{
	"id": "0d7f18c6-5d18-47b7-b0f5-e16196b29e15",
	"created_at": "2026-04-06T00:07:38.402238Z",
	"updated_at": "2026-04-10T03:35:17.275856Z",
	"deleted_at": null,
	"sha1_hash": "0101b21e0ed2e986895fcd2438b51c43d08995ea",
	"title": "How to Hunt for DecisiveArchitect and Its JustForFun Implant | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 958296,
	"plain_text": "How to Hunt for DecisiveArchitect and Its JustForFun Implant |\r\nCrowdStrike\r\nBy Jamie Harries\r\nArchived: 2026-04-02 12:43:06 UTC\r\nThe security landscape is constantly developing to provide easier ways to establish endpoint visibility across\r\nnetworks through the use of endpoint detection and response (EDR) utilities. However, certain challenges still\r\nremain, particularly as a result of many organizations' need for systems running legacy or proprietary operating\r\nsystems, such as Solaris. If such systems are not adequately protected using other security controls, or cannot be\r\nrestricted so that they are accessed only from systems with appropriate endpoint-based detection/prevention capabilities, this can cause\r\na gap in visibility for an organization that an adversary could abuse. On multiple occasions dating back to 2019,\r\nthe CrowdStrike Services Incident Response team, CrowdStrike Intelligence team and Falcon OverWatch™ team\r\nhave encountered an adversary targeting global entities, in particular telecommunications companies, to obtain\r\ntargeted personal user information — for example, call detail records (CDRs) or information relating to specific\r\nphone numbers. Similar to the activity cluster reported as LightBasin, this adversary primarily focuses on Linux\r\nand Solaris systems using a custom-built implant tracked by CrowdStrike Intelligence as JustForFun (also\r\npublicly known as BPFDoor). While this adversary does interact with Windows systems, mostly during the early\r\nstages of an intrusion, CrowdStrike has not yet identified any custom implants geared toward Windows systems.\r\nInstead, the adversary relies on publicly available tools, such as ldapdomaindump, or the post-exploitation\r\nframework Impacket, to target Windows systems from previously compromised Linux systems. 
CrowdStrike\r\nIntelligence is currently tracking these intrusions under the DecisiveArchitect activity cluster (also publicly known\r\nas Red Menshen); however, this activity is not currently attributed by CrowdStrike to a specific country-nexus.\r\nWhile CrowdStrike has primarily observed the adversary targeting telecommunications companies, other isolated\r\nincidents targeting organizations such as logistics entities have also been observed. DecisiveArchitect exhibits a\r\nhigh degree of operational security as part of their tactics to make it more difficult for defenders to identify and\r\ninvestigate their activity through the use of various defense evasion techniques. While other publicly available\r\nresearch highlights how the implant operates, this blog focuses on methods to hunt for this implant, or implants\r\nthat may operate in a similar manner, while also highlighting techniques of interest across Solaris systems.\r\nSpoofed Command Lines\r\nDecisiveArchitect utilizes a custom implant tracked by CrowdStrike as JustForFun, which is typically persisted\r\nusing SysVinit scripts. When executed, the implant overwrites the process command line within the process\r\nenvironment by randomly selecting a new command line from one of ten hard-coded options, listed in Figure 1.\r\n/sbin/udevd -d\r\n/sbin/mingetty /dev/tty6\r\n/usr/sbin/console-kit-daemon --no-daemon\r\nhald-addon-acpi: listening on acpi kernel interface /proc/acpi/event\r\nhttps://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/\r\nPage 1 of 7\n\ndbus-daemon --system\r\nhald-runner\r\npickup -l -t fifo -u\r\navahi-daemon: chroot helper\r\n/sbin/auditd -n\r\n/usr/lib/systemd/systemd-journald\r\nFigure 1. Hard-coded options for command-line spoofing in JustForFun\r\nWhen DecisiveArchitect interacts with the implants to establish an interactive shell on a system, the bash\r\nprocess spawned by the implant process displays the following command line instead. 
This makes it appear as if\r\nthe Postfix queue manager is executing, as a way to hide itself from analysts and system administrators:\r\nqmgr -l -t fifo -u\r\nOn Solaris systems, though the executable itself exhibits no mechanism for similar command-line\r\nspoofing, DecisiveArchitect achieves similar functionality through the use of LD_PRELOAD, such as the following\r\nexample identified within a SysVinit script:\r\nLD_PRELOAD=/lib/librbtinfo.so.1 /usr/lib/vtdaemon -c 16\r\nWhen executed, the process only shows the command line /usr/lib/vtdaemon -c 16, where the actual JustForFun\r\nimplant is the file /lib/librbtinfo.so.1. As recently as April 2022, CrowdStrike observed further variations\r\nwith regard to DecisiveArchitect's tactics, techniques and procedures (TTPs), with the actor using the\r\nLD_PRELOAD environment variable across Linux systems as well, loading the JustForFun implant,\r\n/lib64/libcaac.so.1, within the legitimate process /sbin/agetty. This highlights a deviation from the\r\nstandard list of spoofed command lines in Figure 1, likely as part of a further effort to remain undetected, and\r\nemphasizes the importance of behavior-based hunting and detection methods. The spoofed command line\r\nappears in the output of commands such as ps that may be used to investigate suspicious activity on the host,\r\nmaking it less likely that the process will be treated as suspicious.\r\nSolaris Privilege Escalation Vulnerability Exploitation\r\nDecisiveArchitect targets Solaris systems via publicly available exploit code for CVE-2019-3010, a vulnerability\r\nin xscreensaver. Binaries used to exploit this vulnerability have usually been observed within a few minutes of\r\nthe JustForFun implant deployment. CVE-2019-3010 is a logic bug that utilizes the LD_PRELOAD technique to\r\nfacilitate local privilege escalation to the root user on Solaris 11 systems. 
Proof-of-concept (POC) code is publicly\r\navailable and was not modified by DecisiveArchitect.[1]\r\nTable 1 lists two files observed across Solaris systems\r\nrelated to this privilege escalation activity.\r\nFile Path | Purpose\r\n/tmp/getuid.so | CVE-2019-3010 exploit binary\r\n/usr/lib/secure/getuid.so | CVE-2019-3010 exploit binary or log file\r\nTable 1. Solaris exploitation file details\r\nPersistence\r\nThe way in which DecisiveArchitect achieves persistence across Linux systems involves the usage of SysVinit\r\nscripts (i.e., rc.d/init.d scripts). Instead of simply creating a new script that references the JustForFun implants,\r\nDecisiveArchitect uses a more operational security-conscious approach by modifying existing SysVinit scripts to\r\nreference a small script file, which then finally references the JustForFun implant. The following highlights an\r\nexample, including the lines added to the legitimate SysVinit script /etc/rc.d/init.d/pcscd and the script\r\n/etc/sysconfig/pcscd referencing the JustForFun implant, /etc/sysconfig/pcscd.conf:\r\n/etc/rc.d/init.d/pcscd:\r\nLine 41: if [ -f /etc/sysconfig/pcscd ]; then\r\nLine 42: /etc/sysconfig/pcscd\r\n/etc/sysconfig/pcscd:\r\n# Source config\r\nif [ -f /etc/sysconfig/pcscd.conf ]; then\r\n /etc/sysconfig/pcscd.conf\r\nfi\r\nWith this method of nested persistence, if an analyst simply reviews a set of SysVinit scripts by themselves,\r\nidentifying the malicious line associated with the JustForFun implant would likely prove difficult without\r\nsubsequently reviewing all of the files referenced within the scripts. 
Additionally, as part of DecisiveArchitect’s\r\ncontinued commitment to operational security, the adversary modifies different legitimate SysVinit scripts across\r\nsystems, and uses different file names/paths for the implant and associated persistence-related scripts, making it\r\ndifficult to search across other systems for indicators identified through analysis of a single system.\r\nDetection and Hunting\r\nOne of the best ways to detect or hunt for this activity is to utilize EDR technology across supported Linux\r\nsystems, with machine learning capabilities to detect and prevent the malicious implants, and with hunting\r\ncapabilities to identify anomalous usage of common Linux system administration utilities or processes running\r\nwith spoofed command lines (such as the bash process running with the command line showing the Postfix\r\nqueue manager command line instead). Figures 2 and 3 highlight the CrowdStrike Falcon® platform’s machine\r\nlearning capabilities and Falcon OverWatch detections associated with the JustForFun implant and JustForFun\r\ncommand-line tool. Please note: The examples in the following scenario have CrowdStrike Falcon® configured\r\nwith DETECTIONS ONLY and PREVENTIONS off. A properly configured Falcon instance, as noted\r\npreviously, would prevent the activity presented here.\r\nFigure 2. JustForFun implant detection\r\nFigure 3. 
JustForFun command-line tool detections\r\nBut, even if an organization has a significant number of legacy or proprietary systems, already has the adversary\r\nburrowed into their network, or simply does not have EDR software deployed across Linux systems, all is not lost.\r\nHunting for Traffic Signaling Implants\r\nGiven that the JustForFun implant opens a raw socket in order to wait for the magic packet, the built-in Linux\r\nutility lsof can be used to identify running processes with a raw socket open:\r\nlsof -RPnl | grep SOCK_RAW | grep IP\r\nEven though this command alone cannot solely determine whether the implant is present — as there are\r\nlegitimate reasons for processes to have raw sockets open — analysts can highlight processes of interest for\r\nfurther investigation. Of particular importance is that DecisiveArchitect’s use of spoofed command lines means\r\nthat the lsof command will report the spoofed command line, as opposed to the actual malicious file, which\r\nmay make it difficult to determine whether the process is malicious or not through this alone. However, by\r\nrunning the lsof command against the process ID without any of the grep filtering, an analyst can list any\r\nopen files associated with that process, which should reveal the binary. An example of a true positive can be seen\r\nbelow, with the start of the line (i.e., the command line) displaying the start of one of the spoofed command lines\r\nlisted in Figure 1. 
It should be noted that DecisiveArchitect can quite easily change these spoofed command lines,\r\nso analysts should be conscious of other processes beyond those listed:\r\ndbus-daem 1215 0 root 3u pack 11912 0t0 IP type=SOCK_RAW\r\nWhile the lsof command is not part of a default Solaris installation, similar commands\r\nexist for obtaining additional details from processes:\r\nfor _PIDno in /proc/*; do line=$(pfiles \"${_PIDno}\"); echo $_PIDno $line | grep bpf; done\r\nfor _PIDno in /proc/*; do line=$(pmap \"${_PIDno}\"); echo $_PIDno $line | grep libpcap; done\r\nfor _PIDno in /proc/*; do line=$(pldd \"${_PIDno}\"); echo $_PIDno $line | grep libpcap; done\r\nThe three commands above loop through every process, with the first command looking for a string indicative of a\r\nprocess running with a packet filter, and the other two searching for processes with the libpcap library loaded.\r\nAs with the lsof command, this alone cannot solely determine whether the implant is present, so an analyst\r\nwould need to further investigate the specific process to confirm the presence of the implant. DecisiveArchitect’s\r\ncapability to spoof command lines across Solaris systems also needs to be taken into account when investigating\r\nthese processes. When investigating any of these entries, one of the key questions to ask is whether the process in\r\nquestion has any reason to have a raw socket open, to be using a packet filter or to be utilizing the libpcap\r\nlibrary. One of the most common false positives relates to systems running processes such as tcpdump or other\r\npacket capture utilities. 
While these hunting techniques provide a relatively simple method for identifying\r\nDecisiveArchitect activity based on activity observed across multiple intrusions, CrowdStrike expects that\r\nDecisiveArchitect will continue development of their implant across both Linux and Solaris platforms, while also\r\nimproving their techniques regarding operational security of their intrusions to further hinder the ability of a\r\ndefender to identify or investigate their activity, which might include identifying ways to combat these hunting\r\ntechniques.\r\nConclusion\r\nDecisiveArchitect’s operations present a clear and present threat to telecommunications companies, as well as\r\nother organizations such as logistics entities. This blog highlights important details about DecisiveArchitect’s\r\nimplant, their abilities to operate on Solaris systems, and ways to hunt down the adversary’s implants to help\r\norganizations identify whether they have fallen victim to this campaign.\r\nEndnotes\r\n1. 
https\u003c:\u003e//github\u003c.\u003ecom/0xdea/exploits/blob/master/solaris/raptor_xscreensaver\r\nIndicators of Compromise (IOCs)\r\nIndicator | Platform | Purpose\r\n/run/lock/kdumpflush /run/lock/kdumpcab /var/lock/kdumpcab /var/lock/kdumpcache /dev/shm/kdmtmpflush /dev/shm/kdevtmpfls /dev/shm/ff | Linux | JustForFun implant pathnames (temporary - running process)\r\n/etc/avahi/avahi.conf /etc/cups/cups /etc/cups/cups.conf /etc/gofer/gofor.conf /etc/gss/gss.conf /etc/jvm/jvm.conf /etc/ntp/ntpd /etc/opt/opt.conf /etc/pm/pm.conf /etc/pulp/agent.conf /etc/ssl/ssl.conf /etc/sysconfig/kdumplog /etc/sysconfig/nfs.conf /etc/sysconfig/pcscd.conf /etc/xdg/xdg.conf /usr/java/jdk1.8.0_181-amd64/.java/init.d/jexecd /usr/local/mysql/bin/myisambug /lib64/libcaac.so.1 | Linux | JustForFun implant pathnames (persistent - on disk)\r\n/lib/librbtinfo.so.1 /usr/lib/autofs/mountd /opt/VRTSvcs/bin/IP/online_Agent | Solaris | JustForFun implant pathnames\r\n/run/lock/lvv /run/lock/lvm/lv /var/run/lvm/vm /dev/shm/sem | Linux | JustForFun CLI utility pathnames\r\n/tmp/getuid.so /usr/lib/secure/getuid.so | Solaris | CVE-2019-3010 exploitation-related files (not unique to DecisiveArchitect)\r\n/usr/local/bin/GetADUsers.py /usr/local/bin/GetNPUsers.py /usr/local/bin/GetUserSPNs.py /usr/local/bin/atexec.py /usr/local/bin/dcomexec.py /usr/local/bin/dpapi.py /usr/local/bin/esentutl.py /usr/local/bin/getArch.py /usr/local/bin/getPac.py /usr/local/bin/getST.py /usr/local/bin/getTGT.py /usr/local/bin/goldenPac.py /usr/local/bin/ifmap.py /usr/local/bin/karmaSMB.py /usr/local/bin/lookupsid.py /usr/local/bin/mimikatz.py /usr/local/bin/mqtt_check.py /usr/local/bin/mssqlclient.py /usr/local/bin/mssqlinstance.py /usr/local/bin/netview.py /usr/local/bin/nmapAnswerMachine.py /usr/local/bin/ntfs-read.py /usr/local/bin/ntlmrelayx.py /usr/local/bin/opdump.py /usr/local/bin/ping.py /usr/local/bin/ping6.py /usr/local/bin/psexec.py /usr/local/bin/raiseChild.py /usr/local/bin/rdp_check.py /usr/local/bin/reg.py /usr/local/bin/registry-read.py /usr/local/bin/rpcdump.py /usr/local/bin/sambaPipe.py /usr/local/bin/samrdump.py /usr/local/bin/secretsdump.py /usr/local/bin/services.py /usr/local/bin/smbclient.py /usr/local/bin/smbexec.py /usr/local/bin/smbrelayx.py /usr/local/bin/smbserver.py /usr/local/bin/sniff.py /usr/local/bin/sniffer.py /usr/local/bin/split.py /usr/local/bin/ticketer.py /usr/local/bin/wmiexec.py /usr/local/bin/wmipersist.py /usr/local/bin/wmiquery.py | Linux | Impacket post-exploitation framework scripts (not unique to DecisiveArchitect)\r\n/usr/local/bin/ldapdomaindump /usr/local/bin/ldd2bloodhound | Linux | ldapdomaindump binaries used for Active Directory reconnaissance (not unique to DecisiveArchitect)\r\nc:\\users\\use.bat c:\\users\\one.ps1 | Windows | Unknown scripts\r\nSource: https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/"
	],
	"report_names": [
		"how-to-hunt-for-decisivearchitect-and-justforfun-implant"
	],
	"threat_actors": [
		{
			"id": "ece64b74-f887-4d58-9004-2d1406d37337",
			"created_at": "2022-10-25T16:07:23.794442Z",
			"updated_at": "2026-04-10T02:00:04.751764Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"DecisiveArchitect",
				"Luminal Panda",
				"TH-239",
				"UNC1945"
			],
			"source_name": "ETDA:LightBasin",
			"tools": [
				"CordScan",
				"EVILSUN",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LEMONSTICK",
				"LOGBLEACH",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"OKSOLO",
				"OPENSHACKLE",
				"ProxyChains",
				"Pupy",
				"PupyRAT",
				"SIGTRANslator",
				"SLAPSTICK",
				"SMBExec",
				"STEELCORGI",
				"Tiny SHell",
				"pupy",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9c8a7541-1ce3-450a-9e41-494bc7af11a4",
			"created_at": "2023-01-06T13:46:39.358343Z",
			"updated_at": "2026-04-10T02:00:03.300601Z",
			"deleted_at": null,
			"main_name": "Red Menshen",
			"aliases": [
				"Earth Bluecrow",
				"Red Dev 18"
			],
			"source_name": "MISPGALAXY:Red Menshen",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "31c0d0e1-f793-4374-90aa-138ea1daea50",
			"created_at": "2023-11-30T02:00:07.29462Z",
			"updated_at": "2026-04-10T02:00:03.482987Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"UNC1945",
				"CL-CRI-0025"
			],
			"source_name": "MISPGALAXY:LightBasin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434058,
	"ts_updated_at": 1775792117,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0101b21e0ed2e986895fcd2438b51c43d08995ea.pdf",
		"text": "https://archive.orkl.eu/0101b21e0ed2e986895fcd2438b51c43d08995ea.txt",
		"img": "https://archive.orkl.eu/0101b21e0ed2e986895fcd2438b51c43d08995ea.jpg"
	}
}