The Evolution of Linux Binaries in Targeted Cloud Operations
By: Nathaniel Quist, Bill Batchelor
June 10, 2025
https://unit42.paloaltonetworks.com/elf-based-malware-targets-cloud/
| Notes |
|---|
| Linux malware |
| Unit 42 |
| ELF |
| cloud |
| backdoor, RAT, wiper, exploit |
| “each of the malware strains accounted for at least 20 unique sightings of samples in the wild over the last year. This means that threat actors are actively using them.” |
| Palo Alto Networks |
| Cortex Cloud |
| Unit 42 Incident Response Team |
| APT |
| persistence |
| “Researchers estimate that between 70% and 90% of all computational instances within cloud environments are based on variants (also known as flavors) of Linux OS.” |
| NoodleRAT, Winnti, SSHdInjector, Pygmy Goat, AcidPour |
| dynamic linker hijacking |
| LD_PRELOAD |
| SSH, sshd |
| command and control |
| exfiltration |
| reverse shell |
| SOCKS proxy |
| encrypted C2 comms |
| scheduled code execution |
| process name spoofing |
| NoodleRAT https://www.trendmicro.com/en_us/research/24/f/noodle-rat-reviewing-the-new-backdoor-used-by-chinese-speaking-g.html |
| NoodleRAT has Windows and Linux variants. |
| NoodleRAT has similarities to Rekoobe and Tiny SHell |
| NoodleRAT observed in cybercriminal and cyberespionage intrusions: Rocke and Cloud Snooper campaign. |
| Rocke https://blog.talosintelligence.com/rocke-champion-of-monero-miners/ |
| Cloud Snooper https://news.sophos.com/en-us/2020/02/25/cloud-snooper/ |
| Linux variant of NoodleRAT has targeted: Thailand, India, Japan, Malaysia, Taiwan. |
| Asia-Pacific region |
| Winnti |
| multiplatform malware |
| Winnti has Windows and Linux versions |
| Winnti used by several China-nexus threat actors |
| Starchy Taurus (aka Winnti Group and BARIUM) |
| Nuclear Taurus (aka Tumbleweed Typhoon, THORIUM, Bronze Vapor) |
| Winnti Linux version consists of: ELF executable (libxselinux) and LD_PRELOAD dynamic library (libxselinux.so). |
| SSHdInjector – credential theft, RCE, filesystem access, shell, exfiltration |
| Pygmy Goat |
| Pygmy Goat discovered on Sophos XG firewall devices https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf |
| rootkit |
| libsophos.so vulnerable to authentication bypass (CVE-2022-1040). |
| specially crafted ICMP packets |
| port knocking |
| magic bytes embedded in SSH traffic |
| cron job persistence |
| non-governmental organizations (NGOs), healthcare and transportation sectors |
| AcidPour/AcidRain https://www.sentinelone.com/labs/acidpour-new-embedded-wiper-variant-of-acidrain-appears-in-ukraine/ |
| Razing Ursa (aka Sandworm, Voodoo Bear) https://unit42.paloaltonetworks.com/threat-actor-groups-tracked-by-palo-alto-networks-unit-42/#:~:text=Research-,Razing%20Ursa,-Also%20Known%20As |
| targets modems and routers |
| MIPS architecture https://en.wikipedia.org/wiki/MIPS_architecture |
| x86 |
| industrial control systems |
| storage arrays |
| ioctl |
| evasion |
| machine learning |