{
	"id": "ded311cb-fb54-423d-ac93-3eb51820c84d",
	"created_at": "2026-04-06T00:21:31.585348Z",
	"updated_at": "2026-04-10T03:21:26.614731Z",
	"deleted_at": null,
	"sha1_hash": "373727b69112086f386cdd9ab21679f889076d96",
	"title": "Cryptocurrency-mining Malware Targets Linux Systems, Uses Rootkit for Stealth",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 937249,
	"plain_text": "Cryptocurrency-mining Malware Targets Linux Systems, Uses\r\nRootkit for Stealth\r\nArchived: 2026-04-05 12:36:05 UTC\r\nby Augusto II Remillano, Kiyoshi Obuchi, and Arvin Roi Macaraeg\r\nWith the popularity of cryptocurrencies, it is no surprise\r\nthat cybercriminals continue to develop and fine-tune various cryptocurrency-mining malware. Indeed, this kind of threat is one of Trend Micro's most consistently detected malware,\r\naffecting a wide range of platforms and devices.\r\nWe recently encountered a cryptocurrency-mining malware (detected by Trend Micro as\r\nCoinminer.Linux.KORKERDS.AB) affecting Linux systems. It is notable for being bundled with a rootkit\r\ncomponent (Rootkit.Linux.KORKERDS.AA) that hides the malicious process’ presence from monitoring tools.\r\nThis makes it difficult to detect, as infected systems will only indicate performance issues. The malware is also\r\ncapable of updating and upgrading itself and its configuration file.\r\nInterestingly, the permission model in Unix and Unix-like operating systems like Linux makes it tricky to run\r\nexecutables with privileges. We construe that this cryptocurrency-mining malware’s infection vector is a\r\nmalicious, third-party/unofficial or compromised plugin (i.e., media-streaming software). Installing one entails granting it admin rights, and in the case of compromised applications,\r\nmalware can run with the privileges granted to the application.\r\nIt’s not an uncommon vector, as other Linux\r\ncryptocurrency-mining malware tools have also used this as an entry point.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/cryptocurrency-mining-malware-targets-linux-systems-uses-rootkit-for-stealth\r\nPage 1 of 6\n\nFigure 1: The cryptocurrency-mining malware’s infection chain\r\nTechnical analysis\r\nThe initial file (Trojan.Linux.DLOADER.THAOOAAK) connects to Pastebin and downloads a file from it. The\r\ndownloaded file, which is a shell script, is saved as /bin/httpdns. A scheduled task is created to run /bin/httpdns\r\nevery hour. Lastly, the downloaded shell script is executed. /bin/httpdns contains a shell script that connects to a remote host and\r\ndownloads another base64-encoded text file. After decoding, the resulting file is also a shell script, which is executed\r\nby /bin/httpdns.\r\nFigure 2: How the shell script is downloaded and saved\r\nOnce executed, the shell script first checks whether there is an update available for the malware. As of this\r\nwriting, the link contains the string “noupdate,” indicating that there are currently no updates for the malware. If\r\nthere is an update available, the shell script will then call its echocron function, which is responsible for downloading and\r\nscheduling a task that will execute the malware update.\r\nFigure 3: Code snippet showing how the shell script calls echocron\r\nIf there are no updates available, the shell script will then proceed to its routine by first calling its downloadrun\r\nfunction (shown in Figure 4), which downloads the actual malicious cryptocurrency miner. Although the extension\r\nof the URL it connects to is .jpg, the actual file is an ELF executable; it is saved as /tmp/kworkerds.\r\nAfter downloading and executing the cryptocurrency-mining malware, the shell script then calls its init function,\r\nwhich downloads a version of the initial file.\r\nThe downloaded file is saved as /usr/sbin/netdns and then installed\r\nas a service. Afterwards, the echocron function is called.\r\nFigure 4: Code snippets showing the malware’s downloadrun (top), init (center) and downloadrunxm (bottom)\r\nfunctions\r\nThe shell script will sleep for 10 seconds and then check whether a connection was made on port 56415. If there were\r\nno connections, it will execute its downloadrunxm function. This function is responsible for downloading another\r\ncryptocurrency miner (Coinminer.Linux.KORKERDS.AA) in case the one downloaded by the downloadrun\r\nfunction didn’t work properly.\r\nFigure 5: The malware’s top function\r\nInstalling the rootkit component\r\nThe updated version of the malware has the top function, which is responsible for downloading and installing the\r\nrootkit. It first checks whether there is already a rootkit installed on the affected machine. If it fails to find one, it\r\nwill download and install its rootkit and then save it as /usr/local/lib/libdns.so.\r\nTypically, process monitoring tools can detect the presence of a cryptocurrency miner. Figure 6 shows an image of\r\nhtop (a process viewer/monitoring tool for Unix systems) detecting /tmp/kworkerds using up the resources of\r\nthe affected machine. As shown in Figure 6, the rootkit component hides the process causing the high\r\nconsumption of resources even though htop still shows the affected system’s CPU usage at maximum.\r\nFigure 6: The htop tool detecting the miner’s process, /tmp/kworkerds (top); and how the process becomes\r\ninvisible after the rootkit is installed (bottom)\r\nThe rootkit component of the cryptocurrency-mining malware is a slightly modified/repurposed version of\r\npublicly available code. Upon installation, all processes named “kworkerds” will be invisible to process\r\nmonitoring tools. These tools normally work by accessing the files located in the /proc/{PID} directories. By\r\nblocking access to a process’ /proc/{PID} directory, users won’t be able to detect it through normal means.\r\nTo that end, the rootkit hooks the readdir and readdir64 application programming interfaces (APIs) of the libc\r\nlibrary. These APIs are commonly used by process monitoring tools to get process information. Through preloading\r\n(storing files in the memory), the rootkit overrides the normal library by replacing the normal readdir function\r\nwith the rootkit’s own version of readdir (Figure 7). Once the API is hooked, process monitoring tools won’t be\r\nable to see processes with the name “kworkerds”.\r\nFigure 7: Code snippets showing how the rootkit hides the cryptocurrency miner’s process from monitoring tools\r\nBest practices and Trend Micro solutions\r\nWhile the rootkit fails to hide the high CPU usage and the connections made by the cryptocurrency miner, the malware\r\nimproved its stealth by just editing a few lines of code and repurposing existing code or tools. And with the\r\nmalware’s capability to update itself, we expect its operators to add more functions to make their malware more\r\nprofitable.\r\nCryptocurrency-mining malware can cause significant performance issues, especially on Linux systems, given\r\ntheir ubiquity in running and maintaining business processes — from servers, workstations, application\r\ndevelopment frameworks, and databases to mobile devices. IT and system administrators should practice security\r\nhygiene, which includes:\r\nEnforcing the principle of least privilege by disabling, removing, or minimizing the use of unverified\r\nlibraries or repositories.\r\nHardening the systems by using verified security extensions that can help with issues like\r\nmisconfigurations.\r\nReducing the system’s attack surface through access control policies that manage access to files and system\r\nor network resources; and regularly monitoring systems and networks for anomalous activities.\r\nRegularly patching the systems to prevent vulnerabilities from being exploited; using updated versions of\r\nserver-based applications to lessen the risk of compromises; and employing security mechanisms such as\r\nintrusion detection and prevention systems.\r\nUsers and businesses can also consider adopting security solutions that can defend against cryptocurrency-mining\r\nmalware through a cross-generational blend of threat defense techniques. Trend Micro™ XGen™\r\nsecurity provides high-fidelity machine learning that can secure\r\nthe gateway and endpoint, and protect physical, virtual, and cloud workloads.\r\nWith technologies\r\nthat employ web/URL filtering, behavioral analysis, and custom sandboxing, XGen security offers protection\r\nagainst ever-changing threats that bypass traditional controls and exploit known and unknown vulnerabilities.\r\nXGen security also powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User\r\nProtection, and Network Defense.\r\nIndicators of Compromise (IoCs):\r\nRelated hashes (SHA-256):\r\ncdd921a5de5d5fffc51f8c9140afa9d23f3736e591fce3f2a1b959d02ab4275e\r\n(Trojan.Linux.DLOADER.THAOOAAK)\r\nbaf93d22c9d1ae6954942704928aeeacbf55f22c800501abcdbacfbb3b2ddedf\r\n(Coinminer.Linux.KORKERDS.AB)\r\n0179fd8449095ac2968d50c23d37f11498cc7b5b66b94c03b7671109f78e5772\r\n(Coinminer.Linux.KORKERDS.AA)\r\n023c1094fb0e46d13e4b1f81f1b80354daa0762640cb73b5fdf5d35fcc697960\r\n(Rootkit.Linux.KORKERDS.AA)\r\nRelated malicious URL:\r\nhxxps://monero[.]minerxmr[.]ru/1/1535595427x-1404817712[.]jpg",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/cryptocurrency-mining-malware-targets-linux-systems-uses-rootkit-for-stealth"
	],
	"report_names": [
		"cryptocurrency-mining-malware-targets-linux-systems-uses-rootkit-for-stealth"
	],
	"threat_actors": [],
	"ts_created_at": 1775434891,
	"ts_updated_at": 1775791286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/373727b69112086f386cdd9ab21679f889076d96.pdf",
		"text": "https://archive.orkl.eu/373727b69112086f386cdd9ab21679f889076d96.txt",
		"img": "https://archive.orkl.eu/373727b69112086f386cdd9ab21679f889076d96.jpg"
	}
}