{
	"id": "8fcc4d7e-2937-4701-a4b8-3067fce11afd",
	"created_at": "2026-04-06T00:13:44.645971Z",
	"updated_at": "2026-04-10T03:21:40.541442Z",
	"deleted_at": null,
	"sha1_hash": "dea40452d38db008f23cd3803493d7a2e3e87065",
	"title": "Lightning Framework: New “Swiss Army Knife” Linux Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1254713,
	"plain_text": "Lightning Framework: New “Swiss Army Knife” Linux Malware\r\nBy Ryan Robinson\r\nPublished: 2022-07-21 · Archived: 2026-04-02 11:57:31 UTC\r\nLightning Framework is a new, undetected Swiss Army Knife-like Linux malware that has modular plugins and the ability to install rootkits.\r\nYear after year, Linux environments increasingly become the target of malware due to continued threat actor interest in the space. Malware targeting Linux environments surged in 2021, with a large amount of innovation resulting in new malicious code, especially ransomware, trojans, and botnets. With the rise in use of the cloud, it is no wonder that malware innovation is still accelerating at breakneck speed in this realm.\r\nThis is a technical analysis of a previously undocumented and undetected Linux threat called the Lightning Framework. It is rare to see such an intricate framework developed for targeting Linux systems. Lightning is a modular framework we discovered that has a plethora of capabilities, including the ability to install multiple types of rootkit and to run plugins. The framework has both passive and active capabilities for communication with the threat actor, including opening up SSH on an infected machine, and a polymorphic malleable command and control configuration. We are releasing this blog for informational purposes. We do not have all the files that are referenced in the framework, but hope that this release will help others if they possess other pieces of the jigsaw puzzle. We have not observed this malware being used in attacks in the wild.\r\nTechnical Analysis of Lightning Framework\r\nThe framework consists of a downloader and core module, with a number of plugins. Some of the plugins used by the malware are open-source tools. 
Below is a figure of the framework layout:\r\nOverview of the Modules\r\nhttps://www.intezer.com/blog/research/lightning-framework-new-linux-threat/\r\nPage 1 of 14\n\nName | Name on Disk | Description\r\nLightning.Downloader | kbioset | The persistent module that downloads the core module and its plugins\r\nLightning.Core | kkdmflush | The main module of the Lightning Framework\r\nLinux.Plugin.Lightning.SsHijacker | soss | There is a reference to this module but no sample found in the wild yet.\r\nLinux.Plugin.Lightning.Sshd | sshod | OpenSSH with hardcoded private and host keys\r\nLinux.Plugin.Lightning.Nethogs | nethoogs | There is a reference to this module but no sample found in the wild yet. Presumably the software Nethogs\r\nLinux.Plugin.Lightning.iftop | iftoop | There is a reference to this module but no sample found in the wild yet. Presumably the software iftop\r\nLinux.Plugin.Lightning.iptraf | iptraof | There is a reference to this module but no sample found in the wild yet. Presumably the software IPTraf\r\nLinux.Plugin.RootkieHide | libsystemd.so.2 | There is a reference to this module but no sample found in the wild yet. LD_PRELOAD Rootkit\r\nLinux.Plugin.Kernel | elastisearch.ko | There is a reference to this module but no sample found in the wild yet. LKM Rootkit\r\nLightning.Downloader\r\nThe main function of the downloader module is to fetch the other components and execute the core module.\r\nLightning Downloader result in Intezer Analyze\r\nThe downloader module starts by checking if it is located in the working directory /usr/lib64/seahorses/ under the name kbioset. The framework makes heavy use of typosquatting and masquerading in order to remain undetected. The reference to seahorses masquerades as the password and key manager software seahorse. 
If not, it will relocate itself to that working directory and execute that copy. The downloader will fingerprint the host name and network adapters to generate a GUID, which will be sent to the command and control (C2) server. \r\nBuilding the GUID\r\nThe downloader will then contact the C2 to fetch the following modules and plugins:\r\nLinux.Plugin.Lightning.SsHijacker\r\nLinux.Plugin.Lightning.Sshd\r\nLinux.Plugin.Lightning.Nethogs\r\nLinux.Plugin.Lightning.iftop\r\nLinux.Plugin.Lightning.iptraf\r\nLightning.Core\r\nResources fetched from the C2\r\nThe method of contacting the C2 will be described below in the malleable C2 section. The downloader will then execute the core module (kkdmflush). \r\nExecution of the core module\r\nLightning.Core\r\nThe core module is the main module in this framework; it is able to receive commands from the C2 and execute the plugin modules. The module has many capabilities and uses a number of techniques to hide artifacts and remain running under the radar. \r\nThe core module modifies the name of the calling thread of the module to kdmflush, to make it appear that it is a kernel thread. \r\nUsing prctl to modify calling thread name\r\nNext the core module sets up persistence by creating a script that is executed upon system boot. This is achieved by first creating a file located at /etc/rc.d/init.d/elastisearch. The name appears to typosquat elasticsearch. The following contents are written to the file:\r\n#!/bin/bash\r\n# chkconfig:2345 90 20\r\n/usr/lib64/seahorses/kbioset \u0026\r\nThis script will execute the downloader module upon boot. The service is then added using the chkconfig utility. 
\r\nCreation of the init.d script and service\r\nThe timestamp of the file is modified to hide artifacts, a technique known as “timestomping”. The file has its last modified time edited to match that of either whoami, find, or su. It will look for each file respectively until it finds one. This technique is used for most of the files that the framework creates.\r\nFile timestamp modification function\r\nThe malware will attempt to hide its Process ID (PID) and any related network ports. This is achieved by writing the framework's running PIDs to two files: hpi and hpo. These files are parsed and then the existence of the file proc/y.y is checked. If the file exists, it means that a rootkit has been installed. The PIDs are written to proc/y.y for use by the rootkit, which may scrub any reference to files running in the framework from commands such as ps and netstat.\r\nWriting PID to proc/y.y if it exists (Indication that rootkit exists)\r\nThe core module will generate a GUID in the same manner as the downloader and contact the C2. The response is parsed and the command is executed. 
The core module has the following commands:\r\nCommand | Description\r\nSystemInfo | Fingerprints the machine\r\nPureShellCommand | Runs shell command\r\nRunShellPure | Starts the Linux.Plugin.Lightning.Sshd (SSH Daemon) plugin\r\nCloseShellPure | Terminates the Linux.Plugin.Lightning.Sshd plugin\r\nDisconnect | Exits the Core module\r\nGetRemotePathInfo | Collects the summary of a given path\r\nKeepAlive | No action, connection remains alive\r\nUploadFileHeader | Checks access of file\r\nFileEdit | Gets contents of file and time metadata\r\nTryPassSSH | Adds a public key to the root/.ssh/authorized_keys file\r\nDeleteVecFile | Deletes the specified file or path\r\nPreDownloadFile | Calculates a checksum of the file\r\nDownloadFile | Sends a file to the C2\r\nDeleteGuid | Removes the framework\r\nUpdateVersion | Calls the Downloader module to update the framework\r\nUpdateRemoteVersion | Updates the framework including the downloader\r\nSocks5 | Sets up a Socks5 proxy\r\nRestorePlug | The same as UpdateVersion\r\nGetDomainSetting | Fetches the contents of the malleable C2 configuration file (cpc)\r\nSetDomainSetting | Updates the contents of the malleable C2 configuration file (cpc)\r\nInstallKernelHide | Fetches the OS release\r\nRemoveKernelHide | Removes kernel module\r\nUpdateKernelVersion | Removes the kernel module and runs uname -r\r\nOverrideFile | Overwrites specified file\r\nUploadFileContent | Writes data sent from server to file\r\nLocalPluginRequest | Either writes the LD_PRELOAD rootkit or the LKM rootkit\r\nNetwork Communication\r\nNetwork communication in the Core and Downloader modules is performed over TCP sockets. The data is structured in JSON. The C2 is stored in a polymorphic encoded configuration file that is unique for every single creation. This means that configuration files cannot be detected through hash-based techniques. 
The key is built into the start of the encoded file.\r\nEncoded malleable C2 configuration profile\r\nThe dynamic XOR decoding routine \r\nThe decoded configuration is structured in JSON. The default configuration in the analyzed sample uses a local IP address 10.2.22[.]67 with the port 33229. \r\nDecoded default configuration\r\nThere is a passive mode of communication available if the actor executes the RunShellPure command. This starts an SSH service on the infected machine with the Linux.Plugin.Lightning.Sshd plugin. The plugin is an OpenSSH daemon that has hardcoded private and host keys, allowing the attacker to SSH into the machine with their own SSH key, creating a secondary backdoor. \r\nHardcoded keys inside the modified OpenSSH daemon\r\nSummary\r\nThe Lightning Framework is an interesting malware as it is not common to see such a large framework developed for targeting Linux. Although we do not have all the files, we can infer some of the missing functionality based on strings and code of the modules that we do possess. 
Check out our next blog here about detection opportunities for Lightning Framework using osquery.\r\nWe would like to extend a huge thanks to our friends and partners at IBM and SentinelOne for their help while investigating this threat.\r\nIOCs for Lightning Framework\r\nHashes\r\nSigma Detection Rules\r\ntitle: Lightning Framework File Path\r\nstatus: experimental\r\ndescription: Detects creation of files related to Lightning Framework.\r\nauthor: Intezer\r\nreferences:\r\n  - https://intezer.com\r\nlogsource:\r\n  product: linux\r\n  category: file_create\r\ndetection:\r\n  selection1:\r\n    TargetFilename|startswith:\r\n      - '/usr/lib64/seahorses/'\r\n  selection2:\r\n    TargetFilename|contains:\r\n      - 'kbioset'\r\n      - 'cpc'\r\n      - 'kkdmflush'\r\n      - 'soss'\r\n      - 'sshod'\r\n      - 'nethoogs'\r\n      - 'iftoop'\r\n      - 'iptraof'\r\n  condition: selection1 and selection2\r\nfalsepositives:\r\n  - Unknown.\r\n---\r\ntitle: Lightning Default C2 Communication\r\nstatus: experimental\r\ndescription: Detects communication to default local ip for Lightning Framework\r\nauthor: Intezer\r\nreferences:\r\n  - https://intezer.com\r\nlogsource:\r\n  category: firewall\r\ndetection:\r\n  select_outgoing:\r\n    dst_ip: 10.2.22.67\r\n    dst_port: 33229\r\n  condition: select_outgoing\r\nfalsepositives:\r\n  - Unknown.\r\nMITRE ATT\u0026CK\r\nTactic | Technique | ID | Description\r\nPersistence | Boot or Logon Initialization Scripts | T1037 | An init.d script is used for persistence of downloader module\r\nPersistence | SSH Authorized Keys | T1098.004 | SSH keys can be added to the authorized_keys file\r\nDefense Evasion | Obfuscated Files or Information | T1027 | The C2 profile is encoded on disk\r\nDefense Evasion | Deobfuscate/Decode Files or Information | T1140 | The C2 profile is decoded 
with a dynamic XOR algorithm\r\nDefense Evasion | Hide Artifacts | T1564 | Many artifacts are hidden including ports, PIDs, and file timestamps\r\nDefense Evasion | Masquerading | T1036 | Many files are masqueraded as other files or tasks\r\nDefense Evasion | Rootkit | T1014 | LKM and LD_PRELOAD rootkits are used\r\nDefense Evasion | Timestomp | T1070.006 | Files created by Lightning are modified to match that of other utilities\r\nDefense Evasion | File Deletion | T1070.004 | The framework has the ability to remove itself\r\nDiscovery | File and Directory Discovery | T1083 | The framework can list files and directories on infected systems\r\nDiscovery | Network Service Discovery | T1046 | Multiple plugins can be used to perform network service discovery\r\nDiscovery | Network Sniffing | T1040 | Multiple plugins can be used to perform network sniffing\r\nDiscovery | System Information Discovery | T1082 | Lightning can perform detailed system fingerprinting\r\nCommand and Control | Data Encoding | T1132 | Data from the C2 is encoded\r\nCommand and Control | Non-Application Layer Protocol | T1095 | Communication with the C2 is performed over TCP\r\nCommand and Control | Proxy | T1090 | The framework has the ability to start a Socks5 proxy\r\nCommand and Control | Exfiltration Over C2 Channel | T1041 | Data can be exfiltrated\r\nSource: https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"
	],
	"report_names": [
		"lightning-framework-new-linux-threat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434424,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dea40452d38db008f23cd3803493d7a2e3e87065.pdf",
		"text": "https://archive.orkl.eu/dea40452d38db008f23cd3803493d7a2e3e87065.txt",
		"img": "https://archive.orkl.eu/dea40452d38db008f23cd3803493d7a2e3e87065.jpg"
	}
}