{
	"id": "d259a388-fa7a-45bf-b2d3-c918840ca182",
	"created_at": "2026-04-06T00:18:04.889502Z",
	"updated_at": "2026-04-10T13:11:44.807197Z",
	"deleted_at": null,
	"sha1_hash": "fc74c428b0bccae718df1f0f92eb7e2c9105b5d3",
	"title": "perfctl: A Stealthy Malware Targeting Millions of Linux Servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 13883852,
	"plain_text": "perfctl: A Stealthy Malware Targeting Millions of Linux Servers\r\nBy Assaf Morag\r\nPublished: 2024-10-03 · Archived: 2026-04-05 19:07:04 UTC\r\nIn this blog post, Aqua Nautilus researchers aim to shed light on a Linux malware that, over the past 3-4 years, has actively sought more than 20,000 types of misconfigurations in order to target and exploit Linux servers. If you have a Linux server connected to the internet, you could be at risk. In fact, given the scale, we strongly believe the attackers targeted millions worldwide, with a potential number of victims in the thousands; it appears that with this malware any Linux server could be at risk.\r\nWe discovered numerous incident reports in community forums, all describing indicators of compromise linked to this malware. The community has widely referred to it as the “perfctl malware,” and we have adopted this name.\r\nThis post will explore the malware’s architecture, components, defense evasion tactics, persistence mechanisms, and how we managed to detect it. Perfctl is particularly elusive and persistent, employing several sophisticated techniques, including:\r\n- It utilizes rootkits to hide its presence.\r\n- When a new user logs into the server, it immediately stops all “noisy” activities, lying dormant until the server is idle again.\r\n- It utilizes a Unix socket for internal communication and TOR for external communication.\r\n- After execution, it deletes its binary and continues to run quietly in the background as a service.\r\n- It copies itself from memory to various locations on the disk, using deceptive names.\r\n- It opens a backdoor on the server and listens for TOR communications.\r\n- It attempts to exploit the Polkit vulnerability (CVE-2021-4034) to escalate privileges.\r\nIn all the attacks observed, the malware was used to run a cryptominer, and in some cases, we also detected the execution of proxy-jacking software. 
During one of our sandbox tests, the threat actor utilized one of the malware’s backdoors to access the honeypot and started deploying some new utilities to better understand the nature of our server, trying to work out what exactly we were doing to its malware.\r\nElusive Malware Dominates Developer Forums\r\nOur story begins with an attack we monitored on one of our honeypots. Typically, we check if anyone has already documented the attack, as this allows us to analyze it more thoroughly and compare our findings with those of other researchers. However, in this case, we found no report about the malware that had targeted our honeypot.\r\nhttps://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/\r\nPage 1 of 34\n\nWhat we did find, though, were numerous references to a perfctl malware. This immediately drew our attention, as this was one of the names of our malware. These references are in various languages across several developer communities and forums; we carefully reviewed these posts and found that the indicators of compromise mentioned in them are the same as the ones we’ve seen in our attack. Usually, some of these posts have replies with links to reports about the malware written by researchers. In this case, however, none of them had links to such reports. Here are some of the posts we came across: Reddit, freelancer, Stack Overflow (Spanish), forobeta (Spanish), brainycp (Russian), natnetwork (Indonesian), Proxmox (Deutsch), Camel2243 (Chinese), svrforum (Korean), exabytes, virtualmin, serverfault and many others.\r\nThe name perfctl comes from the cryptominer process that drains the system’s resources, causing significant issues for many Linux developers. By combining “perf” (a Linux performance monitoring tool) with “ctl” (commonly used to indicate control in command-line tools), the malware authors crafted a name that appears legitimate. 
This makes it easier for users or administrators to overlook during initial investigations, as it blends in with typical system processes.\r\nTowards the end of our research, we saw the first report, published by the researchers of Cado Security, but it tells only a very small part of the story of the perfctl malware.\r\nThe Attack Flow\r\nAfter exploiting a vulnerability (as in our case) or a misconfiguration, the main payload is downloaded from an HTTP server controlled by the attacker.\r\nIn our case, the main payload was named httpd, and it demonstrated multiple layers of execution, showcasing a deliberate design to ensure persistence and evade detection. Once executed, the main payload copies itself from memory to a new location in the /tmp directory, runs the new binary from there, terminates the original process, and then deletes the initial binary to cover its tracks.\r\nThe main payload is now executed from the /tmp directory under a different name. Based on what we’ve seen, the malware chooses the name of the process that originally executed it, so it looks less suspicious if the system is examined.\r\nIn our case the malware was executed by sh, so the name of the malware was changed from httpd to sh. At this point, it functions as both a dropper and a local command-and-control (C2) process. The malware contains an exploit for CVE-2021-4034, which it tries to run in order to gain root privileges on the server.\r\nThe malware continues to copy itself from memory to half a dozen other locations, with names that appear to be conventional system files. It also drops a rootkit and a few popular Linux utilities that were modified to serve as user land rootkits (e.g. ldd, lsof). A cryptominer is also dropped, and in some executions we also observed proxy-jacking software transferred from a remote server and executed. 
\r\nAs part of its command-and-control operation, the malware opens a Unix socket, creates two directories under the /tmp directory, and stores data there that influences its operation. This data includes host events, locations of the copies of itself, process names, communication logs, tokens, and additional log information. Additionally, the malware uses environment variables to store data that further affects its execution and behavior.\r\nAll the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defense mechanisms and hinder reverse engineering attempts. The malware also uses advanced evasion techniques, such as suspending its activity when it detects a new user in the btmp or utmp files and terminating any competing malware to maintain control over the infected system.\r\nBelow is the complete attack flow:\r\nFigure 1: The entire attack flow\r\nAs noted earlier, numerous files are written to disk or modified, primarily in the /tmp, /usr, and /root directories, as shown in the diagram below.\r\nFigure 2: Files dropped or written to disk\r\nIn this blog and its appendices, we will explain the purpose of these files and the role each plays in the attack flow.\r\nPerfctl Attack Highlights\r\nThe main binary httpd is a packed, stripped and obfuscated ELF (MD5: 656e22c65bf7c04d87b5afbe52b8d800). If you type the download URL in the browser, the integer 1 is printed to the screen. If you try downloading the .php file without a specific user agent, you will receive a file containing the integer 1. This response suggests that the file is completely innocent. But if you use the correct user agent, it will drop the malware (size of ~9 MB). 
This is a clever way to conceal the malware.\r\nAfter it is downloaded and executed, the malware copies itself from memory using the name of another running process, and it saves the process ID of that running process under /tmp/.apid.\r\nFigure 3: httpd is copying itself from memory\r\nhttpd then stops and deletes itself. This technique is called ‘process masquerading’ or ‘process replacement’, and it is done for defense evasion and obfuscation. It makes it a bit harder for security researchers to follow the malware’s execution flow.\r\nThe new httpd binary is now saved in the /tmp directory under the name of the process that executed it (sh in our case, but we’ve also seen other names when we used other processes to run it). The binary sh also copies itself from memory to various locations: it saves itself as libpprocps.so and also as /root/.config/cron/perfcc, /usr/bin/perfcc, and /usr/lib/libfsnkdev.so. In Appendix 3 – The main payload below, we discuss this in detail and explain our hypothesis as to why the threat actor chose these names. This shows deliberate thought in regard to persistence, as the malware author creates many locations to which the malware is copied.\r\nPersistence\r\nThe attacker modifies the ~/.profile script, which sets up the environment during user login. This script is designed to execute the malware first, followed by the legitimate workload expected to run on the server. It checks if /root/.config/cron/perfcc is an executable file, and if so, it runs the malware.\r\nAdditionally, the script ensures that in Bash environments, the ~/.bashrc file is executed, applying user-specific configurations such as aliases and environment variables, likely to maintain normal server operations while the malware runs. 
Finally, the script suppresses mesg errors to avoid any visible warnings during execution.\r\nThe binary wizlmsh is dropped to /usr/bin (MD5: ba120e9c7f8896d9148ad37f02b0e3cb). It is a very small binary (12 KB) that runs as a service in the background. Initially, it receives argc and argv, and verifies the execution of the main payload (httpd) after it is written into /tmp, either as sh or bash or any other name. It is responsible for the persistence of the perfctl malware.\r\nFigure 4: wizlmsh main function\r\nDefense Evasion\r\nThe rootkit has several purposes. One of the main purposes is to hook various functions and modify their functionality. The rootkit itself is an ELF 64-bit LSB shared object (.so) file named libgcwrap.so (MD5: 835a9a6908409a67e51bce69f80dd58a). The rootkit uses LD_PRELOAD to load itself before other libraries.\r\nFigure 5: The revised LD_PRELOAD content\r\nIt performs various interesting manipulations, including hooking Libpam symbols, specifically the function pam_authenticate, which is used by PAM to authenticate users. Hooking or overwriting this function could allow unauthorized actions during the authentication process, such as bypassing password checks, logging credentials, or modifying the behavior of authentication mechanisms.\r\nFigure 6: Functions the rootkit hooks\r\nIt also hooks Libpcap symbols, specifically the function pcap_loop, which is widely used for capturing network traffic. This is used to prevent recording of the malware’s traffic.\r\nThe threat actors are also using a few user land rootkits. They drop a few legitimate utilities such as ldd. 
These utilities were modified to hide specific attack elements. So, if the rigged crontab is used, for instance, it won’t show cron jobs created during the attack.\r\nIn the first step the malware replaces /etc/profile so that the path is set to /bin/.local/bin:$PATH. With this path the threat actor overrides the directory from which the utilities are called. We’ve seen 2 binaries in some malware runs and 4 in others, depending on which utilities originally exist on the server.\r\nIn our attacks the malware dropped crontab, lsof, ldd and top. These tweaked binaries will hide malicious activities in case someone uses them.\r\nFigure 7: The new content inserted by the threat actor into ‘/etc/profile’\r\nIn Appendix 5 – User land rootkits, we explain in detail why we think these utilities were chosen by the threat actor.\r\nMain Impact\r\nThe main impact of the attack is resource hijacking. In all cases we observed a Monero cryptominer (XMRIG) executed and exhausting the server’s CPU resources. The cryptominer is also packed and encrypted. Once unpacked and decrypted, it communicates with cryptomining pools.\r\nAs reflected in Figure 8 below, the cryptomining pools are accessed via TOR.\r\nFigure 8: Cryptomining traffic\r\nMoreover, in some of the attacks we’ve seen proxy-jacking via various vendors. We’ve seen communication with the following domains: bitping.com, earn.fm, speedshare.app, and repocket.com.\r\nThe domain repocket.com, for instance, is associated with the Repocket platform, which is a service that allows users to earn money by sharing their unused internet bandwidth.\r\nIn addition, we can observe the usage of the bitping daemon, which provides similar bandwidth payment services. 
\r\nFigure 9: Logging in to bitping\r\nTOR communication\r\nThe binary sh also initiates communication via TOR with a few servers (i.e. 80.67.172.162, 176.10.107.180, 78.47.18.110, 95.217.109.36, 145.239.41.102).\r\nWhile the communication is encrypted, you can observe the TOR log left on our honeypot.\r\nFigure 10: TOR sessions log\r\nAdditional Threat Intelligence\r\nWe recorded several dozen attacks of perfctl. We saw 3 download servers involved in these attacks (46.101.139.173, 104.183.100.189 and 198.211.126.180).\r\nThe first two IP addresses seem to be linked to vulnerable servers that were previously hacked by the threat actor, and the third one could be owned by the threat actor. All 3 IP addresses store and hide artifacts used in this campaign.\r\nIn most of the attacks we see that the binaries were dropped from IP address 46.101.139.173. An inspection of this IP address showed that it is a compromised webserver.\r\nFigure 11: Compromised website serves as download server\r\nIterating over this download server, we see a compromised site on a server in Germany.\r\nWe noticed some artifacts, well hidden between the site’s scripts. We see 3 main payloads. One is avatar.php, which was used as part of the attack on our honeypot. Using the browser to reach the webpage with avatar.php, or downloading it without a specific user agent, leads to 1 being displayed on screen or a .php file containing the digit 1.\r\nIn addition, there is another file named aoip, which was uploaded 2 months later, and two others, dark.css and csdark.css, which were uploaded later. 
\r\nFigure 12: Files hosted on the webserver\r\nFigure 13: Files hosted on the webserver\r\nFigure 14: Files hosted on the webserver\r\nThe binary aoip is a replica of the main payload (sh / httpd).\r\ncsdark.css and dark.css weren’t analyzed during this research but look very interesting.\r\nOn IP address 198.211.126.180 we found just the file checklist.php, which is the main payload (sh / httpd).\r\nFigure 15: Compromised website serves as download server\r\nOn IP address 104.183.100.189 we found another innocent compromised website.\r\nFigure 16: Compromised website serves as download server\r\nIt looks like this website stores an XML file which, when decoded (base64), is actually the rconf script.\r\nFigure 17: malicious XML\r\nFrom what we see on these websites, there are a few artifacts used to carry out the exploitation of misconfigured and (in our recorded attacks) vulnerable Linux servers. We identified a very long directory traversal fuzzing list of almost 20K paths, seeking mistakenly exposed configuration files and secrets. There are also a couple of follow-up files (such as the XML) that the attacker uses to exploit the misconfiguration. In the table below you can see the analysis of the paths, which shows that perfctl is mainly looking to exploit misconfigurations. 
\r\nCategory | Count of Paths | Example Paths | Potential Vulnerability\r\nCredentials | 1,717 | /access_credentials.json, /access_keys.json, /accesskeys.php | Potential for unauthorized access to credentials, sensitive token or key exposure\r\nConfiguration | 12,196 | Typical files include .conf, .ini, .json, .xml configurations | Misconfigurations could lead to security weaknesses\r\nLogin | 1,362 | Paths include login, auth, signin, admin related files | Risks of unauthorized access through login interfaces\r\nUnknown | 4,647 | Paths not fitting the above categories | Unknown, requires further investigation\r\nDetection of “Perfctl” Malware\r\nTo detect the Perfctl malware, look for unusual spikes in CPU usage, or system slowdown if the rootkit has been deployed on your server. These may indicate cryptomining activities, especially during idle times.\r\nMonitoring Suspicious System Behavior\r\n1. Inspect the /tmp, /usr, and /root directories for suspicious binaries, especially ones hidden or masquerading as system files (e.g., perfctl, sh, libpprocps.so, perfcc, libfsnkdev.so). Inspect your /home directory and look for a /.local/bin directory with various utilities installed, such as ldd, top, etc.\r\n2. Monitor processes for high resource usage, such as binaries like httpd or sh behaving unusually or running from unexpected locations like /tmp.\r\n3. Check system logs for modifications to the ~/.profile and /etc/ld.so.preload files.\r\nNetwork Traffic Analysis\r\n1. Capture network traffic to detect TOR-based communication to external IPs like 80.67.172.162, 176.10.107.180, etc.\r\n2. Look for outbound connections to cryptomining pools or proxy-jacking services.\r\n3. Monitor traffic to known malicious hosts or IPs (e.g., 46.101.139.173, 104.183.100.189, and 198.211.126.180). 
\r\nFile and Process Integrity Monitoring\r\nDetect modifications in key system utilities like ldd, top, lsof, and crontab, which might have been replaced with trojanized versions.\r\nLog Analysis\r\nReview logs for unauthorized use of system binaries, the presence of suspicious cron jobs, and errors in mesg to detect possible tampering.\r\nDetection of “Perfctl” Malware with Aqua Security\r\nFirst, we can see some runtime incidents. Below you can see alerts indicating that some new binaries were dropped and executed, meaning a drift in our container, in addition to a shared object dropped during runtime. These are the additional httpd malware files and the rootkit.\r\nFigure 18: Incidents screen on Aqua Security Platform\r\nWe can continue the investigation of this attack by examining the audit logs of these incidents. During this incident there were above 22K audit events, so we will need to search for specific events in order to investigate the attack.\r\nFigure 19: Audit logs screen on Aqua Security Platform\r\nWe can filter on specific hosts, containers, enforcer groups, cloud resources or even pods. We decided to search for specific events based on the MITRE framework. We used the masquerading technique, which is used to describe dropped and executed events. There were 465 incidents; we can now go over all the files that were dropped (or modified) during the attack.\r\nFigure 20: Audit logs screen on Aqua Security Platform\r\nWe can learn, for instance, about the swapping of some binaries with user land rootkits.\r\nFigure 21: Audit logs screen on Aqua Security Platform\r\nYou can also learn about inbound traffic or the setting up of port listening. 
\r\nFigure 22: Audit logs screen on Aqua Security Platform\r\nMitigation of “Perfctl” Malware\r\n1. Patch Vulnerabilities: Ensure that all vulnerabilities are patched, particularly in internet-facing applications such as RocketMQ servers, and CVE-2021-4034 (Polkit). Keep all software and system libraries up to date.\r\n2. Restrict File Execution: Set noexec on /tmp, /dev/shm and other writable directories to prevent malware from executing binaries directly from these locations. Note that the rconf script described in Appendix 2 remounts /tmp with exec when it finds noexec, so pair this control with alerting on unexpected remounts of these directories.\r\n3. Disable Unused Services: Disable any services that aren’t required, particularly those that may expose the system to external attackers, such as HTTP services.\r\n4. Implement Strict Privilege Management: Restrict root access to critical files and directories. Use Role-Based Access Control (RBAC) to limit what users and processes can access or modify.\r\n5. Network Segmentation: Isolate critical servers from the internet or use firewalls to restrict outbound communication, especially TOR traffic or connections to cryptomining pools.\r\n6. Deploy Runtime Protection: Use advanced anti-malware and behavioral detection tools that can detect rootkits, cryptominers, and fileless malware like perfctl.\r\nAppendices\r\nAppendix 1: Initial Access\r\nCVE-2023-33246 is a vulnerability found in RocketMQ, which is software that manages messages. This vulnerability allows unauthorized execution of commands on systems where RocketMQ is installed. This issue occurs because RocketMQ does not adequately check who is trying to access it, which means anyone, even without permission, can make changes or execute commands. 
The problem is made worse because the parts of RocketMQ that handle storing and delivering messages were not designed to be directly accessible over the internet, and they don’t require authentication for performing sensitive operations like updating settings. This makes it relatively easy for attackers to exploit this vulnerability.\r\nThe initial access, gained via this vulnerability (CVE-2023-33246), led to the download and execution of the shell script rconf with the following command:\r\nFigure 23: Execution script\r\nIn Figure 24 below, you can observe the entire rconf script; next we will do a breakdown and explanation of its content.\r\nFigure 24: The rconf script\r\nAppendix 2: Execution Script Analysis\r\nAs depicted in Figure 25 below, the script starts with a function that appears to perform a simplified HTTP GET request using a TCP socket directly, mimicking some basic behavior of the curl command. The threat actor uses this in case the targeted server doesn’t contain curl or wget.\r\nFigure 25: A snippet from the rconf script, illustrating implementation of an HTTP GET request command\r\nAs you can see in Figure 26 below, the script continues with a simple if condition that ensures the targeted server’s OS architecture is x86_64. This shows that the threat actor is targeting a specific architecture and the malware won’t run on ARM, for instance.\r\nFigure 26: A snippet from the rconf script, illustrating inspection of the targeted host architecture\r\nNext, the threat actor verifies that the /tmp directory exists and has read, write, and execute permissions. 
This directory will be used later to store logs, which the malware will update and from which the malware will read instructions or system status.\r\nFigure 27: A snippet from the ‘rconf’ script, illustrating inspection of the ‘/tmp’ path\r\nAs illustrated in Figure 28 below, the threat actor also verifies that the /tmp directory is mounted with executable permissions. If the noexec option is found in the mount options (no execution permissions), it remounts /tmp with the exec option, allowing execution of binaries from the /tmp directory. This might be necessary for scripts or applications that require executing temporary files stored in /tmp.\r\nFigure 28: A snippet from the ‘rconf’ script, illustrating further inspection of the ‘/tmp’ directory\r\nIn addition, the threat actor creates two directories under the /tmp path, which will be used later as auxiliaries when running the main payload.\r\nFigure 29: A snippet from the ‘rconf’ script, illustrating creation of directories under the ‘/tmp’ path\r\nNext, the threat actor sets the environment variable A2ZNODE to localhost, if it is not already defined.\r\nFigure 30: A snippet from the ‘rconf’ script, illustrating inspection of the environment variables\r\nIn addition, the threat actor also sets the environment variable VEI to rmq, which may stand for “vulnerability exploited index” for RocketMQ or something similar. Next, this script processes the /tmp/.xdiag/vei file by appending the value of the VEI variable (rmq) to it. If the file /tmp/.xdiag/vei does not exist or is empty, it checks if a secondary file /tmp/.xdiag/vei.1 exists. If it does, the script processes the contents of /tmp/.xdiag/vei, sorts and removes duplicates, and appends the value of VEI. If /tmp/.xdiag/vei.1 does not exist, it directly writes the value of VEI to /tmp/.xdiag/vei. 
Finally, it unsets the VEI variable.\r\nFigure 31: A snippet from the ‘rconf’ script, illustrating preparation of the ‘/tmp’ directory for the malware operation and logging\r\nFinally, this script manages the installation of the main payload by ensuring no other instances are running, downloading the necessary file, and starting a web server. It uses either curl, wget, or the custom download function (mentioned above), verifies the downloaded file, and runs it if valid. The script also includes safeguards to prevent multiple installations from occurring simultaneously. This is important because the initial curl of the rconf script runs repeatedly throughout the attack.\r\nFigure 32: A snippet from the ‘rconf’ script, illustrating download and installation of the malware under the name ‘httpd’\r\nNow that the main payload avatar.php has been downloaded, renamed to httpd and executed, we can focus on this binary.\r\nAppendix 3: The main payload (‘httpd’ and ‘sh’) analysis\r\nAnalysis of httpd\r\nThe binary httpd is a packed ELF (MD5: 656e22c65bf7c04d87b5afbe52b8d800) that bears many detections in VirusTotal, including general Linux Trojan, Coinminer, Exploitation tool for CVE-2021-4034, malware dropper, etc.\r\nOur analysis shows that in a way all these detections are correct, as in a nutshell this is a multipurpose malware dropper that contains all of the above. Its operation is very interesting, as it incorporates dozens of techniques to remain hidden and persistent. Based on our analysis below, we speculate that the campaign with this malware started about a year ago, and it remained quite anonymous and undetected.\r\nAs for the main payload, it is named avatar.php on the download server; after it is downloaded, it is renamed to httpd. 
The machine is fingerprinted by various commands such as uname -a, then it starts unpacking itself.\r\nNext, the httpd executable is copied from the running process into the /tmp directory, as illustrated in Figure 33 below. What’s interesting is that it finds the name of the process that ran it, and saves itself under the /tmp directory with the same name. It also saves the pid under /tmp/.apid. Lastly, httpd deletes itself.\r\nFigure 33: httpd copies itself from memory\r\nThis technique is called “process masquerading” or “process replacement”. It is often done for the following reasons:\r\n1. Defense Evasion: By deleting the original binary and copying itself to another location, the malware avoids detection by static file-based security measures that might be monitoring the original location. The /tmp directory is a common target because it is typically writable and frequently used for temporary files, making it less suspicious.\r\n2. Obfuscation: Deleting the original binary and killing itself can make it harder for security analysts to trace the activity back to the original payload, thereby complicating forensic analysis.\r\nAnalysis of sh\r\nThe binary sh (MD5: 656e22c65bf7c04d87b5afbe52b8d800) is an exact copy of httpd. After sh is executed, it sleeps for 10 minutes. Next it collects information about the OS.\r\nNext, sh drops nine binaries. Four are exact duplicates of sh / httpd, plus a cryptominer and a rootkit (discussed below in ‘The Rootkit’ section). There are 3 lean binaries: ldd, top and wizlmsh. The first 2 are user land rootkits; in some executions we also saw lsof and crontab. wizlmsh is used to ensure the malware is running.\r\nThe malware opens a Unix socket to communicate with all the processes it will run in the future. 
Via /tmp/.xdiag/int/.per.s, it writes logs, which will later be used by other dropped components as part of the attack.\r\nThe malware also runs various operations such as shutting down security controls, as seen in the example below:\r\nFigure 34: Shutting down security controls\r\nThe binary sh also copies itself from memory to various locations; as illustrated below, it saves itself as libpprocps.so and also as /root/.config/cron/perfcc, /usr/bin/perfcc, and /usr/lib/libfsnkdev.so.\r\nFigure 35: sh copying itself from memory\r\nThis is a tactic used for persistence, stealth, and possibly for privilege escalation. Below we discuss the various paths chosen:\r\n1. The path /root/.config/cron/perfcc: This path is quite deceptive because it mimics a configuration directory under the root user, which might be overlooked by security scans assuming it’s a legitimate config file. The inclusion of cron in the path suggests an attempt to associate the malware with cron jobs.\r\n2. The path /usr/bin/perfcc: The path /usr/bin is a standard directory for executable programs accessible to all users. Placing malware here could allow it to be executed like a normal system command, making detection harder. Naming the malware perfcc might be an attempt to masquerade as a legitimate system utility or command, reducing suspicion.\r\n3. The binaries /usr/lib/libpprocps.so and /usr/lib/libfsnkdev.so: These paths suggest the malware is impersonating shared libraries. /usr/lib is commonly used for storing shared libraries required by installed applications. The name libpprocps.so might be intended to appear related to the legitimate procps, a library and set of commands that includes utilities like ps, top, etc., which are used to display information about currently running processes. 
\r\nThe choice of these paths generally reflects a strategy to blend in with normal system operations, either by\r\nappearing as a utility or library that might regularly be executed or loaded by other processes. \r\nAppendix 4: The main rootkit (libgcwrap.so)\r\nThe rootkit has several purposes. One of the main purposes is to hook various functions and modify their\r\nfunctionality. The rootkit itself is an ELF 64-bit LSB shared object (.so) file named libgcwrap.so. The\r\nrootkit uses LD_PRELOAD to load itself before other libraries. \r\nAs illustrated in Figure 36 below, the rootkit’s strings are XOR-encrypted, and the function shown iterates through an\r\narray, XOR-decrypting each element of the array. \r\nFigure 36: XOR decrypt array\r\nYou can see in Figure 37 below the xor_decrypt function, which decrypts a string by iterating over each\r\nbyte of the input string and XORing it with the key 0xAC. \r\nFigure 37: XOR decrypt \r\nIt does various interesting manipulations, including hooking libpam symbols, specifically the function\r\npam_authenticate, which is used by PAM to authenticate users. Hooking or overwriting this function could\r\nallow unauthorized actions during the authentication process, such as bypassing password checks, logging\r\ncredentials, or modifying the behavior of authentication mechanisms. \r\nIn addition, the rootkit is also designed to hook libpcap symbols, specifically the function pcap_loop, which\r\nis widely used for capturing network traffic. \r\nBelow we discuss what the attacker is trying to do with these hooks: \r\n1. 
Network Traffic Manipulation: By hooking pcap_loop, an attacker could alter the behavior of\r\napplications that rely on libpcap for capturing network traffic. This could include security monitoring tools,\r\nnetwork analyzers, and other systems that perform packet analysis. Manipulating this function could lead\r\nto missed detections, altered traffic logs, or leakage of sensitive data. \r\n2. Data Eavesdropping: The hooked function might be modified to stealthily copy certain data passing\r\nthrough the network to a location controlled by an attacker, effectively creating a data exfiltration pathway. \r\n3. Persistence and Evasion: Placing malicious code in /tmp and hooking critical functions like\r\npcap_loop can be part of a strategy to maintain persistence on a host with minimal detection. This setup\r\nallows an attacker to continue malicious activities even after primary payloads are detected and removed. \r\nAppendix 5: User Land Rootkits ‘top’, ‘ldd’, ‘crontab’ and ‘lsof’\r\nThe malware Perfctl drops four binaries in the path /home/???/.local/bin/. In our case these were top, ldd, lsof and\r\ncrontab. \r\nBelow is the snippet executing top: \r\nFigure 38: top execution\r\nAs seen in Figure 38 above, in the first row the script checks if the environment variable ABWTRX is set; if it is,\r\nthis shell script won’t run. This is probably a check of whether the binary originally exists on the server or not. \r\nNext the variables r and m are defined as top and perfctl respectively. We assume that perfctl in this case is the\r\nobject to hide, which is the cryptominer. \r\nNext the script iterates over the /.local/bin binaries to save them in the environment variable PATH. Now the script\r\nchecks if the environment variable AAZHDE is set. As a reminder, the initial script, run when the server is first\r\ncompromised, sets the environment variable AAZHDE. 
This is a check to verify that the “normal” course of\r\nexecution of this malware is being followed, probably to evade sandbox execution. \r\nIf AAZHDE is set, the binary top is executed, passing all the arguments that were passed during the script\r\nexecution. \r\nIf AAZHDE isn’t set, the script executes various commands, including two trap commands. These trap commands\r\ndelete the directory /tmp/smpr when the script exits or if it is interrupted by a user. It then\r\nrecreates /tmp/smpr and sets the environment variable AAZHDE to 1. \r\nNext, the cryptominer is stopped, and the file /tmp/.apid is deleted. Lastly, the environment variable AAZHDE is unset\r\nand the binary top is executed. \r\nBelow is the snippet executing ldd:\r\nFigure 39: ldd execution\r\nThis snippet is very similar to the one for top. As seen in Figure 37 above, in the first row the script checks if the\r\nenvironment variable ABWTRX is set; if it is, this shell script won’t run. This is probably a check of whether the\r\ncryptominer is running or not (we will get to that next): if the cryptominer is running this script exits, otherwise it\r\nruns and executes the cryptominer. \r\nThe binary top receives two parameters, a pointer to an executable and a pointer to argv. It performs multiple\r\nsteps including initialization, environment setup, cryptographic operations, data manipulation, and eventually\r\nexecuting another program. It also runs an infinite loop to keep the process running in the background. \r\nFigure 40: top binary\r\nYou can see two functions, modify_lookup_table_with_offset and libc_xor_cipher, which are used to de-obfuscate various sections in memory. Next, there are several checks of the environment variables and errors. 
\r\nLastly, if all conditions are met, we see the execution of a binary (provided as an argument during top execution). \r\nFigure 41: top binary\r\nTop is used for real-time monitoring of system performance and processes. Thus, if a developer encounters a\r\nslowdown in the system corresponding to cryptomining activity and checks the CPU usage of all running\r\nprocesses, the tampered top will not show the cryptominer’s CPU consumption. \r\nLdd is used to display the shared libraries (dynamic dependencies) required by an executable or a shared library. It\r\nshows which libraries an application depends on, as well as the paths to those libraries. The threat actor wants to\r\nhide malicious libraries and dependencies used by the malware, preventing detection during inspections. \r\nCrontab is used to schedule and manage recurring tasks (cron jobs) to run at specified times on Linux/Unix\r\nsystems. \r\nLsof lists open files and shows which processes are using them, including files, sockets, and network connections. \r\nIt therefore makes perfect sense that the threat actor is trying to modify the results of these utilities, as they may be used\r\nby developers or security engineers to evaluate the server and understand what is attacking the machine. \r\nAppendix 6: Unix Socket Communication\r\nThe binary sh opens a Unix socket to write to and read from various files in the /tmp directory. 
\r\nIn the table below we review these files: \r\n# Path Use\r\n1 /tmp/.xdiag/cp Malware pathname\r\n2 /tmp/.xdiag/exi Victim’s IP address\r\n3 /tmp/.xdiag/p Malware Int marker\r\n4 /tmp/.xdiag/elog Events log\r\n5 /tmp/.xdiag/ver Malware version (string)\r\n6 /tmp/.xdiag/uid User ID\r\n7 /tmp/.xdiag/int/.e.lock Malware Int marker\r\n8 /tmp/.xdiag/hroot/cp Malware pathname\r\n9 /tmp/.xdiag/hroot/hscheck Heartbeat check\r\n10 /tmp/.xdiag/tordata/control_auth_cookie.tmp Cookie\r\n11 /tmp/.xdiag/tordata/cached-certs.tmp Certificates cache\r\n12 /tmp/.xdiag/tordata/cached-microdesc-consensus.tmp Tor data\r\n13 /tmp/.xdiag/tordata/state.tmp State of TOR logs\r\nFor instance, as illustrated in Figure 40 below, the malware wrote the result of ls on the\r\n/tmp directory into the file shown. \r\nFigure 42: lgctr file content\r\nAppendix 7: Indications of Compromise (IOCs)\r\nAssaf is the Director of Threat Intelligence at Aqua Nautilus. 
He is responsible for acquiring threat intelligence\r\nrelated to the software development life cycle in cloud native environments, supports the team's data needs, and helps\r\nAqua and the ecosystem remain at the forefront of emerging threats and protective methodologies. His research\r\nhas been featured in leading information security publications and journals worldwide, and he has presented at\r\nleading cybersecurity conferences. Notably, Assaf has also contributed to the development of the new MITRE\r\nATT\u0026CK Container Framework.\r\nAssaf is leading an O’Reilly course, focusing on cyber threat intelligence in cloud-native environments. The\r\ncourse covers both theoretical concepts and practical applications, providing valuable insights into the unique\r\nchallenges and strategies associated with securing cloud-native infrastructures.\r\nIdan Revivo\r\nIdan is the Head of Security Research at Aqua Security. He manages a team of researchers who are focused on\r\nthreat hunting and vulnerability research in containers, serverless, and cloud native technologies.\r\nSource: https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/"
	],
	"report_names": [
		"perfctl-a-stealthy-malware-targeting-millions-of-linux-servers"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434684,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc74c428b0bccae718df1f0f92eb7e2c9105b5d3.pdf",
		"text": "https://archive.orkl.eu/fc74c428b0bccae718df1f0f92eb7e2c9105b5d3.txt",
		"img": "https://archive.orkl.eu/fc74c428b0bccae718df1f0f92eb7e2c9105b5d3.jpg"
	}
}