{
	"id": "49221bcf-0a9d-4533-9019-6af5217f5c2c",
	"created_at": "2026-04-06T00:21:11.182326Z",
	"updated_at": "2026-04-10T13:11:28.088778Z",
	"deleted_at": null,
	"sha1_hash": "49b2f645e047414eafadc8f09b64af08474f90f4",
	"title": "Gafgyt Malware Variant Exploits GPU Power and Cloud Native Environments",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2881449,
	"plain_text": "Gafgyt Malware Variant Exploits GPU Power and Cloud Native Environments\r\nBy Assaf Morag\r\nPublished: 2024-08-14 · Archived: 2026-04-05 19:57:57 UTC\r\nAqua Nautilus researchers discovered a new variant of the Gafgyt botnet. This campaign targets machines with weak SSH passwords, executing two binaries from memory to grow the Gafgyt botnet and mine cryptocurrency with GPU power, indicating that the IoT botnet is now targeting more robust servers running in cloud native environments. In this blog we explain the campaign, the techniques used, and how to detect and protect your environments. \r\nPreviously on Gafgyt \r\nGafgyt, also known as Bashlite or Lizkebab, is a botnet malware that targets Internet of Things (IoT) devices. It emerged around 2014 and primarily exploits weak or default credentials to gain control of devices such as routers, cameras, and DVRs. Once infected, these devices become part of a botnet used to launch distributed denial-of-service (DDoS) attacks, overwhelming targets with massive amounts of traffic. Gafgyt spreads by scanning for vulnerable devices and has seen various iterations and enhancements over the years. Its source code has been leaked, leading to numerous variants and adaptations, further complicating cybersecurity efforts. \r\nAttack Flow \r\nIn this attack we see a successful brute force attempt on our SSH honeypot, which is configured with a very weak password. The attacking server (part of the botnet) executes some shell commands over the SSH connection and transfers the main payloads. Next, a cryptomining attack is executed, and the honeypot becomes part of the botnet, scanning the internet for weakly configured SSH usernames and passwords and initiating the same attack against them. 
\r\nhttps://www.aquasec.com/blog/gafgyt-malware-variant-exploits-gpu-power-and-cloud-native-environments/\r\nPage 1 of 14\n\nFigure 1: Gafgyt attack flow\r\nInitial Access \r\nInitial access is gained by brute forcing an internet-connected SSH service with a weak password. Once access is gained, a few commands to inspect and prepare the server are executed and two payloads are transferred over the newly established SSH connection. \r\nSystem Discovery \r\nA few checks are conducted, mainly to determine whether the machine has already been infected by this variant of Gafgyt and whether another malware is running and, if so, to kill it. \r\nEstablishing if the malware is running: \r\nFigure 2: Checking if the malware is already running\r\nKilling competition: \r\nFigure 3: Killing competing malware\r\nNext the two binaries are executed in memory. \r\nExecuting the cryptominer: \r\nFigure 4: Executing the XMRIG cryptominer\r\nExecuting the worm: \r\nFigure 5: Executing Gafgyt malware\r\nConfiguration alteration: \r\nFigure 6: Modifying configurations\r\n/etc/sysctl.conf is the configuration file in Linux and other Unix-like systems that holds kernel parameters to be applied at boot; it lets administrators tune performance, harden the system and customize kernel behavior. Entries use the format parameter = value , such as enabling IP forwarding ( net.ipv4.ip_forward = 1 ) or reducing the tendency to swap ( vm.swappiness = 10 ). The file can be reloaded at runtime with sudo sysctl -p , so an attacker who edits it changes networking, memory-management and filesystem behavior both immediately and persistently across reboots. \r\nLastly, history and log files are deleted to evade detection. 
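
The steps above (execution from /dev/shm, binary names borrowed from system components, a GPU miner command line, a write to /etc/sysctl.conf, and history and log deletion) are each visible in process-execution telemetry. The Python below is an added example, not code from Aqua Nautilus or from the malware: it runs simple rules over a constructed set of exec events in a key=value format chosen for the example (the pool address and the sysctl setting in the sample are placeholders, not observed indicators) and tags hits with the ATT&CK technique where one clearly applies.

```python
# Added example (not code from Aqua Nautilus or from the malware): rule-based
# triage of process-execution events for the behaviours described above.
# Log format is constructed for this example: one exec event per line, space-
# separated key=value pairs, and cmd= is always the LAST field, so everything
# after it (spaces included) is the command line.
import os
from collections import Counter

# Constructed events modelled on the attack chain in the post; the pool
# address and the sysctl setting written are placeholders, not observed IOCs.
SAMPLE_LOG = '''
ts=1723600001 pid=4101 ppid=4100 uid=0 exe=/usr/bin/pkill cmd=pkill -9 xmrig
ts=1723600002 pid=4102 ppid=4100 uid=0 exe=/dev/shm/systemd-net cmd=/dev/shm/systemd-net --cuda --opencl -o pool.invalid:3333
ts=1723600003 pid=4103 ppid=4100 uid=0 exe=/dev/shm/ld-musl-x86 cmd=/dev/shm/ld-musl-x86
ts=1723600004 pid=4104 ppid=4100 uid=0 exe=/usr/bin/bash cmd=bash -c echo vm.swappiness=10 >> /etc/sysctl.conf
ts=1723600005 pid=4105 ppid=4100 uid=0 exe=/usr/bin/rm cmd=rm -rf /root/.bash_history /var/log/wtmp
ts=1723600006 pid=4106 ppid=4100 uid=0 exe=/usr/bin/bash cmd=bash -c history -c; unset HISTFILE
ts=1723600007 pid=4107 ppid=1 uid=0 exe=/usr/lib/systemd/systemd-networkd cmd=/usr/lib/systemd/systemd-networkd
'''

MEMORY_BACKED = ('/dev/shm/', '/run/shm/')      # tmpfs: nothing lands on disk
SYSTEM_DIRS = ('/usr/lib/', '/lib/', '/lib64/', '/usr/bin/', '/usr/sbin/', '/bin/', '/sbin/')
MINER_MARKERS = ('--cuda', '--opencl', 'xmrig', 'stratum+tcp', '--donate-level')
HISTORY_MARKERS = ('history -c', 'unset HISTFILE', '.bash_history', 'HISTFILE=/dev/null')
KILL_TOOLS = ('kill', 'pkill', 'killall')


def parse_event(line):
    '''One constructed log line -> dict; the cmd value keeps its spaces.'''
    event = {}
    fields = line.split(' ')
    for i, field in enumerate(fields):
        if field.startswith('cmd='):
            event['cmd'] = ' '.join(fields[i:])[4:]
            break
        key, _, value = field.partition('=')
        event[key] = value
    return event


def evaluate(event):
    '''Return (rule, ATT&CK technique or None) hits for a single event.'''
    exe, cmd = event.get('exe', ''), event.get('cmd', '')
    name = os.path.basename(exe)
    hits = []
    if exe.startswith(MEMORY_BACKED):
        hits.append(('executable launched from memory-backed filesystem', None))
    if (name.startswith('systemd-') or name.startswith('ld-')) and not exe.startswith(SYSTEM_DIRS):
        hits.append(('system-component name outside system directories', 'T1036.005'))
    if name in KILL_TOOLS:
        # the post observed the worm killing competing miners before starting its own
        if any(m in cmd for m in MINER_MARKERS):
            hits.append(('killing a competing miner', None))
    elif any(m in cmd for m in MINER_MARKERS):
        hits.append(('cryptominer command line (GPU flags or pool)', 'T1496'))
    if '/etc/sysctl.conf' in cmd and any(w in cmd for w in ('>', 'sed ', 'tee ')):
        hits.append(('write to /etc/sysctl.conf', None))
    if any(m in cmd for m in HISTORY_MARKERS):
        hits.append(('shell history cleared', 'T1070.003'))
    if name in ('rm', 'shred', 'truncate') and '/var/log/' in cmd:
        hits.append(('system log removal', 'T1070.002'))
    return hits


def triage(log_text):
    '''Run every rule over every event; one finding per (pid, rule).'''
    findings = []
    for line in log_text.strip().splitlines():
        event = parse_event(line.strip())
        for rule, technique in evaluate(event):
            findings.append({'pid': event.get('pid'), 'exe': event.get('exe'),
                             'rule': rule, 'technique': technique})
    return findings


def rule_counts(findings):
    '''How often each rule fired: a quick view of the whole chain.'''
    return Counter(f['rule'] for f in findings)


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f['pid'], f['technique'] or '-', f['rule'], f['exe'])
```

The last sample event, the real systemd-networkd under /usr/lib/systemd, is the negative control: a systemd-* or ld-* name is only suspicious outside the directories where such components live, which is the same reasoning the post applies to ld-musl-x86 and systemd-net. Seen together on one host within seconds, these low-severity hits form the chain the post describes.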
\r\nHistory deletion: \r\nFigure 7: History deletion\r\nld-musl-x86 and systemd-net analysis\r\nDuring runtime two ELF files were dropped to memory ( /dev/shm ). The first is ld-musl-x86 (MD5: ee929477b6144874974b1dc0b77e57a1), detected in VirusTotal (VT) as a Gafgyt SSH scanner; the second is systemd-net (MD5: b5b96a1bec4829501b85e6fe1c5044f5), detected in VT as an XMR cryptominer. \r\nThe names of these binaries indicate that the threat actors are putting emphasis on defense evasion, as the names masquerade as legitimate components of the Linux operating system environment. \r\nld-musl-x86 mimics ld-musl-<arch>.so.1, the dynamic linker of the musl libc implementation, here suggesting the x86 architecture. The reference to musl is interesting: it is a lightweight, fast and simple implementation of the C standard library for Linux, and the default libc in Alpine Linux. Musl is usually present in embedded systems and containers, which supports the broad view that Gafgyt targets IoT devices but also our understanding that this variant is targeting cloud native environments as well. \r\nsystemd-net is likely meant to resemble the network-management components of the systemd suite of system and service managers for Linux. \r\nThe ELF binary ld-musl-x86 is a Go-compiled executable. It contains various functionalities based on the Gafgyt source code, including generating IP addresses and ports, scanning the internet for exposed SSH and Telnet services, brute forcing them, inspecting the findings and initiating infection. \r\nIn the inspection phase the malware uses various checks to establish that the target is a real server with the service running, probably to avoid infecting low-interaction honeypots. 
\r\nhttps://www.aquasec.com/blog/gafgyt-malware-variant-exploits-gpu-power-and-cloud-native-environments/\r\nPage 4 of 14\n\nThe function backgroundlogic  in the malware is set to download from the threat actor’s server (at\r\n107.189.5.210) the file 1.txt, which is a brute force configuration file containing 179 sets of users and passwords. \r\nFigure 8: C2 IP address hard coded in Gafgyt\r\nAn analysis of this list may shed a brighter light on the targets of this botnet. \r\nhttps://www.aquasec.com/blog/gafgyt-malware-variant-exploits-gpu-power-and-cloud-native-environments/\r\nPage 5 of 14\n\nFigure 9: Downloading an updated credentials list for brute force\r\nWhile historically Gafgyt variants target IoT devices, in this case our classification of the users shows another\r\nobjective. In the general purpose you can see usernames such as admin , app , ftp  and others which can fall\r\nunder any purpose to target Linux systems. \r\nUnder the gaming classification you can observe usernames such as counterstrike or minecraft . \r\nUnder IoTs you can see nvidia , raspberrypi and others. \r\nIn the cloud native category, we observe Hadoop , AWS , Azure , Ansible , devops  and many other usernames\r\nwhich indicate that this botnet is putting cloud native environments in sight. \r\nhttps://www.aquasec.com/blog/gafgyt-malware-variant-exploits-gpu-power-and-cloud-native-environments/\r\nPage 6 of 14\n\nFigure 10: Distribution of targets as appears in the credentials list (pie chart)\r\nIn the binary there’s a telnet function that deploys this: \r\nFigure 11: Old dead IP in the Gafgyt binary\r\nWhile this IP address is inactive at the moment. A short search in our honeypots database and over the internet\r\nreveals that this was used in the past as part of the Gafgyt campaign. 
\r\nThis is the sora.sh script:\r\nFigure 12: The sora.sh script content\r\nThe stale, now inactive IP address left in the code suggests that this variant repurposes older Gafgyt code rather than being written from scratch. \r\nThe cryptominer in use is XMRIG, a Monero cryptocurrency miner. As illustrated in Figure 4 above, the execution command of the miner includes the flags --cuda and --opencl . IoT devices are generally characterized by low power consumption, modest computational power, and the ability to operate with limited memory and storage. Here, however, the threat actor is seeking to run a cryptominer with the --opencl and --cuda flags, which enable XMRIG’s OpenCL backend (any OpenCL-capable GPU, typically AMD) and its CUDA backend for Nvidia GPUs (which requires the separate xmrig-cuda plugin). This, combined with the fact that the threat actor’s primary impact is cryptomining rather than DDoS attacks, supports our claim that this variant differs from previous ones: it is aimed at cloud-native environments with strong CPU and GPU capabilities. \r\nPotential Exposure in the Wild \r\nShodan, the search engine for Internet-connected devices, was used to identify servers with exposed SSH. By querying Shodan for publicly accessible SSH, we uncovered more than 30 million internet-connected instances. This highlights the critical need to secure servers against brute force attacks and potential exploitation when exposing these network protocols. 
\r\nFigure 13: Shodan data for exposed SSH\r\nDetection and Remediation with Aqua’s CNAPP \r\nIn this blog we covered an attack against a server whose SSH port was exposed to the internet. Using SSH to manage remote servers is extremely popular and adopted by many organizations and individuals. While best practice is key-based authentication with password logins disabled, many still protect access to the server with a username and password. \r\nIn this case we show a possible misconfiguration scenario, namely a weak username and password that were easily guessed by the attacker. Our honeypot ran Aqua’s Runtime Protection solution to detect malicious and suspicious behavior at runtime. \r\nIn Figure 14 below, you can observe how Aqua Runtime Protection detected the attack in real time and alerted on the intrusion. \r\nFigure 14: Aqua’s platform, runtime detection for this attack\r\nAs you can see above, there were 7 alerts, indicating fileless execution and cryptomining execution. On the right pane you can see that the binary ld-musl-x86 was executed from the path /dev/shm , namely from memory. The low number of alerts illustrates the precision of Aqua’s runtime logic, which is tuned to fire on real attacks based on behavioral analysis of millions of attacks caught in Aqua’s honeypots and thoroughly analyzed by Nautilus. 
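
The key-versus-password point above is checkable. The Python below is an added example, not Aqua’s code, that audits the global section of an sshd_config against the settings that make the brute force in this post possible. The two configs are constructed for the example; the audit applies OpenSSH’s rule that the first value seen for a keyword wins and ignores everything after a Match line, since those settings only apply to matching connections.

```python
# Added example (not Aqua's code): audit an sshd_config for the settings that
# let the SSH brute force described above succeed. sshd semantics modelled:
# keywords are case-insensitive, the FIRST value for a keyword wins, and
# everything after a Match line is conditional, so only the global section
# is audited. Both configs are constructed for the example.

WEAK_CONFIG = '''
# constructed: internet-facing server that still accepts passwords
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 20
Match User deploy
    PasswordAuthentication no
'''

HARDENED_CONFIG = '''
# constructed: key-based access only; root cannot log in with a password
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
AllowUsers deploy ops
'''

# OpenSSH defaults for the keywords audited (what applies when unset).
DEFAULTS = {
    'passwordauthentication': 'yes',
    'kbdinteractiveauthentication': 'yes',
    'permitrootlogin': 'prohibit-password',
    'permitemptypasswords': 'no',
    'pubkeyauthentication': 'yes',
    'maxauthtries': '6',
}


def parse_global(text):
    '''Effective global settings: lower-cased keyword -> first value seen.'''
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        if '=' in parts[0]:                      # Keyword=value form
            parts = parts[0].split('=', 1) + parts[1:]
        key = parts[0].lower()
        if key == 'match':
            break                                # rest is conditional
        if key == 'challengeresponseauthentication':
            key = 'kbdinteractiveauthentication'  # older spelling, same setting
        value = parts[1].strip() if len(parts) > 1 else ''
        settings.setdefault(key, value)          # first occurrence wins
    return settings


def effective(settings, key):
    '''Value in force for a keyword: configured, else the OpenSSH default.'''
    return settings.get(key, DEFAULTS[key]).lower()


def audit(text):
    '''Return (keyword, effective value, why it matters) for weak settings.'''
    cfg = parse_global(text)
    findings = []
    if effective(cfg, 'passwordauthentication') == 'yes':
        findings.append(('PasswordAuthentication', 'yes',
                         'passwords can be guessed; use keys and set no'))
    if effective(cfg, 'kbdinteractiveauthentication') == 'yes':
        findings.append(('KbdInteractiveAuthentication', 'yes',
                         'keyboard-interactive can still prompt for a password via PAM; set no'))
    if effective(cfg, 'permitrootlogin') == 'yes':
        findings.append(('PermitRootLogin', 'yes',
                         'root can be brute forced directly; use prohibit-password or no'))
    if effective(cfg, 'permitemptypasswords') == 'yes':
        findings.append(('PermitEmptyPasswords', 'yes', 'accounts with empty passwords can log in'))
    if effective(cfg, 'pubkeyauthentication') == 'no':
        findings.append(('PubkeyAuthentication', 'no', 'keys cannot replace passwords'))
    tries = effective(cfg, 'maxauthtries')
    if tries.isdigit() and int(tries) > int(DEFAULTS['maxauthtries']):
        findings.append(('MaxAuthTries', tries, 'more guesses per connection than the default of 6'))
    return findings


if __name__ == '__main__':
    for label, cfg in (('weak', WEAK_CONFIG), ('hardened', HARDENED_CONFIG)):
        print(label, audit(cfg) or 'no findings')
```

The weak config’s Match block sets PasswordAuthentication no for one user, which does not rescue the global yes that the worm’s credential list is aimed at; the audit reports the global value. ChallengeResponseAuthentication is treated as the older spelling of KbdInteractiveAuthentication, which matters because keyboard-interactive over PAM can still prompt for a password after PasswordAuthentication has been turned off.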
\r\nIf you wish to understand what happened before the fileless execution and which events are linked to it, you can press the timeline button and observe the history related to this alert. In this case, we can see that the binary was dropped into the container during runtime. \r\nFigure 15: Aqua’s platform, incident timeline breakdown\r\nLastly, as you can see in Figure 16 below, Aqua Runtime Protection also generates audit logs, which are useful when your SOC analysts or IR teams wish to investigate the intrusion further. Note that this attack produced over 96,000 audit logs; they can be filtered by numerous criteria such as container name, container ID, MITRE technique, Enforce group, Cloud Foundry organization and many more, making it possible to isolate the malicious events and focus the investigation. \r\nFigure 16: Audit log of container-level events during the Gafgyt attack\r\nAssaf is the Director of Threat Intelligence at Aqua Nautilus. He is responsible for acquiring threat intelligence related to the software development life cycle in cloud native environments, supports the team's data needs, and helps Aqua and the ecosystem remain at the forefront of emerging threats and protective methodologies. His research has been featured in leading information security publications and journals worldwide, and he has presented at leading cybersecurity conferences. 
Notably, Assaf has also contributed to the development of the new MITRE ATT\u0026CK Container Framework.\r\nAssaf is leading an O’Reilly course focusing on cyber threat intelligence in cloud-native environments. The course covers both theoretical concepts and practical applications, providing valuable insights into the unique challenges and strategies associated with securing cloud-native infrastructures.\r\nSource: https://www.aquasec.com/blog/gafgyt-malware-variant-exploits-gpu-power-and-cloud-native-environments/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.aquasec.com/blog/gafgyt-malware-variant-exploits-gpu-power-and-cloud-native-environments/"
	],
	"report_names": [
		"gafgyt-malware-variant-exploits-gpu-power-and-cloud-native-environments"
	],
	"threat_actors": [],
	"ts_created_at": 1775434871,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/49b2f645e047414eafadc8f09b64af08474f90f4.pdf",
		"text": "https://archive.orkl.eu/49b2f645e047414eafadc8f09b64af08474f90f4.txt",
		"img": "https://archive.orkl.eu/49b2f645e047414eafadc8f09b64af08474f90f4.jpg"
	}
}