimi (by malwaremustdie.org)
+* https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/ ([#308](https://github.com/timb-machine/linux-malware/issues/308)) - KillDisk
+* 
https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analysis ([#393](https://github.com/timb-machine/linux-malware/issues/393)) - Conti
+* https://sysdig.com/blog/ssh-snake/ ([#801](https://github.com/timb-machine/linux-malware/issues/801)) - Defense Evasion, Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, attack:T1027:Obfuscated Files or Information, https://github.com/timb-machine/linux-malware/issues/791, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services
+* https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces ([#115](https://github.com/timb-machine/linux-malware/issues/115)) - Impact, KinSing
+* https://imgur.com/a/57uOiTu ([#80](https://github.com/timb-machine/linux-malware/issues/80)) - DDoSMan (by malwaremustdie.org)
+* https://old.reddit.com/r/LinuxMalware/comments/a66dsz/ddostf_still_lurking_arm_boxes/ ([#72](https://github.com/timb-machine/linux-malware/issues/72)) - DDoSTF (by malwaremustdie.org)
+* https://twitter.com/IntezerLabs/status/1326880812344676352 ([#330](https://github.com/timb-machine/linux-malware/issues/330)) - AgeLocker
+* https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ ([#655](https://github.com/timb-machine/linux-malware/issues/655)) - Initial Access, Persistence, Privilege Escalation, attack:T1566.001:Spearphishing Attachment, attack:T1546.004:Unix Shell Configuration Modification, uses:RedirectionToNull, uses:Go, wltm, OdicLoader, SimplexTea, Lazarus, Linux
+* https://twitter.com/malwaremustd1e/status/1264417940742389762 ([#316](https://github.com/timb-machine/linux-malware/issues/316)) - Gafgyt (by malwaremustdie.org)
+* https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ ([#724](https://github.com/timb-machine/linux-malware/issues/724)) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, 
attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, https://github.com/timb-machine/linux-malware/issues/710, https://github.com/timb-machine/linux-malware/issues/711, https://github.com/timb-machine/linux-malware/issues/814, Linux
+* https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ ([#524](https://github.com/timb-machine/linux-malware/issues/524)) - Initial Access, Execution, Persistence, Discovery, Lateral Movement, Command and Control, Exfiltration, uses:Go, attack:T1573:Encrypted Channel, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1021.004:SSH, attack:T1057:Process Discovery, attack:T1552.004:Private Keys, attack:T1190:Exploit Public-Facing Application, Chaos, [/malware/binaries/Chaos](../../tree/main/malware/binaries/Chaos), Linux
+* https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github ([#97](https://github.com/timb-machine/linux-malware/issues/97)) - Botenago
+* https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ ([#95](https://github.com/timb-machine/linux-malware/issues/95)) - Command and Control, Defense Evasion, Persistence, Discovery, attack:T1102:Web Service, attack:T1071.001:Web Protocols, attack:T1573.001:Symmetric Cryptography, attack:T1573:Encrypted Traffic, attack:T1053.003:Cron, attack:T1033:System Owner/User Discovery, attack:T1016:System Network Configuration Discovery, attack:T1070.004:File Deletion, uses:RedirectionToNull, delivery:NPM, SysJoker, wltm, Linux
+* https://blogs.jpcert.or.jp/en/2023/05/gobrat.html ([#682](https://github.com/timb-machine/linux-malware/issues/682)) - Command and Control, uses:Go, GobRAT, Linux, Telecomms
+* https://twitter.com/IntezerLabs/status/1288487307369222145 ([#331](https://github.com/timb-machine/linux-malware/issues/331)) - TrickBot
 * 
https://asec.ahnlab.com/en/55785/ ([#733](https://github.com/timb-machine/linux-malware/issues/733)) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1547.006:Kernel Modules and Extensions, attack:T1205.001:Port Knocking, Reptile, TINYSHELL, Rekoobe, Linux
-* https://blog.polyswarm.io/darkangels-linux-ransomware ([#666](https://github.com/timb-machine/linux-malware/issues/666)) - Impact, attack:T1486:Data Encrypted for Impact, DarkAngels, wltm, Linux
-* https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf ([#312](https://github.com/timb-machine/linux-malware/issues/312)) - Persistence, Impact, Defense Evasion, Privilege Escalation, attack:T1565.002:Transmitted Data Manipulation, attack:T1055:Process Injection, attack:T1055.009:Proc Memory, attack:T1564.001:Hidden Files and Directories, attack:T1574:Hijack Execution Flow, attack:T1567:Financial Theft, https://github.com/timb-machine/linux-malware/issues/135, FastCash, Hidden Cobra, AIX, Banking
-* https://gist.github.com/unixfreaxjp/7b8bd6be614f7a051fc9a9da760d3138 ([#362](https://github.com/timb-machine/linux-malware/issues/362)) - Initial Access, Command and Control, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux
-* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines ([#527](https://github.com/timb-machine/linux-malware/issues/527)) - Defense Evasion, Discovery, Execution, Persistence, Privilege Escalation, attack:T1036.005:Match Legitimate Name or Location, attack:T1059:Command and Scripting Interpreter, attack:T1569:System Service, attack:T1569.002:Service Execution, attack:T1543:Create or Modify System Process, attack:T1027:Obfuscated Files or Information, uses:Non-persistentStorage, attack:T1057:Process Discovery, attack:T1070.004:File Deletion, attack:T1546.004:Unix Shell, exploit:CVE-2021-3493, 
exploit:CVE-2021-4034, https://github.com/timb-machine/linux-malware/issues/510, Shikitega, [/malware/binaries/Shikitega](../../tree/main/malware/binaries/Shikitega), XMRig, Linux
-* https://www.guardicore.com/labs/fritzfrog-a-new-generation-of-peer-to-peer-botnets/ ([#313](https://github.com/timb-machine/linux-malware/issues/313)) - FritzFrog
-* https://ultimacybr.co.uk/2023-10-04-Sysrv/ ([#767](https://github.com/timb-machine/linux-malware/issues/767)) - Persistence, Defense Evasion, Impact, attack:T1496:Resource Hijacking, uses:Go, Sysrv, Linux
-* https://www.gosecure.net/blog/2018/02/14/chaos-a-stolen-backdoor-rising/ ([#395](https://github.com/timb-machine/linux-malware/issues/395)) - uses:Go, Chaos (sebd), [/malware/binaries/Chaos](../../tree/main/malware/binaries/Chaos)
-* https://igor-blue.github.io/2021/03/24/apt1.html ([#302](https://github.com/timb-machine/linux-malware/issues/302))
-* https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware ([#639](https://github.com/timb-machine/linux-malware/issues/639)) - Command and Control, AP36, Transparent Tribe, Poseidon, Linux
-* https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux ([#510](https://github.com/timb-machine/linux-malware/issues/510)) - Execution, Persistence, Defense Evasion, attack:T1036.005:Match Legitimate Name or Location, attack:T1059:Command and Scripting Interpreter, attack:T1569:System Service, attack:T1569.002:Service Execution, attack:T1543:Create or Modify System Process, attack:T1027:Obfuscated Files or Information, uses:Non-persistentStorage, attack:T1057:Process Discovery, attack:T1070.004:File Deletion, attack:T1546.004:Unix Shell, exploit:CVE-2021-3493, Shikitega, [/malware/binaries/Shikitega](../../tree/main/malware/binaries/Shikitega), Linux
+* https://twitter.com/captainGeech42/status/1657121312425365524 ([#661](https://github.com/timb-machine/linux-malware/issues/661)) - Persistence, Defense Evasion, 
SystemBC, https://github.com/timb-machine/linux-malware/issues/662, Linux
+* https://cujo.com/iot-malware-journals-prometei-linux/ ([#300](https://github.com/timb-machine/linux-malware/issues/300)) - Promotei
+* https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version ([#309](https://github.com/timb-machine/linux-malware/issues/309)) - REvil
+* https://twitter.com/_larry0/status/1143532888538984448 ([#51](https://github.com/timb-machine/linux-malware/issues/51)) - Silex
+* https://www.cadosecurity.com/legion-an-aws-credential-harvester-and-smtp-hijacker/ ([#679](https://github.com/timb-machine/linux-malware/issues/679)) - Initial Access, Persistence, Impact, Legion, wltm, Linux, Cloud hosted services
+* https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ ([#618](https://github.com/timb-machine/linux-malware/issues/618)) - Persistence, Defense Evasion, uses:Go, attack:T1554:Compromise Client Software Binary, attack:T1546.004:Unix Shell Configuration Modification, attack:T1053.003:Cron, attack:T1543.002:Systemd Service, attack:T1037:Boot or Logon Initialization Scripts, Chaos, [/malware/binaries/Chaos](../../tree/main/malware/binaries/Chaos), Linux
+* https://www.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies ([#758](https://github.com/timb-machine/linux-malware/issues/758)) - Persistence, Defense Evasion, Impact, attack:T1486:Data Encrypted for Impact, Gwisin, Spirit, Linux, VMware
 * https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/ ([#381](https://github.com/timb-machine/linux-malware/issues/381)) - FontOnLake
-* https://www.sentinelone.com/blog/darkradiation-abusing-bash-for-linux-and-docker-container-ransomware/ ([#303](https://github.com/timb-machine/linux-malware/issues/303)) - DarkRadiation
-* https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/ 
([#378](https://github.com/timb-machine/linux-malware/issues/378)) - #cobaltstrike, VermilionStrike
-* https://twitter.com/cyb3rops/status/1523227511551033349 ([#425](https://github.com/timb-machine/linux-malware/issues/425)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/418, DecisiveArchitect, Linux
-* https://www.sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/ ([#402](https://github.com/timb-machine/linux-malware/issues/402)) - Cloud Shovel
-* https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials ([#50](https://github.com/timb-machine/linux-malware/issues/50)) - TeamTNT
 * http://www.thedarkside.nl/honeypot/microbul.html ([#388](https://github.com/timb-machine/linux-malware/issues/388))
-* https://hybrid-analysis.com/sample/eb8826bac873442045a6a05f1fa25b410ca18db6942053f6d146467c00d5338d ([#508](https://github.com/timb-machine/linux-malware/issues/508)) - Peer2Profit, Linux
-* https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/ ([#299](https://github.com/timb-machine/linux-malware/issues/299)) - IPStorm, [/malware/binaries/Unix.Trojan.Ipstorm](../../tree/main/malware/binaries/Unix.Trojan.Ipstorm)
-* https://vms.drweb.com/virus/?i=15389228 ([#326](https://github.com/timb-machine/linux-malware/issues/326)) - ? 
-* https://zhuanlan.zhihu.com/p/348960748 ([#403](https://github.com/timb-machine/linux-malware/issues/403)) - Impact, Command and Control, Lateral Movement, Persistence, Cloud Shovel
-* https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/ ([#410](https://github.com/timb-machine/linux-malware/issues/410)) - Initial Access, Persistence, Defense Evasion, Lateral Movement, Impact, LemonDuck, Linux, Cloud hosted services, Device application sandboxing
-* https://twitter.com/CraigHRowland/status/1422267857988063232 ([#354](https://github.com/timb-machine/linux-malware/issues/354)) - ITTS
-* https://imgur.com/a/CtHlmBE ([#82](https://github.com/timb-machine/linux-malware/issues/82)) - Persistence, Command and Control, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux
-* https://imgur.com/a/Ak9zICq ([#367](https://github.com/timb-machine/linux-malware/issues/367)) - Neko (by malwaremustdie.org)
-* https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html ([#332](https://github.com/timb-machine/linux-malware/issues/332)) - NOTROBIN
-* https://imgur.com/a/qqgfFXf ([#60](https://github.com/timb-machine/linux-malware/issues/60)) - Mirai (by malwaremustdie.org)
-* https://securelist.com/a-bad-luck-blackcat/106254/?_sp=3b4159db-9e20-4bfa-a47f-f8671b594d75.1649770307513 ([#118](https://github.com/timb-machine/linux-malware/issues/118)) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512
-* https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html ([#614](https://github.com/timb-machine/linux-malware/issues/614)) - Command and Control, Persistence, SysUpdate, IronTiger
-* https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys/ ([#680](https://github.com/timb-machine/linux-malware/issues/680)) - Initial Access, Persistence, Androxgh0st, wltm, Linux, 
Cloud hosted services
-* https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html ([#789](https://github.com/timb-machine/linux-malware/issues/789)) - Defense Evasion, Discovery, Command and Control, attack:T1090:Proxy, uses:ProcessTreeSpoofing, attack:T1027:Obfuscated Files or Information, attack:T1082:System Information Discovery, SprySOCKS, Mandibule, https://github.com/timb-machine/linux-malware/issues/170, Earth Lusca, Linux
-* https://twitter.com/malwrhunterteam/status/1415403132230803460 ([#310](https://github.com/timb-machine/linux-malware/issues/310)) - HelloKitty
-* https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf ([#625](https://github.com/timb-machine/linux-malware/issues/625)) - Defense Evasion, Command and Control, attack:T1071:Application Layer Protocol, attack:T1071.001:Web Protocols, attack:T1092:Communication Through Removable Media, attack:T1027.002:Software Packing, KEYPLUG, RedGolf, Linux
-* https://cert.gov.ua/article/4501891 ([#651](https://github.com/timb-machine/linux-malware/issues/651)) - Impact, attack:T1485:Data Destruction, Sandworm, Linux, Industrial
-* https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ ([#750](https://github.com/timb-machine/linux-malware/issues/750)) - Initial Access, Persistence, Defense Evasion, Command and Control, Impact, attack:T1547.006:Kernel Modules and Extensions, SkidMap, Linux
-* https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html ([#725](https://github.com/timb-machine/linux-malware/issues/725)) - Defense Evasion, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, BPFDoor, [/malware/binaries/BPFDoor](../../tree/main/malware/binaries/BPFDoor), Unix.Backdoor.RedMenshen, DecisiveArchitect, Linux, Solaris
-* https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/ 
([#52](https://github.com/timb-machine/linux-malware/issues/52)) - GodLua
-* https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github ([#97](https://github.com/timb-machine/linux-malware/issues/97)) - Botenago
-* https://cujo.com/the-sysrv-botnet-and-how-it-evolved/ ([#640](https://github.com/timb-machine/linux-malware/issues/640)) - Initial Access, Command and Control, Impact, Sysrv, Linux
-* https://www.welivesecurity.com/wp-content/uploads/2021/10/eset_fontonlake.pdf ([#641](https://github.com/timb-machine/linux-malware/issues/641)) - FontOnLake, Linux
-* https://twitter.com/malwaremustd1e/status/1264417940742389762 ([#316](https://github.com/timb-machine/linux-malware/issues/316)) - Gafgyt (by malwaremustdie.org)
-* https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/ ([#342](https://github.com/timb-machine/linux-malware/issues/342)) - Doki
-* https://sansec.io/research/nginrat ([#94](https://github.com/timb-machine/linux-malware/issues/94)) - Defense Evasion, uses:Non-persistentStorage, attack:T1036.005:Match Legitimate Name or Location, attack:T1574.006:Dynamic Linker Hijacking, attack:T1027:Obfuscated Files or Information, uses:ProcessTreeSpoofing, NginRAT, wltm
-* https://s.tencent.com/research/report/1177.html ([#384](https://github.com/timb-machine/linux-malware/issues/384))
-* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf ([#427](https://github.com/timb-machine/linux-malware/issues/427)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris
-* https://vms.drweb.com/virus/?i=21004786 
([#433](https://github.com/timb-machine/linux-malware/issues/433)) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
-* https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf ([#345](https://github.com/timb-machine/linux-malware/issues/345)) - WellMail (APT29)
-* https://cybersec84.wordpress.com/2023/08/15/monti-ransomware-operators-resurface-with-new-linux-variant-improved-evasion-tactics/ ([#753](https://github.com/timb-machine/linux-malware/issues/753)) - Defense Evasion, Impact, attack:T1486:Data Encrypted for Impact, attack:T1480:Execution Guardrails, wltm, Monti, Linux, VMware
-* https://pastebin.com/Z3sXqDCA ([#89](https://github.com/timb-machine/linux-malware/issues/89)) - Mozi (by malwaremustdie.org)
-* https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/ ([#323](https://github.com/timb-machine/linux-malware/issues/323)) - EvilGnome
-* https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/ ([#350](https://github.com/timb-machine/linux-malware/issues/350)) - Stantinkos
-* https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/ ([#308](https://github.com/timb-machine/linux-malware/issues/308)) - KillDisk
-* https://unit42.paloaltonetworks.com/alloy-taurus/ ([#646](https://github.com/timb-machine/linux-malware/issues/646)) - Command and Control, attack:T1071:Application Layer Protocol, attack:T1071.001:Web Protocols, attack:T1132:Data Encoding, attack:T1132.001:Standard Encoding, attack:T1573:Encrypted Channel, attack:T1573.001:Symmetric Cryptography, Sword2033, PingBull, wltm, Alloy Taurus, GALLIUM, Soft Cell, Linux
-* https://www.intezer.com/blog/research/new-linux-threat-symbiote/ ([#452](https://github.com/timb-machine/linux-malware/issues/452)) - Persistence, Defense 
Evasion, Command and Control, attack:T1205:Traffic Signaling, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1556.003:Pluggable Authentication Modules, attack:T1574.006:Dynamic Linker Hijacking, https://github.com/timb-machine/linux-malware/issues/460, Symbiote, Linux
-* https://atdotde.blogspot.com/2020/05/high-performance-hackers.html ([#377](https://github.com/timb-machine/linux-malware/issues/377)) - HPC
 * https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html ([#63](https://github.com/timb-machine/linux-malware/issues/63)) - https://github.com/timb-machine/linux-malware/issues/134, SLAPSTICK, LightBasin, UNC1945, Solaris
-* https://analyze.intezer.com/files/82aa04f8576ea573a4772db09ee245cab8eac7ff1e7200f0cc960d8b6f516e92 ([#482](https://github.com/timb-machine/linux-malware/issues/482)) - Log4J, [/malware/binaries/Unix.Trojan.Log4J/82aa04f8576ea573a4772db09ee245cab8eac7ff1e7200f0cc960d8b6f516e92.elf.x86](../../blob/main/malware/binaries/Unix.Trojan.Log4J/82aa04f8576ea573a4772db09ee245cab8eac7ff1e7200f0cc960d8b6f516e92.elf.x86), Linux
-* https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf ([#370](https://github.com/timb-machine/linux-malware/issues/370)) - Kobalos, #bsd, #solaris, #aix
-* https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/ ([#690](https://github.com/timb-machine/linux-malware/issues/690)) - Command and Control, attack:T1572:Protocol Tunneling, ChamelDoh, wltm, ChamelGang, Linux
+* https://blogs-jpcert-or-jp.translate.goog/ja/2023/07/dangerouspassword_dev.html ([#721](https://github.com/timb-machine/linux-malware/issues/721)) - Defense Evasion, Command and Control, uses:Python, uses:JavaScript, attack:T1140:Deobfuscate/Decode Files or Information, PythonHTTPBackdoor, wltm, DangerousPassword, CryptoMimic, SnatchCrypto, Linux
+* 
https://mp-weixin-qq-com.translate.goog/s/pd6fUs5TLdBtwUHauclDOQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp ([#588](https://github.com/timb-machine/linux-malware/issues/588)) - Persistence, Defense Evasion, Command and Control, attack:T1027:Obfuscated Files or Information, caja, wltm, Linux
+* https://www.signalblur.io/through-the-looking-glass ([#756](https://github.com/timb-machine/linux-malware/issues/756)) - Impact, attack:T1486:Data Encrypted for Impact, wltm, RedAlert, Conti, BlackBasta, Sodinokibi, REvil, BlackMatter, DarkSide, Defray777, RansomEXX, HelloKitty, ViceSociety, Royal, BlackSuit, RTM Locker, Hive, GonnaCry, Erebus, eChOraix, QNAPCrypt, Cylance, Polaris, Linux, VMware, Internal enterprise services, Internal specialist services
+* https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor ([#547](https://github.com/timb-machine/linux-malware/issues/547)) - Command and Control, Exfiltration, uses:LD_PRELOAD, wltm, Linux
+* https://imgur.com/a/lAQ1tMQ ([#78](https://github.com/timb-machine/linux-malware/issues/78)) - HelloBot (by malwaremustdie.org)
 * https://twitter.com/bkMSFT/status/1417823714922610689 ([#328](https://github.com/timb-machine/linux-malware/issues/328)) - https://github.com/timb-machine/linux-malware/issues/329, Zirconium, APT31
+* https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/ ([#329](https://github.com/timb-machine/linux-malware/issues/329)) - Zirconium, APT31
+* https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/ ([#65](https://github.com/timb-machine/linux-malware/issues/65)) - Qemu, https://github.com/timb-machine/linux-malware/issues/134, LightBasin, UNC1945
+* https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ ([#817](https://github.com/timb-machine/linux-malware/issues/817)) - Resource Development, Persistence, Defense Evasion, attack:T1542.003:Bootkit, attack:T1547.006:Kernel Modules and Extensions, 
attack:T1587.00:Malware, attack:T1587.002Code Signing Certificates, attack:T1106:Native API, attack:T1129:Shared Modules, attack:T1574.006:Dynamic Linker, attack:T1542.003, attack:T1014:Rootkit, attack:T1562:Impair Defenses, attack:T1564:Hide Artifacts, Bootkitty, BCDropper, BCObserver, Linux, Consumer, Internal enterprise services, Enterprise with satellite facilities, Enterprise with contracted services and/or non-employee access
+* https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/ ([#636](https://github.com/timb-machine/linux-malware/issues/636)) - Initial Access, Linux
+* http://it.rising.com.cn/fanglesuo/19851.html ([#96](https://github.com/timb-machine/linux-malware/issues/96)) - SFile
+* https://imp0rtp3.wordpress.com/2021/11/25/sowat/ ([#400](https://github.com/timb-machine/linux-malware/issues/400)) - Command and Control, https://github.com/timb-machine/linux-malware/issues/140, https://github.com/timb-machine/linux-malware/issues/131, SoWaT, APT31, Zirconium
+* https://blog.netlab.360.com/a-new-mining-botnet-blends-its-c2s-into-ngrok-service/ ([#343](https://github.com/timb-machine/linux-malware/issues/343)) - NGrok
+* https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html ([#366](https://github.com/timb-machine/linux-malware/issues/366)) - AirDropBot (by malwaremustdie.org)
+* https://www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spam-servers/ ([#68](https://github.com/timb-machine/linux-malware/issues/68)) - Mumblehard
+* https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/ ([#299](https://github.com/timb-machine/linux-malware/issues/299)) - IPStorm, [/malware/binaries/Unix.Trojan.Ipstorm](../../tree/main/malware/binaries/Unix.Trojan.Ipstorm)
+* https://old.reddit.com/r/LinuxMalware/comments/f26amt/new_systemten_botnet_miner_threat_now_wother/ ([#357](https://github.com/timb-machine/linux-malware/issues/357)) - SystemTen (by malwaremustdie.org)
+* 
https://honeynet.onofri.org/scans/scan13/som/som5.txt ([#389](https://github.com/timb-machine/linux-malware/issues/389)) - Luckscan, UNC1945
+* https://media.defense.gov/2023/May/09/2003218554/-1/-1/1/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF ([#657](https://github.com/timb-machine/linux-malware/issues/657)) - Command and Control, SNAKE, Linux
+* https://imgur.com/a/qI5Fvm4 ([#83](https://github.com/timb-machine/linux-malware/issues/83)) - STD (by malwaremustdie.org)
+* https://twitter.com/CraigHRowland/status/1523266585133457408 ([#424](https://github.com/timb-machine/linux-malware/issues/424)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/418, DecisiveArchitect, Linux
+* https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html ([#442](https://github.com/timb-machine/linux-malware/issues/442)) - Impact, attack:T1486:Data Encrypted for Impact, Cheerscrypt, https://github.com/timb-machine/linux-malware/issues/544, Linux, VMware, Internal enterprise services, Internal specialist services
+* https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware ([#107](https://github.com/timb-machine/linux-malware/issues/107)) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512
 * https://www.mandiant.com/resources/blog/messagetap-who-is-reading-your-text-messages ([#542](https://github.com/timb-machine/linux-malware/issues/542)) - Defense Evasion, Discovery, Collection, Exfiltration, vertical:Telecomms, attack:T1040:Network Sniffing, uses:Non-persistentStorage, attack:T1070.004:File Deletion, MESSAGETAP, [/malware/binaries/MESSAGETAP](../../tree/main/malware/binaries/MESSAGETAP), APT41, Linux, Telecomms, Internal 
specialist services
-* https://imgur.com/a/lAQ1tMQ ([#78](https://github.com/timb-machine/linux-malware/issues/78)) - HelloBot (by malwaremustdie.org)
-* https://twitter.com/CraigHRowland/status/1422009387686645761 ([#353](https://github.com/timb-machine/linux-malware/issues/353)) - ITTS
-* https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ ([#724](https://github.com/timb-machine/linux-malware/issues/724)) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, https://github.com/timb-machine/linux-malware/issues/710, https://github.com/timb-machine/linux-malware/issues/711, Linux
-* https://www.trendmicro.com/en_gb/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html ([#304](https://github.com/timb-machine/linux-malware/issues/304)) - DarkRadation
-* https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ ([#716](https://github.com/timb-machine/linux-malware/issues/716)) - Defense Evasion, Credential Access, Discovery, Command and Control, attack:T1110.003:Password Spraying, attack:T1057:Process Discovery, attack:T1082:System Information Discovery, attack:T1480.001:Environmental Keying, attack:T1573:Encrypted Channel, AVrecon, https://github.com/timb-machine/linux-malware/issues/717, Linux, IOT
-* https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass ([#692](https://github.com/timb-machine/linux-malware/issues/692)) - Execution, Persistence, Defense Evasion, Credential Access, Command and Control, attack:T1552:Unsecured Credentials, attack:T1212:Exploitation for Credential Access, attack:T1562:Impair Defenses, attack:T1580:Cloud Infrastructure Discovery, attack:T1525:Implant Internal Image, attack:T1102:Web Service, UNC3886, Linux, VMware
-* 
https://www.mandiant.com/resources/unc2891-overview ([#112](https://github.com/timb-machine/linux-malware/issues/112)) - Lateral Movement, Credential Access, Execution, Defense Evasion, Persistence, attack:T1021.004:SSH, attack:T1003.008:/etc/passwd and /etc/shadow, attack:T1552.003:Bash History, attack:T1552.004:Private Keys, attack:T1556.003:Pluggable Authentication Modules, attack:T1053.001:At (Linux), attack:T1059.004:Unix Shell, attack:T1014:Rootkit, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1548.001:Setuid and Setgid, attack:T1543.002:Systemd Service, attack:T1547.006:Kernel Modules and Extensions, https://github.com/timb-machine/linux-malware/issues/134, TINYSHELL, SLAPSTICK, CAKETAP, WIPERIGHT, MIG Logcleaner, https://github.com/timb-machine/linux-malware/issues/154, BINBASH, UNC2891, UNC1945, LightBasin, Linux, Solaris, Banking
-* https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ ([#516](https://github.com/timb-machine/linux-malware/issues/516)) - Resource Development, Discovery, Command and Control, attack:T1587.001:Malware, attack:T1016:System Network Configuration Discovery, attack:T1071.001:Web Protocols, attack:T1573.001:Symmetric Cryptography, SideWalk, wltm, SparklingGoblin, Linux
-* https://twitter.com/malwaremustd1e/status/1235595880041873408 ([#358](https://github.com/timb-machine/linux-malware/issues/358)) - Hajimi (by malwaremustdie.org)
-* https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/ ([#327](https://github.com/timb-machine/linux-malware/issues/327)) - TeamTNT, Mimipenguin
-* https://int0x33.medium.com/day-27-tiny-shell-48df6abb0d5d ([#616](https://github.com/timb-machine/linux-malware/issues/616)) - Command and Control, TSH, TINYSHELL, https://github.com/timb-machine/linux-malware/issues/481
-* https://twitter.com/captainGeech42/status/1657121312425365524 ([#661](https://github.com/timb-machine/linux-malware/issues/661)) - Persistence, Defense Evasion, SystemBC, 
https://github.com/timb-machine/linux-malware/issues/662, Linux
-* https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ ([#117](https://github.com/timb-machine/linux-malware/issues/117)) - AcidRain
-* https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 ([#604](https://github.com/timb-machine/linux-malware/issues/604)) - Initial Access, attack:T1190:Exploit Public-Facing Application, attack:T1078.001:Default Accounts, KinSing, Linux
-* https://imgur.com/a/vS7xV ([#75](https://github.com/timb-machine/linux-malware/issues/75)) - CarpeDiem (by malwaremustdie.org)
-* https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/ ([#444](https://github.com/timb-machine/linux-malware/issues/444)) - EnemyBot, Linux
-* https://imgur.com/a/SSKmu ([#77](https://github.com/timb-machine/linux-malware/issues/77)) - Rebirth, Vulcan (by malwaremustdie.org)
+* https://imgur.com/a/5vPEc ([#74](https://github.com/timb-machine/linux-malware/issues/74)) - ChinaZ (by malwaremustdie.org)
+* https://www.mandiant.com/resources/unc3524-eye-spy-email ([#414](https://github.com/timb-machine/linux-malware/issues/414)) - Resource Development, Persistence, Defense Evasion, Lateral Movement, attack:T1021.004:SSH, attack:T1027:Obfuscated Files or Information, attack:T1037.004:RC Scripts, attack:T1584:Compromise Infrastructure, QUIETEXIT, unc3524, Linux, IOT, Internal enterprise services, Device agent/gateway deployment
+* https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/ ([#809](https://github.com/timb-machine/linux-malware/issues/809)) - Initial Access, Execution, Persistence, Privilege Escalation, Credential Access, Discovery, Command and Control, AIX, Internal enterprise services
+* https://www.intezer.com/blog/research/new-linux-threat-symbiote/ 
([#452](https://github.com/timb-machine/linux-malware/issues/452)) - Persistence, Defense Evasion, Command and Control, attack:T1205:Traffic Signaling, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1556.003:Pluggable Authentication Modules, attack:T1574.006:Dynamic Linker Hijacking, https://github.com/timb-machine/linux-malware/issues/460, Symbiote, Linux
+* https://twitter.com/malwrhunterteam/status/1422972905541996546 ([#374](https://github.com/timb-machine/linux-malware/issues/374)) - Impact, attack:T1486:Data Encrypted for Impact, Encryptor, Linux, VMware
+* https://twitter.com/malwaremustd1e/status/1237080802581565440 ([#359](https://github.com/timb-machine/linux-malware/issues/359)) - Mozi (by malwaremustdie.org)
+* https://twitter.com/avastthreatlabs/status/1430527767855058949 ([#492](https://github.com/timb-machine/linux-malware/issues/492)) - HCRootkit, https://github.com/timb-machine/linux-malware/issues/491, Linux
 * https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/ ([#298](https://github.com/timb-machine/linux-malware/issues/298)) - RandomEXX
+* https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/ ([#369](https://github.com/timb-machine/linux-malware/issues/369)) - Kobalos, #linux, #bsd, #solaris, #aix
+* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ ([#434](https://github.com/timb-machine/linux-malware/issues/434)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
+* https://www.lab539.com/blog/linux-malware-detection-with-limacharlie 
([#728](https://github.com/timb-machine/linux-malware/issues/728)) - Reconnaissance, Initial Access, Execution, Persistence, Linux
+* https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool ([#405](https://github.com/timb-machine/linux-malware/issues/405)) - attack:T1205.002:Socket Filters, ebpfkit
 * https://twitter.com/ESETresearch/status/1382054011264700416 ([#335](https://github.com/timb-machine/linux-malware/issues/335)) - TSCookie, #freebsd
-* https://mp.weixin.qq.com/s/BSfKTlMlOnNlsWKjV1NM8w ([#394](https://github.com/timb-machine/linux-malware/issues/394)) - NAMO
-* https://twitter.com/malwaremustd1e/status/1267068856645775360 ([#363](https://github.com/timb-machine/linux-malware/issues/363)) - DarkNexus (by malwaremustdie.org)
-* https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ ([#655](https://github.com/timb-machine/linux-malware/issues/655)) - Initial Access, Persistence, Privilege Escalation, attack:T1566.001:Spearphishing Attachment, attack:T1546.004:Unix Shell Configuration Modification, uses:RedirectionToNull, uses:Go, wltm, OdicLoader, SimplexTea, Lazarus, Linux
-* https://blog.polyswarm.io/lightning-framework ([#506](https://github.com/timb-machine/linux-malware/issues/506)) - Lightning, [/malware/binaries/Lightning](../../tree/main/malware/binaries/Lightning), Linux
-* https://www.bitdefender.com/files/News/CaseStudies/study/319/Bitdefender-PR-Whitepaper-DarkNexus-creat4349-en-EN-interactive.pdf ([#518](https://github.com/timb-machine/linux-malware/issues/518)) - DarkNexus, Linux
-* https://blog.xlab.qianxin.com/mirai-tbot-en/ ([#788](https://github.com/timb-machine/linux-malware/issues/788)) - Initial Access, Command and Control, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1133:External Remote Services, attack:T1078:Valid Accounts, attack:T1498:Network Denial of Service, attack:T1027:Obfuscated Files or 
Information, Mirai, TBOT, Linux, IOT
-* https://permiso.io/blog/s/legion-mass-spam-attacks-in-aws/ ([#681](https://github.com/timb-machine/linux-malware/issues/681)) - Persistence, Impact, Legion, wltm, Linux, Cloud hosted services
-* https://media.defense.gov/2023/May/09/2003218554/-1/-1/1/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF ([#657](https://github.com/timb-machine/linux-malware/issues/657)) - Command and Control, SNAKE, Linux
-* https://twitter.com/malwaremustd1e/status/1237080802581565440 ([#359](https://github.com/timb-machine/linux-malware/issues/359)) - Mozi (by malwaremustdie.org)
-* https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ ([#322](https://github.com/timb-machine/linux-malware/issues/322)) - Turian
-* https://blog.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies ([#496](https://github.com/timb-machine/linux-malware/issues/496)) - Impact, attack:T1486:Data Encrypted for Impact, region:South Korea, vertical:Pharmaceutical, Gwisin, wltm, Linux, VMware, Industrial, Internal specialist services
-* https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF ([#67](https://github.com/timb-machine/linux-malware/issues/67)) - Drovorub
-* https://imgur.com/a/MuHSZtC ([#81](https://github.com/timb-machine/linux-malware/issues/81)) - Mandibule (by malwaremustdie.org)
+* https://twitter.com/ESETresearch/status/1410864752948043778 ([#104](https://github.com/timb-machine/linux-malware/issues/104)) - Specter, SideWalk, StageClient
+* https://cujo.com/the-sysrv-botnet-and-how-it-evolved/ ([#640](https://github.com/timb-machine/linux-malware/issues/640)) - Initial Access, Command and Control, Impact, Sysrv, Linux
 * https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers ([#720](https://github.com/timb-machine/linux-malware/issues/720)) - Resource Development, Initial Access, 
Execution, Persistence, Privilege Escalation, Defense Evasion, Impact, attack:T1496:Resource Hijacking, attack:T1608:Stage Capabilities, attack:T1053.003:Cron, attack:T1027.002:Software Packing, attack:T1543.002:Systemd Service, attack:T1037.004:RC Scripts, attack:T1574.006:Dynamic Linker Hijacking, attack:T1036.005:Match Legitimate Name or Location, attack:T1190:Exploit Public-Facing Application, attack:T1110:Brute Force, uses:KillCompetition, XMRig, Rocke, Linux
-* https://twitter.com/billyleonard/status/1458531997576572929 ([#480](https://github.com/timb-machine/linux-malware/issues/480)) - Rekoobe, TSH, TINYSHELL, https://github.com/timb-machine/linux-malware/issues/481, APT31, Linux
-* https://old.reddit.com/r/LinuxMalware/comments/a66dsz/ddostf_still_lurking_arm_boxes/ ([#72](https://github.com/timb-machine/linux-malware/issues/72)) - DDoSTF (by malwaremustdie.org)
-* https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/ ([#459](https://github.com/timb-machine/linux-malware/issues/459)) - Persistence, Defense Evasion, Linux
-* https://www.trendmicro.com/en_gb/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html ([#111](https://github.com/timb-machine/linux-malware/issues/111)) - Persistence, Privilege Escalation, Impact, attack:T1547.006:Kernel Modules and Extensions, SkidMap
-* https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/ ([#315](https://github.com/timb-machine/linux-malware/issues/315)) - Gafgyt
-* https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks ([#8](https://github.com/timb-machine/linux-malware/issues/8)) - Credential Access, Defense Evasion, Discovery, Lateral Movement, Collection, Command and Control, Impact, vertical:Telecomms, attack:T1573.001:Symmetric Cryptography, attack:T1590:Gather Victim Network Information, attack:T1562.004:Disable or Modify System Firewall, 
attack:T1048.001:Exfiltration Over Unencrypted Non-C2 Protocol, attack:T1021.004:SSH, attack:T1037.004:RC Scripts, attack:T1090.001:Internal Proxy, attack:T1090.002:External Proxy, attack:T1110.003:Password Spraying, https://github.com/timb-machine/linux-malware/issues/134, SLAPSTICK, STEELCORGI, PingPong, TINYSHELL, CordScan, SIGTRANslator, Fast Reverse Proxy, Microsocks Proxy, ProxyChains, LightBasin, UNC1945, Solaris, Linux, Telecomms, Internal specialist services, Enclave deployment
-* https://twitter.com/Unit42_Intel/status/1653760405792014336 ([#785](https://github.com/timb-machine/linux-malware/issues/785)) - Impact, attack:T1486:Data Encrypted for Impact, wltm, BlackSuite, Linux
-* https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html ([#442](https://github.com/timb-machine/linux-malware/issues/442)) - Impact, attack:T1486:Data Encrypted for Impact, Cheerscrypt, https://github.com/timb-machine/linux-malware/issues/544, Linux, VMware, Internal enterprise services, Internal specialist services
-* https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/ ([#671](https://github.com/timb-machine/linux-malware/issues/671)) - Persistence, Defense Evasion, Command and Control, Horse Shell, wltm, Camaro Dragon, Linux, IOT, Telecomms
-* https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool ([#405](https://github.com/timb-machine/linux-malware/issues/405)) - attack:T1205.002:Socket Filters, ebpfkit
-* https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc ([#786](https://github.com/timb-machine/linux-malware/issues/786)) - Exfiltration, Impact, location:Israel, attack:T1561.001:Disk Content Wipe, attack:T1485:Data Destruction, attack:T1048.003:Exfiltration Over Unencrypted Non-C2 Protocol, Cyber Toufan, Linux
-* 
https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html ([#336](https://github.com/timb-machine/linux-malware/issues/336)) - PLEAD
-* https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group ([#790](https://github.com/timb-machine/linux-malware/issues/790)) - Initial Access, Execution, Discovery, Lateral Movement, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1059.004:Unix Shell, attack:T1072:Software Deployment Tools, attack:T1083:File and Directory Discovery, attack:T1082:System Information Discovery, attack:T1485:Data Destruction, BiBi-Linux, Linux
-* https://blog.talosintelligence.com/2018/05/VPNFilter.html ([#53](https://github.com/timb-machine/linux-malware/issues/53)) - VPNFilter
-* https://themittenmac.com/tinyshell-under-the-microscope/ ([#617](https://github.com/timb-machine/linux-malware/issues/617)) - TSH, TINYSHELL, https://github.com/timb-machine/linux-malware/issues/481
 * https://www.trendmicro.com/en_us/research/21/j/actors-target-huawei-cloud-using-upgraded-linux-malware-.html ([#383](https://github.com/timb-machine/linux-malware/issues/383))
-* https://twitter.com/avastthreatlabs/status/1430527767855058949 ([#492](https://github.com/timb-machine/linux-malware/issues/492)) - HCRootkit, https://github.com/timb-machine/linux-malware/issues/491, Linux
-* https://twitter.com/IntezerLabs/status/1288487307369222145 ([#331](https://github.com/timb-machine/linux-malware/issues/331)) - TrickBot
-* https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html ([#563](https://github.com/timb-machine/linux-malware/issues/563)) - Command and Control, uses:Go, Alchemist, [/malware/binaries/Alchimist](../../tree/main/malware/binaries/Alchimist), https://github.com/timb-machine/linux-malware/issues/564, Sysrv?, Linux
-* https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ ([#434](https://github.com/timb-machine/linux-malware/issues/434)) - Persistence, 
Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
-* https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ ([#678](https://github.com/timb-machine/linux-malware/issues/678)) - Reconnaissance, Initial Access, Persistence, Privilege Escalation, Defense Evasion, attack:T1594:Search Victim-Owned Websites, attack:T1589:Gather Victim Identity Information, attack:T1589.001:Credentials, attack:T1133:External Remote Services, attack:T1078:Valid Accounts, Legion, wltm, Linux, Cloud hosted services
-* https://imgur.com/a/qI5Fvm4 ([#83](https://github.com/timb-machine/linux-malware/issues/83)) - STD (by malwaremustdie.org)
-* https://honeynet.onofri.org/scans/scan13/som/som13.txt ([#385](https://github.com/timb-machine/linux-malware/issues/385)) - Luckscan, UNC1945
+* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware ([#586](https://github.com/timb-machine/linux-malware/issues/586)) - Reconnaissance, Initial Access, Defense Evasion, Lateral Movement, Command and Control, Exfiltration, Impact, uses:Go, attack:T1133:External Remote Services, attack:T1021:Remote Services, attack:T1021.004:SSH, attack:T1078.001:Default Accounts, attack:T1110:Brute Force, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1499:Endpoint Denial of Service, attack:T1498:Network Denial of Service, attack:T1496:Resource Hijacking, uses:CrossCompiled, Kmsdbot, Linux, IOT
+* https://themittenmac.com/tinyshell-under-the-microscope/ ([#617](https://github.com/timb-machine/linux-malware/issues/617)) - TSH, 
TINYSHELL, https://github.com/timb-machine/linux-malware/issues/481
+* https://www.uptycs.com/blog/another-ransomware-for-linux-likely-in-development ([#505](https://github.com/timb-machine/linux-malware/issues/505)) - Impact, DarkAngels, wltm, Linux
+* https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet ([#623](https://github.com/timb-machine/linux-malware/issues/623)) - Initial Access, Defense Evasion, Command and Control, Impact, attack:T1105:Ingress Tool Transfer, attack:T1071.001:Web Protocols, attack:T1071.002:File Transfer Protocol, attack:T1499:Endpoint Denial of Service, attack:T1480:Execution Guardrails, HinataBot, Linux, Consumer
+* https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf ([#338](https://github.com/timb-machine/linux-malware/issues/338)) - Persistence, Defense Evasion, Command and Control, Penguin, Penquin_x64, Turla, Linux
+* https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/ ([#342](https://github.com/timb-machine/linux-malware/issues/342)) - Doki
+* https://imgur.com/a/8mFGk ([#70](https://github.com/timb-machine/linux-malware/issues/70)) - httpsd (by malwaremustdie.org)
+* https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html ([#321](https://github.com/timb-machine/linux-malware/issues/321)) - Execution, Persistence, Privilege Escalation, Command and Control, Exfiltration, Impact, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1573:Encrypted Channel, attack:T1071.001:Web Protocols, attack:T1053.003:Cron, attack:T1486:Data Encrypted for Impact, DarkSide, UNC2628, UNC2659, UNC2465, Linux
+* https://ultimacybr.co.uk/2023-10-04-Sysrv/ ([#767](https://github.com/timb-machine/linux-malware/issues/767)) - Persistence, Defense Evasion, Impact, attack:T1496:Resource 
Hijacking, uses:Go, Sysrv, Linux
+* https://vms.drweb.com/virus/?i=15389228 ([#326](https://github.com/timb-machine/linux-malware/issues/326)) - ?
 * https://xorl.wordpress.com/2022/06/22/the-forgotten-suaveeyeful-freebsd-software-implant-of-the-equation-group/ ([#474](https://github.com/timb-machine/linux-malware/issues/474)) - Linux, FreeBSD
-* https://www.trendmicro.com/en_gb/research/19/f/cryptocurrency-mining-botnet-arrives-through-adb-and-spreads-through-ssh.html ([#55](https://github.com/timb-machine/linux-malware/issues/55)) - CoinMiner
-* https://honeynet.onofri.org/scans/scan13/som/som5.txt ([#389](https://github.com/timb-machine/linux-malware/issues/389)) - Luckscan, UNC1945
-* https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html ([#366](https://github.com/timb-machine/linux-malware/issues/366)) - AirDropBot (by malwaremustdie.org)
-* https://twitter.com/malwrhunterteam/status/1422972905541996546 ([#374](https://github.com/timb-machine/linux-malware/issues/374)) - Impact, attack:T1486:Data Encrypted for Impact, Encryptor, Linux, VMware
-* https://imgur.com/a/5vPEc ([#74](https://github.com/timb-machine/linux-malware/issues/74)) - ChinaZ (by malwaremustdie.org)
-* https://blogs.jpcert.or.jp/en/2023/05/gobrat.html ([#682](https://github.com/timb-machine/linux-malware/issues/682)) - Command and Control, uses:Go, GobRAT, Linux, Telecomms
-* https://twitter.com/IntezerLabs/status/1300403461809491969 ([#347](https://github.com/timb-machine/linux-malware/issues/347)) - Dalcs
-* https://twitter.com/timb_machine/status/1450595881732947968 ([#66](https://github.com/timb-machine/linux-malware/issues/66)) - https://github.com/timb-machine/linux-malware/issues/134, LightBasin, UNC1945, Solaris
-* https://twitter.com/ESETresearch/status/1415542456360263682 ([#368](https://github.com/timb-machine/linux-malware/issues/368)) - ?, #FreeBSD
-* https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/ 
([#714](https://github.com/timb-machine/linux-malware/issues/714)) - Initial Access, Defense Evasion, attack:T1190:Exploit Public-Facing Application, attack:T1480.001:Environmental Keying, Mirai, Linux, IOT
-* https://asec.ahnlab.com/en/45182/ ([#603](https://github.com/timb-machine/linux-malware/issues/603)) - Defense Evasion, attack:T1027.009:Embedded Payloads, uses:SHC, Linux
-* https://blogs-jpcert-or-jp.translate.goog/ja/2023/07/dangerouspassword_dev.html ([#721](https://github.com/timb-machine/linux-malware/issues/721)) - Defense Evasion, Command and Control, uses:Python, uses:JavaScript, attack:T1140:Deobfuscate/Decode Files or Information, PythonHTTPBackdoor, wltm, DangerousPassword, CryptoMimic, SnatchCrypto, Linux
-* https://analyze.intezer.com/files/9b48822bd6065a2ad2c6972003920f713fe2cb750ec13a886efee7b570c111a5 ([#106](https://github.com/timb-machine/linux-malware/issues/106)) - Specter, SideWalk, StageClient, wltm
+* https://imgur.com/a/4YxuSfV ([#79](https://github.com/timb-machine/linux-malware/issues/79)) - Cayosin (by malwaremustdie.org)
+* https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en ([#447](https://github.com/timb-machine/linux-malware/issues/447)) - Persistence, Defense Evasion, Discovery, Command and Control, attack:T1027:Obfuscated Files or Information, attack:T1053.003:Cron, attack:T1082:System Information Discovery, attack:T1132:Data Encoding, attack:T1564.001:Hidden Files and Directories, Buni, APT32, Ocean Lotus
+* https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ ([#470](https://github.com/timb-machine/linux-malware/issues/470)) - Lightning, [/malware/binaries/Lightning](../../tree/main/malware/binaries/Lightning), Linux
+* https://analyze.intezer.com/files/82aa04f8576ea573a4772db09ee245cab8eac7ff1e7200f0cc960d8b6f516e92 ([#482](https://github.com/timb-machine/linux-malware/issues/482)) - Log4J, 
[/malware/binaries/Unix.Trojan.Log4J/82aa04f8576ea573a4772db09ee245cab8eac7ff1e7200f0cc960d8b6f516e92.elf.x86](../../blob/main/malware/binaries/Unix.Trojan.Log4J/82aa04f8576ea573a4772db09ee245cab8eac7ff1e7200f0cc960d8b6f516e92.elf.x86), Linux
+* https://asec.ahnlab.com/en/54647/ ([#707](https://github.com/timb-machine/linux-malware/issues/707)) - Defense Evasion, Credential Access, Command and Control, Impact, attack:T1110:Brute Force, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1496:Resource Hijacking, attack:T1498:Network Denial of Service, uses:IRC, XMRig, ShellBot, MIG Logcleaner, https://github.com/timb-machine/linux-malware/issues/154, Tsunami, Kaiten, 0x333shadow Log Cleaner, https://github.com/timb-machine/linux-malware/issues/706, ChinaZ, Linux
+* https://twitter.com/jhencinski/status/1451592508157345793 ([#387](https://github.com/timb-machine/linux-malware/issues/387)) - Impact, XMRig
+* https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html ([#332](https://github.com/timb-machine/linux-malware/issues/332)) - NOTROBIN
+* https://mp.weixin.qq.com/s/BSfKTlMlOnNlsWKjV1NM8w ([#394](https://github.com/timb-machine/linux-malware/issues/394)) - NAMO
+* https://blogs.vmware.com/security/2021/09/hellokitty-the-victims-perspective.html ([#546](https://github.com/timb-machine/linux-malware/issues/546)) - Impact, attack:T1486:Data Encrypted for Impact, wltm, Linux
+* https://twitter.com/xnand_/status/1676336329985077249 ([#710](https://github.com/timb-machine/linux-malware/issues/710)) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, https://github.com/timb-machine/linux-malware/issues/711, 
https://github.com/timb-machine/linux-malware/issues/724, https://github.com/timb-machine/linux-malware/issues/814, Linux
+* https://twitter.com/Unit42_Intel/status/1653760405792014336 ([#695](https://github.com/timb-machine/linux-malware/issues/695)) - Impact, attack:T1486:Data Encrypted for Impact, wltm, BlackSuite, Linux
 * https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/ ([#759](https://github.com/timb-machine/linux-malware/issues/759)) - Impact, Octo Tempest, BlackCat, Linux, VMware
-* https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ ([#371](https://github.com/timb-machine/linux-malware/issues/371)) - Ebury
-* https://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html ([#57](https://github.com/timb-machine/linux-malware/issues/57)) - Mirai (by malwaremustdie.org)
-* https://twitter.com/tolisec/status/1507854421618839564 ([#116](https://github.com/timb-machine/linux-malware/issues/116)) - Impact, KinSing
-* https://www.akamai.com/blog/security/new-p2p-botnet-panchan ([#476](https://github.com/timb-machine/linux-malware/issues/476)) - Pan-chan, https://github.com/timb-machine/linux-malware/issues/477, Linux
-* https://unit42.paloaltonetworks.com/watchdog-cryptojacking/ ([#324](https://github.com/timb-machine/linux-malware/issues/324)) - WatchDog
-* https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ ([#770](https://github.com/timb-machine/linux-malware/issues/770)) - Initial Access, Persistence, Defense Evasion, Impact, uses:ProcessTreeSpoofing, uses:TamperedPS, uses:Python, attack:T1140:Deobfuscate/Decode Files or Information, attack:T1496:Resource Hijacking, attack:T1547.006:Kernel Modules and Extensions, attack:T1574.006:Dynamic Linker Hijacking, XHide, XMRig, Diamorphine, libprocesshider, Kiss-a-Dog, Linux, Cloud hosted services
-* 
https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/ ([#98](https://github.com/timb-machine/linux-malware/issues/98)) - Persistence, Defense Evasion, Command and Control, RotaJakiro, wltm
-* https://twitter.com/CraigHRowland/status/1628883826738077696/photo/1 ([#612](https://github.com/timb-machine/linux-malware/issues/612)) - Defense Evasion, Persistence, attack:T1547.006:Kernel Modules and Extensions
-* https://pastebin.com/raw/mEape37E ([#355](https://github.com/timb-machine/linux-malware/issues/355)) - SystemTen (by malwaremustdie.org)
-* https://old.reddit.com/r/LinuxMalware/comments/gdte0m/linuxkaiji/ ([#340](https://github.com/timb-machine/linux-malware/issues/340)) - Kaiji (by malwaremustdie.org)
-* https://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/ ([#513](https://github.com/timb-machine/linux-malware/issues/513)) - Collection, Impact, Linux
+* https://blogs.blackberry.com/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors ([#305](https://github.com/timb-machine/linux-malware/issues/305)) - Tycoon
 * https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw ([#660](https://github.com/timb-machine/linux-malware/issues/660)) - Initial Access, attack:T1480:Execution Guardrails, attack:T1562.006:Indicator Blocking, uses:Non-persistentStorage, BOLDMOVE, wltm, Linux, Collaboration across enterprise boundaries
-* https://conference.hitb.org/hitbsecconf2017ams/materials/D2T4%20-%20Emmanuel%20Gadaix%20-%20A%20Surprise%20Encounter%20With%20a%20Telco%20APT.pdf ([#551](https://github.com/timb-machine/linux-malware/issues/551)) - Defense Evasion, Collection, Command and Control, Impact, vertical:Telecomms, uses:Perl, Plexing Eagle, Solaris, Telecomms, Internal specialist services
-* https://cujo.com/threat-alert-krane-malware/ ([#391](https://github.com/timb-machine/linux-malware/issues/391)) - Initial Access, Persistence, Defense Evasion, Impact, 
attack:T1110.003:Password Spraying, attack:T098:Account Manipulation, attack:T1105:Ingress Tool Transfer, attack:T1562.003:Impair Command History Logging, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1082:System Information Discovery, attack:T1018:Remote System Discovery, attack:T1021:Remote Services, uses:Non-persistentStorage, Krane, wltm
-* http://www.foo.be/cours/dess-20042005/report/bigwar.html#sc ([#386](https://github.com/timb-machine/linux-malware/issues/386)) - sc (similar code to luckscan)
-* https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html ([#490](https://github.com/timb-machine/linux-malware/issues/490)) - uses:Go, Manjusaka, Linux
-* https://csirt.egi.eu/attacks-on-multiple-hpc-sites/ ([#376](https://github.com/timb-machine/linux-malware/issues/376)) - HPC
-* https://blog.sekoia.io/walking-on-apt31-infrastructure-footprints/ ([#478](https://github.com/timb-machine/linux-malware/issues/478)) - https://github.com/timb-machine/linux-malware/issues/480, Rekoobe, TSH, https://github.com/timb-machine/linux-malware/issues/481, APT31, Linux
-* https://vblocalhost.com/conference/presentations/shades-of-red-redxor-linux-backdoor-and-its-chinese-origins/ ([#408](https://github.com/timb-machine/linux-malware/issues/408)) - Linux
-* https://www.varonis.com/blog/alphv-blackcat-ransomware ([#109](https://github.com/timb-machine/linux-malware/issues/109)) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512
-* https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/kessel-dns-exfiltration-2/ ([#372](https://github.com/timb-machine/linux-malware/issues/372)) - Kessel
-* https://www.cadosecurity.com/legion-an-aws-credential-harvester-and-smtp-hijacker/ ([#679](https://github.com/timb-machine/linux-malware/issues/679)) - Initial Access, Persistence, Impact, Legion, wltm, Linux, Cloud hosted services
-* https://vulncheck.com/blog/fake-repos-deliver-malicious-implant 
([#686](https://github.com/timb-machine/linux-malware/issues/686)) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, Linux
-* https://www.kroll.com/en/insights/publications/cyber/inside-the-systembc-malware-server ([#784](https://github.com/timb-machine/linux-malware/issues/784)) - Command and Control, Exfiltration, uses:PHP, attack:T1090:Proxy, attack:T1071.001:Web Protocols, SystemBC, Linux
-* https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/ ([#105](https://github.com/timb-machine/linux-malware/issues/105)) - Specter, SideWalk, StageClient
-* https://www.signalblur.io/through-the-looking-glass ([#756](https://github.com/timb-machine/linux-malware/issues/756)) - Impact, attack:T1486:Data Encrypted for Impact, wltm, RedAlert, Conti, BlackBasta, Sodinokibi, REvil, BlackMatter, DarkSide, Defray777, RansomEXX, HelloKitty, ViceSociety, Royal, BlackSuit, RTM Locker, Hive, GonnaCry, Erebus, eChOraix, QNAPCrypt, Cylance, Polaris, Linux, VMware, Internal enterprise services, Internal specialist services
-* https://imgur.com/a/N3BgY ([#73](https://github.com/timb-machine/linux-malware/issues/73)) - ChinaZ, GoARM (by malwaremustdie.org)
+* https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html ([#334](https://github.com/timb-machine/linux-malware/issues/334)) - TSCookie
+* https://pastebin.com/Z3sXqDCA ([#89](https://github.com/timb-machine/linux-malware/issues/89)) - Mozi (by malwaremustdie.org)
+* https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/ ([#566](https://github.com/timb-machine/linux-malware/issues/566)) - Impact, XMRig, Sysrv, wltm, Linux
+* https://www.trendmicro.com/en_gb/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html 
([#304](https://github.com/timb-machine/linux-malware/issues/304)) - DarkRadation
+* https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/ ([#323](https://github.com/timb-machine/linux-malware/issues/323)) - EvilGnome
+* https://blog.polyswarm.io/lightning-framework ([#506](https://github.com/timb-machine/linux-malware/issues/506)) - Lightning, [/malware/binaries/Lightning](../../tree/main/malware/binaries/Lightning), Linux
+* https://sysdig.com/blog/cloud-defense-in-depth/ ([#713](https://github.com/timb-machine/linux-malware/issues/713)) - Initial Access, Lateral Movement, KinSing, Linux
+* https://twitter.com/cyb3rops/status/1523227511551033349 ([#425](https://github.com/timb-machine/linux-malware/issues/425)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/418, DecisiveArchitect, Linux
+* https://www.cisa.gov/news-events/analysis-reports/ar23-209a ([#731](https://github.com/timb-machine/linux-malware/issues/731)) - Persistence, https://github.com/timb-machine/linux-malware/issues/729, SUBMARINE, wltm, Linux
+* https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ ([#373](https://github.com/timb-machine/linux-malware/issues/373)) - Initial Access, Persistence, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1505.003:Web Shell, Prophet Spider, Linux
+* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf ([#427](https://github.com/timb-machine/linux-malware/issues/427)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, 
https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris
+* https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites ([#598](https://github.com/timb-machine/linux-malware/issues/598)) - Initial Access, Command and Control, uses:Go, GoTrim, Linux, Enterprise with public/Customer-facing services
 * https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux ([#685](https://github.com/timb-machine/linux-malware/issues/685)) - Impact, RTM Locker, Linux
-* https://blogs.vmware.com/security/2021/09/hellokitty-the-victims-perspective.html ([#546](https://github.com/timb-machine/linux-malware/issues/546)) - Impact, attack:T1486:Data Encrypted for Impact, wltm, Linux
+* https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/ ([#690](https://github.com/timb-machine/linux-malware/issues/690)) - Command and Control, attack:T1572:Protocol Tunneling, ChamelDoh, wltm, ChamelGang, Linux
+* https://www.cisa.gov/news-events/analysis-reports/ar23-209b ([#730](https://github.com/timb-machine/linux-malware/issues/730)) - Command and Control, https://github.com/timb-machine/linux-malware/issues/729, SEASPY, wltm, Linux
+* https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf ([#493](https://github.com/timb-machine/linux-malware/issues/493)) - Persistence, Command and Control, uses:Go, IPStorm, [/malware/binaries/Unix.Trojan.Ipstorm](../../tree/main/malware/binaries/Unix.Trojan.Ipstorm), Linux
+* https://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/ ([#513](https://github.com/timb-machine/linux-malware/issues/513)) - Collection, Impact, Linux
+* https://www.kroll.com/en/insights/publications/cyber/inside-the-systembc-malware-server 
([#784](https://github.com/timb-machine/linux-malware/issues/784)) - Command and Control, Exfiltration, uses:PHP, attack:T1090:Proxy, attack:T1071.001:Web Protocols, SystemBC, Linux
+* https://imgur.com/a/SSKmu ([#77](https://github.com/timb-machine/linux-malware/issues/77)) - Rebirth, Vulcan (by malwaremustdie.org)
+* https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar ([#375](https://github.com/timb-machine/linux-malware/issues/375)) - PRISM
+* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ ([#441](https://github.com/timb-machine/linux-malware/issues/441)) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris
+* https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ ([#432](https://github.com/timb-machine/linux-malware/issues/432)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
+* https://id-ransomware.blogspot.com/2021/11/polaris-ransomware.html ([#398](https://github.com/timb-machine/linux-malware/issues/398)) - Polaris
+* https://asec.ahnlab.com/en/45182/ ([#603](https://github.com/timb-machine/linux-malware/issues/603)) - Defense Evasion, attack:T1027.009:Embedded Payloads, uses:SHC, Linux
 * 
https://blog.talosintelligence.com/lazarus-collectionrat/ ([#752](https://github.com/timb-machine/linux-malware/issues/752)) - Command and Control, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, DeimosC2, https://github.com/timb-machine/linux-malware/issues/751, HiddenCobra, Lazarus, APT38, Linux
-* https://unit42.paloaltonetworks.com/blackcat-ransomware/ ([#108](https://github.com/timb-machine/linux-malware/issues/108)) - Impact, BlackCat, https://github.com/timb-machine/linux-malware/issues/512
-* https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html ([#58](https://github.com/timb-machine/linux-malware/issues/58)) - Mirai (by malwaremustdie.org)
-* https://news.drweb.com/show/?i=14646&lng=en&c=23 ([#602](https://github.com/timb-machine/linux-malware/issues/602)) - Initial Access, Command and Control, WordPressExploit, Linux
-* https://blog.netlab.360.com/a-new-mining-botnet-blends-its-c2s-into-ngrok-service/ ([#343](https://github.com/timb-machine/linux-malware/issues/343)) - NGrok
+* https://www.guardicore.com/labs/fritzfrog-a-new-generation-of-peer-to-peer-botnets/ ([#313](https://github.com/timb-machine/linux-malware/issues/313)) - FritzFrog
+* https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ ([#119](https://github.com/timb-machine/linux-malware/issues/119)) - Impact, attack:T1485:Data Destruction, attack:T1053.003:Cron, attack:T1016:System Network Configuration Discovery, attack:T1110.003:Password Spraying, attack:T1490:Inhibit System Recovery, attack:T1027:Obfuscated Files or Information, attack:T1561.001:Disk Content Wipe, attack:T1529:System Shutdown/Reboot, attack:T1007:System Service Discovery, attack:T1021.004:SSH, Industroyer, ORCSHRED, SOLOSHRED, AWFULSHRED, Sandworm, Linux, Solaris, Industrial
+* https://gist.github.com/unixfreaxjp/7b8bd6be614f7a051fc9a9da760d3138 ([#362](https://github.com/timb-machine/linux-malware/issues/362)) - Initial Access, Command and Control, Impact, 
Tsunami, Kaiten (by malwaremustdie.org), Linux +* https://atdotde.blogspot.com/2020/05/high-performance-hackers.html ([#377](https://github.com/timb-machine/linux-malware/issues/377)) - HPC +* https://vblocalhost.com/conference/presentations/shades-of-red-redxor-linux-backdoor-and-its-chinese-origins/ ([#408](https://github.com/timb-machine/linux-malware/issues/408)) - Linux +* https://honeynet.onofri.org/scans/scan13/som/som13.txt ([#385](https://github.com/timb-machine/linux-malware/issues/385)) - Luckscan, UNC1945 +* https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc ([#786](https://github.com/timb-machine/linux-malware/issues/786)) - Exfiltration, Impact, location:Israel, attack:T1561.001:Disk Content Wipe, attack:T1485:Data Destruction, attack:T1048.003:Exfiltration Over Unencrypted Non-C2 Protocol, Cyber Toufan, Linux * https://www.akamai.com/blog/security-research/dhpcd-cryptominer-hid-four-years ([#578](https://github.com/timb-machine/linux-malware/issues/578)) - Impact, dhcpcd, Linux, IOT -* https://twitter.com/malwaremustd1e/status/1265321238383099904 ([#317](https://github.com/timb-machine/linux-malware/issues/317)) - Gafgyt (by malwaremustdie.org) -* https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads ([#723](https://github.com/timb-machine/linux-malware/issues/723)) - Defense Evasion, Command and Control, Impact, uses:Python, attack:T1496:Resource Hijacking, attack:T1620:Reflective Code Loading, attack:T1102:Web Service, attack:T1190:Exploit Public-Facing Application, attack:T1105:Ingress Tool Transfer, attack:T1140:Deobfuscate/Decode Files or Information, attack:T1027.002:Software Packing, uses:Non-persistentStorage, PyLoose, XMRig, Linux -* https://imgur.com/a/4YxuSfV ([#79](https://github.com/timb-machine/linux-malware/issues/79)) - Cayosin (by malwaremustdie.org) -* https://blog.exatrack.com/melofee/ 
([#620](https://github.com/timb-machine/linux-malware/issues/620)) - Reconnaissance, Resource Development, Execution, Persistence, Privilege Escalation, Defense Evasion, Discovery, Command and Control, attack:T1583.001:Domains, attack:T5183.004:Server, attack:T1071.001:Web Protocols, attack:T1587.001:Malware, attack:T1037.004:RC Scripts, attack:T1059.004:Unix Shell, attack:T1132.002:Non-Standard Encoding, attack:T1573.001:Symmetric Cryptography, attack:T1083:File and Directory Discovery, attack:T1592.002:Software, attack:T1564.001:Hidden Files and Directories, attack:T1562.003:Impair Command History Logging, attack:T1070.004:File Deletion, attack:T1599.001:Network Address Translation Traversal, attack:T1095:Non-Application Layer Protocol, attack:T1571:Non-Standard Port, attack:T1027.002:Software Packing, attack:T1027.007:Dynamic API Resolution, attack:T1588.001:Malware, attack:T1588.002:Tool, attack:T1057:Process Discovery, attack:T1572:Protocol Tunneling, attack:T1090:Proxy, attack:T1014:Rootkit, attack:T1608.001:Upload Malware, attack:T1608.002:Upload Tool, attack:T1082:System Information Discovery, attack:T1497.003:Time Based Evasion, Melofee, HelloBot, Linux -* https://asec.ahnlab.com/en/54647/ ([#707](https://github.com/timb-machine/linux-malware/issues/707)) - Defense Evasion, Credential Access, Command and Control, Impact, attack:T1110:Brute Force, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1496:Resource Hijacking, attack:T1498:Network Denial of Service, uses:IRC, XMRig, ShellBot, MIG Logcleaner, https://github.com/timb-machine/linux-malware/issues/154, Tsunami, Kaiten, 0x333shadow Log Cleaner, https://github.com/timb-machine/linux-malware/issues/706, ChinaZ, Linux -* https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/ ([#114](https://github.com/timb-machine/linux-malware/issues/114)) - HabitsRAT -* https://id-ransomware.blogspot.com/2021/11/polaris-ransomware.html 
([#398](https://github.com/timb-machine/linux-malware/issues/398)) - Polaris -* https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt ([#320](https://github.com/timb-machine/linux-malware/issues/320)) - Gafgyt -* https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/ ([#360](https://github.com/timb-machine/linux-malware/issues/360)) - Rhombus (by malwaremustdie.org) -* https://asec.ahnlab.com/ko/55070/ ([#709](https://github.com/timb-machine/linux-malware/issues/709)) - Command and Control, Defense Evasion, https://github.com/timb-machine/linux-malware/issues/722, attack:T1036.005:Match Legitimate Name or Location, attack:T1573.001:Symmetric Encryption, uses:ProcessTreeSpoofing, Rekoobe, TINYSHELL, APT31, Linux, Solaris -* https://raw.githubusercontent.com/bg6cq/ITTS/master/security/mine/README.md ([#352](https://github.com/timb-machine/linux-malware/issues/352)) - ITTS -* https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ ([#439](https://github.com/timb-machine/linux-malware/issues/439)) - Initial Access, Credential Access, Impact, attack:T1078:Valid Accounts, attack:T1100:Brute Force, attack:T1498:Network Denial of Service, attack:T1053.003:Cron, attack:T1105:Ingress Tool Transfer, attack:T1027:Obfuscated Files or Information, attack:T1014:Rootkit, attack:T1082:System Information Discovery, attack:T1003.007:Proc Filesystem, attack:T1562.001:Disable or Modify Tools, attack:T1037.004:RC Scripts, attack:T1070.004:File Deletion, attack:T1036.005:Match Legitimate Name or Location, uses:Non-persistentStorage, uses:ioctl, uses:PortHiding, https://github.com/timb-machine/linux-malware/issues/129, uses:ProcessTreeSpoofing, XorDDoS, Rooty, Linux -* https://old.reddit.com/r/LinuxMalware/comments/f26amt/new_systemten_botnet_miner_threat_now_wother/ ([#357](https://github.com/timb-machine/linux-malware/issues/357)) - SystemTen (by malwaremustdie.org) 
-* https://securelist.com/the-penquin-turla-2/67962/ ([#593](https://github.com/timb-machine/linux-malware/issues/593)) - Persistence, Defense Evasion, Command and Control, Penquin, Turla, Linux -* https://sansec.io/research/cronrat ([#399](https://github.com/timb-machine/linux-malware/issues/399)) - Defense Evasion, Command and Control, uses:Non-persistentStorage, attack:T1053.003:Cron, attack:T1027:Obfuscated Files or Information, attack:T1001.003:Protocol Impersonation, attack:T1036.005:Match Legitimate Name or Location, vertical:Retail, CronRAT, wltm, Linux +* https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability ([#572](https://github.com/timb-machine/linux-malware/issues/572)) - Persistence, Impact, Mirai, RAR1Ransom, GuardMiner, Linux +* https://www.trendmicro.com/en_gb/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html ([#111](https://github.com/timb-machine/linux-malware/issues/111)) - Persistence, Privilege Escalation, Impact, attack:T1547.006:Kernel Modules and Extensions, SkidMap +* https://twitter.com/IntezerLabs/status/1272915284148531200 ([#341](https://github.com/timb-machine/linux-malware/issues/341)) - Lazarus +* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ ([#778](https://github.com/timb-machine/linux-malware/issues/778)) - Reconnaissance, Initial Access, Persistence, Privilege Escalation, Defense Evasion, Impact, attack:T1496:Resource Hijacking, uses:k8s, attack:T1140:Deobfuscate/Decode Files or Information, uses:Python, attack:T1611:Escape to Host, attack:T1562.008:Disable or Modify Cloud Logs, attack:T1027.004:Compile After Delivery, attack:T1547.006:Kernel Modules and Extensions, attack:T1574.006:Dynamic Linker Hijacking, uses:ProcessTreeSpoofing, attack:T1190:Exploit Public-Facing Application, attack:T1595.002:Vulnerability Scanning, uses:ModifyServerShell, delivery:Redis, uses:Redis, 
XMRig, Diamorphine, libprocesshider, Pnscan, Zgrab, Masscan, Kiss-A-Dog, TeamTNT, Linux, Cloud hosted services +* https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html ([#336](https://github.com/timb-machine/linux-malware/issues/336)) - PLEAD +* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ ([#64](https://github.com/timb-machine/linux-malware/issues/64)) - Defense Evasion, Discovery, Lateral Movement, Collection, Command and Control, Impact, attack:T1602.001:SNMP (MIB Dump), attack:T1070.002:Clear Linux or Mac System Logs, attack:T1046:Network Service Discovery, attack:T1018:Remote System Discovery, attack:T1110.002:Password Cracking, attack:T1110.003:Password Spraying, attack:T1555:Credentials from Password Stores, attack:T1040:Packet Capture, attack:T1071.001:Web Protocols, attack:T1071.002:File Transfer Protocols, attack:T1071.004:DNS, attack:T1021.002:SMB/Windows Admin Shares, attack:T1021.004:SSH, attack:T1021.005:VNC, attack:T1590:Gather Victim Network Information, attack:T1590.002:DNS, attack:T1027.002:Software Packing, attack:T1001:Data Obfuscation, attack:T1070.004:File Deletion, https://github.com/timb-machine/linux-malware/issues/134, STEELCORGI, netcat, unixcat, netcat-ssl, telnet, traceroute, traceroute-tcp, traceroute-tcpfin, traceroute-udp, traceroute-icmp, traceroute-all, tftpd, HEAD, GET, sniff, nfsshell, ssh, ricochet, axfr, whois, scanip, sctpscan, sdporn, rmiexec, arpmap, whois, who, ahost, resolv, adig, axfr, asrv, aspf, periscope, scanip.sh, aliveips.sh, brutus.pl, enum4linux.pl, mikro, ss, sshu, onesixtyone, snmpgrab, snmpcheck, ciscopush, mikrotik-client, bleach, clean, ssleak, decrypt-vpn, pogo, pogo2, sid-force, sshock, decrypt-cisco, decrypt-vnc, decrypt-cvs, LightBasin, UNC1945, Linux +* https://twitter.com/malwrhunterteam/status/1467264298237972484 ([#406](https://github.com/timb-machine/linux-malware/issues/406)) - Cerber +* 
https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/ ([#315](https://github.com/timb-machine/linux-malware/issues/315)) - Gafgyt +* https://blog.malwarebytes.com/cybercrime/2022/03/a-new-rootkit-comes-to-an-atm-near-you/ ([#120](https://github.com/timb-machine/linux-malware/issues/120)) - CAKETAP, UNC2891, Solaris +* https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/initial-access-techniques-in-kubernetes-environments-used-by/ba-p/3697975 ([#604](https://github.com/timb-machine/linux-malware/issues/604)) - Initial Access, attack:T1190:Exploit Public-Facing Application, attack:T1078.001:Default Accounts, KinSing, Linux +* https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan ([#732](https://github.com/timb-machine/linux-malware/issues/732)) - Persistence, Defense Evasion, Command and Control, Linux, Hosting +* https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group ([#544](https://github.com/timb-machine/linux-malware/issues/544)) - Initial Access, Discovery, Lateral Movement, Collection, Impact, attack:T1486:Data Encrypted for Impact, Cheerscrypt, Night Sky, Emperor Dragonfly, Bronze Starlight, Linux, VMware +* https://blog.talosintelligence.com/2018/05/VPNFilter.html ([#53](https://github.com/timb-machine/linux-malware/issues/53)) - VPNFilter +* https://lab52.io/blog/looking-for-penquins-in-the-wild/ ([#594](https://github.com/timb-machine/linux-malware/issues/594)) - Persistence, Defense Evasion, Command and Control, Penquin, Turla, Linux +* https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf ([#100](https://github.com/timb-machine/linux-malware/issues/100)) - Cyclops Blink +* https://imgur.com/a/H7YuWuj ([#356](https://github.com/timb-machine/linux-malware/issues/356)) - SystemTen (by malwaremustdie.org) +* https://www.trendmicro.com/en_ca/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html 
([#380](https://github.com/timb-machine/linux-malware/issues/380)) - Persistence, Defense Evasion, Impact, KinSing +* https://twitter.com/malwaremustd1e/status/1267068856645775360 ([#363](https://github.com/timb-machine/linux-malware/issues/363)) - DarkNexus (by malwaremustdie.org) +* https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/ ([#671](https://github.com/timb-machine/linux-malware/issues/671)) - Persistence, Defense Evasion, Command and Control, Horse Shell, wltm, Camaro Dragon, Linux, IOT, Telecomms +* https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf ([#370](https://github.com/timb-machine/linux-malware/issues/370)) - Kobalos, #bsd, #solaris, #aix * https://cyberplace.social/@GossiTheDog/110516069484635011 ([#703](https://github.com/timb-machine/linux-malware/issues/703)) - Resource Development, BPFDoor, [/malware/binaries/BPFDoor](../../tree/main/malware/binaries/BPFDoor), Linux -* https://twitter.com/IntezerLabs/status/1338480158249013250 ([#301](https://github.com/timb-machine/linux-malware/issues/301)) - Promotei -* https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar ([#375](https://github.com/timb-machine/linux-malware/issues/375)) - PRISM -* https://asec.ahnlab.com/en/50316/ ([#621](https://github.com/timb-machine/linux-malware/issues/621)) - Defense Evasion, Discovery, Command and Control, Impact, attack:T1036.005:Match Legitimate Name or Location, attack:T1499:Endpoint Denial of Service, attack:T1082:System Information Discovery, attack:T1095:Non-Application Layer Protocol, uses:ProcessTreeSpoofing, uses:Non-persistentStorage, uses:RedirectionToNull, DDoSClient, ChinaZ, Linux -* https://netadr.github.io/blog/a-quick-glimpse-sbz/ ([#596](https://github.com/timb-machine/linux-malware/issues/596)) - Persistence, Defense Evasion, attack:T1027:Obfuscated Files or Information, SBZ, wltm, Equation Group, Solaris -* https://imgur.com/a/a6RaZMP 
([#87](https://github.com/timb-machine/linux-malware/issues/87)) - Honda Car's Panel's Rootkit from China #Android (by malwaremustdie.org) -* https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ ([#339](https://github.com/timb-machine/linux-malware/issues/339)) - Kaiji -* https://www.stormshield.com/news/orbit-analysis-of-a-linux-dedicated-malware/ ([#601](https://github.com/timb-machine/linux-malware/issues/601)) - Persistence, Privilege Escalation, OrBit, [/malware/binaries/OrBit](../../tree/main/malware/binaries/OrBit), Linux -* https://twitter.com/CraigHRowland/status/1523266585133457408 ([#424](https://github.com/timb-machine/linux-malware/issues/424)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/418, DecisiveArchitect, Linux -* https://imgur.com/a/y5BRx ([#86](https://github.com/timb-machine/linux-malware/issues/86)) - r57shell (by malwaremustdie.org) -* http://www.cverc.org.cn/head/zhaiyao/news20220218-1.htm ([#113](https://github.com/timb-machine/linux-malware/issues/113)) - NOPEN -* https://www.mandiant.com/resources/unc3524-eye-spy-email ([#414](https://github.com/timb-machine/linux-malware/issues/414)) - Resource Development, Persistence, Defense Evasion, Lateral Movement, attack:T1021.004:SSH, attack:T1027:Obfuscated Files or Information, attack:T1037.004:RC Scripts, attack:T1584:Compromise Infrastructure, QUIETEXIT, unc3524, Linux, IOT, Internal enterprise services, Device agent/gateway deployment -* https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors ([#729](https://github.com/timb-machine/linux-malware/issues/729)) - Persistence, Command and Control, SEASPY, 
https://github.com/timb-machine/linux-malware/issues/730, SUBMARINE, https://github.com/timb-machine/linux-malware/issues/731, Linux -* https://twitter.com/IntezerLabs/status/1291355808811409408 ([#346](https://github.com/timb-machine/linux-malware/issues/346)) - Carbanak -* https://imgur.com/a/57uOiTu ([#80](https://github.com/timb-machine/linux-malware/issues/80)) - DDoSMan (by malwaremustdie.org) -* https://www.virustotal.com/gui/file/bf3ebc294870a6e743f021f4e18be75810149a1004b8d7c8a1e91f35562db3f5/detection ([#644](https://github.com/timb-machine/linux-malware/issues/644)) - Impact, attack:T1486:Data Encrypted for Impact, LockBit, [/malware/binaries/Multios.Ransomware.Lockbit](../../tree/main/malware/binaries/Multios.Ransomware.Lockbit), Linux -* https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-exploited-to-attack-gaming-servers/ ([#319](https://github.com/timb-machine/linux-malware/issues/319)) - Gafgyt -* https://twitter.com/xnand_/status/1676336329985077249 ([#710](https://github.com/timb-machine/linux-malware/issues/710)) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, https://github.com/timb-machine/linux-malware/issues/711, https://github.com/timb-machine/linux-malware/issues/724, Linux -* https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-docker-control-api-and-community-image-abused-to-deliver-cryptocurrency-mining-malware/ ([#344](https://github.com/timb-machine/linux-malware/issues/344)) - NGrok -* https://twitter.com/malwaremustd1e/status/1379028201075187716 ([#365](https://github.com/timb-machine/linux-malware/issues/365)) - DGAbot (by malwaremustdie.org) -* https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/ 
([#471](https://github.com/timb-machine/linux-malware/issues/471)) - HiddenWasp, Linux -* https://blog.sucuri.net/2023/04/balada-injector-synopsis-of-a-massive-ongoing-wordpress-malware-campaign.html ([#637](https://github.com/timb-machine/linux-malware/issues/637)) - Initial Access, Balada, Linux, Hosting, Consumer, Cloud hosted services -* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack ([#715](https://github.com/timb-machine/linux-malware/issues/715)) - Reconnaissance, Initial Access, Execution, Persistence, Defense Evasion, Credential Access, Discovery, Command and Control, Impact, attack:T1525:Implant Internal Image, attack:T1595:Active Scanning, attack:T1496:Resource Hijacking, attack:T1613:Container and Resource Discovery, attack:T1190:Exploit Public-Facing Application, attack:T1059:Command and Scripting Interpreter, attack:T1610:Deploy Container, attack:T1222:File and Directory Permissions Modification, attack:T1036:Masquerading, attack:T1132:Data Encoding, attack:T1552.005:Cloud Instance Metadata API, attack:T1082:System Information Discovery, attack:T1071.001:Web Protocols, attack:T1090.003:Multi-hop Proxy, Tsunami, TeamTNT, Linux -* https://twitter.com/malwaremustd1e/status/1251758225919115264 ([#361](https://github.com/timb-machine/linux-malware/issues/361)) - Persistence, Impact, Tsunami, Kaiten (by malwaremustdie.org), Linux -* https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ ([#314](https://github.com/timb-machine/linux-malware/issues/314)) - Gafgyt -* https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor ([#547](https://github.com/timb-machine/linux-malware/issues/547)) - Command and Control, Exfiltration, uses:LD_PRELOAD, wltm, Linux -* https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware ([#586](https://github.com/timb-machine/linux-malware/issues/586)) - Reconnaissance, Initial Access, Defense Evasion, Lateral Movement, Command 
and Control, Exfiltration, Impact, uses:Go, attack:T1133:External Remote Services, attack:T1021:Remote Services, attack:T1021.004:SSH, attack:T1078.001:Default Accounts, attack:T1110:Brute Force, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1499:Endpoint Denial of Service, attack:T1498:Network Denial of Service, attack:T1496:Resource Hijacking, uses:CrossCompiled, Kmsdbot, Linux, IOT -* https://imgur.com/a/53f29O9 ([#61](https://github.com/timb-machine/linux-malware/issues/61)) - Mirai (by malwaremustdie.org) +* https://blog.sekoia.io/walking-on-apt31-infrastructure-footprints/ ([#478](https://github.com/timb-machine/linux-malware/issues/478)) - https://github.com/timb-machine/linux-malware/issues/480, Rekoobe, TSH, https://github.com/timb-machine/linux-malware/issues/481, APT31, Linux +* https://www.fortiguard.com/threat-signal-report/4735/new-shikitega-malware-targets-linux-machines ([#527](https://github.com/timb-machine/linux-malware/issues/527)) - Defense Evasion, Discovery, Execution, Persistence, Privilege Escalation, attack:T1036.005:Match Legitimate Name or Location, attack:T1059:Command and Scripting Interpreter, attack:T1569:System Service, attack:T1569.002:Service Execution, attack:T1543:Create or Modify System Process, attack:T1027:Obfuscated Files or Information, uses:Non-persistentStorage, attack:T1057:Process Discovery, attack:T1070.004:File Deletion, attack:T1546.004:Unix Shell, exploit:CVE-2021-3493, exploit:CVE-2021-4034, https://github.com/timb-machine/linux-malware/issues/510, Shikitega, [/malware/binaries/Shikitega](../../tree/main/malware/binaries/Shikitega), XMRig, Linux +* https://twitter.com/CraigHRowland/status/1422009387686645761 ([#353](https://github.com/timb-machine/linux-malware/issues/353)) - ITTS +* https://twitter.com/malwrhunterteam/status/1415403132230803460 ([#310](https://github.com/timb-machine/linux-malware/issues/310)) - 
HelloKitty +* https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf ([#333](https://github.com/timb-machine/linux-malware/issues/333)) - Cloud Snooper +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ ([#468](https://github.com/timb-machine/linux-malware/issues/468)) - Persistence, Defense Evasion, uses:LD_PRELOAD, attack:T1574.006:Dynamic Linker Hijacking, attack:T1548.001:Setuid and Setgid, attack:T1556.003:Pluggable Authentication Modules, attack:T1027:Obfuscated Files or Information, attack:T1082:System Information Discovery, attack:T1562.001:Disable or Modify Tools, attack:T1003.007:Proc Filesystem, attack:T1563.001:SSH Hijacking, uses:PortHiding, uses:Non-persistentStorage, OrBit, [/malware/binaries/OrBit](../../tree/main/malware/binaries/OrBit), Linux * https://old.reddit.com/r/LinuxMalware/comments/7qd27e/linuxss_aka_shark_hacktool_syn_scanner_wpcap/ ([#71](https://github.com/timb-machine/linux-malware/issues/71)) - SS, Shark (by malwaremustdie.org) -* https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign ([#727](https://github.com/timb-machine/linux-malware/issues/727)) - Initial Access, Command and Control, Impact, XMRig, Linux -* https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ ([#778](https://github.com/timb-machine/linux-malware/issues/778)) - Reconnaissance, Initial Access, Persistence, Privilege Escalation, Defense Evasion, Impact, attack:T1496:Resource Hijacking, uses:k8s, attack:T1140:Deobfuscate/Decode Files or Information, uses:Python, attack:T1611:Escape to Host, attack:T1562.008:Disable or Modify Cloud Logs, attack:T1027.004:Compile After Delivery, attack:T1547.006:Kernel Modules and Extensions, attack:T1574.006:Dynamic Linker Hijacking, uses:ProcessTreeSpoofing, attack:T1190:Exploit Public-Facing Application, attack:T1595.002:Vulnerability Scanning, uses:ModifyServerShell, delivery:Redis, 
uses:Redis, XMRig, Diamorphine, libprocesshider, Pnscan, Zgrab, Masscan, Kiss-A-Dog, TeamTNT, Linux, Cloud hosted services -* https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ ([#470](https://github.com/timb-machine/linux-malware/issues/470)) - Lightning, [/malware/binaries/Lightning](../../tree/main/malware/binaries/Lightning), Linux -* https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/ ([#65](https://github.com/timb-machine/linux-malware/issues/65)) - Qemu, https://github.com/timb-machine/linux-malware/issues/134, LightBasin, UNC1945 -* https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group ([#544](https://github.com/timb-machine/linux-malware/issues/544)) - Initial Access, Discovery, Lateral Movement, Collection, Impact, attack:T1486:Data Encrypted for Impact, Cheerscrypt, Emperor Dragonfly, Linux, VMware -* https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ ([#643](https://github.com/timb-machine/linux-malware/issues/643)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, attack:T1573:Encrypted Channel, attack:T1106:Native API, attack:T1059.004: Unix Shell, attack:T1070.004:File Deletion, attack:T1036.004:Masquerade Task or Service, attack:T1070.006:Timestomp, uses:RedirectionToNull, uses:Non-persistentStorage, attack:T1036.005:Match Legitimate Name or Location, uses:ProcessTreeSpoofing, attack:T1562.004:Disable or Modify System Firewall, BPFDoor, [/malware/binaries/BPFDoor](../../tree/main/malware/binaries/BPFDoor), Unix.Backdoor.RedMenshen, Linux, Solaris +* https://www.intezer.com/blog/research/acbackdoor-analysis-of-a-new-multiplatform-backdoor/ ([#549](https://github.com/timb-machine/linux-malware/issues/549)) - ACBackdoor, wltm, Linux +* https://twitter.com/IntezerLabs/status/1338480158249013250 
([#301](https://github.com/timb-machine/linux-malware/issues/301)) - Promotei +* https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ ([#404](https://github.com/timb-machine/linux-malware/issues/404)) - Hildegard, TeamTNT +* https://unfinished.bike/fun-with-the-new-bpfdoor-2023 ([#803](https://github.com/timb-machine/linux-malware/issues/803)) - Defense Evasion, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, uses:Non-persistentStorage, attack:T1070.006:Timestomp, attack:T1070.004:File Deletion, BPFDoor, [/malware/binaries/BPFDoor](../../tree/main/malware/binaries/BPFDoor), wltm, Linux +* https://twitter.com/ankit_anubhav/status/1490574137370103808 ([#483](https://github.com/timb-machine/linux-malware/issues/483)) - Privilege Escalation, Defense Evasion, Persistence, Command and Control, Log4J, attack:T1548:Abuse Elevation Control Mechanism, https://github.com/timb-machine/linux-malware/issues/482, Linux +* https://unit42.paloaltonetworks.com/alloy-taurus/ ([#646](https://github.com/timb-machine/linux-malware/issues/646)) - Command and Control, attack:T1071:Application Layer Protocol, attack:T1071.001:Web Protocols, attack:T1132:Data Encoding, attack:T1132.001:Standard Encoding, attack:T1573:Encrypted Channel, attack:T1573.001:Symmetric Cryptography, Sword2033, PingBull, wltm, Alloy Taurus, GALLIUM, Soft Cell, Linux +* https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot ([#744](https://github.com/timb-machine/linux-malware/issues/744)) - Reconnaissance, Initial Access, Defense Evasion, Lateral Movement, Exfiltration, Impact, uses:Go, attack:T1133:External Remote Services, attack:T1021:Remote Services, attack:T1021.004:SSH, attack:T1078.001:Default Accounts, attack:T1110:Brute Force, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1499:Endpoint Denial of Service, attack:T1498:Network Denial of 
Service, attack:T1480:Execution Guardrails, Kmsdbot, Linux, IOT +* https://twitter.com/malwrhunterteam/status/1559636227485319168 ([#500](https://github.com/timb-machine/linux-malware/issues/500)) - Impact, REvil, wltm, Linux * https://asec.ahnlab.com/en/51908/ ([#650](https://github.com/timb-machine/linux-malware/issues/650)) - Impact, Defense Evasion, uses:ProcessTreeSpoofingBindMountProc, https://github.com/timb-machine/linux-malware/issues/550, KONO DIO DA, XMRig, Linux -* https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/ ([#56](https://github.com/timb-machine/linux-malware/issues/56)) - LemonDuck -* https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/ ([#306](https://github.com/timb-machine/linux-malware/issues/306)) - QNAPCrypt, eCh0raix -* https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/ ([#656](https://github.com/timb-machine/linux-malware/issues/656)) - Impact, attack:T1486:Data Encrypted for Impact, Cl0p, wltm, Linux, Internal enterprise services +* https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html ([#614](https://github.com/timb-machine/linux-malware/issues/614)) - Command and Control, Persistence, SysUpdate, IronTiger +* https://permiso.io/blog/s/legion-mass-spam-attacks-in-aws/ ([#681](https://github.com/timb-machine/linux-malware/issues/681)) - Persistence, Impact, Legion, wltm, Linux, Cloud hosted services +* https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass ([#692](https://github.com/timb-machine/linux-malware/issues/692)) - Execution, Persistence, Defense Evasion, Credential Access, Command and Control, attack:T1552:Unsecured Credentials, attack:T1212:Exploitation for Credential Access, attack:T1562:Impair Defenses, attack:T1580:Cloud Infrastructure Discovery, attack:T1525:Implant Internal Image, 
attack:T1102:Web Service, UNC3886, Linux, VMware
 * https://www.group-ib.com/blog/krasue-rat/ ([#797](https://github.com/timb-machine/linux-malware/issues/797)) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, uses:AbnormalSignal, attack:T1071:Application Layer Protocol, uses:RTSP, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1205:Traffic Signaling, Krasue, Diamorphine, https://github.com/timb-machine/linux-malware/issues/217, Suterusu, https://github.com/timb-machine/linux-malware/issues/491, Rooty, https://github.com/timb-machine/linux-malware/issues/440, Linux
-* https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version ([#309](https://github.com/timb-machine/linux-malware/issues/309)) - REvil
-* https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html ([#698](https://github.com/timb-machine/linux-malware/issues/698)) - Impact, BlackSuit, Linux
-* https://imgur.com/a/8mFGk ([#70](https://github.com/timb-machine/linux-malware/issues/70)) - httpsd (by malwaremustdie.org)
-* https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet ([#623](https://github.com/timb-machine/linux-malware/issues/623)) - Initial Access, Defense Evasion, Command and Control, Impact, attack:T1105:Ingress Tool Transfer, attack:T1071.001:Web Protocols, attack:T1071.002:File Transfer Protocol, attack:T1499:Endpoint Denial of Service, attack:T1480:Execution Guardrails, HinataBot, Linux, Consumer
-* https://www.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies ([#758](https://github.com/timb-machine/linux-malware/issues/758)) - Persistence, Defense Evasion, Impact, attack:T1486:Data Encrypted for Impact, Gwisin, Spirit, Linux, VMware
-* https://www.trendmicro.com/en_ca/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html ([#380](https://github.com/timb-machine/linux-malware/issues/380)) - Persistence, Defense Evasion, Impact, KinSing
-* https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered ([#693](https://github.com/timb-machine/linux-malware/issues/693)) - Persistence, Defense Evasion, Discovery, Command and Control, attack:T1037.004:RC Scripts, attack:T1543.002:Systemd Service , attack:T1036:Masquerading: Match Legitimate Name or Location , attack:T1070.004:File Deletion , attack:T1222:File and Directory Permissions Modification , attack:T1564.001:Hidden Files and Directories , attack:T1082:System Information Discovery , attack:T1057:Process Discovery , attack:T1071.004:DNS, Sotdas, Linux
-* https://sysdig.com/blog/muhstik-malware-botnet-analysis/ ([#90](https://github.com/timb-machine/linux-malware/issues/90)) - Impact, uses:k8s, uses:Non-persistentStorage, attack:T1190:Exploit Public-Facing Application, attack:T1505.003:Web Shell, attack:T1105:Ingress Tool Transfer, attack:T1053.003:Cron, attack:T1037.004:RC Scripts, Muhstik, wltm
-* https://sysdig.com/blog/ssh-snake/ ([#801](https://github.com/timb-machine/linux-malware/issues/801)) - Defense Evasion, Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, attack:T1027:Obfuscated Files or Information, https://github.com/timb-machine/linux-malware/issues/791, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services
-* https://twitter.com/billyleonard/status/1417910729005490177 ([#69](https://github.com/timb-machine/linux-malware/issues/69)) - https://github.com/timb-machine/linux-malware/issues/329, https://github.com/timb-machine/linux-malware/issues/131, Zirconium, APT31
-* https://www.cisa.gov/news-events/analysis-reports/ar23-209b ([#730](https://github.com/timb-machine/linux-malware/issues/730)) - Command and Control, https://github.com/timb-machine/linux-malware/issues/729, SEASPY, wltm, Linux
-* https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan ([#732](https://github.com/timb-machine/linux-malware/issues/732)) - Persistence, Defense Evasion, Command and Control, Linux, Hosting
-* https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/ ([#311](https://github.com/timb-machine/linux-malware/issues/311)) - HelloKitty
-* https://darrenmartyn.ie/2021/11/29/analysis-of-the-lib__mdma-so-1-userland-rootkit/ ([#401](https://github.com/timb-machine/linux-malware/issues/401)) - Persistence, Defense Evasion, https://github.com/timb-machine/linux-malware/issues/530, lib__mdma
-* https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ ([#618](https://github.com/timb-machine/linux-malware/issues/618)) - Persistence, Defense Evasion, uses:Go, attack:T1554:Compromise Client Software Binary, attack:T1546.004:Unix Shell Configuration Modification, attack:T1053.003:Cron, attack:T1543.002:Systemd Service, attack:T1037:Boot or Logon Initialization Scripts, Chaos, [/malware/binaries/Chaos](../../tree/main/malware/binaries/Chaos), Linux
-* https://cybersecurity.att.com/blogs/labs-research/internet-of-termites ([#517](https://github.com/timb-machine/linux-malware/issues/517)) - Command and Control, Exfiltration, Termite, EarthWorm, Earthwrom, Linux
-* https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html ([#321](https://github.com/timb-machine/linux-malware/issues/321)) - Execution, Persistence, Privilege Escalation, Command and Control, Exfiltration, Impact, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1573:Encrypted Channel, attack:T1071.001:Web Protocols, attack:T1053.003:Cron, attack:T1486:Data Encrypted for Impact, DarkSide, UNC2628, UNC2659, UNC2465, Linux
-* https://github.com/akamai/akamai-security-research/tree/main/malware/panchan ([#477](https://github.com/timb-machine/linux-malware/issues/477)) - Pan-chan, [/malware/binaries/pan-chan](../../tree/main/malware/binaries/pan-chan), Linux
-* https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ ([#119](https://github.com/timb-machine/linux-malware/issues/119)) - Impact, attack:T1485:Data Destruction, attack:T1053.003:Cron, attack:T1016:System Network Configuration Discovery, attack:T1110.003:Password Spraying, attack:T1490:Inhibit System Recovery, attack:T1027:Obfuscated Files or Information, attack:T1561.001:Disk Content Wipe, attack:T1529:System Shutdown/Reboot, attack:T1007:System Service Discovery, attack:T1021.004:SSH, Industroyer, ORCSHRED, SOLOSHRED, AWFULSHRED, Sandworm, Linux, Solaris, Industrial
+* https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/ ([#110](https://github.com/timb-machine/linux-malware/issues/110)) - b1txor20
+* https://old.reddit.com/r/LinuxMalware/comments/gdte0m/linuxkaiji/ ([#340](https://github.com/timb-machine/linux-malware/issues/340)) - Kaiji (by malwaremustdie.org)
+* https://asec.ahnlab.com/en/55229/ ([#722](https://github.com/timb-machine/linux-malware/issues/722)) - Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/709, attack:T1036.005:Match Legitimate Name or Location, attack:T1573.001:Symmetric Encryption, uses:ProcessTreeSpoofing, Rekoobe, TINYSHELL, APT31, Linux, Solaris
+* https://imgur.com/a/vS7xV ([#75](https://github.com/timb-machine/linux-malware/issues/75)) - CarpeDiem (by malwaremustdie.org)
+* https://www.bitdefender.com/files/News/CaseStudies/study/319/Bitdefender-PR-Whitepaper-DarkNexus-creat4349-en-EN-interactive.pdf ([#518](https://github.com/timb-machine/linux-malware/issues/518)) - DarkNexus, Linux
+* https://imgur.com/a/MuHSZtC ([#81](https://github.com/timb-machine/linux-malware/issues/81)) - Mandibule (by malwaremustdie.org)
 * https://imgur.com/a/eBF7Mqe ([#76](https://github.com/timb-machine/linux-malware/issues/76)) - Haiduc (by malwaremustdie.org) (by malwaremustdie.org)
-* https://asec.ahnlab.com/en/49769/ ([#624](https://github.com/timb-machine/linux-malware/issues/624)) - Initial Access, Command and Control, Impact, attack:T1078:Valid Accounts, attack:T1071.001:Web Protocols, attack:T1499:Endpoint Denial of Service, attack:T1105:Ingress Tool Transfer, ShellBot, Linux, Consumer
-* https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot ([#744](https://github.com/timb-machine/linux-malware/issues/744)) - Reconnaissance, Initial Access, Defense Evasion, Lateral Movement, Exfiltration, Impact, uses:Go, attack:T1133:External Remote Services, attack:T1021:Remote Services, attack:T1021.004:SSH, attack:T1078.001:Default Accounts, attack:T1110:Brute Force, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1567:Exfiltration Over Web Service, attack:T1499:Endpoint Denial of Service, attack:T1498:Network Denial of Service, attack:T1480:Execution Guardrails, Kmsdbot, Linux, IOT
-* https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf ([#407](https://github.com/timb-machine/linux-malware/issues/407)) - Impact, attack:T1567:Financial Theft, https://github.com/timb-machine/linux-malware/issues/135, FastCash, HiddenCobra, Lazarus, APT38, AIX, Banking, Internal specialist services
-* https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf ([#338](https://github.com/timb-machine/linux-malware/issues/338)) - Persistence, Defense Evasion, Command and Control, Penguin, Penquin_x64, Turla, Linux
-* https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf ([#99](https://github.com/timb-machine/linux-malware/issues/99)) - Persistence, Command and Control, attack:T1205:Traffic Signaling, attack:T1205.002:Socket Filters, attack:T1573.002:Symmetric Cryptography, attack:T1573.002:Asymmetric Cryptography, attack:T1082:System Information Discovery, attack:T1547.006:Kernel Modules and Extensions, Bvp47, dewdrop, tipoff, StoicSurgeon, Incision, Equation Group, Linux, Solaris, FreeBSD
-* https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf ([#100](https://github.com/timb-machine/linux-malware/issues/100)) - Cyclops Blink
-* https://lab52.io/blog/looking-for-penquins-in-the-wild/ ([#594](https://github.com/timb-machine/linux-malware/issues/594)) - Persistence, Defense Evasion, Command and Control, Penquin, Turla, Linux
-* https://www.virusbulletin.com/virusbulletin/2014/07/mayhem-hidden-threat-nix-web-servers ([#382](https://github.com/timb-machine/linux-malware/issues/382)) - Mayhem
-* https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/ ([#329](https://github.com/timb-machine/linux-malware/issues/329)) - Zirconium, APT31
-* https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ ([#64](https://github.com/timb-machine/linux-malware/issues/64)) - Defense Evasion, Discovery, Lateral Movement, Collection, Command and Control, Impact, attack:T1602.001:SNMP (MIB Dump), attack:T1070.002:Clear Linux or Mac System Logs, attack:T1046:Network Service Discovery, attack:T1018:Remote System Discovery, attack:T1110.002:Password Cracking, attack:T1110.003:Password Spraying, attack:T1555:Credentials from Password Stores, attack:T1040:Packet Capture, attack:T1071.001:Web Protocols, attack:T1071.002:File Transfer Protocols, attack:T1071.004:DNS, attack:T1021.002:SMB/Windows Admin Shares, attack:T1021.004:SSH, attack:T1021.005:VNC, attack:T1590:Gather Victim Network Information, attack:T1590.002:DNS, attack:T1027.002:Software Packing, attack:T1001:Data Obfuscation, attack:T1070.004:File Deletion, https://github.com/timb-machine/linux-malware/issues/134, STEELCORGI, netcat, unixcat, netcat-ssl, telnet, traceroute, traceroute-tcp, traceroute-tcpfin, traceroute-udp, traceroute-icmp, traceroute-all, tftpd, HEAD, GET, sniff, nfsshell, ssh, ricochet, axfr, whois, scanip, sctpscan, sdporn, rmiexec, arpmap, whois, who, ahost, resolv, adig, axfr, asrv, aspf, periscope, scanip.sh, aliveips.sh, brutus.pl, enum4linux.pl, mikro, ss, sshu, onesixtyone, snmpgrab, snmpcheck, ciscopush, mikrotik-client, bleach, clean, ssleak, decrypt-vpn, pogo, pogo2, sid-force, sshock, decrypt-cisco, decrypt-vnc, decrypt-cvs, LightBasin, UNC1945, Linux
-* https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ ([#441](https://github.com/timb-machine/linux-malware/issues/441)) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris
-* https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 ([#702](https://github.com/timb-machine/linux-malware/issues/702)) - Initial Access, Discovery, Command and Control, Impact, attack:T1190:Exploit Public-Facing Application, attack:T1057:Process Discovery, attack:T1498:Network Denial of Service, Condi, Linux, IOT
-* https://imgur.com/a/2zRCt ([#318](https://github.com/timb-machine/linux-malware/issues/318)) - Gafgyt (by malwaremustdie.org)
-* https://github.com/blackberry/threat-research-and-intelligence/raw/main/Talks/2023-01-30%20-%20SANS%20Cyber%20Threat%20Intelligence%20Summit%20%26%20Training%202023/Pedro%20Drimel%2C%20Jose%20Luis%20Sanchez%20Martinez%20-%20Practical%20CTI%20Analysis%20Over%202022%20ITW%20Linux%20Implants.pdf ([#613](https://github.com/timb-machine/linux-malware/issues/613))
-* https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html ([#334](https://github.com/timb-machine/linux-malware/issues/334)) - TSCookie
-* https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ ([#524](https://github.com/timb-machine/linux-malware/issues/524)) - Initial Access, Execution, Persistence, Discovery, Lateral Movement, Command and Control, Exfiltration, uses:Go, attack:T1573:Encrypted Channel, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1021.004:SSH, attack:T1057:Process Discovery, attack:T1552.004:Private Keys, attack:T1190:Exploit Public-Facing Application, Chaos, [/malware/binaries/Chaos](../../tree/main/malware/binaries/Chaos), Linux
-* https://blog.polyswarm.io/deadbolt-ransomware ([#577](https://github.com/timb-machine/linux-malware/issues/577)) - Impact, Deadbolt, Linux, Consumer
-* http://it.rising.com.cn/fanglesuo/19851.html ([#96](https://github.com/timb-machine/linux-malware/issues/96)) - SFile
-* https://twitter.com/ankit_anubhav/status/1490574137370103808 ([#483](https://github.com/timb-machine/linux-malware/issues/483)) - Privilege Escalation, Defense Evasion, Persistence, Command and Control, Log4J, attack:T1548:Abuse Elevation Control Mechanism, https://github.com/timb-machine/linux-malware/issues/482, Linux
-* https://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/ ([#348](https://github.com/timb-machine/linux-malware/issues/348)) - Rakos
-* https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/ ([#307](https://github.com/timb-machine/linux-malware/issues/307)) - QNAPCrypt, eCh0raix
-* https://twitter.com/ESETresearch/status/1454100591261667329?s=20 ([#390](https://github.com/timb-machine/linux-malware/issues/390)) - Hive
-* https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability ([#572](https://github.com/timb-machine/linux-malware/issues/572)) - Persistence, Impact, Mirai, RAR1Ransom, GuardMiner, Linux
-* https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability ([#337](https://github.com/timb-machine/linux-malware/issues/337)) - Impact, Persistence, Impact, KinSing
-* https://imgur.com/a/H7YuWuj ([#356](https://github.com/timb-machine/linux-malware/issues/356)) - SystemTen (by malwaremustdie.org)
-* https://www.cadosecurity.com/redis-p2pinfect/ ([#741](https://github.com/timb-machine/linux-malware/issues/741)) - Initial Access, Linux
-* https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ ([#297](https://github.com/timb-machine/linux-malware/issues/297)) - FreakOut
-* https://securityboulevard.com/2021/04/detect-c2-redxor-with-state-based-functionality/ ([#548](https://github.com/timb-machine/linux-malware/issues/548)) - Command and Control, Exfiltration, https://github.com/timb-machine/linux-malware/issues/325, RedXOR, Linux
+* https://netadr.github.io/blog/a-quick-glimpse-sbz/ ([#596](https://github.com/timb-machine/linux-malware/issues/596)) - Persistence, Defense Evasion, attack:T1027:Obfuscated Files or Information, SBZ, wltm, Equation Group, Solaris
+* https://raw.githubusercontent.com/bg6cq/ITTS/master/security/mine/README.md ([#352](https://github.com/timb-machine/linux-malware/issues/352)) - ITTS
+* https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack ([#715](https://github.com/timb-machine/linux-malware/issues/715)) - Reconnaissance, Initial Access, Execution, Persistence, Defense Evasion, Credential Access, Discovery, Command and Control, Impact, attack:T1525:Implant Internal Image, attack:T1595:Active Scanning, attack:T1496:Resource Hijacking, attack:T1613:Container and Resource Discovery, attack:T1190:Exploit Public-Facing Application, attack:T1059:Command and Scripting Interpreter, attack:T1610:Deploy Container, attack:T1222:File and Directory Permissions Modification, attack:T1036:Masquerading, attack:T1132:Data Encoding, attack:T1552.005:Cloud Instance Metadata API, attack:T1082:System Information Discovery, attack:T1071.001:Web Protocols, attack:T1090.003:Multi-hop Proxy, Tsunami, TeamTNT, Linux
+* https://conference.hitb.org/hitbsecconf2017ams/materials/D2T4%20-%20Emmanuel%20Gadaix%20-%20A%20Surprise%20Encounter%20With%20a%20Telco%20APT.pdf ([#551](https://github.com/timb-machine/linux-malware/issues/551)) - Defense Evasion, Collection, Command and Control, Impact, vertical:Telecomms, uses:Perl, Plexing Eagle, Solaris, Telecomms, Internal specialist services
+* https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware ([#639](https://github.com/timb-machine/linux-malware/issues/639)) - Command and Control, AP36, Transparent Tribe, Poseidon, Linux
+* https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ ([#750](https://github.com/timb-machine/linux-malware/issues/750)) - Initial Access, Persistence, Defense Evasion, Command and Control, Impact, attack:T1547.006:Kernel Modules and Extensions, SkidMap, Linux
+* https://mp-weixin-qq-com.translate.goog/s/v2wiJe-YPG0ng87ffBB9FQ?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en ([#580](https://github.com/timb-machine/linux-malware/issues/580)) - Command and Control, Torii, Linux
+* https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/ ([#306](https://github.com/timb-machine/linux-malware/issues/306)) - QNAPCrypt, eCh0raix
+* https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/ ([#378](https://github.com/timb-machine/linux-malware/issues/378)) - #cobaltstrike, VermilionStrike
+* https://twitter.com/IntezerLabs/status/1300403461809491969 ([#347](https://github.com/timb-machine/linux-malware/issues/347)) - Dalcs
+* https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf ([#808](https://github.com/timb-machine/linux-malware/issues/808)) - Execution, Persistence, Discovery, Collection, Command and Control, Exfiltration, attack:T1574.006:Dynamic Linker, attack:T1059.004:Unix Shell, attack:T1053.003:Cron, attack:T1559:Inter-Process Communication, attack:T1205.001:Port Knocking, attack:T1001.003:Protocol Impersonation, attack:T1573.002:Asymmetric Cryptography, attack:T1572:Protocol Tunneling, attack:T1560.002:Archive via Library, attack:T1041:Exfiltration Over C2 Channel, attack:T1005:Data from Local System, attack:T1124:System Time Discovery, attack:T1518:Software Discovery, attack:T1071.Application Layer Protocol, uses:BPF, uses:Non-persistentStorage, Pygmy Goat, EarthWorm, Earthwrom, wltm, Linux, Enterprise with satellite facilities
+* https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/ ([#410](https://github.com/timb-machine/linux-malware/issues/410)) - Initial Access, Persistence, Defense Evasion, Lateral Movement, Impact, LemonDuck, Linux, Cloud hosted services, Device application sandboxing
+* https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ ([#117](https://github.com/timb-machine/linux-malware/issues/117)) - AcidRain
+* https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/ ([#52](https://github.com/timb-machine/linux-malware/issues/52)) - GodLua
+* https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ ([#322](https://github.com/timb-machine/linux-malware/issues/322)) - Turian
+* https://vulncheck.com/blog/fake-repos-deliver-malicious-implant ([#686](https://github.com/timb-machine/linux-malware/issues/686)) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, Linux
+* https://www.mandiant.com/resources/unc2891-overview ([#112](https://github.com/timb-machine/linux-malware/issues/112)) - Lateral Movement, Credential Access,
Execution, Defense Evasion, Persistence, attack:T1021.004:SSH, attack:T1003.008:/etc/passwd and /etc/shadow, attack:T1552.003:Bash History, attack:T1552.004:Private Keys, attack:T1556.003:Pluggable Authentication Modules, attack:T1053.001:At (Linux), attack:T1059.004:Unix Shell, attack:T1014:Rootkit, attack:T1070.002:Clear Linux or Mac System Logs, attack:T1548.001:Setuid and Setgid, attack:T1543.002:Systemd Service, attack:T1547.006:Kernel Modules and Extensions, https://github.com/timb-machine/linux-malware/issues/134, TINYSHELL, SLAPSTICK, CAKETAP, WIPERIGHT, MIG Logcleaner, https://github.com/timb-machine/linux-malware/issues/154, BINBASH, UNC2891, UNC1945, LightBasin, Linux, Solaris, Banking +* https://igor-blue.github.io/2021/03/24/apt1.html ([#302](https://github.com/timb-machine/linux-malware/issues/302)) ### Malware samples #### Malware binaries -* https://bazaar.abuse.ch/browse/signature/Gafgyt/ ([#128](https://github.com/timb-machine/linux-malware/issues/128)) - Gafgyt, [/malware/binaries/Unix.Trojan.Gafgyt](../../tree/main/malware/binaries/Unix.Trojan.Gafgyt) -* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection ([#418](https://github.com/timb-machine/linux-malware/issues/418)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/419, https://github.com/timb-machine/linux-malware/issues/424, https://github.com/timb-machine/linux-malware/issues/425, https://github.com/timb-machine/linux-malware/issues/426, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor client?, [/malware/binaries/BPFDoor/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c.elf.x86_64](../../blob/main/malware/binaries/BPFDoor/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c.elf.x86_64), Unix.Backdoor.RedMenshen, Tricephalic Hellkeeper, JustForFun, 
https://www.hybrid-analysis.com/sample/591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78, DecisiveArchitect, Linux
-* https://github.com/eset/malware-ioc/tree/master/rakos ([#132](https://github.com/timb-machine/linux-malware/issues/132)) - Rakos
-* https://github.com/darrenmartyn/malware_samples ([#530](https://github.com/timb-machine/linux-malware/issues/530)) - Execution, Persistence, Defense Evasion, Discovery, uses:ProcessTreeSpoofing, uses:RedirectionToNull, attack:T1546.004:Unix Shell, attack:T1574.006:Dynamic Linker Hijacking, attack:T1057:Process Discovery, attack:T1036.005:Match Legitimate Name or Location, lib__mdma, Linux
-* https://bazaar.abuse.ch/browse/tag/Symbiote/ ([#460](https://github.com/timb-machine/linux-malware/issues/460)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/452, attack:T1205:Traffic Signaling, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1556.003:Pluggable Authentication Modules, attack:T1574.006:Dynamic Linker Hijacking, [/malware/binaries/Symbiote](../../tree/main/malware/binaries/Symbiote), Symbiote, Linux
-* https://github.com/eset/malware-ioc/tree/master/kobalos ([#137](https://github.com/timb-machine/linux-malware/issues/137)) - Kobalos
-* https://github.com/Caprico1/kinsing ([#454](https://github.com/timb-machine/linux-malware/issues/454)) - Persistence, Impact, KinSing, Linux
-* https://twitter.com/nunohaien/status/1261281420791742464 ([#125](https://github.com/timb-machine/linux-malware/issues/125))
-* https://github.com/x0rz/EQGRP ([#138](https://github.com/timb-machine/linux-malware/issues/138))
-* https://github.com/blackorbird/APT_REPORT ([#124](https://github.com/timb-machine/linux-malware/issues/124))
-* https://www.virustotal.com/gui/file/3b7a06c53ec0f2ce7b9de4cae9e6e765fd18dc1f2ff522c0ccd9c8c3f9e79532/detection ([#141](https://github.com/timb-machine/linux-malware/issues/141)) - Linikatz
-* https://bazaar.abuse.ch/sample/05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d/ ([#751](https://github.com/timb-machine/linux-malware/issues/751)) - Command and Control, Exfiltration, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, uses:Go, DeimosC2, [/malware/binaries/Unix.Backdoor.DeimosC2](../../../tree/main/malware/binaries/Unix.Backdoor.DeimosC2), Linux
-* https://github.com/AngelGuyu/spirit ([#757](https://github.com/timb-machine/linux-malware/issues/757)) - Persistence, Defense Evasion, Spirit, Gwisin, Linux
-* https://bazaar.abuse.ch/browse/tag/blackcat/ ([#512](https://github.com/timb-machine/linux-malware/issues/512)) - Impact, https://github.com/timb-machine/linux-malware/issues/118, https://github.com/timb-machine/linux-malware/issues/109, https://github.com/timb-machine/linux-malware/issues/108, https://github.com/timb-machine/linux-malware/issues/107, https://github.com/timb-machine/linux-malware/issues/41, BlackCat, [/malware/binaries/BlackCat](../../tree/main/malware/binaries/BlackCat), Linux
-* https://github.com/hardenedvault/bootkit-samples ([#103](https://github.com/timb-machine/linux-malware/issues/103))
-* https://bazaar.abuse.ch/sample/d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4/ ([#662](https://github.com/timb-machine/linux-malware/issues/662)) - Persistence, Defense Evasion, attack:T1053.003:Cron, uses:Non-persistentStorage, uses:RedirectionToNull, https://github.com/timb-machine/linux-malware/issues/661, SystemBC, [/malware/binaries/SystemBC](../../tree/main/malware/binaries/SystemBC), Linux
-* https://bazaar.abuse.ch/browse/tag/elf/ ([#122](https://github.com/timb-machine/linux-malware/issues/122))
-* https://www.virustotal.com/gui/file/c69ee0f12a900adc654d93aef9ad23ea56bdfae8513e534e1a11dca6666d10aa/detection ([#126](https://github.com/timb-machine/linux-malware/issues/126)) - wltm
-* https://samples.vx-underground.org/samples/Families/VermilionStrike/ ([#136](https://github.com/timb-machine/linux-malware/issues/136)) - CobaltStrike, VermilionStrike, [/malware/binaries/VermilionStrike](../../tree/main/malware/binaries/VermilionStrike)
-* https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection ([#420](https://github.com/timb-machine/linux-malware/issues/420)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/421, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, [/malware/binaries/BPFDoor/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a.elf.sparc](../../blob/main/malware/binaries/BPFDoor/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a.elf.sparc), Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Solaris
-* https://analyze.intezer.com/files/85e72976b9448295034a8d4c26462b8f1ebe1ca0a4e4b897c7f2404d0de948c2 ([#133](https://github.com/timb-machine/linux-malware/issues/133)) - WellMail, wltm, APT29
-* https://bazaar.abuse.ch/sample/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9/ ([#139](https://github.com/timb-machine/linux-malware/issues/139)) - Polaris, [/malware/binaries/Unix.Ransomware.Polaris/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9.elf.x86_64](../../blob/main/malware/binaries/Unix.Ransomware.Polaris/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9.elf.x86_64)
-* https://samples.vx-underground.org/samples/Families/Fastcash/ ([#135](https://github.com/timb-machine/linux-malware/issues/135)) - Impact, FastCash, [/malware/binaries/FastCash](../../tree/main/malware/binaries/FastCash), HiddenCobra, Lazarus, APT38, AIX, Banking, Internal specialist services, Enclave deployment
-* https://bazaar.abuse.ch/browse/signature/XorDDoS/ ([#129](https://github.com/timb-machine/linux-malware/issues/129)) - Initial Access, Credential Access, Impact, attack:T1078:Valid Accounts, attack:T1100:Brute Force, attack:T1498:Network Denial of Service, XorDDoS, [/malware/binaries/Unix.Trojan.Xorddos](../../tree/main/malware/binaries/Unix.Trojan.Xorddos), [/malware/binaries/Unix.Malware.Xorddos](../../tree/main/malware/binaries/Unix.Malware.Xorddos), Linux
 * https://bazaar.abuse.ch/browse/signature/Mirai/ ([#127](https://github.com/timb-machine/linux-malware/issues/127)) - Mirai, [/malware/binaries/Unix.Exploit.Mirai](../../tree/main/malware/binaries/Unix.Exploit.Mirai), [/malware/binaries/Unix.Dropper.Mirai](../../tree/main/malware/binaries/Unix.Dropper.Mirai), [/malware/binaries/Unix.Trojan.Mirai](../../tree/main/malware/binaries/Unix.Trojan.Mirai)
+* https://bazaar.abuse.ch/browse/tag/elf/ ([#122](https://github.com/timb-machine/linux-malware/issues/122))
+* https://bazaar.abuse.ch/sample/d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4/ ([#662](https://github.com/timb-machine/linux-malware/issues/662)) - Persistence, Defense Evasion, attack:T1053.003:Cron, uses:Non-persistentStorage, uses:RedirectionToNull, https://github.com/timb-machine/linux-malware/issues/661, SystemBC, [/malware/binaries/SystemBC](../../tree/main/malware/binaries/SystemBC), Linux
+* https://github.com/x0rz/EQGRP ([#138](https://github.com/timb-machine/linux-malware/issues/138))
 * https://samples.vx-underground.org/APTs/2021/2021.10.11/ ([#409](https://github.com/timb-machine/linux-malware/issues/409)) - FontOnLake, [/malware/binaries/FontOnLake](../../tree/main/malware/binaries/FontOnLake), Linux
-* https://github.com/MalwareSamples/Linux-Malware-Samples ([#123](https://github.com/timb-machine/linux-malware/issues/123))
+* https://github.com/darrenmartyn/malware_samples ([#530](https://github.com/timb-machine/linux-malware/issues/530)) - Execution, Persistence, Defense Evasion, Discovery, uses:ProcessTreeSpoofing, uses:RedirectionToNull, attack:T1546.004:Unix Shell, attack:T1574.006:Dynamic Linker Hijacking, attack:T1057:Process Discovery, attack:T1036.005:Match Legitimate Name or Location, lib__mdma, Linux
+* https://www.virustotal.com/gui/file/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2/detection ([#131](https://github.com/timb-machine/linux-malware/issues/131)) - SoWaT, [/malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips](../../blob/main/malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips), APT31, Zirconium
 * https://tria.ge/s?q=tag%3alinux ([#121](https://github.com/timb-machine/linux-malware/issues/121))
 * https://bazaar.abuse.ch/sample/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2/ ([#140](https://github.com/timb-machine/linux-malware/issues/140)) - SoWaT, [/malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips](../../blob/main/malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips), APT31, Zirconium
+* https://github.com/MalwareSamples/Linux-Malware-Samples ([#123](https://github.com/timb-machine/linux-malware/issues/123))
+* https://bazaar.abuse.ch/sample/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9/ ([#139](https://github.com/timb-machine/linux-malware/issues/139)) - Polaris, [/malware/binaries/Unix.Ransomware.Polaris/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9.elf.x86_64](../../blob/main/malware/binaries/Unix.Ransomware.Polaris/e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9.elf.x86_64)
+* https://github.com/hardenedvault/bootkit-samples ([#103](https://github.com/timb-machine/linux-malware/issues/103))
+* https://www.virustotal.com/gui/file/3b7a06c53ec0f2ce7b9de4cae9e6e765fd18dc1f2ff522c0ccd9c8c3f9e79532/detection ([#141](https://github.com/timb-machine/linux-malware/issues/141)) - Linikatz
+* https://twitter.com/nunohaien/status/1261281420791742464 ([#125](https://github.com/timb-machine/linux-malware/issues/125))
 * https://samples.vx-underground.org/APTs/2020/2020.11.02/ ([#134](https://github.com/timb-machine/linux-malware/issues/134)) - [/malware/binaries/UNC1945](../../tree/main/malware/binaries/UNC1945), LightBasin, UNC1945, Solaris
-* https://www.virustotal.com/gui/file/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2/detection ([#131](https://github.com/timb-machine/linux-malware/issues/131)) - SoWaT, [/malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips](../../blob/main/malware/binaries/APT31/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2.elf.mips), APT31, Zirconium
+* https://bazaar.abuse.ch/browse/signature/Gafgyt/ ([#128](https://github.com/timb-machine/linux-malware/issues/128)) - Gafgyt, [/malware/binaries/Unix.Trojan.Gafgyt](../../tree/main/malware/binaries/Unix.Trojan.Gafgyt)
+* https://samples.vx-underground.org/samples/Families/VermilionStrike/ ([#136](https://github.com/timb-machine/linux-malware/issues/136)) - CobaltStrike, VermilionStrike, [/malware/binaries/VermilionStrike](../../tree/main/malware/binaries/VermilionStrike)
+* https://bazaar.abuse.ch/sample/05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d/ ([#751](https://github.com/timb-machine/linux-malware/issues/751)) - Command and Control, Exfiltration, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, uses:Go, DeimosC2, [/malware/binaries/Unix.Backdoor.DeimosC2](../../../tree/main/malware/binaries/Unix.Backdoor.DeimosC2), Linux
+* https://analyze.intezer.com/files/85e72976b9448295034a8d4c26462b8f1ebe1ca0a4e4b897c7f2404d0de948c2 ([#133](https://github.com/timb-machine/linux-malware/issues/133)) - WellMail, wltm, APT29
+* https://github.com/blackorbird/APT_REPORT ([#124](https://github.com/timb-machine/linux-malware/issues/124))
+* https://samples.vx-underground.org/samples/Families/Fastcash/ ([#135](https://github.com/timb-machine/linux-malware/issues/135)) - Impact, FastCash, [/malware/binaries/FastCash](../../tree/main/malware/binaries/FastCash), https://github.com/timb-machine/linux-malware/issues/312, https://github.com/timb-machine/linux-malware/issues/815, https://github.com/timb-machine/linux-malware/issues/407, HiddenCobra, Lazarus, APT38, AIX, Banking, Internal specialist services, Enclave deployment
+* https://github.com/eset/malware-ioc/tree/master/rakos ([#132](https://github.com/timb-machine/linux-malware/issues/132)) - Rakos
+* https://bazaar.abuse.ch/browse/tag/blackcat/ ([#512](https://github.com/timb-machine/linux-malware/issues/512)) - Impact, https://github.com/timb-machine/linux-malware/issues/118, https://github.com/timb-machine/linux-malware/issues/109, https://github.com/timb-machine/linux-malware/issues/108, https://github.com/timb-machine/linux-malware/issues/107, https://github.com/timb-machine/linux-malware/issues/41, BlackCat, [/malware/binaries/BlackCat](../../tree/main/malware/binaries/BlackCat), Linux
+* https://github.com/Caprico1/kinsing ([#454](https://github.com/timb-machine/linux-malware/issues/454)) - Persistence, Impact, KinSing, Linux
+* https://www.virustotal.com/gui/file/c69ee0f12a900adc654d93aef9ad23ea56bdfae8513e534e1a11dca6666d10aa/detection ([#126](https://github.com/timb-machine/linux-malware/issues/126)) - wltm
 * https://github.com/tstromberg/malware-menagerie ([#795](https://github.com/timb-machine/linux-malware/issues/795)) - Impact, attack:T1496:Resource Hijacking, QubitStrike, StripedFly, Linux
+* https://bazaar.abuse.ch/browse/signature/XorDDoS/ ([#129](https://github.com/timb-machine/linux-malware/issues/129)) - Initial Access, Credential Access, Impact, attack:T1078:Valid Accounts, attack:T1100:Brute Force, attack:T1498:Network Denial of Service, XorDDoS, [/malware/binaries/Unix.Trojan.Xorddos](../../tree/main/malware/binaries/Unix.Trojan.Xorddos), [/malware/binaries/Unix.Malware.Xorddos](../../tree/main/malware/binaries/Unix.Malware.Xorddos), Linux
+* https://www.virustotal.com/gui/file/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a/detection ([#420](https://github.com/timb-machine/linux-malware/issues/420)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/421, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, [/malware/binaries/BPFDoor/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a.elf.sparc](../../blob/main/malware/binaries/BPFDoor/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a.elf.sparc), Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Solaris
+* https://github.com/eset/malware-ioc/tree/master/kobalos ([#137](https://github.com/timb-machine/linux-malware/issues/137)) - Kobalos
+* https://www.virustotal.com/gui/file/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c/detection ([#418](https://github.com/timb-machine/linux-malware/issues/418)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/419, https://github.com/timb-machine/linux-malware/issues/424, https://github.com/timb-machine/linux-malware/issues/425, https://github.com/timb-machine/linux-malware/issues/426, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor client?, [/malware/binaries/BPFDoor/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c.elf.x86_64](../../blob/main/malware/binaries/BPFDoor/93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c.elf.x86_64), Unix.Backdoor.RedMenshen, Tricephalic Hellkeeper, JustForFun,
https://www.hybrid-analysis.com/sample/591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78, DecisiveArchitect, Linux +* https://bazaar.abuse.ch/browse/tag/Symbiote/ ([#460](https://github.com/timb-machine/linux-malware/issues/460)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/452, attack:T1205:Traffic Signaling, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1556.003:Pluggable Authentication Modules, attack:T1574.006:Dynamic Linker Hijacking, [/malware/binaries/Symbiote](../../tree/main/malware/binaries/Symbiote), Symbiote, Linux +* https://github.com/AngelGuyu/spirit ([#757](https://github.com/timb-machine/linux-malware/issues/757)) - Persistence, Defense Evasion, Spirit, Gwisin, Linux #### Malware source -* https://pastebin.com/raw/kmmJuuQP ([#426](https://github.com/timb-machine/linux-malware/issues/426)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/418, DecisiveArchitect, Linux -* https://packetstormsecurity.com/files/31345/0x333shadow.tar.gz.html ([#706](https://github.com/timb-machine/linux-malware/issues/706)) - Defense Evasion, attack:T1070.002:Clear Linux or Mac System Logs, 0x333shadow Log Cleaner, Linux, Solaris, Freebsd, IRIX -* https://github.com/vxunderground/MalwareSourceCode/tree/main/Linux ([#143](https://github.com/timb-machine/linux-malware/issues/143)) -* https://github.com/arialdomartini/morris-worm ([#694](https://github.com/timb-machine/linux-malware/issues/694)) - Initial Access, Execution, Discovery, Lateral Movement -* https://github.com/chenkaie/junkcode/blob/master/xhide.c ([#775](https://github.com/timb-machine/linux-malware/issues/775)) - Defense Evasion, 
uses:ProcessTreeSpoofing, XHide, Linux -* https://github.com/Kabot/mig-logcleaner-resurrected ([#154](https://github.com/timb-machine/linux-malware/issues/154)) - Defense Evasion, attack:T1070.002:Clear Linux or Mac System Logs, MIG Logcleaner, UNC2891, Linux, Solaris, BSD -* https://pastebin.com/kmmJuuQP ([#802](https://github.com/timb-machine/linux-malware/issues/802)) - Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, uses:Non-persistentStorage, uses:ProcessTreeSpoofing, BPFDoor, [/malware/binaries/BPFDoor](https://github.com/timb-machine/linux-malware/tree/main/malware/binaries/BPFDoor), Unix.Backdoor.RedMenshen, Linux -* https://pastebin.com/jkndLHQf ([#145](https://github.com/timb-machine/linux-malware/issues/145)) - FinFisher -* https://gitlab.com/rav7teif/linux.wifatch ([#144](https://github.com/timb-machine/linux-malware/issues/144)) - Initial Access, Persistence, Command and Control, Lateral Movement, Linux.Wifatch +* https://github.com/0x27/linux.mirai ([#142](https://github.com/timb-machine/linux-malware/issues/142)) - Mirai * https://github.com/chokepoint/Jynx2 ([#531](https://github.com/timb-machine/linux-malware/issues/531)) - Persistence, Defense Evasion, Linux -* https://github.com/0x27/sebd-0.2 ([#148](https://github.com/timb-machine/linux-malware/issues/148)) - sebd 0.2 source code (a fix of 0.1) * https://github.com/gianlucaborello/libprocesshider ([#776](https://github.com/timb-machine/linux-malware/issues/776)) - Defense Evasion, uses:ProcessTreeSpoofing, attack:T1574.006:Dynamic Linker Hijacking, libprocesshider, Linux +* https://github.com/Kabot/mig-logcleaner-resurrected ([#154](https://github.com/timb-machine/linux-malware/issues/154)) - Defense Evasion, attack:T1070.002:Clear Linux or Mac System Logs, MIG Logcleaner, UNC2891, Linux, Solaris, BSD +* https://github.com/HeapAllocate/sterben ([#150](https://github.com/timb-machine/linux-malware/issues/150)) - sterben +* 
https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc ([#711](https://github.com/timb-machine/linux-malware/issues/711)) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, https://github.com/timb-machine/linux-malware/issues/710, https://github.com/timb-machine/linux-malware/issues/724, https://github.com/timb-machine/linux-malware/issues/814, Linux * https://github.com/jwne/caffsec-malware-analysis/blob/master/mIRChack/pscan2.c ([#147](https://github.com/timb-machine/linux-malware/issues/147)) - pscan (similar code to luckscan) -* https://github.com/0x27/linux.mirai ([#142](https://github.com/timb-machine/linux-malware/issues/142)) - Mirai -* http://www.afn.org/~afn28925/wipe.c ([#153](https://github.com/timb-machine/linux-malware/issues/153)) - UNC2891 -* https://packetstormsecurity.com/files/23336/Slx2k001.txt.html ([#152](https://github.com/timb-machine/linux-malware/issues/152)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, UNC2891 +* https://pastebin.com/jkndLHQf ([#145](https://github.com/timb-machine/linux-malware/issues/145)) - FinFisher +* https://github.com/0x27/sebd-0.2 ([#148](https://github.com/timb-machine/linux-malware/issues/148)) - sebd 0.2 source code (a fix of 0.1) +* https://pastebin.com/kmmJuuQP ([#802](https://github.com/timb-machine/linux-malware/issues/802)) - Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, uses:BPF, uses:Non-persistentStorage, uses:ProcessTreeSpoofing, BPFDoor, [/malware/binaries/BPFDoor](../../tree/main/malware/binaries/BPFDoor), Unix.Backdoor.RedMenshen, Linux +* https://gitlab.com/rav7teif/linux.wifatch ([#144](https://github.com/timb-machine/linux-malware/issues/144)) - Initial 
Access, Persistence, Command and Control, Lateral Movement, Linux.Wifatch * https://github.com/shadow1ng/fscan ([#564](https://github.com/timb-machine/linux-malware/issues/564)) - Initial Access, Lateral Movement, uses:Go, Alchimist, fscan, [/malware/binaries/Alchimist/UPX/fscan](../../tree/main/malware/binaries/Alchimist/UPX/fscan), Linux +* https://packetstormsecurity.com/files/23336/Slx2k001.txt.html ([#152](https://github.com/timb-machine/linux-malware/issues/152)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, UNC2891 * https://github.com/isdrupter/ziggystartux ([#701](https://github.com/timb-machine/linux-malware/issues/701)) - Impact, Linux +* https://github.com/vxunderground/MalwareSourceCode/tree/main/Linux ([#143](https://github.com/timb-machine/linux-malware/issues/143)) +* https://github.com/arialdomartini/morris-worm ([#694](https://github.com/timb-machine/linux-malware/issues/694)) - Initial Access, Execution, Discovery, Lateral Movement +* http://www.afn.org/~afn28925/wipe.c ([#153](https://github.com/timb-machine/linux-malware/issues/153)) - UNC2891 +* https://pastebin.com/raw/kmmJuuQP ([#426](https://github.com/timb-machine/linux-malware/issues/426)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/418, DecisiveArchitect, Linux +* https://github.com/chenkaie/junkcode/blob/master/xhide.c ([#775](https://github.com/timb-machine/linux-malware/issues/775)) - Defense Evasion, uses:ProcessTreeSpoofing, XHide, Linux * https://github.com/NexusBots/Umbreon-Rootkit ([#149](https://github.com/timb-machine/linux-malware/issues/149)) - Umbreon Rootkit -* https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc 
([#711](https://github.com/timb-machine/linux-malware/issues/711)) - Resource Development, Initial Access, Execution, Persistence, Defense Evasion, uses:FakeExploit, attack:T1588:Obtain Capabilities, attack:T1608:Stage Capabilities, attack:T1585:Establish Accounts, attack:T1583.008:Malvertising, attack:T1036:Masquerading, exploit:CVE-2023-35829, https://github.com/timb-machine/linux-malware/issues/710, https://github.com/timb-machine/linux-malware/issues/724, Linux -* https://github.com/HeapAllocate/sterben ([#150](https://github.com/timb-machine/linux-malware/issues/150)) - sterben +* https://packetstormsecurity.com/files/31345/0x333shadow.tar.gz.html ([#706](https://github.com/timb-machine/linux-malware/issues/706)) - Defense Evasion, attack:T1070.002:Clear Linux or Mac System Logs, 0x333shadow Log Cleaner, Linux, Solaris, Freebsd, IRIX ### Malware PoCs -* https://github.com/timb-machine-mirrors/phath0m-JadedWraith ([#165](https://github.com/timb-machine/linux-malware/issues/165)) -* https://github.com/mufeedvh/moonwalk ([#208](https://github.com/timb-machine/linux-malware/issues/208)) -* https://github.com/m1m1x/memdlopen ([#175](https://github.com/timb-machine/linux-malware/issues/175)) - Defense Evasion, attack:T1620:Reflective Code Loading +* https://github.com/chokepoint/azazel ([#191](https://github.com/timb-machine/linux-malware/issues/191)) +* https://github.com/h3xduck/TripleCross ([#465](https://github.com/timb-machine/linux-malware/issues/465)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, Linux +* https://www.guitmz.com/linux-nasty-elf-virus/ ([#642](https://github.com/timb-machine/linux-malware/issues/642)) - Persistence, attack:T1577:Compromise Application Executable, attack:T1057:Process Discovery, attack:T1083:File and Directory Discovery, Linux * https://github.com/elfmaster/saruman ([#220](https://github.com/timb-machine/linux-malware/issues/220)) -* https://github.com/airman604/jdbc-backdoor 
([#607](https://github.com/timb-machine/linux-malware/issues/607)) - Persistence, Privilege Escalation, Defense Evasion, attack:T1574.002:DLL Side-Loading, Linux, Internal enterprise services, Internal specialist services -* https://github.com/ixty/mandibule ([#170](https://github.com/timb-machine/linux-malware/issues/170)) -* https://github.com/therealdreg/enyelkm ([#456](https://github.com/timb-machine/linux-malware/issues/456)) - Persistence, Defense Evasion, Linux -* https://github.com/trustedsec/ELFLoader ([#416](https://github.com/timb-machine/linux-malware/issues/416)) - Defense Evasion, attack:T1620:Reflective Code Loading, attack:T1027:Obfuscated Files or Information, Linux, Solaris, Cloud hosted services, Internal enterprise services, Internal specialist services, Enterprise with public/Customer-facing services, Device application sandboxing -* https://github.com/toffan/binfmt_misc ([#431](https://github.com/timb-machine/linux-malware/issues/431)) - Persistence, Privilege Escalation, Defense Evasion, Linux, Device application sandboxing -* https://github.com/nurupo/rootkit ([#172](https://github.com/timb-machine/linux-malware/issues/172)) -* https://github.com/elfmaster/kprobe_rootkit ([#223](https://github.com/timb-machine/linux-malware/issues/223)) -* https://github.com/reveng007/reveng_rtkit ([#669](https://github.com/timb-machine/linux-malware/issues/669)) - Persistence, Privilege Escalation, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attacK:T1548:Abuse Elevation Control Mechanism, Linux -* https://github.com/SafeBreach-Labs/backdoros ([#213](https://github.com/timb-machine/linux-malware/issues/213)) -* https://github.com/codewhitesec/daphne ([#740](https://github.com/timb-machine/linux-malware/issues/740)) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, uses:Auditd, Linux -* https://github.com/yaoyumeng/adore-ng 
([#458](https://github.com/timb-machine/linux-malware/issues/458)) - Persistence, Defense Evasion, Linux -* https://github.com/aviat/passe-partout ([#704](https://github.com/timb-machine/linux-malware/issues/704)) - Credential Access, attack:T1649:Steal or Forge Authentication Certificates, attack:T1563.001:SSH Hijacking, Linux, AIX, Solaris, HP-UX +* https://github.com/guitmz/midrashim ([#664](https://github.com/timb-machine/linux-malware/issues/664)) - Persistence, attack:T1577:Compromise Application Executable, Linux +* https://packetstormsecurity.com/files/22121/cd00r.c.html ([#597](https://github.com/timb-machine/linux-malware/issues/597)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, cd00r, Linux +* https://github.com/m1m1x/memdlopen ([#175](https://github.com/timb-machine/linux-malware/issues/175)) - Defense Evasion, attack:T1620:Reflective Code Loading +* https://github.com/QuokkaLight/rkduck ([#667](https://github.com/timb-machine/linux-malware/issues/667)) - Persistence, Defense Evasion, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1056.001:Keylogging, attack:T1564.001:Hidden Files and Directories, attack:T1021.004:SSH, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, Linux +* https://github.com/tarcisio-marinho/GonnaCry ([#486](https://github.com/timb-machine/linux-malware/issues/486)) - Impact, Linux +* https://github.com/io-tl/degu-lib ([#413](https://github.com/timb-machine/linux-malware/issues/413)) - Linux +* https://github.com/citronneur/pamspy ([#466](https://github.com/timb-machine/linux-malware/issues/466)) - Persistence, Defense Evasion, Credential Access, attack:T1205.002:Socket Filters, attack:T1556.003:Pluggable Authentication Modules, Linux * https://github.com/jermeyyy/rooty ([#440](https://github.com/timb-machine/linux-malware/issues/440)) - Persistence, Defense 
Evasion, https://github.com/timb-machine/linux-malware/issues/439, attack:T1547.006:Kernel Modules and Extensions, XorDDoS, Linux, Consumer, Cloud hosted services, Device application sandboxing -* https://github.com/blendin/3snake ([#189](https://github.com/timb-machine/linux-malware/issues/189)) -* https://github.com/vfsfitvnm/intruducer ([#209](https://github.com/timb-machine/linux-malware/issues/209)) -* https://github.com/gaffe23/linux-inject ([#210](https://github.com/timb-machine/linux-malware/issues/210)) -* https://github.com/fbkcs/msf-elf-in-memory-execution ([#203](https://github.com/timb-machine/linux-malware/issues/203)) -* https://github.com/R3tr074/brokepkg ([#777](https://github.com/timb-machine/linux-malware/issues/777)) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, uses:ProcessTreeSpoofing, uses:AbnormalSignal, uses:TamperCredStruct, uses:HiddenPort, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1573:Encrypted Channel, attack:T1205:Traffic Signaling, BrokePkg, Linux -* https://github.com/MegaManSec/SSH-Snake ([#791](https://github.com/timb-machine/linux-malware/issues/791)) - Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services -* https://github.com/arget13/DDexec ([#222](https://github.com/timb-machine/linux-malware/issues/222)) -* https://github.com/roddux/santa ([#207](https://github.com/timb-machine/linux-malware/issues/207)) +* https://github.com/timb-machine-mirrors/ripmeep-memory-injector ([#160](https://github.com/timb-machine/linux-malware/issues/160)) +* https://github.com/stealth/devpops ([#192](https://github.com/timb-machine/linux-malware/issues/192)) - DevPops by stealth (not really malicious, has guard rails) +* https://github.com/alexander-pick/apinject ([#608](https://github.com/timb-machine/linux-malware/issues/608)) - 
Defense Evasion, attack:hT1055.008:Ptrace System Calls, Linux +* https://github.com/ixty/mandibule ([#170](https://github.com/timb-machine/linux-malware/issues/170)) * https://github.com/compilepeace/KAAL_BHAIRAV ([#202](https://github.com/timb-machine/linux-malware/issues/202)) -* https://github.com/X-C3LL/memdlopen-lib ([#605](https://github.com/timb-machine/linux-malware/issues/605)) - Defense Evasion, attack:T1620:Reflective Code Loading, Linux -* https://github.com/mncoppola/suterusu ([#491](https://github.com/timb-machine/linux-malware/issues/491)) - Persistence, Defense Evasion, wltm, Linux -* https://github.com/h3xduck/TripleCross ([#465](https://github.com/timb-machine/linux-malware/issues/465)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, Linux -* https://github.com/guitmz/midrashim ([#664](https://github.com/timb-machine/linux-malware/issues/664)) - Persistence, attack:T1577:Compromise Application Executable, Linux +* https://github.com/mufeedvh/moonwalk ([#208](https://github.com/timb-machine/linux-malware/issues/208)) +* https://github.com/elfmaster/dt_infect ([#219](https://github.com/timb-machine/linux-malware/issues/219)) +* https://github.com/guitmz/go-liora ([#663](https://github.com/timb-machine/linux-malware/issues/663)) - Persistence, uses:Go, attack:T1577:Compromise Application Executable, Linux +* https://github.com/croemheld/lkm-rootkit ([#628](https://github.com/timb-machine/linux-malware/issues/628)) - Persistence, Defense Evasion, Privilege Escalation, Exfiltration, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1548:Abuse Elevation Control Mechanism, attack:T1205.001:Port Knocking, attack:T1095:Non-Application Layer Protocol, attack:T1020:Automated Exfiltration, attack:T1048.003:Exfiltration Over Unencrypted Non-C2 Protocol, attack:T1056.001:Keylogging, Linux +* https://github.com/roddux/santa 
([#207](https://github.com/timb-machine/linux-malware/issues/207)) * https://github.com/wunderwuzzi23/Offensive-BPF ([#469](https://github.com/timb-machine/linux-malware/issues/469)) - Credential Access, attack:T1205.002:Socket Filters, Linux +* https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/ ([#739](https://github.com/timb-machine/linux-malware/issues/739)) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, https://github.com/timb-machine/linux-malware/issues/734, https://github.com/timb-machine/linux-malware/issues/740, Linux +* https://github.com/Gui774ume/ebpfkit ([#151](https://github.com/timb-machine/linux-malware/issues/151)) - Discovery, Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, ebpfkit, Linux +* https://github.com/jtripper/parasite ([#169](https://github.com/timb-machine/linux-malware/issues/169)) +* https://github.com/liamg/memit ([#200](https://github.com/timb-machine/linux-malware/issues/200)) +* https://github.com/fbkcs/msf-elf-in-memory-execution ([#203](https://github.com/timb-machine/linux-malware/issues/203)) * https://github.com/SilentVoid13/Silent_Packer ([#783](https://github.com/timb-machine/linux-malware/issues/783)) - Defense Evasion, attack:T1027.002:Software Packing, Linux -* https://github.com/zephrax/linux-pam-backdoor ([#181](https://github.com/timb-machine/linux-malware/issues/181)) - Credential Access, Persistence, Defense Evasion, attack:T1556.003:Pluggable Authentication Modules, Linux -* https://github.com/chokepoint/azazel ([#191](https://github.com/timb-machine/linux-malware/issues/191)) -* https://packetstormsecurity.com/files/author/3859/ ([#553](https://github.com/timb-machine/linux-malware/issues/553)) - Persistence, Defense Evasion, uses:DTrace, SInAR, [/malware/pocs/SInAR](../../tree/main/malware/pocs/SInAR), Archim, Solaris, Internal specialist services, Device application sandboxing -* 
https://github.com/guitmz/go-liora ([#663](https://github.com/timb-machine/linux-malware/issues/663)) - Persistence, uses:Go, attack:T1577:Compromise Application Executable, Linux -* https://github.com/stealth/devpops ([#192](https://github.com/timb-machine/linux-malware/issues/192)) - DevPops by stealth (not really malicious, has guard rails) +* https://github.com/schrodyn/bad_UDP ([#453](https://github.com/timb-machine/linux-malware/issues/453)) - Linux * https://github.com/timb-machine-mirrors/sar5430-coolkid ([#629](https://github.com/timb-machine/linux-malware/issues/629)) - Persistence, Defense Evasion, Linux -* https://packetstormsecurity.com/files/22121/cd00r.c.html ([#597](https://github.com/timb-machine/linux-malware/issues/597)) - Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, cd00r, Linux -* https://github.com/elfmaster/dt_infect ([#219](https://github.com/timb-machine/linux-malware/issues/219)) +* https://github.com/elfmaster/skeksi_virus ([#224](https://github.com/timb-machine/linux-malware/issues/224)) * https://github.com/f0rb1dd3n/Reptile ([#171](https://github.com/timb-machine/linux-malware/issues/171)) -* https://gist.github.com/zznop/0117c24164ee715e750150633c7c1782 ([#198](https://github.com/timb-machine/linux-malware/issues/198)) -* https://hckng.org/articles/perljam-elf64-virus.html ([#735](https://github.com/timb-machine/linux-malware/issues/735)) - Persistence, attack:T1554:Compromise Client Software Binary, attack:T1505:Server Software Component, uses:Perl, Linux, AIX, Solaris, HP-UX -* https://github.com/Gui774ume/ebpfkit ([#151](https://github.com/timb-machine/linux-malware/issues/151)) - Discovery, Persistence, Defense Evasion, Command and Control, attack:T1205.002:Socket Filters, ebpfkit, Linux -* https://github.com/noptrix/fbkit ([#684](https://github.com/timb-machine/linux-malware/issues/684)) - Persistence, Privilege Escalation, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel 
Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1205.002:Socket Filters, attack:T1548.001:Setuid and Setgid, FreeBSD -* https://github.com/ONsec-Lab/scripts/tree/master/pam_steal ([#195](https://github.com/timb-machine/linux-malware/issues/195)) -* https://github.com/mempodippy/vlany ([#174](https://github.com/timb-machine/linux-malware/issues/174)) +* https://github.com/X-C3LL/memdlopen-lib ([#605](https://github.com/timb-machine/linux-malware/issues/605)) - Defense Evasion, attack:T1620:Reflective Code Loading, Linux +* https://github.com/codewhitesec/daphne ([#740](https://github.com/timb-machine/linux-malware/issues/740)) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, uses:Auditd, Linux * https://github.com/sad0p/d0zer ([#782](https://github.com/timb-machine/linux-malware/issues/782)) - Execution, Persistence, uses:Go, attack:T1625:Hijack Execution Flow, attack:T1204:Malicious File, Linux -* https://github.com/codewhitesec/apollon ([#734](https://github.com/timb-machine/linux-malware/issues/734)) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, uses:Auditd, Linux -* https://github.com/EvelynSubarrow/IridiumScorpion ([#183](https://github.com/timb-machine/linux-malware/issues/183)) +* https://github.com/yaoyumeng/adore-ng ([#458](https://github.com/timb-machine/linux-malware/issues/458)) - Persistence, Defense Evasion, Linux +* https://github.com/elfmaster/kprobe_rootkit ([#223](https://github.com/timb-machine/linux-malware/issues/223)) +* https://github.com/R3tr074/brokepkg ([#777](https://github.com/timb-machine/linux-malware/issues/777)) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, uses:ProcessTreeSpoofing, uses:AbnormalSignal, uses:TamperCredStruct, uses:PortHiding, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1573:Encrypted Channel, attack:T1205:Traffic 
Signaling, BrokePkg, Linux * https://github.com/nnsee/fileless-elf-exec ([#193](https://github.com/timb-machine/linux-malware/issues/193)) - Defense Evasion, attack:T1620:Reflective Code Loading -* https://github.com/mav8557/Father ([#606](https://github.com/timb-machine/linux-malware/issues/606)) - Persistence, Privilege Escalation, Defense Evasion, attack:T1574.006:Dynamic Linker Hijacking, Linux * https://github.com/Eterna1/puszek-rootkit ([#670](https://github.com/timb-machine/linux-malware/issues/670)) - Persistence, Defense Evasion, Credential Access, Discovery, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1040:Network Sniffing, Linux -* https://github.com/timb-machine-mirrors/ripmeep-memory-injector ([#160](https://github.com/timb-machine/linux-malware/issues/160)) -* https://www.guitmz.com/linux-nasty-elf-virus/ ([#642](https://github.com/timb-machine/linux-malware/issues/642)) - Persistence, attack:T1577:Compromise Application Executable, attack:T1057:Process Discovery, attack:T1083:File and Directory Discovery, Linux -* https://code-white.com/blog/2023-08-blindsiding-auditd-for-fun-and-profit/ ([#739](https://github.com/timb-machine/linux-malware/issues/739)) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, https://github.com/timb-machine/linux-malware/issues/734, https://github.com/timb-machine/linux-malware/issues/740, Linux -* https://github.com/h3xduck/Umbra ([#668](https://github.com/timb-machine/linux-malware/issues/668)) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1095:Non-Application Layer Protocol, attack:T1486:Data Encrypted for Impact, attacK:T1548:Abuse Elevation Control Mechanism, Linux -* https://github.com/croemheld/lkm-rootkit 
([#628](https://github.com/timb-machine/linux-malware/issues/628)) - Persistence, Defense Evasion, Privilege Escalation, Exfiltration, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1548:Abuse Elevation Control Mechanism, attack:T1205.001:Port Knocking, attack:T1095:Non-Application Layer Protocol, attack:T1020:Automated Exfiltration, attack:T1048.003:Exfiltration Over Unencrypted Non-C2 Protocol, attack:T1056.001:Keylogging, Linux -* https://github.com/rek7/fireELF ([#159](https://github.com/timb-machine/linux-malware/issues/159)) -* https://github.com/schrodyn/bad_UDP ([#453](https://github.com/timb-machine/linux-malware/issues/453)) - Linux -* https://github.com/QuokkaLight/rkduck ([#667](https://github.com/timb-machine/linux-malware/issues/667)) - Persistence, Defense Evasion, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1056.001:Keylogging, attack:T1564.001:Hidden Files and Directories, attack:T1021.004:SSH, attack:T1095:Non-Application Layer Protocol, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, Linux -* https://github.com/citronneur/pamspy ([#466](https://github.com/timb-machine/linux-malware/issues/466)) - Persistence, Defense Evasion, Credential Access, attack:T1205.002:Socket Filters, attack:T1556.003:Pluggable Authentication Modules, Linux -* https://github.com/EvelynSubarrow/BismuthScorpion ([#182](https://github.com/timb-machine/linux-malware/issues/182)) -* https://github.com/liamg/memit ([#200](https://github.com/timb-machine/linux-malware/issues/200)) -* https://github.com/io-tl/degu-lib ([#413](https://github.com/timb-machine/linux-malware/issues/413)) - Linux * https://github.com/elfmaster/linker_preloading_virus ([#211](https://github.com/timb-machine/linux-malware/issues/211)) +* https://hckng.org/articles/perljam-elf64-virus.html 
([#735](https://github.com/timb-machine/linux-malware/issues/735)) - Persistence, attack:T1554:Compromise Client Software Binary, attack:T1505:Server Software Component, uses:Perl, Linux, AIX, Solaris, HP-UX
+* https://github.com/timb-machine-mirrors/phath0m-JadedWraith ([#165](https://github.com/timb-machine/linux-malware/issues/165))
+* https://github.com/arget13/DDexec ([#222](https://github.com/timb-machine/linux-malware/issues/222))
+* https://github.com/noptrix/fbkit ([#684](https://github.com/timb-machine/linux-malware/issues/684)) - Persistence, Privilege Escalation, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1205.002:Socket Filters, attack:T1548.001:Setuid and Setgid, FreeBSD
+* https://github.com/airman604/jdbc-backdoor ([#607](https://github.com/timb-machine/linux-malware/issues/607)) - Persistence, Privilege Escalation, Defense Evasion, attack:T1574.002:DLL Side-Loading, Linux, Internal enterprise services, Internal specialist services
+* https://github.com/blendin/3snake ([#189](https://github.com/timb-machine/linux-malware/issues/189))
+* https://github.com/codewhitesec/apollon ([#734](https://github.com/timb-machine/linux-malware/issues/734)) - Defense Evasion, attack:T1562.001:Disable or Modify Tools, attack:T1562:Impair Defenses, uses:Auditd, Linux
 * https://github.com/0x1CA3/parasite ([#201](https://github.com/timb-machine/linux-malware/issues/201)) - wltm
-* https://github.com/kris-nova/boopkit ([#221](https://github.com/timb-machine/linux-malware/issues/221))
-* https://github.com/tarcisio-marinho/GonnaCry ([#486](https://github.com/timb-machine/linux-malware/issues/486)) - Impact, Linux
-* https://github.com/jtripper/parasite ([#169](https://github.com/timb-machine/linux-malware/issues/169))
-* https://github.com/alexander-pick/apinject ([#608](https://github.com/timb-machine/linux-malware/issues/608)) - Defense Evasion, attack:hT1055.008:Ptrace System Calls, Linux
+* https://github.com/nurupo/rootkit ([#172](https://github.com/timb-machine/linux-malware/issues/172))
+* https://github.com/reveng007/reveng_rtkit ([#669](https://github.com/timb-machine/linux-malware/issues/669)) - Persistence, Privilege Escalation, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attacK:T1548:Abuse Elevation Control Mechanism, Linux
+* https://github.com/vfsfitvnm/intruducer ([#209](https://github.com/timb-machine/linux-malware/issues/209))
+* https://github.com/mav8557/Father ([#606](https://github.com/timb-machine/linux-malware/issues/606)) - Persistence, Privilege Escalation, Defense Evasion, attack:T1574.006:Dynamic Linker Hijacking, Linux
 * https://github.com/m0nad/Diamorphine ([#217](https://github.com/timb-machine/linux-malware/issues/217)) - Persistence, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, Diamorphine, Linux
-* https://github.com/elfmaster/skeksi_virus ([#224](https://github.com/timb-machine/linux-malware/issues/224))
+* https://github.com/EvelynSubarrow/IridiumScorpion ([#183](https://github.com/timb-machine/linux-malware/issues/183))
+* https://github.com/trustedsec/ELFLoader ([#416](https://github.com/timb-machine/linux-malware/issues/416)) - Defense Evasion, attack:T1620:Reflective Code Loading, attack:T1027:Obfuscated Files or Information, Linux, Solaris, Cloud hosted services, Internal enterprise services, Internal specialist services, Enterprise with public/Customer-facing services, Device application sandboxing
+* https://github.com/kris-nova/boopkit ([#221](https://github.com/timb-machine/linux-malware/issues/221))
+* https://github.com/h3xduck/Umbra ([#668](https://github.com/timb-machine/linux-malware/issues/668)) - Persistence, Privilege Escalation, Defense Evasion, Command and Control, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attack:T1095:Non-Application Layer Protocol, attack:T1486:Data Encrypted for Impact, attacK:T1548:Abuse Elevation Control Mechanism, Linux
+* https://github.com/EvelynSubarrow/BismuthScorpion ([#182](https://github.com/timb-machine/linux-malware/issues/182))
+* https://github.com/zephrax/linux-pam-backdoor ([#181](https://github.com/timb-machine/linux-malware/issues/181)) - Credential Access, Persistence, Defense Evasion, attack:T1556.003:Pluggable Authentication Modules, Linux
+* https://github.com/therealdreg/enyelkm ([#456](https://github.com/timb-machine/linux-malware/issues/456)) - Persistence, Defense Evasion, Linux
+* https://gist.github.com/zznop/0117c24164ee715e750150633c7c1782 ([#198](https://github.com/timb-machine/linux-malware/issues/198))
+* https://github.com/toffan/binfmt_misc ([#431](https://github.com/timb-machine/linux-malware/issues/431)) - Persistence, Privilege Escalation, Defense Evasion, Linux, Device application sandboxing
+* https://packetstormsecurity.com/files/author/3859/ ([#553](https://github.com/timb-machine/linux-malware/issues/553)) - Persistence, Defense Evasion, uses:DTrace, SInAR, [/malware/pocs/SInAR](../../tree/main/malware/pocs/SInAR), Archim, Solaris, Internal specialist services, Device application sandboxing
+* https://github.com/aviat/passe-partout ([#704](https://github.com/timb-machine/linux-malware/issues/704)) - Credential Access, attack:T1649:Steal or Forge Authentication Certificates, attack:T1563.001:SSH Hijacking, Linux, AIX, Solaris, HP-UX
+* https://github.com/SafeBreach-Labs/backdoros ([#213](https://github.com/timb-machine/linux-malware/issues/213))
+* https://github.com/mncoppola/suterusu ([#491](https://github.com/timb-machine/linux-malware/issues/491)) - Persistence, Defense Evasion, wltm, Linux
+* https://github.com/rek7/fireELF ([#159](https://github.com/timb-machine/linux-malware/issues/159))
+* https://github.com/gaffe23/linux-inject ([#210](https://github.com/timb-machine/linux-malware/issues/210))
+* https://github.com/ONsec-Lab/scripts/tree/master/pam_steal ([#195](https://github.com/timb-machine/linux-malware/issues/195))
+* https://github.com/mempodippy/vlany ([#174](https://github.com/timb-machine/linux-malware/issues/174))
+* https://github.com/MegaManSec/SSH-Snake ([#791](https://github.com/timb-machine/linux-malware/issues/791)) - Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services
 ## Offensive research
@@ -558,268 +564,270 @@ Not necessarily malicious code (see Linikatz and unix-privesc-check =)) but inte ### Offensive tools -* https://github.com/dsnezhkov/zombieant ([#793](https://github.com/timb-machine/linux-malware/issues/793)) - Defense Evasion, attack:T1562:Impair Defenses, Linux -* https://github.com/Idov31/Sandman ([#582](https://github.com/timb-machine/linux-malware/issues/582)) - Persistence, Command and Control, Linux -* https://github.com/SkyperTHC/bpf-keylogger ([#781](https://github.com/timb-machine/linux-malware/issues/781)) - Credential Access, Collection, uses:eBPF, attack:T1417.001:Keylogging, Linux -* https://github.com/liamg/traitor ([#687](https://github.com/timb-machine/linux-malware/issues/687)) - Privilege Escalation, Linux -* https://github.com/aojea/netkat ([#464](https://github.com/timb-machine/linux-malware/issues/464)) - Lateral Movement, Command and Control, attack:T1205.002:Socket Filters, Linux -* https://github.com/airbus-seclab/nbutools ([#689](https://github.com/timb-machine/linux-malware/issues/689)) - Discovery, Collection, Linux, AIX, Solaris, HP-UX, Banking, CNI, Telecomms, Internal enterprise services -* https://github.com/FiloSottile/age ([#166](https://github.com/timb-machine/linux-malware/issues/166)) -* https://github.com/namazso/linux_injector ([#599](https://github.com/timb-machine/linux-malware/issues/599)) - Persistence, attack:T1574.006:Dynamic Linker Hijacking, Linux -* https://github.com/sosdave/KeyTabExtract ([#206](https://github.com/timb-machine/linux-malware/issues/206)) -* https://github.com/CiscoCXSecurity/linikatz ([#156](https://github.com/timb-machine/linux-malware/issues/156)) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets, https://github.com/timb-machine/linux-malware/issues/141 -* https://github.com/liamg/siphon ([#576](https://github.com/timb-machine/linux-malware/issues/576)) - Discovery, Collection, Linux -* https://github.com/zMarch/Orc 
([#161](https://github.com/timb-machine/linux-malware/issues/161)) -* https://github.com/CiscoCXSecurity/enum4linux ([#178](https://github.com/timb-machine/linux-malware/issues/178)) -* https://github.com/huntergregal/mimipenguin ([#185](https://github.com/timb-machine/linux-malware/issues/185)) +* https://github.com/milabs/khook ([#212](https://github.com/timb-machine/linux-malware/issues/212)) +* https://github.com/rebootuser/LinEnum ([#158](https://github.com/timb-machine/linux-malware/issues/158)) +* https://github.com/io-tl/Mara ([#487](https://github.com/timb-machine/linux-malware/issues/487)) - Linux +* https://github.com/Frissi0n/GTFONow ([#771](https://github.com/timb-machine/linux-malware/issues/771)) - Privilege Escalation, attack:T1548:Abuse Elevation Control Mechanism, Linux +* https://github.com/JonathonReinhart/nosecmem ([#180](https://github.com/timb-machine/linux-malware/issues/180)) +* https://github.com/pmorjan/kmod ([#654](https://github.com/timb-machine/linux-malware/issues/654)) - Persistence, Privilege Escalation, uses:Go, attack:T1547.006:Kernel Modules and Extensions, Linux +* https://github.com/redcode-labs/Bashark ([#168](https://github.com/timb-machine/linux-malware/issues/168)) +* https://github.com/elfmaster/maya ([#504](https://github.com/timb-machine/linux-malware/issues/504)) - Defense Evasion, Linux, Device application sandboxing +* https://github.com/willshiao/node-bash-obfuscate ([#190](https://github.com/timb-machine/linux-malware/issues/190)) +* https://github.com/fireeye/SSSDKCMExtractor ([#520](https://github.com/timb-machine/linux-malware/issues/520)) - attack:T1558:Steal or Forge Kerberos Tickets, Linux, Internal enterprise services, Enhanced identity governance +* https://github.com/DavidBuchanan314/dlinject ([#485](https://github.com/timb-machine/linux-malware/issues/485)) - Linux +* https://github.com/vbpf/ebpf-samples ([#215](https://github.com/timb-machine/linux-malware/issues/215)) - Persistence, Defense Evasion, 
attack:T1205.002:Socket Filters, attack:T1620:Reflective Code Loading, Device application sandboxing +* https://github.com/DeimosC2/DeimosC2 ([#652](https://github.com/timb-machine/linux-malware/issues/652)) - Command and Control, Exfiltration, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, uses:Go, DeimosC2, [/malware/binaries/Unix.Backdoor.DeimosC2](../../../tree/main/malware/binaries/Unix.Backdoor.DeimosC2), Linux +* https://github.com/mnagel/gnome-keyring-dumper ([#186](https://github.com/timb-machine/linux-malware/issues/186)) +* https://github.com/TarlogicSecurity/tickey ([#184](https://github.com/timb-machine/linux-malware/issues/184)) * https://github.com/NixOS/patchelf ([#443](https://github.com/timb-machine/linux-malware/issues/443)) - Persistence, attack:T1574.006:Dynamic Linker Hijacking, Linux, Device application sandboxing * https://github.com/timb-machine-mirrors/adamcaudill-EquationGroupLeak/tree/master/Linux ([#173](https://github.com/timb-machine/linux-malware/issues/173)) -* https://github.com/t3l3machus/Villain ([#591](https://github.com/timb-machine/linux-malware/issues/591)) - Command and Control, Linux -* https://github.com/controlplaneio/truffleproc ([#537](https://github.com/timb-machine/linux-malware/issues/537)) - Privilege Escalation, Credential Access, Linux -* https://github.com/eeriedusk/nysm ([#761](https://github.com/timb-machine/linux-malware/issues/761)) - Persistence, Linux -* https://research.nccgroup.com/2022/01/08/tool-release-insject-a-linux-namespace-injector/ ([#585](https://github.com/timb-machine/linux-malware/issues/585)) - Execution, Persistence, Linux, Cloud hosted services -* https://github.com/DavidBuchanan314/dlinject ([#485](https://github.com/timb-machine/linux-malware/issues/485)) - Linux -* https://github.com/Frissi0n/GTFONow ([#771](https://github.com/timb-machine/linux-malware/issues/771)) - Privilege Escalation, attack:T1548:Abuse 
Elevation Control Mechanism, Linux -* https://github.com/io-tl/Mara ([#487](https://github.com/timb-machine/linux-malware/issues/487)) - Linux -* https://github.com/NetDirect/nfsshell ([#164](https://github.com/timb-machine/linux-malware/issues/164)) +* https://github.com/89luca89/pakkero ([#718](https://github.com/timb-machine/linux-malware/issues/718)) - Defense Evasion, attack:T1027.002:Software Packing, Linux +* https://github.com/dsnezhkov/zombieant ([#793](https://github.com/timb-machine/linux-malware/issues/793)) - Persistence, Privilege Escalation, Defense Evasion, attack:T1562:Impair Defenses, attack:T1574.006:Dynamic Linker Hijacking, Linux +* https://github.com/pathtofile/bad-bpf ([#205](https://github.com/timb-machine/linux-malware/issues/205)) - uses:BPF +* https://github.com/netifera/netifera ([#194](https://github.com/timb-machine/linux-malware/issues/194)) +* https://github.com/AlessandroZ/LaZagne ([#155](https://github.com/timb-machine/linux-malware/issues/155)) +* https://github.com/ropnop/kerbrute ([#176](https://github.com/timb-machine/linux-malware/issues/176)) +* https://github.com/ropnop/windapsearch ([#177](https://github.com/timb-machine/linux-malware/issues/177)) +* https://github.com/DavidBuchanan314/stelf-loader ([#738](https://github.com/timb-machine/linux-malware/issues/738)) - Execution, Defense Evasion, uses:ProcessTreeSpoofing, uses:Non-persistentStorage, Linux +* https://github.com/liamg/traitor ([#687](https://github.com/timb-machine/linux-malware/issues/687)) - Privilege Escalation, Linux +* https://github.com/Idov31/Sandman ([#582](https://github.com/timb-machine/linux-malware/issues/582)) - Persistence, Command and Control, Linux * https://github.com/stealth/injectso ([#589](https://github.com/timb-machine/linux-malware/issues/589)) - Defense Evasion, Linux -* https://github.com/Ne0nd0g/merlin ([#545](https://github.com/timb-machine/linux-malware/issues/545)) - Command and Control, Exfiltration, uses:Go, Merlin, Linux -* 
https://github.com/blacklanternsecurity/KCMTicketFormatter ([#519](https://github.com/timb-machine/linux-malware/issues/519)) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets, Linux, Internal enterprise services, Enhanced identity governance -* https://github.com/DeimosC2/DeimosC2 ([#652](https://github.com/timb-machine/linux-malware/issues/652)) - Command and Control, Exfiltration, attack:T1048:Exfiltration Over Alternative Protocol, attack:T1573:Encrypted Channel, attack:T1071:Application Layer Protocol, uses:Go, DeimosC2, [/malware/binaries/Unix.Backdoor.DeimosC2](../../../tree/main/malware/binaries/Unix.Backdoor.DeimosC2), Linux -* https://chromium.googlesource.com/linux-syscall-support/ ([#533](https://github.com/timb-machine/linux-malware/issues/533)) - Linux -* https://github.com/hackerschoice/ssh-key-backdoor ([#672](https://github.com/timb-machine/linux-malware/issues/672)) - Persistence, Defense Evasion, Linux, AIX, Solaris, HP-UX +* https://gtfobins.github.io/ ([#179](https://github.com/timb-machine/linux-malware/issues/179)) +* https://github.com/nicocha30/ligolo-ng ([#699](https://github.com/timb-machine/linux-malware/issues/699)) - Command and Control, Exfiltration, Linux +* https://github.com/controlplaneio/truffleproc ([#537](https://github.com/timb-machine/linux-malware/issues/537)) - Privilege Escalation, Credential Access, Linux +* https://github.com/CiscoCXSecurity/enum4linux ([#178](https://github.com/timb-machine/linux-malware/issues/178)) +* https://github.com/creaktive/tsh ([#481](https://github.com/timb-machine/linux-malware/issues/481)) - TSH, TINYSHELL, APT31, UNC2891, LightBasin, Linux +* https://github.com/namazso/linux_injector ([#599](https://github.com/timb-machine/linux-malware/issues/599)) - Persistence, attack:T1574.006:Dynamic Linker Hijacking, Linux +* https://github.com/SkyperTHC/bpf-keylogger ([#781](https://github.com/timb-machine/linux-malware/issues/781)) - Credential Access, Collection, uses:eBPF, 
attack:T1417.001:Keylogging, Linux +* https://github.com/huntergregal/mimipenguin ([#185](https://github.com/timb-machine/linux-malware/issues/185)) +* https://packetstormsecurity.com/files/download/23045/statdx-scan.tar.gz ([#146](https://github.com/timb-machine/linux-malware/issues/146)) - Reconnaissance, pscan (similar code to luckscan) +* https://github.com/sosdave/KeyTabExtract ([#206](https://github.com/timb-machine/linux-malware/issues/206)) * https://github.com/TH3xACE/SUDO_KILLER ([#162](https://github.com/timb-machine/linux-malware/issues/162)) - Privilege Escalation -* https://github.com/TarlogicSecurity/tickey ([#184](https://github.com/timb-machine/linux-malware/issues/184)) -* https://github.com/milabs/khook ([#212](https://github.com/timb-machine/linux-malware/issues/212)) -* https://github.com/IvanGlinkin/AutoSUID ([#204](https://github.com/timb-machine/linux-malware/issues/204)) -* https://github.com/pmorjan/kmod ([#654](https://github.com/timb-machine/linux-malware/issues/654)) - Persistence, Privilege Escalation, uses:Go, attack:T1547.006:Kernel Modules and Extensions, Linux * https://github.com/ciscocxsecurity/unix-privesc-check ([#157](https://github.com/timb-machine/linux-malware/issues/157)) - Privilege Escalation -* https://github.com/vbpf/ebpf-samples ([#215](https://github.com/timb-machine/linux-malware/issues/215)) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1620:Reflective Code Loading, Device application sandboxing -* https://github.com/willshiao/node-bash-obfuscate ([#190](https://github.com/timb-machine/linux-malware/issues/190)) +* https://research.nccgroup.com/2022/01/08/tool-release-insject-a-linux-namespace-injector/ ([#585](https://github.com/timb-machine/linux-malware/issues/585)) - Execution, Persistence, Linux, Cloud hosted services +* https://github.com/sevagas/swap_digger ([#515](https://github.com/timb-machine/linux-malware/issues/515)) - Credential Access, Linux +* 
https://vulners.com/metasploit/MSF:POST/LINUX/GATHER/GNOME_KEYRING_DUMP/ ([#188](https://github.com/timb-machine/linux-malware/issues/188)) +* https://github.com/blacklanternsecurity/KCMTicketFormatter ([#519](https://github.com/timb-machine/linux-malware/issues/519)) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets, Linux, Internal enterprise services, Enhanced identity governance * https://github.com/anko/xkbcat ([#691](https://github.com/timb-machine/linux-malware/issues/691)) - Credential Access, Collection, attack:T1056.001:Keylogging, Linux, AIX, Solaris, HP-UX, Consumer, Internal enterprise services +* https://github.com/grisuno/LazyOwn ([#812](https://github.com/timb-machine/linux-malware/issues/812)) - Reconnaissance, Initial Access, Execution, Persistence, Privilege Escalation, Discovery, Collection, Command and Control, Linux +* https://github.com/akawashiro/sloader ([#521](https://github.com/timb-machine/linux-malware/issues/521)) - Defense Evasion, Linux * https://github.com/timb-machine-mirrors/CoolerVoid-casper-fs ([#216](https://github.com/timb-machine/linux-malware/issues/216)) -* https://github.com/naksyn/Pyramid ([#630](https://github.com/timb-machine/linux-malware/issues/630)) - Persistence, Command and Control, Linux -* https://github.com/rebootuser/LinEnum ([#158](https://github.com/timb-machine/linux-malware/issues/158)) -* https://github.com/sevagas/swap_digger ([#515](https://github.com/timb-machine/linux-malware/issues/515)) - Credential Access, Linux +* https://chromium.googlesource.com/linux-syscall-support/ ([#533](https://github.com/timb-machine/linux-malware/issues/533)) - Linux +* https://github.com/CiscoCXSecurity/linikatz ([#156](https://github.com/timb-machine/linux-malware/issues/156)) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets, https://github.com/timb-machine/linux-malware/issues/141 +* https://github.com/metac0rtex/SSH-Key-Brute-Forcer 
([#489](https://github.com/timb-machine/linux-malware/issues/489)) - Initial Access, Lateral Movement, Linux, Enclave deployment * https://github.com/oldboy21/LDAP-Password-Hunter ([#167](https://github.com/timb-machine/linux-malware/issues/167)) -* https://gtfobins.github.io/ ([#179](https://github.com/timb-machine/linux-malware/issues/179)) -* https://github.com/AlessandroZ/LaZagne ([#155](https://github.com/timb-machine/linux-malware/issues/155)) -* https://github.com/elfmaster/maya ([#504](https://github.com/timb-machine/linux-malware/issues/504)) - Defense Evasion, Linux, Device application sandboxing -* https://github.com/nicocha30/ligolo-ng ([#699](https://github.com/timb-machine/linux-malware/issues/699)) - Command and Control, Exfiltration, Linux -* https://github.com/guitmz/memrun ([#592](https://github.com/timb-machine/linux-malware/issues/592)) - Defense Evasion, attack:T1620:Reflective Code Loading, uses:Non-persistentStorage, Linux -* https://packetstormsecurity.com/files/download/23045/statdx-scan.tar.gz ([#146](https://github.com/timb-machine/linux-malware/issues/146)) - Reconnaissance, pscan (similar code to luckscan) -* https://github.com/ropnop/kerbrute ([#176](https://github.com/timb-machine/linux-malware/issues/176)) -* https://github.com/ropnop/windapsearch ([#177](https://github.com/timb-machine/linux-malware/issues/177)) -* https://github.com/mnagel/gnome-keyring-dumper ([#186](https://github.com/timb-machine/linux-malware/issues/186)) +* https://github.com/DavidBuchanan314/monomorph ([#534](https://github.com/timb-machine/linux-malware/issues/534)) - Defense Evasion, Linux +* https://github.com/aojea/netkat ([#464](https://github.com/timb-machine/linux-malware/issues/464)) - Lateral Movement, Command and Control, attack:T1205.002:Socket Filters, Linux * https://github.com/MatheuZSecurity/D3m0n1z3dShell ([#773](https://github.com/timb-machine/linux-malware/issues/773)) - Persistence, Linux +* https://github.com/zMarch/Orc 
([#161](https://github.com/timb-machine/linux-malware/issues/161)) +* https://github.com/hackerschoice/ssh-key-backdoor ([#672](https://github.com/timb-machine/linux-malware/issues/672)) - Persistence, Defense Evasion, Linux, AIX, Solaris, HP-UX +* https://github.com/naksyn/Pyramid ([#630](https://github.com/timb-machine/linux-malware/issues/630)) - Persistence, Command and Control, Linux +* https://github.com/eeriedusk/nysm ([#761](https://github.com/timb-machine/linux-malware/issues/761)) - Persistence, Linux +* https://github.com/t3l3machus/Villain ([#591](https://github.com/timb-machine/linux-malware/issues/591)) - Command and Control, Linux * https://github.com/CiscoCXSecurity/sudo-parser ([#163](https://github.com/timb-machine/linux-malware/issues/163)) - Privilege Escalation -* https://github.com/akawashiro/sloader ([#521](https://github.com/timb-machine/linux-malware/issues/521)) - Defense Evasion, Linux -* https://github.com/fireeye/SSSDKCMExtractor ([#520](https://github.com/timb-machine/linux-malware/issues/520)) - attack:T1558:Steal or Forge Kerberos Tickets, Linux, Internal enterprise services, Enhanced identity governance -* https://github.com/DavidBuchanan314/stelf-loader ([#738](https://github.com/timb-machine/linux-malware/issues/738)) - Execution, Defense Evasion, uses:ProcessTreeSpoofing, uses:Non-persistentStorage, Linux -* https://github.com/netifera/netifera ([#194](https://github.com/timb-machine/linux-malware/issues/194)) -* https://github.com/JonathonReinhart/nosecmem ([#180](https://github.com/timb-machine/linux-malware/issues/180)) -* https://github.com/metac0rtex/SSH-Key-Brute-Forcer ([#489](https://github.com/timb-machine/linux-malware/issues/489)) - Initial Access, Lateral Movement, Linux, Enclave deployment -* https://github.com/DavidBuchanan314/monomorph ([#534](https://github.com/timb-machine/linux-malware/issues/534)) - Defense Evasion, Linux -* https://github.com/redcode-labs/Bashark 
([#168](https://github.com/timb-machine/linux-malware/issues/168)) +* https://github.com/guitmz/memrun ([#592](https://github.com/timb-machine/linux-malware/issues/592)) - Defense Evasion, attack:T1620:Reflective Code Loading, uses:Non-persistentStorage, Linux +* https://github.com/FiloSottile/age ([#166](https://github.com/timb-machine/linux-malware/issues/166)) * https://github.com/NetSPI/sshkey-grab ([#619](https://github.com/timb-machine/linux-malware/issues/619)) - Credential Access, attack:T1552.004:Private Keys, attack:T1003.007:Proc Filesystem, attack:T1055.009:Proc Memory, Linux, Enhanced identity governance +* https://github.com/NetDirect/nfsshell ([#164](https://github.com/timb-machine/linux-malware/issues/164)) * https://github.com/alichtman/malware-techniques ([#199](https://github.com/timb-machine/linux-malware/issues/199)) -* https://github.com/pathtofile/bad-bpf ([#205](https://github.com/timb-machine/linux-malware/issues/205)) - uses:BPF -* https://github.com/creaktive/tsh ([#481](https://github.com/timb-machine/linux-malware/issues/481)) - TSH, TINYSHELL, APT31, UNC2891, LightBasin, Linux -* https://github.com/89luca89/pakkero ([#718](https://github.com/timb-machine/linux-malware/issues/718)) - Defense Evasion, attack:T1027.002:Software Packing, Linux -* https://vulners.com/metasploit/MSF:POST/LINUX/GATHER/GNOME_KEYRING_DUMP/ ([#188](https://github.com/timb-machine/linux-malware/issues/188)) +* https://github.com/Ne0nd0g/merlin ([#545](https://github.com/timb-machine/linux-malware/issues/545)) - Command and Control, Exfiltration, uses:Go, Merlin, Linux +* https://github.com/IvanGlinkin/AutoSUID ([#204](https://github.com/timb-machine/linux-malware/issues/204)) +* https://github.com/airbus-seclab/nbutools ([#689](https://github.com/timb-machine/linux-malware/issues/689)) - Discovery, Collection, Linux, AIX, Solaris, HP-UX, Banking, CNI, Telecomms, Internal enterprise services +* https://github.com/liamg/siphon 
([#576](https://github.com/timb-machine/linux-malware/issues/576)) - Discovery, Collection, Linux ### Offensive techniques +* https://github.com/CiscoCXSecurity/presentations/raw/master/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf ([#241](https://github.com/timb-machine/linux-malware/issues/241)) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets +* https://www.archcloudlabs.com/projects/debuginfod/ ([#796](https://github.com/timb-machine/linux-malware/issues/796)) - Command and Control, Exfiltration, attack:T1071:Application Layer Protocol, attack:T1567:Exfiltration Over Web Service, Linux +* https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/ ([#236](https://github.com/timb-machine/linux-malware/issues/236)) +* https://grugq.github.io/docs/subversiveld.pdf ([#473](https://github.com/timb-machine/linux-malware/issues/473)) - Linux * https://github.com/0xor0ne/debugoff ([#755](https://github.com/timb-machine/linux-malware/issues/755)) - Defense Evasion, uses:Rust, attack:T1622:Debugger Evasion, Linux -* https://sonarsource.github.io/argument-injection-vectors/ ([#627](https://github.com/timb-machine/linux-malware/issues/627)) - Initial Access, Execution +* https://n0.lol/ ([#227](https://github.com/timb-machine/linux-malware/issues/227)) +* https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html ([#683](https://github.com/timb-machine/linux-malware/issues/683)) - Defense Evasion, attack:T1629.003:Disable or Modify Tools, attack:T1547.006:Kernel Modules and Extensions, uses:Auditd, Linux +* https://buzzchronicles.com/Mollyycolllinss/b/internet/7795/ ([#475](https://github.com/timb-machine/linux-malware/issues/475)) - Linux +* https://rp.os3.nl/2016-2017/p97/report.pdf ([#234](https://github.com/timb-machine/linux-malware/issues/234)) +* http://www.ouah.org/LKM_HACKING.html ([#257](https://github.com/timb-machine/linux-malware/issues/257)) - 
Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions +* https://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/ ([#562](https://github.com/timb-machine/linux-malware/issues/562)) - Persistence, Defense Evasion, Command and Control, Linux, AIX, Solaris +* https://vxug.fakedoma.in/papers.html ([#228](https://github.com/timb-machine/linux-malware/issues/228)) * https://rushter.com/blog/public-ssh-keys/ ([#754](https://github.com/timb-machine/linux-malware/issues/754)) - Initial Access, Discovery, Lateral Movement, attack:T1018:Remote System Discovery, attack:T1199:Trusted Relationship, attack:T1021.004:SSH, Linux, AIX, Solaris, HP-UX -* http://www.nth-dimension.org.uk/downloads.php?id=77 ([#237](https://github.com/timb-machine/linux-malware/issues/237)) +* https://gtfoargs.github.io/ ([#626](https://github.com/timb-machine/linux-malware/issues/626)) - Initial Access, Execution +* http://lists.openstack.org/pipermail/openstack/2013-December/004138.html ([#244](https://github.com/timb-machine/linux-malware/issues/244)) +* https://www.akamai.com/blog/security-research/linux-lateral-movement-more-than-ssh ([#708](https://github.com/timb-machine/linux-malware/issues/708)) - Lateral Movement, Linux, AIX, Solaris, HP-UX +* http://www.foo.be/cours/mssi-20072008/davidoff-clearmem-linux.pdf ([#246](https://github.com/timb-machine/linux-malware/issues/246)) +* https://labs.portcullis.co.uk/presentations/breaking-the-links-exploiting-the-linker/ ([#238](https://github.com/timb-machine/linux-malware/issues/238)) +* https://www.elastic.co/guide/en/security/master/binary-executed-from-shared-memory-directory.html ([#611](https://github.com/timb-machine/linux-malware/issues/611)) - Defense Evasion +* https://devilinside.me/blogs/becoming-rat-your-system ([#256](https://github.com/timb-machine/linux-malware/issues/256)) +* https://blog.talosintelligence.com/2018/12/PortcullisActiveDirectory.html 
([#240](https://github.com/timb-machine/linux-malware/issues/240)) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets +* https://rp.os3.nl/2016-2017/p59/presentation.pdf ([#233](https://github.com/timb-machine/linux-malware/issues/233)) +* https://gist.github.com/timb-machine/602d1a4dace4899babc1b6b5345d24b2 ([#550](https://github.com/timb-machine/linux-malware/issues/550)) - Defense Evasion, attack:T1562:Impair Defenses, Linux +* https://twitter.com/HuskyHacksMK/status/1578413641669308416 ([#541](https://github.com/timb-machine/linux-malware/issues/541)) - Defense Evasion, Linux, AIX, Solaris, HP-UX +* https://twitter.com/Alh4zr3d/status/1577649651376791552 ([#540](https://github.com/timb-machine/linux-malware/issues/540)) - Defense Evasion, Linux, AIX, Solaris, HP-UX * https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html ([#251](https://github.com/timb-machine/linux-malware/issues/251)) -* https://rp.os3.nl/2016-2017/p97/report.pdf ([#234](https://github.com/timb-machine/linux-malware/issues/234)) -* https://twitter.com/David3141593/status/1575978540868435968 ([#532](https://github.com/timb-machine/linux-malware/issues/532)) - Linux -* https://github.com/hakivvi/ermir ([#579](https://github.com/timb-machine/linux-malware/issues/579)) - Initial Access, Lateral Movement, Linux, Internal enterprise services -* https://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ ([#239](https://github.com/timb-machine/linux-malware/issues/239)) -* https://www.jakoblell.com/blog/2014/05/07/hacking-contest-rootkit/ ([#562](https://github.com/timb-machine/linux-malware/issues/562)) - Persistence, Defense Evasion, Command and Control, Linux, AIX, Solaris +* https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html ([#575](https://github.com/timb-machine/linux-malware/issues/575)) - Persistence, Privilege Escalation, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, attack:T1562:Impair Defenses, Linux * 
https://tmpout.sh/2/ ([#226](https://github.com/timb-machine/linux-malware/issues/226)) +* https://github.com/milabs/awesome-linux-rootkits ([#9](https://github.com/timb-machine/linux-malware/issues/9)) - Persistence, Linux +* https://twitter.com/Alh4zr3d/status/1578406155453276160 ([#539](https://github.com/timb-machine/linux-malware/issues/539)) - Defense Evasion, Linux, AIX, Solaris, HP-UX +* https://sysdig.com/blog/ebpf-offensive-capabilities/ ([#768](https://github.com/timb-machine/linux-malware/issues/768)) - Persistence, Defense Evasion, uses:eBPF, Linux +* https://gist.github.com/timb-machine/7bd75479ee29aee8762952ea16908eb0 ([#197](https://github.com/timb-machine/linux-malware/issues/197)) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, attack:T1202:Indirect Command Execution, Linux, AIX, Solaris, HP-UX, Device application sandboxing, Trust algorithm * https://joshua.hu/ssh-snake-ssh-network-traversal-discover-ssh-private-keys-network-graph ([#800](https://github.com/timb-machine/linux-malware/issues/800)) - Defense Evasion, Discovery, Lateral Movement, attack:T1021.004:SSH, attack:T1078:Valid Accounts, attack:T1552.004:Private Keys, attack:T1027:Obfuscated Files or Information, https://github.com/timb-machine/linux-malware/issues/791, SSH-Snake, Linux, AIX, Solaris, HP-UX, Internal enterprise services -* http://lists.openstack.org/pipermail/openstack/2013-December/004138.html ([#244](https://github.com/timb-machine/linux-malware/issues/244)) +* https://twitter.com/brainsmoke/status/399558997994668033 ([#509](https://github.com/timb-machine/linux-malware/issues/509)) - Execution, Linux +* https://rp.os3.nl/2016-2017/p97/presentation.pdf ([#235](https://github.com/timb-machine/linux-malware/issues/235)) +* https://github.com/Sysinternals/SysmonForLinux/issues/83 ([#648](https://github.com/timb-machine/linux-malware/issues/648)) - Defense Evasion, Linux * http://shell-storm.org/api/?s=arm 
([#243](https://github.com/timb-machine/linux-malware/issues/243)) +* https://2018.zeronights.ru/wp-content/uploads/materials/09-ELF-execution-in-Linux-RAM.pdf ([#436](https://github.com/timb-machine/linux-malware/issues/436)) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Linux, Device application sandboxing +* https://sysdig.com/blog/containers-read-only-fileless-malware/ ([#415](https://github.com/timb-machine/linux-malware/issues/415)) - Persistence, Defense Evasion, attack:T1202:Indirect Command Execution, attack:T1620:Reflective Code Loading, uses:Non-persistentStorage, uses:k8s, Linux, Cloud hosted services, Device application sandboxing +* https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal ([#665](https://github.com/timb-machine/linux-malware/issues/665)) - Initial Access, attack:T1190:Exploit Public-Facing Application, Mirai, Linux, IOT, Consumer +* https://www.sentinelone.com/blog/shadow-suid-for-privilege-persistence-part-1/ ([#430](https://github.com/timb-machine/linux-malware/issues/430)) - Persistence, Privilege Escalation, Defense Evasion, Linux, Device application sandboxing +* https://sonarsource.github.io/argument-injection-vectors/ ([#627](https://github.com/timb-machine/linux-malware/issues/627)) - Initial Access, Execution +* https://github.com/hakivvi/ermir ([#579](https://github.com/timb-machine/linux-malware/issues/579)) - Initial Access, Lateral Movement, Linux, Internal enterprise services +* https://pbs.twimg.com/media/FSi1m3gXsAA79yF?format=jpg&name=medium ([#428](https://github.com/timb-machine/linux-malware/issues/428)) - Persistence, Linux, Device application sandboxing +* https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 ([#461](https://github.com/timb-machine/linux-malware/issues/461)) - Persistence, Defense Evasion, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process 
Hollowing, attack:T1134.004:Parent PID Spoofing, Linux, AIX, Solaris, HP-UX, Trust algorithm
+* https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html ([#705](https://github.com/timb-machine/linux-malware/issues/705)) - Persistence, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attacK:T1548:Abuse Elevation Control Mechanism, https://github.com/timb-machine/linux-malware/issues/669, Linux
+* https://blog.vibri.us/BeyondTrust-AD-Bridge-Open-Post-Exploitation/ ([#635](https://github.com/timb-machine/linux-malware/issues/635)) - Credential Access, Discovery, attack:T1087.002:Domain Account, Linux, Internal enterprise services
 * https://www.form3.tech/engineering/content/bypassing-ebpf-tools ([#584](https://github.com/timb-machine/linux-malware/issues/584)) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
-* https://twitter.com/brainsmoke/status/399558997994668033 ([#509](https://github.com/timb-machine/linux-malware/issues/509)) - Execution, Linux
-* https://labs.portcullis.co.uk/presentations/breaking-the-links-exploiting-the-linker/ ([#238](https://github.com/timb-machine/linux-malware/issues/238))
-* https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 ([#653](https://github.com/timb-machine/linux-malware/issues/653)) - Initial Access, Credential Access, attack:T1110:Brute Force, attack:T1078:Valid Accounts, Linux, AIX, Solaris, HP-UX, Consumer, Cloud hosted services, Internal enterprise services, Internal specialist services
-* http://www.foo.be/cours/mssi-20072008/davidoff-clearmem-linux.pdf ([#246](https://github.com/timb-machine/linux-malware/issues/246))
-* https://packetstormsecurity.com/files/34013/0x4553-Static_Infecting.html ([#255](https://github.com/timb-machine/linux-malware/issues/255))
-* http://www.hick.org/code/skape/papers/remote-library-injection.pdf
([#455](https://github.com/timb-machine/linux-malware/issues/455)) - Persistence, Linux
-* https://github.com/CiscoCXSecurity/presentations/raw/master/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf ([#241](https://github.com/timb-machine/linux-malware/issues/241)) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets
-* https://ortiz.sh/linux/2020/07/05/UNKILLABLE.html ([#575](https://github.com/timb-machine/linux-malware/issues/575)) - Persistence, Privilege Escalation, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, attack:T1562:Impair Defenses, Linux
 * https://www.cs.dartmouth.edu/~sergey/cs258/2010/spainhower_DT.pdf ([#555](https://github.com/timb-machine/linux-malware/issues/555)) - Persistence, Defense Evasion, uses:DTrace, SInAR, https://github.com/timb-machine/linux-malware/issues/553, https://github.com/timb-machine/linux-malware/issues/554, Archim, Solaris, Internal specialist services, Device application sandboxing
+* https://gist.github.com/royra/35952b7bb1217e482a24d427848eefc2 ([#653](https://github.com/timb-machine/linux-malware/issues/653)) - Initial Access, Credential Access, attack:T1110:Brute Force, attack:T1078:Valid Accounts, Linux, AIX, Solaris, HP-UX, Consumer, Cloud hosted services, Internal enterprise services, Internal specialist services
+* https://github.com/CiscoCXSecurity/linikatz/issues ([#230](https://github.com/timb-machine/linux-malware/issues/230))
+* https://twitter.com/David3141593/status/1575978540868435968 ([#532](https://github.com/timb-machine/linux-malware/issues/532)) - Linux
+* https://medium.com/confluera-engineering/reflective-code-loading-in-linux-a-new-defense-evasion-technique-in-mitre-att-ck-v10-da7da34ed301 ([#250](https://github.com/timb-machine/linux-malware/issues/250))
 * https://www.guitmz.com/running-elf-from-memory/ ([#252](https://github.com/timb-machine/linux-malware/issues/252))
-* https://rp.os3.nl/2016-2017/p59/report.pdf
([#232](https://github.com/timb-machine/linux-malware/issues/232))
-* https://gist.github.com/timb-machine/7bd75479ee29aee8762952ea16908eb0 ([#197](https://github.com/timb-machine/linux-malware/issues/197)) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, attack:T1202:Indirect Command Execution, Linux, AIX, Solaris, HP-UX, Device application sandboxing, Trust algorithm
+* http://www.hick.org/code/skape/papers/remote-library-injection.pdf ([#455](https://github.com/timb-machine/linux-malware/issues/455)) - Persistence, Linux
 * http://archive.hack.lu/2019/Fileless-Malware-Infection-and-Linux-Process-Injection-in-Linux-OS.pdf ([#242](https://github.com/timb-machine/linux-malware/issues/242)) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Device application sandboxing
-* https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html ([#683](https://github.com/timb-machine/linux-malware/issues/683)) - Defense Evasion, attack:T1629.003:Disable or Modify Tools, attack:T1547.006:Kernel Modules and Extensions, uses:Auditd, Linux
-* https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf ([#245](https://github.com/timb-machine/linux-malware/issues/245))
-* https://sysdig.com/blog/ebpf-offensive-capabilities/ ([#768](https://github.com/timb-machine/linux-malware/issues/768)) - Persistence, Defense Evasion, uses:eBPF, Linux
-* https://gist.github.com/timb-machine/602d1a4dace4899babc1b6b5345d24b2 ([#550](https://github.com/timb-machine/linux-malware/issues/550)) - Defense Evasion, attack:T1562:Impair Defenses, Linux
-* https://pbs.twimg.com/media/FSi1m3gXsAA79yF?format=jpg&name=medium ([#428](https://github.com/timb-machine/linux-malware/issues/428)) - Persistence, Linux, Device application sandboxing
-* https://www.archcloudlabs.com/projects/debuginfod/ ([#796](https://github.com/timb-machine/linux-malware/issues/796)) - Command and Control,
Exfiltration, attack:T1071:Application Layer Protocol, attack:T1567:Exfiltration Over Web Service, Linux
-* https://medium.com/confluera-engineering/reflective-code-loading-in-linux-a-new-defense-evasion-technique-in-mitre-att-ck-v10-da7da34ed301 ([#250](https://github.com/timb-machine/linux-malware/issues/250))
-* https://www.akamai.com/blog/security-research/linux-lateral-movement-more-than-ssh ([#708](https://github.com/timb-machine/linux-malware/issues/708)) - Lateral Movement, Linux, AIX, Solaris, HP-UX
-* https://rosesecurityresearch.com/crafting-malicious-pluggable-authentication-modules-for-persistence-privilege-escalation-and-lateral-movement ([#772](https://github.com/timb-machine/linux-malware/issues/772)) - Persistence, Defense Evasion, Credential Access, attack:T1556.003:Pluggable Authentication Modules, Linux
+* https://packetstormsecurity.com/files/34013/0x4553-Static_Infecting.html ([#255](https://github.com/timb-machine/linux-malware/issues/255))
+* https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf ([#248](https://github.com/timb-machine/linux-malware/issues/248))
+* https://rp.os3.nl/2016-2017/p59/report.pdf ([#232](https://github.com/timb-machine/linux-malware/issues/232))
+* http://hick.org/code/skape/papers/needle.txt ([#557](https://github.com/timb-machine/linux-malware/issues/557)) - Persistence, Defense Evasion, Linux
+* https://is.muni.cz/el/fi/jaro2011/PV204/um/LinuxRootkits/sys_call_table_complete.htm ([#254](https://github.com/timb-machine/linux-malware/issues/254)) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions
+* https://grugq.github.io/docs/ul_exec.txt ([#463](https://github.com/timb-machine/linux-malware/issues/463)) - Persistence, Defense Evasion, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, Linux, Trust algorithm
 *
https://www.blackhat.com/presentations/bh-dc-08/Beauchamp-Weston/Whitepaper/bh-dc-08-beauchamp-weston-WP.pdf ([#556](https://github.com/timb-machine/linux-malware/issues/556)) - Persistence, Defense Evasion, uses:DTrace, Solaris, Internal specialist services, Device application sandboxing
-* https://github.com/Sysinternals/SysmonForLinux/issues/83 ([#648](https://github.com/timb-machine/linux-malware/issues/648)) - Defense Evasion, Linux
-* https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 ([#461](https://github.com/timb-machine/linux-malware/issues/461)) - Persistence, Defense Evasion, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, Linux, AIX, Solaris, HP-UX, Trust algorithm
-* https://tmpout.sh/1/ ([#225](https://github.com/timb-machine/linux-malware/issues/225))
+* https://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ ([#239](https://github.com/timb-machine/linux-malware/issues/239))
+* https://blog.xpnsec.com/linux-process-injection-aka-injecting-into-sshd-for-fun/ ([#558](https://github.com/timb-machine/linux-malware/issues/558)) - Persistence, Defense Evasion, Linux
 * https://c3media.vsos.ethz.ch/congress/2004/papers/057%20SUN%20Bloody%20Daft%20Solaris%20Mechanisms.pdf ([#554](https://github.com/timb-machine/linux-malware/issues/554)) - Persistence, Defense Evasion, uses:DTrace, SInAR, https://github.com/timb-machine/linux-malware/issues/553, Archim, Solaris, Internal specialist services, Device application sandboxing
-* https://github.com/elfmaster/scop_virus_paper ([#253](https://github.com/timb-machine/linux-malware/issues/253))
-* https://twitter.com/HuskyHacksMK/status/1578413641669308416 ([#541](https://github.com/timb-machine/linux-malware/issues/541)) - Defense Evasion, Linux, AIX, Solaris, HP-UX
-* https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html
([#705](https://github.com/timb-machine/linux-malware/issues/705)) - Persistence, Defense Evasion, attack:T1014:Rootkit, attack:T1547.006:Kernel Modules and Extensions, attack:T1564.001:Hidden Files and Directories, attacK:T1548:Abuse Elevation Control Mechanism, https://github.com/timb-machine/linux-malware/issues/669, Linux
-* http://hick.org/code/skape/papers/needle.txt ([#557](https://github.com/timb-machine/linux-malware/issues/557)) - Persistence, Defense Evasion, Linux
+* https://rosesecurityresearch.com/crafting-malicious-pluggable-authentication-modules-for-persistence-privilege-escalation-and-lateral-movement ([#772](https://github.com/timb-machine/linux-malware/issues/772)) - Persistence, Defense Evasion, Credential Access, attack:T1556.003:Pluggable Authentication Modules, Linux
 * https://github.com/rapid7/ssh-badkeys ([#538](https://github.com/timb-machine/linux-malware/issues/538)) - Initial Access, Linux, AIX, Solaris, HP-UX
-* https://devilinside.me/blogs/becoming-rat-your-system ([#256](https://github.com/timb-machine/linux-malware/issues/256))
-* https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal ([#665](https://github.com/timb-machine/linux-malware/issues/665)) - Initial Access, attack:T1190:Exploit Public-Facing Application, Mirai, Linux, IOT, Consumer
+* https://blog.fbkcs.ru/en/elf-in-memory-execution/ ([#249](https://github.com/timb-machine/linux-malware/issues/249))
+* https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html ([#462](https://github.com/timb-machine/linux-malware/issues/462)) - Defense Evasion, Discovery, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, attack:T1057:Process Discovery, attack:T1620:Reflective Code Loading, Linux, AIX, Solaris, HP-UX, Trust algorithm
+* https://www.tarlogic.com/blog/how-to-attack-kerberos/
([#229](https://github.com/timb-machine/linux-malware/issues/229))
+* https://tmpout.sh/1/ ([#225](https://github.com/timb-machine/linux-malware/issues/225))
 * https://www.first.org/resources/papers/telaviv2019/Rezilion-Shlomi-Butnaro-Beyond-Whitelisting-Fileless-Attacks-Against-L....pdf ([#231](https://github.com/timb-machine/linux-malware/issues/231)) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Device application sandboxing
 * https://blog.doyensec.com/2022/10/11/ebpf-bypass-security-monitoring.html ([#567](https://github.com/timb-machine/linux-malware/issues/567)) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux
-* https://is.muni.cz/el/fi/jaro2011/PV204/um/LinuxRootkits/sys_call_table_complete.htm ([#254](https://github.com/timb-machine/linux-malware/issues/254)) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions
-* https://www.sentinelone.com/blog/shadow-suid-for-privilege-persistence-part-1/ ([#430](https://github.com/timb-machine/linux-malware/issues/430)) - Persistence, Privilege Escalation, Defense Evasion, Linux, Device application sandboxing
-* https://grugq.github.io/docs/ul_exec.txt ([#463](https://github.com/timb-machine/linux-malware/issues/463)) - Persistence, Defense Evasion, attack:T1055:Process Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, Linux, Trust algorithm
+* https://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-slides.pdf ([#245](https://github.com/timb-machine/linux-malware/issues/245))
+* http://www.nth-dimension.org.uk/downloads.php?id=77 ([#237](https://github.com/timb-machine/linux-malware/issues/237))
+* https://github.com/elfmaster/scop_virus_paper ([#253](https://github.com/timb-machine/linux-malware/issues/253))
 *
https://medium.com/verint-cyber-engineering/linux-threat-hunting-primer-part-ii-69484f58ac92 ([#247](https://github.com/timb-machine/linux-malware/issues/247))
-* https://blog.vibri.us/BeyondTrust-AD-Bridge-Open-Post-Exploitation/ ([#635](https://github.com/timb-machine/linux-malware/issues/635)) - Credential Access, Discovery, attack:T1087.002:Domain Account, Linux, Internal enterprise services
-* https://rp.os3.nl/2016-2017/p59/presentation.pdf ([#233](https://github.com/timb-machine/linux-malware/issues/233))
-* https://gtfoargs.github.io/ ([#626](https://github.com/timb-machine/linux-malware/issues/626)) - Initial Access, Execution
-* https://security.humanativaspa.it/openssh-ssh-agent-shielded-private-key-extraction-x86_64-linux/ ([#236](https://github.com/timb-machine/linux-malware/issues/236))
-* https://grugq.github.io/docs/subversiveld.pdf ([#473](https://github.com/timb-machine/linux-malware/issues/473)) - Linux
-* https://github.com/milabs/awesome-linux-rootkits ([#9](https://github.com/timb-machine/linux-malware/issues/9)) - Persistence, Linux
-* https://blog.talosintelligence.com/2018/12/PortcullisActiveDirectory.html ([#240](https://github.com/timb-machine/linux-malware/issues/240)) - Credential Access, attack:T1558:Steal or Forge Kerberos Tickets
-* https://n0.lol/ ([#227](https://github.com/timb-machine/linux-malware/issues/227))
-* https://www.elastic.co/guide/en/security/master/binary-executed-from-shared-memory-directory.html ([#611](https://github.com/timb-machine/linux-malware/issues/611)) - Defense Evasion
-* https://twitter.com/Alh4zr3d/status/1577649651376791552 ([#540](https://github.com/timb-machine/linux-malware/issues/540)) - Defense Evasion, Linux, AIX, Solaris, HP-UX
-* https://twitter.com/Alh4zr3d/status/1578406155453276160 ([#539](https://github.com/timb-machine/linux-malware/issues/539)) - Defense Evasion, Linux, AIX, Solaris, HP-UX
-* https://sysdig.com/blog/containers-read-only-fileless-malware/
([#415](https://github.com/timb-machine/linux-malware/issues/415)) - Persistence, Defense Evasion, attack:T1202:Indirect Command Execution, attack:T1620:Reflective Code Loading, uses:Non-persistentStorage, uses:k8s, Linux, Cloud hosted services, Device application sandboxing
-* https://blog.fbkcs.ru/en/elf-in-memory-execution/ ([#249](https://github.com/timb-machine/linux-malware/issues/249))
-* https://github.com/CiscoCXSecurity/linikatz/issues ([#230](https://github.com/timb-machine/linux-malware/issues/230))
-* https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf ([#248](https://github.com/timb-machine/linux-malware/issues/248))
-* https://rp.os3.nl/2016-2017/p97/presentation.pdf ([#235](https://github.com/timb-machine/linux-malware/issues/235))
-* https://www.tarlogic.com/blog/how-to-attack-kerberos/ ([#229](https://github.com/timb-machine/linux-malware/issues/229))
-* https://buzzchronicles.com/Mollyycolllinss/b/internet/7795/ ([#475](https://github.com/timb-machine/linux-malware/issues/475)) - Linux
-* https://blog.xpnsec.com/linux-process-injection-aka-injecting-into-sshd-for-fun/ ([#558](https://github.com/timb-machine/linux-malware/issues/558)) - Persistence, Defense Evasion, Linux
-* http://www.ouah.org/LKM_HACKING.html ([#257](https://github.com/timb-machine/linux-malware/issues/257)) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions
-* https://2018.zeronights.ru/wp-content/uploads/materials/09-ELF-execution-in-Linux-RAM.pdf ([#436](https://github.com/timb-machine/linux-malware/issues/436)) - Persistence, Defense Evasion, attack:T1620:Reflective Code Loading, Linux, Device application sandboxing
-* https://vxug.fakedoma.in/papers.html ([#228](https://github.com/timb-machine/linux-malware/issues/228))
-* https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html ([#462](https://github.com/timb-machine/linux-malware/issues/462)) - Defense Evasion, Discovery, attack:T1055:Process
Injection, attack:T1055.008:Ptrace System Calls, attack:T1055.012:Process Hollowing, attack:T1134.004:Parent PID Spoofing, attack:T1057:Process Discovery, attack:T1620:Reflective Code Loading, Linux, AIX, Solaris, HP-UX, Trust algorithm
 ## Defensive research
 ### Defensive tools
-* https://www.volatilityfoundation.org/releases-vol3 ([#457](https://github.com/timb-machine/linux-malware/issues/457)) - Persistence, Defense Evasion, Linux, Consumer, Cloud hosted services, Internal enterprise services, Internal specialist services, Enterprise with public/Customer-facing services, Device application sandboxing
-* https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/ ([#276](https://github.com/timb-machine/linux-malware/issues/276))
-* https://twitter.com/inversecos/status/1527188391347068928 ([#435](https://github.com/timb-machine/linux-malware/issues/435)) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris, Device application sandboxing
-* https://github.com/M00NLIG7/ChopChopGo ([#674](https://github.com/timb-machine/linux-malware/issues/674)) - Defense Evasion, Linux
+* https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505 ([#451](https://github.com/timb-machine/linux-malware/issues/451)) - Linux
+* https://github.com/stratosphereips/StratosphereLinuxIPS ([#811](https://github.com/timb-machine/linux-malware/issues/811)) - Execution, Persistence, Privilege Escalation, Defense Evasion, Linux
+* https://github.com/sandflysecurity/sandfly-processdecloak ([#633](https://github.com/timb-machine/linux-malware/issues/633)) - Defense Evasion, Linux
+* https://github.com/david942j/seccomp-tools ([#590](https://github.com/timb-machine/linux-malware/issues/590)) - Defense Evasion, Linux
+* https://github.com/op7ic/unix_collector
([#266](https://github.com/timb-machine/linux-malware/issues/266)) - Solaris, Linux, AIX, OS X
+* https://twitter.com/timb_machine/status/1523253031382687744 ([#421](https://github.com/timb-machine/linux-malware/issues/421)) - Command and Control, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/420, DecisiveArchitect, Solaris
+* https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought/ ([#274](https://github.com/timb-machine/linux-malware/issues/274))
 * https://github.com/NozomiNetworks/upx-recovery-tool ([#535](https://github.com/timb-machine/linux-malware/issues/535)) - Defense Evasion, attack:T1027.002:Software Packing, Linux
+* https://github.com/evilsocket/ebpf-process-anomaly-detection ([#497](https://github.com/timb-machine/linux-malware/issues/497)) - Execution, Linux
+* https://github.com/ancat/egrets ([#218](https://github.com/timb-machine/linux-malware/issues/218))
+* https://github.com/M00NLIG7/ChopChopGo ([#674](https://github.com/timb-machine/linux-malware/issues/674)) - Defense Evasion, Linux
+* https://github.com/Gui774ume/ebpfkit-monitor ([#467](https://github.com/timb-machine/linux-malware/issues/467)) - Persistence, Defense Evasion, Discovery, Command and Control, Linux
+* https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/mitre-att-amp-ck-technique-coverage-with-sysmon-for-linux/ba-p/2858219 ([#269](https://github.com/timb-machine/linux-malware/issues/269))
+* https://github.com/chainguard-dev/osquery-defense-kit ([#574](https://github.com/timb-machine/linux-malware/issues/574)) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Command and Control, Exfiltration, Linux
+* https://www.volatilityfoundation.org/releases-vol3
([#457](https://github.com/timb-machine/linux-malware/issues/457)) - Persistence, Defense Evasion, Linux, Consumer, Cloud hosted services, Internal enterprise services, Internal specialist services, Enterprise with public/Customer-facing services, Device application sandboxing
 * https://github.com/snapattack/bpfdoor-scanner ([#437](https://github.com/timb-machine/linux-malware/issues/437)) - Persistence, Defense Evasion, Command and Control, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205.002:Socket Filters, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect
+* https://blog.blockmagnates.com/hunt-linux-malware-with-cgroups-497733095a94 ([#472](https://github.com/timb-machine/linux-malware/issues/472)) - Linux
 * https://github.com/monnappa22/Limon ([#258](https://github.com/timb-machine/linux-malware/issues/258))
-* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf ([#449](https://github.com/timb-machine/linux-malware/issues/449)) - Persistence, Defense Evasion, Credential Access, Command and Control, https://github.com/timb-machine/linux-malware/issues/156, https://github.com/timb-machine/linux-malware/issues/418, https://github.com/timb-machine/linux-malware/issues/420, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1005:Data from Local System, attack:T1083:File and Directory Discovery, attack:T1003:OS Credential Dumping, attack:T1558:Steal or Forge Kerberos Tickets, BPFDoor, Linikatz, Linux
-* https://github.com/Gui774ume/krie ([#498](https://github.com/timb-machine/linux-malware/issues/498)) - Defense Evasion, Privilege Escalation, Persistence, uses:eBPF, attack:T1620:Reflective Code Loading, attack:T1574:Hijack Execution Flow, attack:T1068:Exploitation for Privilege Escalation, attack:T1562.001:Disable or Modify Tools, attack:T1548:Abuse Elevation Control Mechanism, Linux
-*
https://bazaar.abuse.ch/ ([#259](https://github.com/timb-machine/linux-malware/issues/259))
-* https://grsecurity.net/tetragone_a_lesson_in_security_fundamentals ([#450](https://github.com/timb-machine/linux-malware/issues/450)) - Persistence, Privilege Escalation, Defense Evasion, Linux
-* https://medium.com/confluera-engineering/detection-and-response-for-linux-reflective-code-loading-malware-this-is-how-21f9c7d8a014 ([#278](https://github.com/timb-machine/linux-malware/issues/278))
-* https://github.com/Gui774ume/ebpfkit-monitor ([#467](https://github.com/timb-machine/linux-malware/issues/467)) - Persistence, Defense Evasion, Discovery, Command and Control, Linux
-* https://twitter.com/timb_machine/status/1523253031382687744 ([#421](https://github.com/timb-machine/linux-malware/issues/421)) - Command and Control, attack:T1205.002:Socket Filters, attack:T1205:Traffic Signaling, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/420, DecisiveArchitect, Solaris
-* https://github.com/threathunters-io/laurel ([#581](https://github.com/timb-machine/linux-malware/issues/581)) - Defense Evasion, Linux
-* https://github.com/sandflysecurity/sandfly-entropyscan ([#632](https://github.com/timb-machine/linux-malware/issues/632)) - Defense Evasion, Linux
-* https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought/ ([#274](https://github.com/timb-machine/linux-malware/issues/274))
+* https://github.com/niveb/NoCrypt ([#673](https://github.com/timb-machine/linux-malware/issues/673)) - Impact, attack:T1486:Data Encrypted for Impact, attack:T1547.006:Kernel Modules and Extensions, Linux
+* https://github.com/CYB3RMX/Qu1cksc0pe ([#696](https://github.com/timb-machine/linux-malware/issues/696)) - Defense Evasion, Linux
 * https://github.com/sourque/louis ([#411](https://github.com/timb-machine/linux-malware/issues/411)) - Linux, Device application sandboxing
-* https://youtu.be/16_EAsYAApI ([#438](https://github.com/timb-machine/linux-malware/issues/438)) - Linux
-* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac ([#569](https://github.com/timb-machine/linux-malware/issues/569)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/568, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
-* https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505 ([#451](https://github.com/timb-machine/linux-malware/issues/451)) - Linux
-* https://github.com/avilum/secimport ([#748](https://github.com/timb-machine/linux-malware/issues/748)) - Persistence, Defense Evasion, Linux
-* https://tbhaxor.com/hunting-malicious-binaries-in-containers/ ([#272](https://github.com/timb-machine/linux-malware/issues/272))
-* https://github.com/vmware/kernel-event-collector-module ([#271](https://github.com/timb-machine/linux-malware/issues/271)) - Carbon Black
+* https://github.com/tclahr/uac ([#583](https://github.com/timb-machine/linux-malware/issues/583)) - Persistence, Defense Evasion, Linux
+* https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/ ([#275](https://github.com/timb-machine/linux-malware/issues/275))
+* https://github.com/504ensicsLabs/LiME ([#187](https://github.com/timb-machine/linux-malware/issues/187))
+* https://github.com/Gui774ume/krie ([#498](https://github.com/timb-machine/linux-malware/issues/498)) - Defense Evasion, Privilege Escalation, Persistence, uses:eBPF, attack:T1620:Reflective Code Loading, attack:T1574:Hijack Execution Flow, attack:T1068:Exploitation for Privilege Escalation,
attack:T1562.001:Disable or Modify Tools, attack:T1548:Abuse Elevation Control Mechanism, Linux
+* https://github.com/alex-cart/LEAF ([#445](https://github.com/timb-machine/linux-malware/issues/445)) - Linux
 * https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/ ([#277](https://github.com/timb-machine/linux-malware/issues/277))
-* https://github.com/signalblur/impelf ([#647](https://github.com/timb-machine/linux-malware/issues/647)) - Defense Evasion, Linux
-* https://twitter.com/ldsopreload/status/1582780282758828035 ([#571](https://github.com/timb-machine/linux-malware/issues/571)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/570, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
-* https://github.com/tstromberg/sunlight ([#794](https://github.com/timb-machine/linux-malware/issues/794)) - Defense Evasion, uses:eBPF, Linux
-* https://github.com/chainguard-dev/osquery-defense-kit ([#574](https://github.com/timb-machine/linux-malware/issues/574)) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Command and Control, Exfiltration, Linux
-* https://github.com/op7ic/unix_collector ([#266](https://github.com/timb-machine/linux-malware/issues/266)) - Solaris, Linux, AIX, OS X
 * https://github.com/0xrawsec/kunai ([#749](https://github.com/timb-machine/linux-malware/issues/749)) - Defense Evasion, Linux
-* https://www.rfxn.com/projects/linux-malware-detect/ ([#261](https://github.com/timb-machine/linux-malware/issues/261))
 * https://twitter.com/ldsopreload/status/1583178316286029824
([#568](https://github.com/timb-machine/linux-malware/issues/568)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/569, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
-* https://blog.blockmagnates.com/hunt-linux-malware-with-cgroups-497733095a94 ([#472](https://github.com/timb-machine/linux-malware/issues/472)) - Linux
 * https://github.com/falcosecurity/falco ([#412](https://github.com/timb-machine/linux-malware/issues/412)) - Linux, Device application sandboxing
-* https://github.com/david942j/seccomp-tools ([#590](https://github.com/timb-machine/linux-malware/issues/590)) - Defense Evasion, Linux
-* https://github.com/evilsocket/ebpf-process-anomaly-detection ([#497](https://github.com/timb-machine/linux-malware/issues/497)) - Execution, Linux
-* https://github.com/alex-cart/LEAF ([#445](https://github.com/timb-machine/linux-malware/issues/445)) - Linux
-* https://github.com/marin-m/vmlinux-to-elf ([#726](https://github.com/timb-machine/linux-malware/issues/726)) - Defense Evasion, attack:T1601:Modify System Image, Linux
-* https://github.com/sandflysecurity/sandfly-file-decloak ([#634](https://github.com/timb-machine/linux-malware/issues/634)) - Defense Evasion, Linux
 * https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Fixing-A-Memory-Forensics-Blind-Spot-Linux-Kernel-Tracing-wp.pdf ([#423](https://github.com/timb-machine/linux-malware/issues/423)) - Persistence, Privilege Escalation, Defense Evasion, Credential Access, Collection, Command and Control, Exfiltration, Linux
-* https://github.com/Achiefs/fim ([#779](https://github.com/timb-machine/linux-malware/issues/779)) - Defense Evasion, Linux
-*
https://elfdigest.com/ ([#262](https://github.com/timb-machine/linux-malware/issues/262))
-* https://github.com/hardenedvault/ved-ebpf ([#737](https://github.com/timb-machine/linux-malware/issues/737)) - Execution, Privilege Escalation, Defense Evasion, attack:T1574:Hijack Execution Flow, attack:T1548.001:Setuid and Setgid, attack:T1620:Reflective Code Loading, attack:T1068:Exploitation for Privilege Escalation, uses:eBPF, Linux
-* https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/ ([#268](https://github.com/timb-machine/linux-malware/issues/268))
-* https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/mitre-att-amp-ck-technique-coverage-with-sysmon-for-linux/ba-p/2858219 ([#269](https://github.com/timb-machine/linux-malware/issues/269))
+* https://twitter.com/inversecos/status/1527188391347068928 ([#435](https://github.com/timb-machine/linux-malware/issues/435)) - Persistence, Defense Evasion, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux, Solaris, Device application sandboxing
+* https://bazaar.abuse.ch/ ([#259](https://github.com/timb-machine/linux-malware/issues/259))
+* https://youtu.be/16_EAsYAApI ([#438](https://github.com/timb-machine/linux-malware/issues/438)) - Linux
+* https://twitter.com/ldsopreload/status/1582780282758828035 ([#571](https://github.com/timb-machine/linux-malware/issues/571)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/570, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux
 *
https://elastic.github.io/security-research/intelligence/2022/03/03.dirty-pipe/article/ ([#265](https://github.com/timb-machine/linux-malware/issues/265)) -* https://github.com/niveb/NoCrypt ([#673](https://github.com/timb-machine/linux-malware/issues/673)) - Impact, attack:T1486:Data Encrypted for Impact, attack:T1547.006:Kernel Modules and Extensions, Linux -* https://github.com/tclahr/uac ([#583](https://github.com/timb-machine/linux-malware/issues/583)) - Persistence, Defense Evasion, Linux -* https://github.com/ancat/egrets ([#218](https://github.com/timb-machine/linux-malware/issues/218)) -* https://github.com/sandflysecurity/sandfly-processdecloak ([#633](https://github.com/timb-machine/linux-malware/issues/633)) - Defense Evasion, Linux -* https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace ([#570](https://github.com/timb-machine/linux-malware/issues/570)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/571, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux -* https://github.com/504ensicsLabs/LiME ([#187](https://github.com/timb-machine/linux-malware/issues/187)) -* https://github.com/CYB3RMX/Qu1cksc0pe ([#696](https://github.com/timb-machine/linux-malware/issues/696)) - Defense Evasion, Linux -* https://github.com/chriskaliX/Hades ([#514](https://github.com/timb-machine/linux-malware/issues/514)) - Linux -* https://github.com/nikhilh-20/ELFEN ([#764](https://github.com/timb-machine/linux-malware/issues/764)) - Defense Evasion, Linux -* https://github.com/elfmaster/avu32 ([#273](https://github.com/timb-machine/linux-malware/issues/273)) +* 
https://www.rfxn.com/projects/linux-malware-detect/ ([#261](https://github.com/timb-machine/linux-malware/issues/261)) +* https://github.com/signalblur/impelf ([#647](https://github.com/timb-machine/linux-malware/issues/647)) - Defense Evasion, Linux +* https://github.com/deepfence/ebpfguard ([#697](https://github.com/timb-machine/linux-malware/issues/697)) - Defense Evasion, Linux +* https://github.com/sandflysecurity/sandfly-entropyscan ([#632](https://github.com/timb-machine/linux-malware/issues/632)) - Defense Evasion, Linux +* https://github.com/hardenedvault/ved-ebpf ([#737](https://github.com/timb-machine/linux-malware/issues/737)) - Execution, Privilege Escalation, Defense Evasion, attack:T1574:Hijack Execution Flow, attack:T1548.001:Setuid and Setgid, attack:T1620:Reflective Code Loading, attack:T1068:Exploitation for Privilege Escalation, uses:eBPF, Linux +* https://gist.github.com/EvergreenCartoons/6c223e8f43e2fa4dc11c1c0a6118cbac ([#569](https://github.com/timb-machine/linux-malware/issues/569)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/568, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux +* https://github.com/marin-m/vmlinux-to-elf ([#726](https://github.com/timb-machine/linux-malware/issues/726)) - Defense Evasion, attack:T1601:Modify System Image, Linux +* https://elfdigest.com/ ([#262](https://github.com/timb-machine/linux-malware/issues/262)) * https://github.com/sqall01/LSMS ([#610](https://github.com/timb-machine/linux-malware/issues/610)) - Defense Evasion, Linux -* https://www.virustotal.com/gui/ ([#260](https://github.com/timb-machine/linux-malware/issues/260)) +* 
https://github.com/vmware/kernel-event-collector-module ([#271](https://github.com/timb-machine/linux-malware/issues/271)) - Carbon Black +* https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/ ([#276](https://github.com/timb-machine/linux-malware/issues/276)) * https://github.com/jafarlihi/modreveal ([#609](https://github.com/timb-machine/linux-malware/issues/609)) - Persistence, Privilege Escalation, attack:T1547.006:Kernel Modules and Extensions, Linux -* https://github.com/deepfence/ebpfguard ([#697](https://github.com/timb-machine/linux-malware/issues/697)) - Defense Evasion, Linux -* https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-initial-analysis/ ([#275](https://github.com/timb-machine/linux-malware/issues/275)) +* https://grsecurity.net/tetragone_a_lesson_in_security_fundamentals ([#450](https://github.com/timb-machine/linux-malware/issues/450)) - Persistence, Privilege Escalation, Defense Evasion, Linux +* https://github.com/CiscoCXSecurity/presentations/raw/master/Auditd%20for%20the%20newly%20threatened.pdf ([#449](https://github.com/timb-machine/linux-malware/issues/449)) - Persistence, Defense Evasion, Credential Access, Command and Control, https://github.com/timb-machine/linux-malware/issues/156, https://github.com/timb-machine/linux-malware/issues/418, https://github.com/timb-machine/linux-malware/issues/420, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1005:Data from Local System, attack:T1083:File and Directory Discovery, attack:T1003:OS Credential Dumping, attack:T1558:Steal or Forge Kerberos Tickets, BPFDoor, Linikatz, Linux +* https://github.com/tstromberg/sunlight ([#794](https://github.com/timb-machine/linux-malware/issues/794)) - Defense Evasion, uses:eBPF, Linux +* https://github.com/elfmaster/avu32 ([#273](https://github.com/timb-machine/linux-malware/issues/273)) +* https://www.virustotal.com/gui/ 
([#260](https://github.com/timb-machine/linux-malware/issues/260)) +* https://github.com/chriskaliX/Hades ([#514](https://github.com/timb-machine/linux-malware/issues/514)) - Linux +* https://medium.com/confluera-engineering/detection-and-response-for-linux-reflective-code-loading-malware-this-is-how-21f9c7d8a014 ([#278](https://github.com/timb-machine/linux-malware/issues/278)) +* https://github.com/sandflysecurity/sandfly-file-decloak ([#634](https://github.com/timb-machine/linux-malware/issues/634)) - Defense Evasion, Linux +* https://tbhaxor.com/hunting-malicious-binaries-in-containers/ ([#272](https://github.com/timb-machine/linux-malware/issues/272)) +* https://github.com/threathunters-io/laurel ([#581](https://github.com/timb-machine/linux-malware/issues/581)) - Defense Evasion, Linux +* https://github.com/avilum/secimport ([#748](https://github.com/timb-machine/linux-malware/issues/748)) - Persistence, Defense Evasion, Linux * https://tria.ge/ ([#263](https://github.com/timb-machine/linux-malware/issues/263)) +* https://github.com/Achiefs/fim ([#779](https://github.com/timb-machine/linux-malware/issues/779)) - Credential Access, Defense Evasion, Persistence, attack:T1556.003:Pluggable Authentication Modules, attack:T1562.012:Disable or Modify Linux Audit System, attack:T1601:Modify System Image, Linux +* https://github.com/nikhilh-20/ELFEN ([#764](https://github.com/timb-machine/linux-malware/issues/764)) - Defense Evasion, Linux +* https://gist.github.com/EvergreenCartoons/51d7529eeb9191880beb8890cf9b1ace ([#570](https://github.com/timb-machine/linux-malware/issues/570)) - Persistence, Defense Evasion, Command and Control, https://github.com/timb-machine/linux-malware/issues/571, attack:T1205.002:Socket Filters, attack:T1036:Masquerading, attack:T1070:Indicator Removal on Host, attack:T1205:Traffic Signaling, https://github.com/timb-machine/linux-malware/issues/420, https://github.com/timb-machine/linux-malware/issues/418, BPFDoor, Tricephalic Hellkeeper, 
Unix.Backdoor.RedMenshen, JustForFun, DecisiveArchitect, Linux +* https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/ ([#268](https://github.com/timb-machine/linux-malware/issues/268)) ### Defensive techniques -* https://redcanary.com/blog/ebpf-for-security/ ([#270](https://github.com/timb-machine/linux-malware/issues/270)) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading -* https://github.com/rung/threat-matrix-cicd ([#10](https://github.com/timb-machine/linux-malware/issues/10)) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Lateral Movement, Exfiltration, Impact, Linux +* https://darrenmartyn.ie/2021/07/05/procfs-bash-tricks-and-detecting-cowrie/ ([#528](https://github.com/timb-machine/linux-malware/issues/528)) - Persistence, Defense Evasion, Linux, Device application sandboxing +* https://righteousit.wordpress.com/2021/12/21/hudaks-honeypot-part-2/ ([#39](https://github.com/timb-machine/linux-malware/issues/39)) - honeypot, Linux +* https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html ([#559](https://github.com/timb-machine/linux-malware/issues/559)) - Defense Evasion, Linux +* https://github.com/timb-machine/obscure-forensics ([#267](https://github.com/timb-machine/linux-malware/issues/267)) +* https://righteousit.wordpress.com/2021/12/20/hudaks-honeypot-part-1/ ([#38](https://github.com/timb-machine/linux-malware/issues/38)) - honeypot, Linux * https://redcanary.com/blog/process-streams/ ([#494](https://github.com/timb-machine/linux-malware/issues/494)) - Lateral Movement, Command and Control, Exfiltration, uses:bash, uses:ksh93, attack:T1059:Command and Scripting Interpreter, attack:T1095:Non-Application Layer Protocol, Linux, Enclave deployment -* https://blog.virustotal.com/2023/12/sigma-rules-for-linux-and-macos_20.html ([#774](https://github.com/timb-machine/linux-malware/issues/774)) - Defense 
Evasion, Linux +* https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf ([#499](https://github.com/timb-machine/linux-malware/issues/499)) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, attack:T1574:Hijack Execution Flow, attack:T1068:Exploitation for Privilege Escalation, Linux +* https://github.com/rung/threat-matrix-cicd ([#10](https://github.com/timb-machine/linux-malware/issues/10)) - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Lateral Movement, Exfiltration, Impact, Linux * https://www.mandiant.com/sites/default/files/2022-03/wp-linux-endpoint-hardening.pdf ([#675](https://github.com/timb-machine/linux-malware/issues/675)) - Defense Evasion, Linux -* https://www.forensicxlab.com/posts/inodes/ ([#522](https://github.com/timb-machine/linux-malware/issues/522)) - Defense Evasion, Linux * https://blog.trailofbits.com/2021/11/09/all-your-tracing-are-belong-to-bpf/ ([#747](https://github.com/timb-machine/linux-malware/issues/747)) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux -* https://archive.org/details/HalLinuxForensics ([#560](https://github.com/timb-machine/linux-malware/issues/560)) - Defense Evasion, Linux -* https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html ([#559](https://github.com/timb-machine/linux-malware/issues/559)) - Defense Evasion, Linux -* https://i.blackhat.com/USA-22/Wednesday/US-22-Fournier-Return-To-Sender.pdf ([#499](https://github.com/timb-machine/linux-malware/issues/499)) - Execution, Privilege Escalation, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, attack:T1574:Hijack Execution Flow, attack:T1068:Exploitation for Privilege Escalation, Linux -* https://blog.trailofbits.com/2023/08/09/use-our-suite-of-ebpf-libraries/ ([#736](https://github.com/timb-machine/linux-malware/issues/736)) - Persistence, Defense Evasion, uses:eBPF, 
attack:T1620:Reflective Code Loading, Linux -* https://blog.trailofbits.com/2023/09/25/pitfalls-of-relying-on-ebpf-for-security-monitoring-and-some-solutions/ ([#762](https://github.com/timb-machine/linux-malware/issues/762)) - Execution, Persistence, Privilege Escalation, Defense Evasion, Linux +* https://redcanary.com/blog/ebpf-for-security/ ([#270](https://github.com/timb-machine/linux-malware/issues/270)) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading * https://github.com/cr0nx/awesome-linux-attack-forensics-purplelabs ([#712](https://github.com/timb-machine/linux-malware/issues/712)) - Defense Evasion, Linux -* https://righteousit.wordpress.com/2021/12/21/hudaks-honeypot-part-2/ ([#39](https://github.com/timb-machine/linux-malware/issues/39)) - honeypot, Linux +* https://www.forensicxlab.com/posts/inodes/ ([#522](https://github.com/timb-machine/linux-malware/issues/522)) - Defense Evasion, Linux +* https://blog.trailofbits.com/2023/09/25/pitfalls-of-relying-on-ebpf-for-security-monitoring-and-some-solutions/ ([#762](https://github.com/timb-machine/linux-malware/issues/762)) - Execution, Persistence, Privilege Escalation, Defense Evasion, Linux +* https://github.com/DevinRTK/rtk-eLibrary ([#631](https://github.com/timb-machine/linux-malware/issues/631)) - Persistence, Defense Evasion, Discovery, Collection, Linux, Cloud hosted services, Internal enterprise services, Internal specialist services, Multi-cloud/Cloud-to-cloud enterprise * https://www.youtube.com/watch?v=Zig-inHOhII ([#561](https://github.com/timb-machine/linux-malware/issues/561)) - Defense Evasion, Linux -* https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ ([#719](https://github.com/timb-machine/linux-malware/issues/719)) - Execution, Persistence, Privilege Escalation, Defense Evasion, attack:T1574:Hijack Execution Flow, attack:T1204:User Execution, attack:T1218:System Binary Proxy Execution, attack:T1036.003:Rename System Utilities, Linux, 
AIX, Solaris, HP-UX +* https://sandflysecurity.com/blog/detecting-evasive-linux-backdoors-presentation/ ([#760](https://github.com/timb-machine/linux-malware/issues/760)) - Persistence, Defense Evasion, Command and Control, Linux +* https://archive.org/details/HalLinuxForensics ([#560](https://github.com/timb-machine/linux-malware/issues/560)) - Defense Evasion, Linux +* https://blog.trailofbits.com/2023/08/09/use-our-suite-of-ebpf-libraries/ ([#736](https://github.com/timb-machine/linux-malware/issues/736)) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux * https://twitter.com/CraigHRowland/status/1593102427276050433 ([#587](https://github.com/timb-machine/linux-malware/issues/587)) - Persistence, Defense Evasion, attack:T1547.006:Kernel Modules and Extensions, Linux * https://blog.aquasec.com/detecting-ebpf-malware-with-tracee ([#745](https://github.com/timb-machine/linux-malware/issues/745)) - Persistence, Defense Evasion, uses:eBPF, attack:T1620:Reflective Code Loading, Linux +* https://blog.virustotal.com/2023/12/sigma-rules-for-linux-and-macos_20.html ([#774](https://github.com/timb-machine/linux-malware/issues/774)) - Defense Evasion, Linux +* https://sandflysecurity.com/blog/detecting-linux-binary-file-poisoning/ ([#719](https://github.com/timb-machine/linux-malware/issues/719)) - Execution, Persistence, Privilege Escalation, Defense Evasion, attack:T1574:Hijack Execution Flow, attack:T1204:User Execution, attack:T1218:System Binary Proxy Execution, attack:T1036.003:Rename System Utilities, Linux, AIX, Solaris, HP-UX * https://github.com/archcloudlabs/BSidesRoc2022_Linux_Malware_Analysis_Course ([#264](https://github.com/timb-machine/linux-malware/issues/264)) -* https://sandflysecurity.com/blog/detecting-evasive-linux-backdoors-presentation/ ([#760](https://github.com/timb-machine/linux-malware/issues/760)) - Persistence, Defense Evasion, Command and Control, Linux -* 
https://darrenmartyn.ie/2021/07/05/procfs-bash-tricks-and-detecting-cowrie/ ([#528](https://github.com/timb-machine/linux-malware/issues/528)) - Persistence, Defense Evasion, Linux, Device application sandboxing -* https://righteousit.wordpress.com/2021/12/20/hudaks-honeypot-part-1/ ([#38](https://github.com/timb-machine/linux-malware/issues/38)) - honeypot, Linux -* https://github.com/timb-machine/obscure-forensics ([#267](https://github.com/timb-machine/linux-malware/issues/267)) * https://github.com/anelshaer/Remote-Linux-Triage-Collection-using-OSquery ([#529](https://github.com/timb-machine/linux-malware/issues/529)) - Linux -* https://github.com/DevinRTK/rtk-eLibrary ([#631](https://github.com/timb-machine/linux-malware/issues/631)) - Persistence, Defense Evasion, Discovery, Collection, Linux, Cloud hosted services, Internal enterprise services, Internal specialist services, Multi-cloud/Cloud-to-cloud enterprise ### Defensive Yara #### Personal rules -* enterpriseapps2.yara ([#283](https://github.com/timb-machine/linux-malware/issues/283)) - Hunts for enterprise app binaries -* unixredflags3.yara ([#285](https://github.com/timb-machine/linux-malware/issues/285)) - Hunts for UNIX red flags -* aix.yara ([#280](https://github.com/timb-machine/linux-malware/issues/280)) - Hunts for AIX binaries -* ciscotools.yara ([#279](https://github.com/timb-machine/linux-malware/issues/279)) - Hunts for references to our tools -* luckscan.yara ([#286](https://github.com/timb-machine/linux-malware/issues/286)) - Hunts for references to luckscan * canvasspectre.yara ([#284](https://github.com/timb-machine/linux-malware/issues/284)) - Hunts for CANVAS Spectre +* luckscan.yara ([#286](https://github.com/timb-machine/linux-malware/issues/286)) - Hunts for references to luckscan +* ciscotools.yara ([#279](https://github.com/timb-machine/linux-malware/issues/279)) - Hunts for references to our tools +* aix.yara ([#280](https://github.com/timb-machine/linux-malware/issues/280)) - 
Hunts for AIX binaries +* enterpriseapps2.yara ([#283](https://github.com/timb-machine/linux-malware/issues/283)) - Hunts for enterprise app binaries * enterpriseunix2.yara ([#282](https://github.com/timb-machine/linux-malware/issues/282)) - Hunts for enterprise UNIX binaries -* pscan.yara ([#287](https://github.com/timb-machine/linux-malware/issues/287)) - Hunts for references to pscan * adonunix2.yara ([#281](https://github.com/timb-machine/linux-malware/issues/281)) - Hunts for binaries that attack AD on UNIX +* pscan.yara ([#287](https://github.com/timb-machine/linux-malware/issues/287)) - Hunts for references to pscan +* unixredflags3.yara ([#285](https://github.com/timb-machine/linux-malware/issues/285)) - Hunts for UNIX red flags #### Other rules -* https://github.com/Yara-Rules/rules ([#288](https://github.com/timb-machine/linux-malware/issues/288)) * https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar ([#419](https://github.com/timb-machine/linux-malware/issues/419)) - attack:T1205.002:Socket Filters, BPFDoor, Tricephalic Hellkeeper, Unix.Backdoor.RedMenshen, JustForFun, https://github.com/timb-machine/linux-malware/issues/418, DecisiveArchitect, Linux +* https://github.com/Yara-Rules/rules ([#288](https://github.com/timb-machine/linux-malware/issues/288)) diff --git a/intel/LM135.json b/intel/LM135.json index 1714ef90..bdbbb3a5 100644 --- a/intel/LM135.json +++ b/intel/LM135.json 
@@ -1 +1 @@ -{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nMalware binaries\r\n\r\n### Parent threat\r\n\r\nImpact\r\n\r\n### Finding\r\n\r\nhttps://samples.vx-underground.org/samples/Families/Fastcash/\r\n\r\n### Industry reference\r\n\r\n_No response_\r\n\r\n### Malware reference\r\n\r\nFastCash\r\n[/malware/binaries/FastCash](../tree/main/malware/binaries/FastCash)\r\n\r\n### Actor reference\r\n\r\nHiddenCobra\r\nLazarus\r\nAPT38\r\n\r\n### Component\r\n\r\nAIX, Banking\r\n\r\n### Scenario\r\n\r\nInternal specialist services\r\n\r\n### Scenario variation\r\n\r\nEnclave deployment\r\n","closed":false,"createdAt":"2022-04-19T23:18:07Z","labels":[{"id":"LA_kwDOFx8IA88AAAABIIpHQQ","name":"missing:tag:T1048","description":"","color":"FBCA04"},{"id":"LA_kwDOFx8IA88AAAABIIpINQ","name":"missing:tag:T1070.003","description":"","color":"1D76DB"},{"id":"LA_kwDOFx8IA88AAAABIIpJtA","name":"missing:tag:T1071.001","description":"","color":"FEF2C0"},{"id":"LA_kwDOFx8IA88AAAABIIpLsA","name":"missing:tag:T1546.004","description":"","color":"1D76DB"},{"id":"LA_kwDOFx8IA88AAAABIIpMOA","name":"missing:tag:T1552.003","description":"","color":"C2E0C6"},{"id":"LA_kwDOFx8IA88AAAABIIpMvQ","name":"missing:tag:T1567","description":"","color":"FEF2C0"},{"id":"LA_kwDOFx8IA88AAAABIIpNVg","name":"missing:tag:T1573","description":"","color":"006B75"},{"id":"LA_kwDOFx8IA88AAAABIIpOww","name":"missing:tag:T1021.002","description":"","color":"006B75"},{"id":"LA_kwDOFx8IA88AAAABIIsG9w","name":"missing:tag:T1021.001","description":"","color":"1D76DB"},{"id":"LA_kwDOFx8IA88AAAABQWZJhA","name":"deprecated:template","description":"","color":"F9D0C4"}],"number":135,"title":"[Intel]: https://samples.vx-underground.org/samples/Families/Fastcash/"} +{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nMalware binaries\r\n\r\n### Parent 
threat\r\n\r\nImpact\r\n\r\n### Finding\r\n\r\nhttps://samples.vx-underground.org/samples/Families/Fastcash/\r\n\r\n### Industry reference\r\n\r\n_No response_\r\n\r\n### Malware reference\r\n\r\nFastCash\r\n[/malware/binaries/FastCash](../tree/main/malware/binaries/FastCash)\r\nhttps://github.com/timb-machine/linux-malware/issues/312\r\nhttps://github.com/timb-machine/linux-malware/issues/815\r\nhttps://github.com/timb-machine/linux-malware/issues/407\r\n\r\n### Actor reference\r\n\r\nHiddenCobra\r\nLazarus\r\nAPT38\r\n\r\n### Component\r\n\r\nAIX, Banking\r\n\r\n### Scenario\r\n\r\nInternal specialist services\r\n\r\n### Scenario variation\r\n\r\nEnclave deployment\r\n","closed":false,"createdAt":"2022-04-19T23:18:07Z","labels":[{"id":"LA_kwDOFx8IA88AAAABIIpHQQ","name":"missing:tag:T1048","description":"","color":"FBCA04"},{"id":"LA_kwDOFx8IA88AAAABIIpINQ","name":"missing:tag:T1070.003","description":"","color":"1D76DB"},{"id":"LA_kwDOFx8IA88AAAABIIpJtA","name":"missing:tag:T1071.001","description":"","color":"FEF2C0"},{"id":"LA_kwDOFx8IA88AAAABIIpLsA","name":"missing:tag:T1546.004","description":"","color":"1D76DB"},{"id":"LA_kwDOFx8IA88AAAABIIpMOA","name":"missing:tag:T1552.003","description":"","color":"C2E0C6"},{"id":"LA_kwDOFx8IA88AAAABIIpMvQ","name":"missing:tag:T1567","description":"","color":"FEF2C0"},{"id":"LA_kwDOFx8IA88AAAABIIpNVg","name":"missing:tag:T1573","description":"","color":"006B75"},{"id":"LA_kwDOFx8IA88AAAABIIpOww","name":"missing:tag:T1021.002","description":"","color":"006B75"},{"id":"LA_kwDOFx8IA88AAAABIIsG9w","name":"missing:tag:T1021.001","description":"","color":"1D76DB"},{"id":"LA_kwDOFx8IA88AAAABQWZJhA","name":"deprecated:template","description":"","color":"F9D0C4"}],"number":135,"title":"[Intel]: https://samples.vx-underground.org/samples/Families/Fastcash/"} diff --git a/intel/LM312.json b/intel/LM312.json index c79795ef..478a2708 100644 --- a/intel/LM312.json +++ b/intel/LM312.json 
@@ -1 +1 @@ -{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nMalware reports\r\n\r\n### Parent threat\r\n\r\nPersistence, Impact, Defense Evasion, Privilege Escalation\r\n\r\n### Finding\r\n\r\nhttps://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf\r\n\r\n### Industry reference\r\n\r\nattack:T1565.002:Transmitted Data Manipulation\r\nattack:T1055:Process Injection\r\nattack:T1055.009:Proc Memory\r\nattack:T1564.001:Hidden Files and Directories\r\nattack:T1574:Hijack Execution Flow\r\nattack:T1567:Financial Theft\r\n\r\n### Malware reference\r\n\r\nhttps://github.com/timb-machine/linux-malware/issues/135\r\nFastCash\r\n\r\n### Actor reference\r\n\r\nHidden Cobra\r\n\r\n### Component\r\n\r\nAIX\r\nBanking\r\n\r\n### Scenario\r\n\r\n_No response_\r\n\r\n","closed":false,"createdAt":"2022-04-20T09:47:58Z","labels":[{"id":"LA_kwDOFx8IA88AAAABGKCuAw","name":"ignore:submodule","description":"","color":"CA3460"},{"id":"LA_kwDOFx8IA88AAAABIIpG2w","name":"missing:tag:T1005","description":"","color":"0E8A16"},{"id":"LA_kwDOFx8IA88AAAABIIpHQQ","name":"missing:tag:T1048","description":"","color":"FBCA04"},{"id":"LA_kwDOFx8IA88AAAABIIpHxw","name":"missing:tag:T1057","description":"","color":"BFDADC"},{"id":"LA_kwDOFx8IA88AAAABIIpI1w","name":"missing:tag:T1070.004","description":"","color":"E99695"},{"id":"LA_kwDOFx8IA88AAAABIIpJtA","name":"missing:tag:T1071.001","description":"","color":"FEF2C0"},{"id":"LA_kwDOFx8IA88AAAABIIpLIQ","name":"missing:tag:T1491","description":"","color":"1D76DB"},{"id":"LA_kwDOFx8IA88AAAABIIpMvQ","name":"missing:tag:T1567","description":"","color":"FEF2C0"},{"id":"LA_kwDOFx8IA88AAAABIIpNVg","name":"missing:tag:T1573","description":"","color":"006B75"},{"id":"LA_kwDOFx8IA88AAAABIIpOww","name":"missing:tag:T1021.002","description":"","color":"006B75"},{"id":"LA_kwDOFx8IA88AAAAB
IIpPLA","name":"missing:tag:T1027.002","description":"","color":"0052CC"},{"id":"LA_kwDOFx8IA88AAAABIIpRDQ","name":"missing:tag:T1560","description":"","color":"BFDADC"},{"id":"LA_kwDOFx8IA88AAAABIIpTBQ","name":"missing:tag:Non-persistentStorage","description":"","color":"C2E0C6"},{"id":"LA_kwDOFx8IA88AAAABIIqG3Q","name":"missing:tag:T1574.006","description":"","color":"FBCA04"},{"id":"LA_kwDOFx8IA88AAAABIIqnNg","name":"missing:tag:T1518","description":"","color":"1D76DB"},{"id":"LA_kwDOFx8IA88AAAABIIu46w","name":"missing:tag:T1558","description":"","color":"D93F0B"},{"id":"LA_kwDOFx8IA88AAAABS-M7DQ","name":"missing:tag:wltm","description":"","color":"0052CC"}],"number":312,"title":"[Intel]: https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf"} +{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nMalware reports\r\n\r\n### Parent threat\r\n\r\nPersistence, Impact, Defense Evasion, Privilege Escalation\r\n\r\n### Finding\r\n\r\nhttps://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf\r\n\r\n### Industry reference\r\n\r\nattack:T1565.002:Transmitted Data Manipulation\r\nattack:T1055:Process Injection\r\nattack:T1055.009:Proc Memory\r\nattack:T1564.001:Hidden Files and Directories\r\nattack:T1574:Hijack Execution Flow\r\nattack:T1567:Financial Theft\r\n\r\n### Malware reference\r\n\r\nhttps://github.com/timb-machine/linux-malware/issues/135\r\nFastCash\r\nhttps://github.com/timb-machine/linux-malware/issues/815\r\nhttps://github.com/timb-machine/linux-malware/issues/407\r\n\r\n### Actor reference\r\n\r\nHidden Cobra\r\n\r\n### Component\r\n\r\nAIX\r\nBanking\r\n\r\n### Scenario\r\n\r\n_No 
response_\r\n\r\n","closed":false,"createdAt":"2022-04-20T09:47:58Z","labels":[{"id":"LA_kwDOFx8IA88AAAABGKCuAw","name":"ignore:submodule","description":"","color":"CA3460"},{"id":"LA_kwDOFx8IA88AAAABIIpG2w","name":"missing:tag:T1005","description":"","color":"0E8A16"},{"id":"LA_kwDOFx8IA88AAAABIIpHQQ","name":"missing:tag:T1048","description":"","color":"FBCA04"},{"id":"LA_kwDOFx8IA88AAAABIIpHxw","name":"missing:tag:T1057","description":"","color":"BFDADC"},{"id":"LA_kwDOFx8IA88AAAABIIpI1w","name":"missing:tag:T1070.004","description":"","color":"E99695"},{"id":"LA_kwDOFx8IA88AAAABIIpJtA","name":"missing:tag:T1071.001","description":"","color":"FEF2C0"},{"id":"LA_kwDOFx8IA88AAAABIIpLIQ","name":"missing:tag:T1491","description":"","color":"1D76DB"},{"id":"LA_kwDOFx8IA88AAAABIIpMvQ","name":"missing:tag:T1567","description":"","color":"FEF2C0"},{"id":"LA_kwDOFx8IA88AAAABIIpNVg","name":"missing:tag:T1573","description":"","color":"006B75"},{"id":"LA_kwDOFx8IA88AAAABIIpOww","name":"missing:tag:T1021.002","description":"","color":"006B75"},{"id":"LA_kwDOFx8IA88AAAABIIpPLA","name":"missing:tag:T1027.002","description":"","color":"0052CC"},{"id":"LA_kwDOFx8IA88AAAABIIpRDQ","name":"missing:tag:T1560","description":"","color":"BFDADC"},{"id":"LA_kwDOFx8IA88AAAABIIpTBQ","name":"missing:tag:Non-persistentStorage","description":"","color":"C2E0C6"},{"id":"LA_kwDOFx8IA88AAAABIIqG3Q","name":"missing:tag:T1574.006","description":"","color":"FBCA04"},{"id":"LA_kwDOFx8IA88AAAABIIqnNg","name":"missing:tag:T1518","description":"","color":"1D76DB"},{"id":"LA_kwDOFx8IA88AAAABIIu46w","name":"missing:tag:T1558","description":"","color":"D93F0B"},{"id":"LA_kwDOFx8IA88AAAABS-M7DQ","name":"missing:tag:wltm","description":"","color":"0052CC"}],"number":312,"title":"[Intel]: https://github.com/fboldewin/FastCashMalwareDissected/raw/master/Operation%20Fast%20Cash%20-%20Hidden%20Cobra%E2%80%98s%20AIX%20PowerPC%20malware%20dissected.pdf"} 
diff --git a/intel/LM544.json b/intel/LM544.json
index bf465ff7..a0ecc13a 100644
--- a/intel/LM544.json
+++ b/intel/LM544.json
@@ -1 +1 @@ -{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\n\nMalware reports\n\n### Parent threat\n\nInitial Access, Discovery, Lateral Movement, Collection, Impact\n\n### Finding\n\nhttps://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group\n\n### Industry reference\n\nattack:T1486:Data Encrypted for Impact\n\n### Malware reference\n\nCheerscrypt\n\n### Actor reference\n\nEmperor Dragonfly\n\n### Component\n\nLinux, VMware\n\n### Scenario\n\n_No response_\n\n","closed":false,"createdAt":"2022-10-08T16:29:44Z","labels":[{"id":"LA_kwDOFx8IA87xeZo8","name":"new","description":"","color":"fbca04"},{"id":"LA_kwDOFx8IA88AAAABIIpG2w","name":"missing:tag:T1005","description":"","color":"0E8A16"},{"id":"LA_kwDOFx8IA88AAAABIIpHQQ","name":"missing:tag:T1048","description":"","color":"FBCA04"},{"id":"LA_kwDOFx8IA88AAAABIIpHxw","name":"missing:tag:T1057","description":"","color":"BFDADC"},{"id":"LA_kwDOFx8IA88AAAABIIpI1w","name":"missing:tag:T1070.004","description":"","color":"E99695"},{"id":"LA_kwDOFx8IA88AAAABIIpJtA","name":"missing:tag:T1071.001","description":"","color":"FEF2C0"},{"id":"LA_kwDOFx8IA88AAAABIIpLIQ","name":"missing:tag:T1491","description":"","color":"1D76DB"},{"id":"LA_kwDOFx8IA88AAAABIIpLsA","name":"missing:tag:T1546.004","description":"","color":"1D76DB"},{"id":"LA_kwDOFx8IA88AAAABIIpMvQ","name":"missing:tag:T1567","description":"","color":"FEF2C0"},{"id":"LA_kwDOFx8IA88AAAABIIpNVg","name":"missing:tag:T1573","description":"","color":"006B75"},{"id":"LA_kwDOFx8IA88AAAABIIpOww","name":"missing:tag:T1021.002","description":"","color":"006B75"},{"id":"LA_kwDOFx8IA88AAAABIIsG9w","name":"missing:tag:T1021.001","description":"","color":"1D76DB"}],"number":544,"title":"[Intel]: https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group"} +{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### 
Area\r\n\r\nMalware reports\r\n\r\n### Parent threat\r\n\r\nInitial Access, Discovery, Lateral Movement, Collection, Impact\r\n\r\n### Finding\r\n\r\nhttps://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group\r\n\r\n### Industry reference\r\n\r\nattack:T1486:Data Encrypted for Impact\r\n\r\n### Malware reference\r\n\r\nCheerscrypt\r\nNight Sky\r\n\r\n### Actor reference\r\n\r\nEmperor Dragonfly\r\nBronze Starlight\r\n\r\n### Component\r\n\r\nLinux, VMware\r\n\r\n### Scenario\r\n\r\n_No response_\r\n\r\n","closed":false,"createdAt":"2022-10-08T16:29:44Z","labels":[{"id":"LA_kwDOFx8IA87xeZo8","name":"new","description":"","color":"fbca04"},{"id":"LA_kwDOFx8IA88AAAABIIpG2w","name":"missing:tag:T1005","description":"","color":"0E8A16"},{"id":"LA_kwDOFx8IA88AAAABIIpHQQ","name":"missing:tag:T1048","description":"","color":"FBCA04"},{"id":"LA_kwDOFx8IA88AAAABIIpHxw","name":"missing:tag:T1057","description":"","color":"BFDADC"},{"id":"LA_kwDOFx8IA88AAAABIIpI1w","name":"missing:tag:T1070.004","description":"","color":"E99695"},{"id":"LA_kwDOFx8IA88AAAABIIpJtA","name":"missing:tag:T1071.001","description":"","color":"FEF2C0"},{"id":"LA_kwDOFx8IA88AAAABIIpLIQ","name":"missing:tag:T1491","description":"","color":"1D76DB"},{"id":"LA_kwDOFx8IA88AAAABIIpLsA","name":"missing:tag:T1546.004","description":"","color":"1D76DB"},{"id":"LA_kwDOFx8IA88AAAABIIpMvQ","name":"missing:tag:T1567","description":"","color":"FEF2C0"},{"id":"LA_kwDOFx8IA88AAAABIIpNVg","name":"missing:tag:T1573","description":"","color":"006B75"},{"id":"LA_kwDOFx8IA88AAAABIIpOww","name":"missing:tag:T1021.002","description":"","color":"006B75"},{"id":"LA_kwDOFx8IA88AAAABIIsG9w","name":"missing:tag:T1021.001","description":"","color":"1D76DB"}],"number":544,"title":"[Intel]: https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group"} diff --git a/intel/LM695.json b/intel/LM695.json index c04b0787..1b6c1c45 100644 --- a/intel/LM695.json +++ b/intel/LM695.json 
@@ -1 +1 @@ -{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\n\nMalware reports\n\n### Parent threat\n\nImpact\n\n### Finding\n\nhttps://twitter.com/Unit42_Intel/status/1653760405792014336\n\n### Industry reference\n\n_No response_\n\n### Malware reference\n\nBlackSuit\n\n### Actor reference\n\n_No response_\n\n### Component\n\nLinux\n\n### Scenario\n\n_No response_","closed":false,"createdAt":"2023-06-25T06:44:43Z","labels":[{"id":"LA_kwDOFx8IA87xeZo8","name":"new","description":"","color":"fbca04"}],"number":695,"title":"[Intel]: https://twitter.com/Unit42_Intel/status/1653760405792014336"} +{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nMalware reports\r\n\r\n### Parent threat\r\n\r\nImpact\r\n\r\n### Finding\r\n\r\nhttps://twitter.com/Unit42_Intel/status/1653760405792014336\r\n\r\n### Industry reference\r\n\r\nattack:T1486:Data Encrypted for Impact\r\n\r\n### Malware reference\r\n\r\nwltm\r\nBlackSuite\r\n\r\n### Actor reference\r\n\r\n_No response_\r\n\r\n### Component\r\n\r\nLinux\r\n\r\n### Scenario\r\n\r\n_No response_","closed":false,"createdAt":"2023-06-25T06:44:43Z","labels":[{"id":"LA_kwDOFx8IA87xeTYe","name":"confirmed","description":"","color":"61DD50"}],"number":695,"title":"[Intel]: https://twitter.com/Unit42_Intel/status/1653760405792014336"} diff --git a/intel/LM710.json b/intel/LM710.json index b662cebe..d07811fe 100644 --- a/intel/LM710.json +++ b/intel/LM710.json 
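Review bot: The malware reference changes from `BlackSuit` to `BlackSuite`, which looks like a typo rather than a deliberate rename: the removed side used `BlackSuit`, and the new spelling is also carried on both sides of LM785. Unless `BlackSuite` is an intended alias, the field should read `wltm\r\nBlackSuit` here and in LM785, since a misspelled family name separates this record from anything else tagged with the canonical name.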
@@ -1 +1 @@ -{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nMalware reports\r\n\r\n### Parent threat\r\n\r\nResource Development, Initial Access, Execution, Persistence, Defense Evasion\r\n\r\n### Finding\r\n\r\nhttps://twitter.com/xnand_/status/1676336329985077249\r\n\r\n### Industry reference\r\n\r\nuses:FakeExploit\r\nattack:T1588:Obtain Capabilities\r\nattack:T1608:Stage Capabilities\r\nattack:T1585:Establish Accounts\r\nattack:T1583.008:Malvertising\r\nattack:T1036:Masquerading\r\nexploit:CVE-2023-35829\r\n\r\n### Malware reference\r\n\r\nhttps://github.com/timb-machine/linux-malware/issues/711\r\nhttps://github.com/timb-machine/linux-malware/issues/724\r\n\r\n### Actor reference\r\n\r\n_No response_\r\n\r\n### Component\r\n\r\nLinux\r\n\r\n### Scenario\r\n\r\n_No response_","closed":false,"createdAt":"2023-07-09T09:40:51Z","labels":[{"id":"LA_kwDOFx8IA87xeTYe","name":"confirmed","description":"","color":"61DD50"}],"number":710,"title":"[Intel]: https://twitter.com/xnand_/status/1676336329985077249"} +{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nMalware reports\r\n\r\n### Parent threat\r\n\r\nResource Development, Initial Access, Execution, Persistence, Defense Evasion\r\n\r\n### Finding\r\n\r\nhttps://twitter.com/xnand_/status/1676336329985077249\r\n\r\n### Industry reference\r\n\r\nuses:FakeExploit\r\nattack:T1588:Obtain Capabilities\r\nattack:T1608:Stage Capabilities\r\nattack:T1585:Establish Accounts\r\nattack:T1583.008:Malvertising\r\nattack:T1036:Masquerading\r\nexploit:CVE-2023-35829\r\n\r\n### Malware reference\r\n\r\nhttps://github.com/timb-machine/linux-malware/issues/711\r\nhttps://github.com/timb-machine/linux-malware/issues/724\r\nhttps://github.com/timb-machine/linux-malware/issues/814\r\n\r\n### Actor reference\r\n\r\n_No response_\r\n\r\n### Component\r\n\r\nLinux\r\n\r\n### Scenario\r\n\r\n_No 
response_","closed":false,"createdAt":"2023-07-09T09:40:51Z","labels":[{"id":"LA_kwDOFx8IA87xeTYe","name":"confirmed","description":"","color":"61DD50"}],"number":710,"title":"[Intel]: https://twitter.com/xnand_/status/1676336329985077249"} diff --git a/intel/LM711.json b/intel/LM711.json index 21a93581..1563baa4 100644 --- a/intel/LM711.json +++ b/intel/LM711.json 
@@ -1 +1 @@ -{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nMalware source\r\n\r\n### Parent threat\r\n\r\nResource Development, Initial Access, Execution, Persistence, Defense Evasion\r\n\r\n### Finding\r\n\r\nhttps://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc\r\n\r\n### Industry reference\r\n\r\nuses:FakeExploit\r\nattack:T1588:Obtain Capabilities\r\nattack:T1608:Stage Capabilities\r\nattack:T1585:Establish Accounts\r\nattack:T1583.008:Malvertising\r\nattack:T1036:Masquerading\r\nexploit:CVE-2023-35829\r\n\r\n### Malware reference\r\n\r\nhttps://github.com/timb-machine/linux-malware/issues/710\r\nhttps://github.com/timb-machine/linux-malware/issues/724\r\n\r\n### Actor reference\r\n\r\n_No response_\r\n\r\n### Component\r\n\r\nLinux\r\n\r\n### Scenario\r\n\r\n_No response_","closed":false,"createdAt":"2023-07-09T09:46:38Z","labels":[{"id":"LA_kwDOFx8IA88AAAABIIpJBQ","name":"ignore:tag:T1070.004","description":"","color":"0E8A16"},{"id":"LA_kwDOFx8IA88AAAABIIwnUA","name":"ignore:tag:T1215","description":"","color":"E99695"}],"number":711,"title":"[Intel]: https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc"} +{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nMalware source\r\n\r\n### Parent threat\r\n\r\nResource Development, Initial Access, Execution, Persistence, Defense Evasion\r\n\r\n### Finding\r\n\r\nhttps://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc\r\n\r\n### Industry reference\r\n\r\nuses:FakeExploit\r\nattack:T1588:Obtain Capabilities\r\nattack:T1608:Stage Capabilities\r\nattack:T1585:Establish Accounts\r\nattack:T1583.008:Malvertising\r\nattack:T1036:Masquerading\r\nexploit:CVE-2023-35829\r\n\r\n### Malware 
reference\r\n\r\nhttps://github.com/timb-machine/linux-malware/issues/710\r\nhttps://github.com/timb-machine/linux-malware/issues/724\r\nhttps://github.com/timb-machine/linux-malware/issues/814\r\n\r\n### Actor reference\r\n\r\n_No response_\r\n\r\n### Component\r\n\r\nLinux\r\n\r\n### Scenario\r\n\r\n_No response_","closed":false,"createdAt":"2023-07-09T09:46:38Z","labels":[{"id":"LA_kwDOFx8IA88AAAABIIpJBQ","name":"ignore:tag:T1070.004","description":"","color":"0E8A16"},{"id":"LA_kwDOFx8IA88AAAABIIwnUA","name":"ignore:tag:T1215","description":"","color":"E99695"}],"number":711,"title":"[Intel]: https://github.com/timb-machine-mirrors/ChriSanders22-CVE-2023-35829-poc"} diff --git a/intel/LM724.json b/intel/LM724.json index 18f39c30..d3585141 100644 --- a/intel/LM724.json +++ b/intel/LM724.json 
@@ -1 +1 @@ -{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nMalware reports\r\n\r\n### Parent threat\r\n\r\nResource Development, Initial Access, Execution, Persistence, Defense Evasion\r\n\r\n### Finding\r\n\r\nhttps://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/\r\n\r\n### Industry reference\r\n\r\nuses:FakeExploit\r\nattack:T1588:Obtain Capabilities\r\nattack:T1608:Stage Capabilities\r\nattack:T1585:Establish Accounts\r\nattack:T1583.008:Malvertising\r\nattack:T1036:Masquerading\r\nexploit:CVE-2023-35829\r\n\r\n### Malware reference\r\n\r\nhttps://github.com/timb-machine/linux-malware/issues/710\r\nhttps://github.com/timb-machine/linux-malware/issues/711\r\n\r\n### Actor reference\r\n\r\n_No response_\r\n\r\n### Component\r\n\r\nLinux\r\n\r\n### Scenario\r\n\r\n_No response_","closed":false,"createdAt":"2023-07-15T00:56:36Z","labels":[{"id":"LA_kwDOFx8IA87xeTYe","name":"confirmed","description":"","color":"61DD50"}],"number":724,"title":"[Intel]: https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/"} +{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nMalware reports\r\n\r\n### Parent threat\r\n\r\nResource Development, Initial Access, Execution, Persistence, Defense Evasion\r\n\r\n### Finding\r\n\r\nhttps://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/\r\n\r\n### Industry reference\r\n\r\nuses:FakeExploit\r\nattack:T1588:Obtain Capabilities\r\nattack:T1608:Stage Capabilities\r\nattack:T1585:Establish Accounts\r\nattack:T1583.008:Malvertising\r\nattack:T1036:Masquerading\r\nexploit:CVE-2023-35829\r\n\r\n### Malware reference\r\n\r\nhttps://github.com/timb-machine/linux-malware/issues/710\r\nhttps://github.com/timb-machine/linux-malware/issues/711\r\nhttps://github.com/timb-machine/linux-malware/issues/814\r\n\r\n### Actor reference\r\n\r\n_No response_\r\n\r\n### Component\r\n\r\nLinux\r\n\r\n### 
Scenario\r\n\r\n_No response_","closed":false,"createdAt":"2023-07-15T00:56:36Z","labels":[{"id":"LA_kwDOFx8IA87xeTYe","name":"confirmed","description":"","color":"61DD50"}],"number":724,"title":"[Intel]: https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/"} diff --git a/intel/LM765.json b/intel/LM765.json index b88ab6c9..09064e81 100644 --- a/intel/LM765.json +++ b/intel/LM765.json @@ -1 +1 @@ -{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nBreach reports\r\n\r\n### Parent threat\r\n\r\nInitial Access\r\n\r\n### Finding\r\n\r\nhttps://www.freedownloadmanager.org/blog/?p=664\r\n\r\n### Industry reference\r\n\r\nhttps://github.com/timb-machine/linux-malware/issues/766\r\n\r\n### Malware reference\r\n\r\n_No response_\r\n\r\n### Actor reference\r\n\r\n_No response_\r\n\r\n### Component\r\n\r\nLinux\r\n\r\n### Scenario\r\n\r\n_No response_","closed":false,"createdAt":"2024-01-09T21:39:55Z","labels":[{"id":"LA_kwDOFx8IA87xeZo8","name":"new","description":"","color":"fbca04"}],"number":765,"title":"[Intel]: https://www.freedownloadmanager.org/blog/?p=664"} +{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nBreach reports\r\n\r\n### Parent threat\r\n\r\nInitial Access, Credential Access\r\n\r\n### Finding\r\n\r\nhttps://www.freedownloadmanager.org/blog/?p=664\r\n\r\n### Industry reference\r\n\r\nhttps://github.com/timb-machine/linux-malware/issues/766\r\nFree Download Manager\r\nhttps://github.com/timb-machine/linux-malware/issues/816\r\n\r\n### Malware reference\r\n\r\nwltm\r\n\r\n### Actor reference\r\n\r\n_No response_\r\n\r\n### Component\r\n\r\nLinux\r\n\r\n### Scenario\r\n\r\n_No response_","closed":false,"createdAt":"2024-01-09T21:39:55Z","labels":[{"id":"LA_kwDOFx8IA87xeTYe","name":"confirmed","description":"","color":"61DD50"}],"number":765,"title":"[Intel]: https://www.freedownloadmanager.org/blog/?p=664"} 
diff --git a/intel/LM766.json b/intel/LM766.json index 9d74320e..1ea6e67f 100644 --- a/intel/LM766.json +++ b/intel/LM766.json @@ -1 +1 @@ -{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\n\nBreach reports\n\n### Parent threat\n\nInitial Access\n\n### Finding\n\nhttp://securelist.com/backdoored-free-download-manager-linux-malware/110465/\n\n### Industry reference\n\nhttps://github.com/timb-machine/linux-malware/issues/765\n\n### Malware reference\n\n_No response_\n\n### Actor reference\n\n_No response_\n\n### Component\n\nLinux\n\n### Scenario\n\n_No response_","closed":false,"createdAt":"2024-01-09T21:41:59Z","labels":[{"id":"LA_kwDOFx8IA87xeZo8","name":"new","description":"","color":"fbca04"}],"number":766,"title":"[Intel]: http://securelist.com/backdoored-free-download-manager-linux-malware/110465/"} +{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nBreach reports\r\n\r\n### Parent threat\r\n\r\nInitial Access, Credential Access, Collection, Command and Control\r\n\r\n### Finding\r\n\r\nhttp://securelist.com/backdoored-free-download-manager-linux-malware/110465/\r\n\r\n### Industry reference\r\n\r\nhttps://github.com/timb-machine/linux-malware/issues/765\r\nFree Download Manager\r\nhttps://github.com/timb-machine/linux-malware/issues/816\r\nattack:T1071.004:DNS\r\nattack:T1105:Ingress Tool Transfer\r\nattack:T1560.001:Archive via Utility\r\n\r\n### Malware reference\r\n\r\nwltm\r\n\r\n### Actor reference\r\n\r\n_No response_\r\n\r\n### Component\r\n\r\nLinux\r\n\r\n### Scenario\r\n\r\n_No response_","closed":false,"createdAt":"2024-01-09T21:41:59Z","labels":[{"id":"LA_kwDOFx8IA87xeTYe","name":"confirmed","description":"","color":"61DD50"}],"number":766,"title":"[Intel]: http://securelist.com/backdoored-free-download-manager-linux-malware/110465/"} diff --git a/intel/LM777.json b/intel/LM777.json index 0b3adb64..7b10b52b 100644 
--- a/intel/LM777.json +++ b/intel/LM777.json 
@@ -1 +1 @@ -{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\n\nMalware PoCs\n\n### Parent threat\n\nPersistence, Privilege Escalation, Defense Evasion, Command and Control\n\n### Finding\n\nhttps://github.com/R3tr074/brokepkg\n\n### Industry reference\n\nuses:ProcessTreeSpoofing\nuses:AbnormalSignal\r\nuses:TamperCredStruct\r\nuses:HiddenPort\r\nattack:T1547.006:Kernel Modules and Extensions\r\nattack:T1564.001:Hidden Files and Directories\r\nattack:T1573:Encrypted Channel\r\nattack:T1205:Traffic Signaling\n\n### Malware reference\n\nBrokePkg\n\n### Actor reference\n\n_No response_\n\n### Component\n\nLinux\n\n### Scenario\n\n_No response_","closed":false,"createdAt":"2024-01-17T23:39:03Z","labels":[{"id":"LA_kwDOFx8IA87xeZo8","name":"new","description":"","color":"fbca04"},{"id":"LA_kwDOFx8IA88AAAABIIpG2w","name":"missing:tag:T1005","description":"","color":"0E8A16"},{"id":"LA_kwDOFx8IA88AAAABIIpHQQ","name":"missing:tag:T1048","description":"","color":"FBCA04"},{"id":"LA_kwDOFx8IA88AAAABIIpJtA","name":"missing:tag:T1071.001","description":"","color":"FEF2C0"},{"id":"LA_kwDOFx8IA88AAAABIIpLIQ","name":"missing:tag:T1491","description":"","color":"1D76DB"},{"id":"LA_kwDOFx8IA88AAAABIIpMvQ","name":"missing:tag:T1567","description":"","color":"FEF2C0"},{"id":"LA_kwDOFx8IA88AAAABIIpNVg","name":"missing:tag:T1573","description":"","color":"006B75"},{"id":"LA_kwDOFx8IA88AAAABIIqpBQ","name":"missing:tag:T1548.003","description":"","color":"0052CC"}],"number":777,"title":"[Intel]: https://github.com/R3tr074/brokepkg"} +{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nMalware PoCs\r\n\r\n### Parent threat\r\n\r\nPersistence, Privilege Escalation, Defense Evasion, Command and Control\r\n\r\n### Finding\r\n\r\nhttps://github.com/R3tr074/brokepkg\r\n\r\n### Industry 
reference\r\n\r\nuses:ProcessTreeSpoofing\r\nuses:AbnormalSignal\r\nuses:TamperCredStruct\r\nuses:PortHiding\r\nattack:T1547.006:Kernel Modules and Extensions\r\nattack:T1564.001:Hidden Files and Directories\r\nattack:T1573:Encrypted Channel\r\nattack:T1205:Traffic Signaling\r\n\r\n### Malware reference\r\n\r\nBrokePkg\r\n\r\n### Actor reference\r\n\r\n_No response_\r\n\r\n### Component\r\n\r\nLinux\r\n\r\n### Scenario\r\n\r\n_No response_","closed":false,"createdAt":"2024-01-17T23:39:03Z","labels":[{"id":"LA_kwDOFx8IA87xeZo8","name":"new","description":"","color":"fbca04"},{"id":"LA_kwDOFx8IA88AAAABIIpG2w","name":"missing:tag:T1005","description":"","color":"0E8A16"},{"id":"LA_kwDOFx8IA88AAAABIIpHQQ","name":"missing:tag:T1048","description":"","color":"FBCA04"},{"id":"LA_kwDOFx8IA88AAAABIIpJtA","name":"missing:tag:T1071.001","description":"","color":"FEF2C0"},{"id":"LA_kwDOFx8IA88AAAABIIpLIQ","name":"missing:tag:T1491","description":"","color":"1D76DB"},{"id":"LA_kwDOFx8IA88AAAABIIpMvQ","name":"missing:tag:T1567","description":"","color":"FEF2C0"},{"id":"LA_kwDOFx8IA88AAAABIIpNVg","name":"missing:tag:T1573","description":"","color":"006B75"},{"id":"LA_kwDOFx8IA88AAAABIIqpBQ","name":"missing:tag:T1548.003","description":"","color":"0052CC"}],"number":777,"title":"[Intel]: https://github.com/R3tr074/brokepkg"} diff --git a/intel/LM779.json b/intel/LM779.json index 8ecc1b81..a9e0d6e5 100644 --- a/intel/LM779.json +++ b/intel/LM779.json 
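Review bot: `uses:HiddenPort` is renamed to `uses:PortHiding` in the Industry reference, but the `uses:` vocabulary is free text in these records, so any other record still tagged `uses:HiddenPort` would now split the same behaviour across two tags. If `PortHiding` is meant to be the canonical form, the other `intel/*.json` records should be checked for the old spelling in the same commit, or a list of accepted `uses:` values kept in the repository so tooling that aggregates these tags can flag unknown ones.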
@@ -1 +1 @@ -{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\n\nDefensive tools\n\n### Parent threat\n\nDefense Evasion\n\n### Finding\n\nhttps://github.com/Achiefs/fim\n\n### Industry reference\n\n_No response_\n\n### Malware reference\n\n_No response_\n\n### Actor reference\n\n_No response_\n\n### Component\n\nLinux\n\n### Scenario\n\n_No response_","closed":false,"createdAt":"2024-01-18T00:05:36Z","labels":[{"id":"LA_kwDOFx8IA87xeZo8","name":"new","description":"","color":"fbca04"},{"id":"LA_kwDOFx8IA88AAAABIIpG2w","name":"missing:tag:T1005","description":"","color":"0E8A16"},{"id":"LA_kwDOFx8IA88AAAABIIpHQQ","name":"missing:tag:T1048","description":"","color":"FBCA04"},{"id":"LA_kwDOFx8IA88AAAABIIpJtA","name":"missing:tag:T1071.001","description":"","color":"FEF2C0"},{"id":"LA_kwDOFx8IA88AAAABIIpMvQ","name":"missing:tag:T1567","description":"","color":"FEF2C0"},{"id":"LA_kwDOFx8IA88AAAABIIpNVg","name":"missing:tag:T1573","description":"","color":"006B75"},{"id":"LA_kwDOFx8IA88AAAABIIpNsg","name":"missing:tag:T1590","description":"","color":"FEF2C0"}],"number":779,"title":"[Intel]: https://github.com/Achiefs/fim"} +{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nDefensive tools\r\n\r\n### Parent threat\r\n\r\nCredential Access, Defense Evasion, Persistence\r\n\r\n### Finding\r\n\r\nhttps://github.com/Achiefs/fim\r\n\r\n### Industry reference\r\n\r\nattack:T1556.003:Pluggable Authentication Modules\r\nattack:T1562.012:Disable or Modify Linux Audit System\r\nattack:T1601:Modify System Image\r\n\r\n### Malware reference\r\n\r\n_No response_\r\n\r\n### Actor reference\r\n\r\n_No response_\r\n\r\n### Component\r\n\r\nLinux\r\n\r\n### Scenario\r\n\r\n_No 
response_","closed":false,"createdAt":"2024-01-18T00:05:36Z","labels":[{"id":"LA_kwDOFx8IA87xeZo8","name":"new","description":"","color":"fbca04"},{"id":"LA_kwDOFx8IA88AAAABIIpG-Q","name":"ignore:tag:T1005","description":"","color":"0E8A16"},{"id":"LA_kwDOFx8IA88AAAABIIpHVw","name":"ignore:tag:T1048","description":"","color":"1D76DB"},{"id":"LA_kwDOFx8IA88AAAABIIpJ0w","name":"ignore:tag:T1071.001","description":"","color":"F9D0C4"},{"id":"LA_kwDOFx8IA88AAAABIIpM2Q","name":"ignore:tag:T1567","description":"","color":"0E8A16"},{"id":"LA_kwDOFx8IA88AAAABIIpNXQ","name":"ignore:tag:T1573","description":"","color":"C2E0C6"},{"id":"LA_kwDOFx8IA88AAAABIIpNyQ","name":"ignore:tag:T1590","description":"","color":"C5DEF5"}],"number":779,"title":"[Intel]: https://github.com/Achiefs/fim"} diff --git a/intel/LM785.json b/intel/LM785.json index fec57f36..40f91e31 100644 --- a/intel/LM785.json +++ b/intel/LM785.json 
@@ -1 +1 @@ -{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\n\nMalware reports\n\n### Parent threat\n\nImpact\n\n### Finding\n\nhttps://twitter.com/Unit42_Intel/status/1653760405792014336\n\n### Industry reference\n\nattack:T1486:Data Encrypted for Impact\n\n### Malware reference\n\nwltm\r\nBlackSuite\n\n### Actor reference\n\n_No response_\n\n### Component\n\nLinux\n\n### Scenario\n\n_No response_","closed":false,"createdAt":"2024-01-30T00:35:56Z","labels":[{"id":"LA_kwDOFx8IA87xeTYe","name":"confirmed","description":"","color":"61DD50"}],"number":785,"title":"[Intel]: https://twitter.com/Unit42_Intel/status/1653760405792014336"} +{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\n\nMalware reports\n\n### Parent threat\n\nImpact\n\n### Finding\n\nhttps://twitter.com/Unit42_Intel/status/1653760405792014336\n\n### Industry reference\n\nattack:T1486:Data Encrypted for Impact\n\n### Malware reference\n\nwltm\r\nBlackSuite\n\n### Actor reference\n\n_No response_\n\n### Component\n\nLinux\n\n### Scenario\n\n_No response_","closed":true,"createdAt":"2024-01-30T00:35:56Z","labels":[{"id":"MDU6TGFiZWwzMTg1ODY3NTgy","name":"duplicate","description":"This issue or pull request already exists","color":"cfd3d7"}],"number":785,"title":"[Intel]: https://twitter.com/Unit42_Intel/status/1653760405792014336"} diff --git a/intel/LM787.json b/intel/LM787.json index d56a2098..6c335dae 100644 --- a/intel/LM787.json +++ b/intel/LM787.json 
@@ -1 +1 @@ -{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\n\nSupply chain attacks\n\n### Parent threat\n\nInitial Access, Discovery, Command and Control\n\n### Finding\n\nhttps://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/\n\n### Industry reference\n\nuses:npm\r\nattack:T1195.001:Compromise Software Dependencies and Development Tools\r\nattack:T1082:System Information Discovery\n\n### Malware reference\n\n_No response_\n\n### Actor reference\n\n_No response_\n\n### Component\n\nLinux\n\n### Scenario\n\n_No response_","closed":false,"createdAt":"2024-01-30T00:56:51Z","labels":[{"id":"LA_kwDOFx8IA87xeTYe","name":"confirmed","description":"","color":"61DD50"}],"number":787,"title":"[Intel]: https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/"} +{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nSupply chain attacks\r\n\r\n### Parent threat\r\n\r\nInitial Access, Discovery, Command and Control\r\n\r\n### Finding\r\n\r\nhttps://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/\r\n\r\n### Industry reference\r\n\r\ndelivery:NPM\r\nattack:T1195.001:Compromise Software Dependencies and Development Tools\r\nattack:T1082:System Information Discovery\r\n\r\n### Malware reference\r\n\r\n_No response_\r\n\r\n### Actor reference\r\n\r\n_No response_\r\n\r\n### Component\r\n\r\nLinux\r\n\r\n### Scenario\r\n\r\n_No response_","closed":false,"createdAt":"2024-01-30T00:56:51Z","labels":[{"id":"LA_kwDOFx8IA87xeTYe","name":"confirmed","description":"","color":"61DD50"}],"number":787,"title":"[Intel]: https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/"} diff --git a/intel/LM792.json b/intel/LM792.json index 7ff743bd..5d13e06d 100644 --- a/intel/LM792.json +++ b/intel/LM792.json 
@@ -1 +1 @@ -{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nMalware reports\r\n\r\n### Parent threat\r\n\r\nImpact\r\n\r\n### Finding\r\n\r\nhttps://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group\r\n\r\n### Industry reference\r\n\r\nattack:T1486:Data Encrypted for Impact\r\n\r\n### Malware reference\r\n\r\nNight Sky\r\nCheerscrypt\r\n\r\n### Actor reference\r\n\r\nEmperor Dragonfly\r\nBronze Starlight\r\n\r\n### Component\r\n\r\nLinux, VMware\r\n\r\n### Scenario\r\n\r\n_No response_","closed":false,"createdAt":"2024-01-30T10:36:21Z","labels":[{"id":"LA_kwDOFx8IA87xeTYe","name":"confirmed","description":"","color":"61DD50"}],"number":792,"title":"[Intel]: https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group"} +{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nMalware reports\r\n\r\n### Parent threat\r\n\r\nImpact\r\n\r\n### Finding\r\n\r\nhttps://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group\r\n\r\n### Industry reference\r\n\r\nattack:T1486:Data Encrypted for Impact\r\n\r\n### Malware reference\r\n\r\nNight Sky\r\nCheerscrypt\r\n\r\n### Actor reference\r\n\r\nEmperor Dragonfly\r\nBronze Starlight\r\n\r\n### Component\r\n\r\nLinux, VMware\r\n\r\n### Scenario\r\n\r\n_No response_","closed":true,"createdAt":"2024-01-30T10:36:21Z","labels":[{"id":"MDU6TGFiZWwzMTg1ODY3NTgy","name":"duplicate","description":"This issue or pull request already exists","color":"cfd3d7"}],"number":792,"title":"[Intel]: https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group"} diff --git a/intel/LM793.json b/intel/LM793.json index 2f0a3dfd..3933851b 100644 --- a/intel/LM793.json +++ b/intel/LM793.json 
@@ -1 +1 @@ -{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\n\nOffensive tools\n\n### Parent threat\n\nDefense Evasion\n\n### Finding\n\nhttps://github.com/dsnezhkov/zombieant\n\n### Industry reference\n\nattack:T1562:Impair Defenses\n\n### Malware reference\n\n_No response_\n\n### Actor reference\n\n_No response_\n\n### Component\n\nLinux\n\n### Scenario\n\n_No response_","closed":false,"createdAt":"2024-01-31T22:17:12Z","labels":[{"id":"LA_kwDOFx8IA87xeZo8","name":"new","description":"","color":"fbca04"},{"id":"LA_kwDOFx8IA88AAAABIIpG2w","name":"missing:tag:T1005","description":"","color":"0E8A16"},{"id":"LA_kwDOFx8IA88AAAABIIpHQQ","name":"missing:tag:T1048","description":"","color":"FBCA04"},{"id":"LA_kwDOFx8IA88AAAABIIpJtA","name":"missing:tag:T1071.001","description":"","color":"FEF2C0"},{"id":"LA_kwDOFx8IA88AAAABIIpMvQ","name":"missing:tag:T1567","description":"","color":"FEF2C0"},{"id":"LA_kwDOFx8IA88AAAABIIpNVg","name":"missing:tag:T1573","description":"","color":"006B75"}],"number":793,"title":"[Intel]: https://github.com/dsnezhkov/zombieant"} +{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nOffensive tools\r\n\r\n### Parent threat\r\n\r\nPersistence, Privilege Escalation, Defense Evasion\r\n\r\n### Finding\r\n\r\nhttps://github.com/dsnezhkov/zombieant\r\n\r\n### Industry reference\r\n\r\nattack:T1562:Impair Defenses\r\nattack:T1574.006:Dynamic Linker Hijacking\r\n\r\n### Malware reference\r\n\r\n_No response_\r\n\r\n### Actor reference\r\n\r\n_No response_\r\n\r\n### Component\r\n\r\nLinux\r\n\r\n### Scenario\r\n\r\n_No 
response_","closed":false,"createdAt":"2024-01-31T22:17:12Z","labels":[{"id":"LA_kwDOFx8IA87xeTYe","name":"confirmed","description":"","color":"61DD50"},{"id":"LA_kwDOFx8IA88AAAABIIpG-Q","name":"ignore:tag:T1005","description":"","color":"0E8A16"},{"id":"LA_kwDOFx8IA88AAAABIIpHQQ","name":"missing:tag:T1048","description":"","color":"FBCA04"},{"id":"LA_kwDOFx8IA88AAAABIIpJtA","name":"missing:tag:T1071.001","description":"","color":"FEF2C0"},{"id":"LA_kwDOFx8IA88AAAABIIpMvQ","name":"missing:tag:T1567","description":"","color":"FEF2C0"},{"id":"LA_kwDOFx8IA88AAAABIIpNVg","name":"missing:tag:T1573","description":"","color":"006B75"},{"id":"LA_kwDOFx8IA88AAAAB08ao3Q","name":"triage","description":"Automated analysis performed","color":"eeeeee"}],"number":793,"title":"[Intel]: https://github.com/dsnezhkov/zombieant"} diff --git a/intel/LM799.json b/intel/LM799.json index 269a2010..12d9f83e 100644 --- a/intel/LM799.json +++ b/intel/LM799.json 
@@ -1 +1 @@ -{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\n\nBreach reports\n\n### Parent threat\n\nPersistence\n\n### Finding\n\nhttps://github.com/mttaggart/I-S00N\n\n### Industry reference\n\n_No response_\n\n### Malware reference\n\nReptile\n\n### Actor reference\n\nAPT41\n\n### Component\n\nLinux, AIX, Solaris, HP-UX\n\n### Scenario\n\n_No response_","closed":false,"createdAt":"2024-02-24T01:01:06Z","labels":[{"id":"LA_kwDOFx8IA87xeZo8","name":"new","description":"","color":"fbca04"}],"number":799,"title":"[Intel]: https://github.com/mttaggart/I-S00N"} +{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nBreach reports\r\n\r\n### Parent threat\r\n\r\nPersistence\r\n\r\n### Finding\r\n\r\nhttps://bitbucket.org/workspacespain/i-s00n-translated\r\n\r\n### Industry reference\r\n\r\nuses:Leak\r\nuses:Blocklisted\r\n\r\n### Malware reference\r\n\r\nReptile\r\n\r\n### Actor reference\r\n\r\nAPT41\r\n\r\n### Component\r\n\r\nLinux, AIX, Solaris, HP-UX\r\n\r\n### Scenario\r\n\r\n_No response_","closed":false,"createdAt":"2024-02-24T01:01:06Z","labels":[{"id":"LA_kwDOFx8IA87xeTYe","name":"confirmed","description":"","color":"61DD50"}],"number":799,"title":"[Intel]: https://bitbucket.org/workspacespain/i-s00n-translated"} diff --git a/intel/LM802.json b/intel/LM802.json index 114d39a6..3d33a4e3 100644 --- a/intel/LM802.json +++ b/intel/LM802.json 
@@ -1 +1 @@ -{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\n\nMalware source\n\n### Parent threat\n\nDefense Evasion, Command and Control\n\n### Finding\n\nhttps://pastebin.com/kmmJuuQP\n\n### Industry reference\n\nattack:T1205.002:Socket Filters\r\nattack:T1205:Traffic Signaling\r\nuses:BPF\r\nuses:Non-persistentStorage\r\nuses:ProcessTreeSpoofing\n\n### Malware reference\n\nBPFDoor\r\n[/malware/binaries/BPFDoor](https://github.com/timb-machine/linux-malware/tree/main/malware/binaries/BPFDoor)\r\nUnix.Backdoor.RedMenshen\n\n### Actor reference\n\n_No response_\n\n### Component\n\nLinux\n\n### Scenario\n\n_No response_","closed":false,"createdAt":"2024-02-24T19:26:28Z","labels":[{"id":"LA_kwDOFx8IA87xeTYe","name":"confirmed","description":"","color":"61DD50"}],"number":802,"title":"[Intel]: https://pastebin.com/kmmJuuQP"} +{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nMalware source\r\n\r\n### Parent threat\r\n\r\nDefense Evasion, Command and Control\r\n\r\n### Finding\r\n\r\nhttps://pastebin.com/kmmJuuQP\r\n\r\n### Industry reference\r\n\r\nattack:T1205.002:Socket Filters\r\nattack:T1205:Traffic Signaling\r\nuses:BPF\r\nuses:Non-persistentStorage\r\nuses:ProcessTreeSpoofing\r\n\r\n### Malware reference\r\n\r\nBPFDoor\r\n[/malware/binaries/BPFDoor](../tree/main/malware/binaries/BPFDoor)\r\nUnix.Backdoor.RedMenshen\r\n\r\n### Actor reference\r\n\r\n_No response_\r\n\r\n### Component\r\n\r\nLinux\r\n\r\n### Scenario\r\n\r\n_No response_","closed":false,"createdAt":"2024-02-24T19:26:28Z","labels":[{"id":"LA_kwDOFx8IA87xeTYe","name":"confirmed","description":"","color":"61DD50"}],"number":802,"title":"[Intel]: https://pastebin.com/kmmJuuQP"} diff --git a/intel/LM803.json b/intel/LM803.json index c5755abf..7d909dd1 100644 --- a/intel/LM803.json +++ b/intel/LM803.json 
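Review bot: The BPFDoor sample link changes from the absolute `https://github.com/timb-machine/linux-malware/tree/main/malware/binaries/BPFDoor` to the relative `../tree/main/malware/binaries/BPFDoor`, and the same change is made in LM803. A relative path of that form only resolves correctly when the body is rendered from the issue's own page; anything that consumes `intel/*.json` and renders the body elsewhere (a generated report, a mirror, a feed) is likely to end up with a broken link. Keeping the absolute URL in the stored record, or resolving relative links at render time, avoids that; if the intent is to make the repository relocatable, the base URL belongs in one place rather than in each issue body.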
@@ -1 +1 @@
-{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\n\nMalware reports\n\n### Parent threat\n\nDefense Evasion\n\n### Finding\n\nhttps://unfinished.bike/fun-with-the-new-bpfdoor-2023\n\n### Industry reference\n\nattack:T1205.002:Socket Filters\r\nattack:T1205:Traffic Signaling\r\nuses:BPF\r\nuses:Non-persistentStorage\r\nattack:T1070.006:Timestomp\r\nattack:T1070.004:File Deletion\n\n### Malware reference\n\nBPFDoor\r\n[/malware/binaries/BPFDoor](https://github.com/timb-machine/linux-malware/tree/main/malware/binaries/BPFDoor)\r\nwltm\n\n### Actor reference\n\n_No response_\n\n### Component\n\nLinux\n\n### Scenario\n\n_No response_","closed":false,"createdAt":"2024-02-25T15:12:21Z","labels":[{"id":"LA_kwDOFx8IA87xeTYe","name":"confirmed","description":"","color":"61DD50"}],"number":803,"title":"[Intel]: https://unfinished.bike/fun-with-the-new-bpfdoor-2023"}
+{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nMalware reports\r\n\r\n### Parent threat\r\n\r\nDefense Evasion\r\n\r\n### Finding\r\n\r\nhttps://unfinished.bike/fun-with-the-new-bpfdoor-2023\r\n\r\n### Industry reference\r\n\r\nattack:T1205.002:Socket Filters\r\nattack:T1205:Traffic Signaling\r\nuses:BPF\r\nuses:Non-persistentStorage\r\nattack:T1070.006:Timestomp\r\nattack:T1070.004:File Deletion\r\n\r\n### Malware reference\r\n\r\nBPFDoor\r\n[/malware/binaries/BPFDoor](../tree/main/malware/binaries/BPFDoor)\r\nwltm\r\n\r\n### Actor reference\r\n\r\n_No response_\r\n\r\n### Component\r\n\r\nLinux\r\n\r\n### Scenario\r\n\r\n_No response_","closed":false,"createdAt":"2024-02-25T15:12:21Z","labels":[{"id":"LA_kwDOFx8IA87xeTYe","name":"confirmed","description":"","color":"61DD50"}],"number":803,"title":"[Intel]: https://unfinished.bike/fun-with-the-new-bpfdoor-2023"}
diff --git a/intel/LM808.json b/intel/LM808.json
new file mode 100644
index 00000000..f63ea763
--- /dev/null
+++ b/intel/LM808.json
@@ -0,0 +1 @@
+{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nMalware reports\r\n\r\n### Parent threat\r\n\r\nExecution, Persistence, Discovery, Collection, Command and Control, Exfiltration\r\n\r\n### Finding\r\n\r\nhttps://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf\r\n\r\n### Industry reference\r\n\r\nattack:T1574.006:Dynamic Linker\r\nattack:T1059.004:Unix Shell\r\nattack:T1053.003:Cron\r\nattack:T1559:Inter-Process Communication\r\nattack:T1205.001:Port Knocking\r\nattack:T1001.003:Protocol Impersonation\r\nattack:T1573.002:Asymmetric Cryptography\r\nattack:T1572:Protocol Tunneling\r\nattack:T1560.002:Archive via Library\r\nattack:T1041:Exfiltration Over C2 Channel\r\nattack:T1005:Data from Local System\r\nattack:T1124:System Time Discovery\r\nattack:T1518:Software Discovery\r\nattack:T1071.Application Layer Protocol\r\nuses:BPF\r\nuses:Non-persistentStorage\r\n\r\n### Malware reference\r\n\r\nPygmy Goat\r\nEarthWorm\r\nEarthwrom\r\nwltm\r\n\r\n### Actor reference\r\n\r\n_No response_\r\n\r\n### Component\r\n\r\nLinux\r\n\r\n### Scenario\r\n\r\nEnterprise with satellite 
facilities","closed":false,"createdAt":"2024-12-06T00:35:16Z","labels":[{"id":"LA_kwDOFx8IA88AAAABIIpG2w","name":"missing:tag:T1005","description":"","color":"0E8A16"},{"id":"LA_kwDOFx8IA88AAAABIIpJBQ","name":"ignore:tag:T1070.004","description":"","color":"0E8A16"},{"id":"LA_kwDOFx8IA88AAAABIIpKUQ","name":"ignore:tag:T1083","description":"","color":"E99695"},{"id":"LA_kwDOFx8IA88AAAABIIpLPA","name":"ignore:tag:T1491","description":"","color":"E99695"},{"id":"LA_kwDOFx8IA88AAAABIIpLvg","name":"ignore:tag:T1546.004","description":"","color":"0E8A16"},{"id":"LA_kwDOFx8IA88AAAABIIpNyQ","name":"ignore:tag:T1590","description":"","color":"C5DEF5"},{"id":"LA_kwDOFx8IA88AAAABIIpPNg","name":"ignore:tag:T1027.002","description":"","color":"BFDADC"},{"id":"LA_kwDOFx8IA88AAAABIIpQDA","name":"ignore:tag:T1053.003","description":"","color":"BFD4F2"},{"id":"LA_kwDOFx8IA88AAAABIIpTBQ","name":"missing:tag:Non-persistentStorage","description":"","color":"C2E0C6"},{"id":"LA_kwDOFx8IA88AAAABIIqBDg","name":"ignore:tag:T1098.004","description":"","color":"BFD4F2"},{"id":"LA_kwDOFx8IA88AAAABIIqG3Q","name":"missing:tag:T1574.006","description":"","color":"FBCA04"},{"id":"LA_kwDOFx8IA88AAAABIIsqlw","name":"ignore:tag:T1021.004","description":"","color":"0E8A16"},{"id":"LA_kwDOFx8IA88AAAABIIyEcA","name":"ignore:tag:T1552.004","description":"","color":"D93F0B"},{"id":"LA_kwDOFx8IA88AAAABS-M7DQ","name":"missing:tag:wltm","description":"","color":"0052CC"}],"number":808,"title":"[Intel]: https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf"}
diff --git a/intel/LM809.json b/intel/LM809.json
new file mode 100644
index 00000000..b944ffea
--- /dev/null
+++ b/intel/LM809.json
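Review bot: The tag `attack:T1071.Application Layer Protocol` in the Industry reference list of the new LM808.json uses a dot where every other tag in this body, and the same technique in LM810.json, uses the `attack:<id>:<name>` form, so anything splitting on the second colon will take `T1071.Application Layer Protocol` as the technique id and the technique will not be indexed; it should read `attack:T1071:Application Layer Protocol`. The Malware reference list also carries both `EarthWorm` and `Earthwrom`; if the second is a misspelling rather than a deliberately recorded alias it should be corrected or dropped, since it would otherwise appear as a separate malware name in any generated index.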
@@ -0,0 +1 @@
+{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\n\nMalware reports\n\n### Parent threat\n\nInitial Access, Execution, Persistence, Privilege Escalation, Credential Access, Discovery, Command and Control\n\n### Finding\n\nhttps://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/\n\n### Industry reference\n\n_No response_\n\n### Malware reference\n\n_No response_\n\n### Actor reference\n\n_No response_\n\n### Component\n\nAIX\n\n### Scenario\n\nInternal enterprise services","closed":false,"createdAt":"2024-12-06T09:05:29Z","labels":[{"id":"LA_kwDOFx8IA87xeTYe","name":"confirmed","description":"","color":"61DD50"}],"number":809,"title":"[Intel]: https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/"}
diff --git a/intel/LM810.json b/intel/LM810.json
new file mode 100644
index 00000000..4abb99e1
--- /dev/null
+++ b/intel/LM810.json
@@ -0,0 +1 @@
+{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\n\nMalware reports\n\n### Parent threat\n\nCommand and Control\n\n### Finding\n\nhttps://x.com/haxrob/status/1762821513680732222\n\n### Industry reference\n\nattack:T1071:Application Layer Protocol\r\nattack:T1572:Protocol Tunneling\n\n### Malware reference\n\nGTPDOOR\r\nwltm\n\n### Actor reference\n\n_No response_\n\n### Component\n\nLinux, Telecomms\n\n### Scenario\n\nInternal specialist services","closed":false,"createdAt":"2024-12-06T09:14:47Z","labels":[{"id":"LA_kwDOFx8IA87xeZo8","name":"new","description":"","color":"fbca04"}],"number":810,"title":"[Intel]: https://x.com/haxrob/status/1762821513680732222"}
diff --git a/intel/LM811.json b/intel/LM811.json
new file mode 100644
index 00000000..0cf586e6
--- /dev/null
+++ b/intel/LM811.json
@@ -0,0 +1 @@
+{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\n\nDefensive tools\n\n### Parent threat\n\nExecution, Persistence, Privilege Escalation, Defense Evasion\n\n### Finding\n\nhttps://github.com/stratosphereips/StratosphereLinuxIPS\n\n### Industry reference\n\n_No response_\n\n### Malware reference\n\n_No response_\n\n### Actor reference\n\n_No response_\n\n### Component\n\nLinux\n\n### Scenario\n\n_No response_","closed":false,"createdAt":"2024-12-06T09:19:59Z","labels":[{"id":"LA_kwDOFx8IA87xeZo8","name":"new","description":"","color":"fbca04"},{"id":"LA_kwDOFx8IA88AAAABGKCsrQ","name":"missing:submodule","description":"","color":"fef2c0"}],"number":811,"title":"[Intel]: https://github.com/stratosphereips/StratosphereLinuxIPS"}
diff --git a/intel/LM812.json b/intel/LM812.json
new file mode 100644
index 00000000..d658c21d
--- /dev/null
+++ b/intel/LM812.json
@@ -0,0 +1 @@
+{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\n\nOffensive tools\n\n### Parent threat\n\nReconnaissance, Initial Access, Execution, Persistence, Privilege Escalation, Discovery, Collection, Command and Control\n\n### Finding\n\nhttps://github.com/grisuno/LazyOwn\n\n### Industry reference\n\n_No response_\n\n### Malware reference\n\n_No response_\n\n### Actor reference\n\n_No response_\n\n### Component\n\nLinux\n\n### Scenario\n\n_No response_","closed":false,"createdAt":"2024-12-06T09:22:34Z","labels":[{"id":"LA_kwDOFx8IA87xeZo8","name":"new","description":"","color":"fbca04"},{"id":"LA_kwDOFx8IA88AAAABGKCsrQ","name":"missing:submodule","description":"","color":"fef2c0"}],"number":812,"title":"[Intel]: https://github.com/grisuno/LazyOwn"}
diff --git a/intel/LM813.json b/intel/LM813.json
new file mode 100644
index 00000000..d808feca
--- /dev/null
+++ b/intel/LM813.json
@@ -0,0 +1 @@
+{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nSupply chain attacks\r\n\r\n### Parent threat\r\n\r\nCredential Access\r\n\r\n### Finding\r\n\r\nhttps://github.com/SecurityFail/kompromat\r\n\r\n### Industry reference\r\n\r\nattack:T1552.004:Private Keys\r\n\r\n### Malware reference\r\n\r\n_No response_\r\n\r\n### Actor reference\r\n\r\n_No response_\r\n\r\n### Component\r\n\r\nLinux, HP-UX, AIX, Solaris\r\n\r\n### Scenario\r\n\r\nInternal specialist services","closed":false,"createdAt":"2024-12-06T09:25:20Z","labels":[{"id":"LA_kwDOFx8IA88AAAABGKCsrQ","name":"missing:submodule","description":"","color":"fef2c0"}],"number":813,"title":"[Intel]: https://github.com/SecurityFail/kompromat"}
diff --git a/intel/LM814.json b/intel/LM814.json
new file mode 100644
index 00000000..0015f98b
--- /dev/null
+++ b/intel/LM814.json
@@ -0,0 +1 @@
+{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nMalware reports\r\n\r\n### Parent threat\r\n\r\nResource Development, Initial Access, Execution, Persistence, Defense Evasion\r\n\r\n### Finding\r\n\r\nhttps://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware\r\n\r\n### Industry reference\r\n\r\nuses:Non-persistentStorage\r\nuses:FakeExploit\r\nattack:T1588:Obtain Capabilities\r\nattack:T1608:Stage Capabilities\r\nattack:T1585:Establish Accounts\r\nattack:T1583.008:Malvertising\r\nattack:T1036:Masquerading\r\nattack:T1037.004:RC Scripts\r\nattack:T1098.004: SSH Authorized Keys\r\nexploit:CVE-2023-35829\r\n\r\n### Malware reference\r\n\r\nhttps://github.com/timb-machine/linux-malware/issues/710\r\nhttps://github.com/timb-machine/linux-malware/issues/711\r\nhttps://github.com/timb-machine/linux-malware/issues/724\r\n\r\n### Actor reference\r\n\r\n_No response_\r\n\r\n### Component\r\n\r\nLinux\r\n\r\n### Scenario\r\n\r\n_No response_","closed":false,"createdAt":"2024-12-06T09:36:50Z","labels":[{"id":"LA_kwDOFx8IA87xeTYe","name":"confirmed","description":"","color":"61DD50"}],"number":814,"title":"[Intel]: https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware"}
diff --git a/intel/LM815.json b/intel/LM815.json
new file mode 100644
index 00000000..ef367784
--- /dev/null
+++ b/intel/LM815.json
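Review bot: `attack:T1098.004: SSH Authorized Keys` in the Industry reference list of the new LM814.json has a space after the second colon, unlike every other `attack:` tag in this body and in the sibling records, so a generator that splits on the colon would carry a leading space into the technique name and could fail to match it against the other occurrences of the same technique; `attack:T1098.004:SSH Authorized Keys` matches the rest.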
@@ -0,0 +1 @@
+{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\n\nMalware reports\n\n### Parent threat\n\nPersistence, Privilege Escalation, Defense Evasion, Impact\n\n### Finding\n\nhttps://haxrob.net/fastcash-for-linux/\n\n### Industry reference\n\nattack:T1565.002:Transmitted Data Manipulation\r\nattack:T1055:Process Injection\r\nattack:T1055.009:Proc Memory\r\nattack:T1564.001:Hidden Files and Directories\r\nattack:T1574:Hijack Execution Flow\r\nattack:T1567:Financial Theft\r\nattack:T1027.002:Software Packing\r\nuses:Non-persistentStorage\r\nattack:T1027.013:Encrypted/Encoded File\n\n### Malware reference\n\nFastCash\r\nhttps://github.com/timb-machine/linux-malware/issues/407\r\nhttps://github.com/timb-machine/linux-malware/issues/312\r\nhttps://github.com/timb-machine/linux-malware/issues/135\r\nwltm\n\n### Actor reference\n\n_No response_\n\n### Component\n\nLinux, Banking\n\n### Scenario\n\nInternal specialist services","closed":false,"createdAt":"2024-12-06T10:08:01Z","labels":[{"id":"LA_kwDOFx8IA87xeTYe","name":"confirmed","description":"","color":"61DD50"}],"number":815,"title":"[Intel]: https://haxrob.net/fastcash-for-linux/"}
diff --git a/intel/LM816.json b/intel/LM816.json
new file mode 100644
index 00000000..5555281e
--- /dev/null
+++ b/intel/LM816.json
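Review bot: `attack:T1567:Financial Theft` in the Industry reference list of the new LM815.json pairs the technique name with the wrong id: in ATT&CK, T1567 is Exfiltration Over Web Service, while Financial Theft is T1657 under Impact. Since the record's Parent threat already lists Impact, the intended tag is presumably `attack:T1657:Financial Theft`; as written, an index generated from these tags would file this FastCash report under exfiltration.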
@@ -0,0 +1 @@
+{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\r\n\r\nSupply chain attacks\r\n\r\n### Parent threat\r\n\r\nInitial Access, Persistence, Credential Access, Command and Control\r\n\r\n### Finding\r\n\r\nhttps://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/\r\n\r\n### Industry reference\r\n\r\nFree Download Manager\r\nhttps://github.com/timb-machine/linux-malware/issues/765\r\nhttps://github.com/timb-machine/linux-malware/issues/766\r\nattack:T1053.003:Cron\r\nattack:T1555.005:Password Managers\r\nuses:Non-persistentStorage\r\n\r\n### Malware reference\r\n\r\nwltm\r\n\r\n### Actor reference\r\n\r\n_No response_\r\n\r\n### Component\r\n\r\nLinux\r\n\r\n### Scenario\r\n\r\n_No response_","closed":false,"createdAt":"2024-12-06T10:15:00Z","labels":[{"id":"LA_kwDOFx8IA87xeTYe","name":"confirmed","description":"","color":"61DD50"}],"number":816,"title":"[Intel]: https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/"}
diff --git a/intel/LM817.json b/intel/LM817.json
new file mode 100644
index 00000000..76add95c
--- /dev/null
+++ b/intel/LM817.json
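Review bot: The Industry reference section of the new LM816.json mixes untagged entries (`Free Download Manager` and two issue links) with `attack:`/`uses:` tags, whereas the sibling records in this commit (LM814.json, LM815.json) put related issue links and product or family names under Malware reference. If the ATT&CK.md generator only reads prefixed lines the untagged entries are dropped silently, and if it reads every line they become spurious tags, so the record would be more consistent with the others if those three lines moved to Malware reference alongside `wltm`.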
@@ -0,0 +1 @@
+{"author":{"id":"MDQ6VXNlcjEzMzMwOTE3","is_bot":false,"login":"timb-machine","name":"Tim Brown"},"body":"### Area\n\nMalware reports\n\n### Parent threat\n\nResource Development, Persistence, Defense Evasion\n\n### Finding\n\nhttps://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/\n\n### Industry reference\n\nattack:T1542.003:Bootkit\r\nattack:T1547.006:Kernel Modules and Extensions\r\nattack:T1587.00:Malware\r\nattack:T1587.002Code Signing Certificates\r\nattack:T1106:Native API\r\nattack:T1129:Shared Modules\r\nattack:T1574.006:Dynamic Linker\r\nattack:T1542.003\r\nattack:T1014:Rootkit\r\nattack:T1562:Impair Defenses\r\nattack:T1564:Hide Artifacts\r\n\r\n\r\n\r\n\n\n### Malware reference\n\nBootkitty\r\nBCDropper\r\nBCObserver\n\n### Actor reference\n\n_No response_\n\n### Component\n\nLinux\n\n### Scenario\n\nConsumer, Internal enterprise services, Enterprise with satellite facilities, Enterprise with contracted services and/or non-employee access","closed":false,"createdAt":"2024-12-06T12:30:02Z","labels":[{"id":"LA_kwDOFx8IA87xeTYe","name":"confirmed","description":"","color":"61DD50"}],"number":817,"title":"[Intel]: https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/"}
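Review bot: Three tags in the Industry reference list of the new LM817.json do not follow the `attack:<id>:<name>` form the rest of the body uses and will not index cleanly: `attack:T1587.00:Malware` has a truncated sub-technique id (Develop Capabilities: Malware is T1587.001), `attack:T1587.002Code Signing Certificates` is missing the colon between id and name, and the bare `attack:T1542.003` repeats the `attack:T1542.003:Bootkit` entry above it without a name. They should read `attack:T1587.001:Malware` and `attack:T1587.002:Code Signing Certificates`, with the bare duplicate removed. The run of empty `\r\n` lines before the Malware reference heading is harmless to a JSON parser but is also inconsistent with the other records and worth trimming.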