
Emerging Threat Report: Undetected Malware for GNU/Linux Probably Circulating in the Wild

April 27, 2025 ❖ Tags: threat-reporting, malware

Emerging threat reports are short-form publications posted to this website to alert the network defender community to new, unreported threats that may be targeting their networks and systems. Identified today: three malicious ELF files have probably been circulating in the wild since at least April 14th of 2025. Due to limited context, I'm not sure where they would have been distributed. VirusTotal currently reports that no security vendors are flagging the files as malicious.

Name               Arch     sha256
systemd-timesync   aarch64  be61bd2b03c46a0a081d47876b9014f2af12363113c254282962d1e1856199c1
systemd-network    amd64    79b7cb2b27bec40d38e28720e9e9b7a95c3671d4b8a5b44503f060dc63da5004
systemd-resolve    amd64    fdd2bfe6665ed097b5b6118821c61b79ab6905f6d7e791faf0563994eaf8de0a

The actor is probably attempting to evade detection by blending in with systemd. Note that the three file names match systemd's dedicated service user accounts (systemd-timesync, systemd-network, systemd-resolve), not the daemon binaries themselves, which are systemd-timesyncd, systemd-networkd and systemd-resolved (with a trailing "d") under /usr/lib/systemd/. Apart from the deprecated systemd-resolve compatibility symlink to resolvectl that some distributions ship, a regular file or running process with one of these exact names deserves a second look.

This report and the indicators mentioned herein are TLP:CLEAR. Samples were obtained from open sources and analyzed as a hobby.

Indicators of Compromise

  • v.takemname.xyz
  • 47.238.60.121:443 (Hong Kong)
  • be61bd2b03c46a0a081d47876b9014f2af12363113c254282962d1e1856199c1
  • 79b7cb2b27bec40d38e28720e9e9b7a95c3671d4b8a5b44503f060dc63da5004
  • fdd2bfe6665ed097b5b6118821c61b79ab6905f6d7e791faf0563994eaf8de0a
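The following hunting helpers are an added example and are not the author's tooling. They take only the indicators listed above (the three SHA-256 hashes, the domain, the IP and the three decoy file names) and assume a POSIX shell on a host with find, grep and sha256sum (or shasum). The function names are mine, and the DNS log line used in the usage comment is constructed for illustration.

```sh
#!/bin/sh
# Hunting helpers for the indicators in this report (added example, not the
# author's tooling). Assumes POSIX sh with find, grep and sha256sum or shasum.

# File hashes taken from the report.
IOC_SHA256='be61bd2b03c46a0a081d47876b9014f2af12363113c254282962d1e1856199c1
79b7cb2b27bec40d38e28720e9e9b7a95c3671d4b8a5b44503f060dc63da5004
fdd2bfe6665ed097b5b6118821c61b79ab6905f6d7e791faf0563994eaf8de0a'

# Network indicators taken from the report.
IOC_NET='v.takemname.xyz
47.238.60.121'

# Decoy basenames used by the samples. The genuine daemons are systemd-timesyncd,
# systemd-networkd and systemd-resolved (trailing "d"), so these exact names are
# not expected as regular files on a stock system.
DECOY_NAMES='systemd-timesync systemd-network systemd-resolve'

# sha256_of FILE: print the SHA-256 of FILE using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# hunt_names DIR: regular files under DIR whose basename is a decoy name.
# -type f skips symlinks, so the deprecated /usr/bin/systemd-resolve -> resolvectl
# compatibility link shipped by some distributions does not produce a hit.
hunt_names() {
    dir=$1
    for name in $DECOY_NAMES; do
        find "$dir" -xdev -type f -name "$name" 2>/dev/null
    done
}

# hunt_hashes DIR: regular files under DIR whose SHA-256 is in IOC_SHA256.
# Every regular file is hashed, so point it at bounded trees (/tmp, /var/tmp,
# /dev/shm, /home) rather than the whole filesystem unless time allows.
hunt_hashes() {
    dir=$1
    find "$dir" -xdev -type f 2>/dev/null | while IFS= read -r f; do
        h=$(sha256_of "$f") || continue
        if printf '%s\n' "$IOC_SHA256" | grep -qxF "$h"; then
            printf '%s %s\n' "$h" "$f"
        fi
    done
}

# hunt_netlog FILE: lines of a DNS, proxy or firewall log that mention the C2
# domain or IP. -w keeps 47.238.60.121 from matching inside 147.238.60.121.
hunt_netlog() {
    printf '%s\n' "$IOC_NET" | grep -Fw -f - "$1"
}

# Live triage of the current host (run as root for full coverage):
#   hunt_names /
#   hunt_hashes /tmp; hunt_hashes /var/tmp; hunt_hashes /dev/shm
#   hunt_netlog /var/log/syslog
#   ss -tnp | grep -Fw 47.238.60.121
```

A hash hit is conclusive for the three samples reported here; a name hit is only a lead, since nothing stops an attacker from renaming the file, and nothing stops an administrator from creating a benign file with the same name. Treat any match as a reason to pull the file and its process tree for analysis rather than as a verdict.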

Analysis

The malware was certainly written in Rust and linked using Zig, and embeds the following crates (name-version as recovered from the binary). Of note, quinn, quinn-proto and quinn-udp implement QUIC, rustls and ring provide TLS, and portable-pty provides pseudo-terminal handling; this is consistent with, but does not by itself confirm, a QUIC-transported interactive shell:

  • ahash-0.8.11
  • anyhow-1.0.97
  • async-channel-2.3.1
  • async-compat-0.2.4
  • async-event-0.2.1
  • async-executor-1.13.0
  • async-global-executor-2.4.1
  • async-io-1.13.0
  • async-io-2.3.4
  • async-io-bufpool-0.1.2
  • async-lock-2.8.0
  • async-lock-3.4.0
  • async-std-1.13.1
  • async-task-4.7.1
  • bipe-0.2.8
  • blake3-1.5.5
  • blocking-1.6.1
  • bytes-1.9.0
  • cipher-0.4.4
  • concurrent-queue-2.5.0
  • crossbeam-queue-0.3.11
  • crossbeam-utils-0.8.20
  • curve25519-dalek-4.1.3
  • dashmap-6.0.1
  • event-listener-2.5.3
  • event-listener-5.3.1
  • fastrand-1.9.0
  • fastrand-2.1.0
  • futures-executor-0.3.31
  • futures-intrusive-0.5.0
  • futures-lite-2.3.0
  • futures-util-0.3.31
  • hashbrown-0.14.5
  • mio-1.0.2
  • num_cpus-1.16.0
  • once_cell-1.21.3
  • oneshot-0.1.8
  • parking-2.2.0
  • parking_lot_core-0.9.10
  • polling-2.8.0
  • polling-3.7.3
  • poly1305-0.8.0
  • portable-pty-0.9.0
  • quinn-0.11.7
  • quinn-proto-0.11.10
  • quinn-udp-0.5.4
  • rand-0.8.5
  • rand-0.9.0
  • rand_chacha-0.3.1
  • rand_chacha-0.9.0
  • rand_core-0.6.4
  • rand_core-0.9.3
  • ring-0.17.8
  • rustix-0.38.34
  • rustls-0.23.25
  • rustls-pki-types-1.11.0
  • rustls-webpki-0.103.0
  • serde-1.0.219
  • serde_json-1.0.140
  • slab-0.4.9
  • smallvec-1.13.2
  • smolscale-0.4.7
  • socket2-0.5.7
  • spin-0.9.8
  • st3-0.4.1
  • tachyonix-0.3.0
  • tinyvec-1.8.0
  • tokio-1.41.1
  • tracing-core-0.1.33
  • untrusted-0.9.0
  • uuid-1.16.0
  • whoami-1.6.0
  • zeroize-1.8.1

The binary appears to be obfuscated. If I am successful in reverse engineering the C2 protocol, I will amend this post.
