Emerging threat reports are short-form publications posted to this website to alert the network defender community to new, unreported threats that may be targeting their networks and systems. Identified today: three malicious ELF files have probably been circulating in the wild since at least April 14th of 2025. Due to limited context, I'm not sure where they would have been distributed. VirusTotal currently reports that no security vendors are flagging the files as malicious.
| Name | Arch | SHA-256 |
|---|---|---|
systemd-timesync | aarch64 | be61bd2b03c46a0a081d47876b9014f2af12363113c254282962d1e1856199c1 |
systemd-network | amd64 | 79b7cb2b27bec40d38e28720e9e9b7a95c3671d4b8a5b44503f060dc63da5004 |
systemd-resolve | amd64 | fdd2bfe6665ed097b5b6118821c61b79ab6905f6d7e791faf0563994eaf8de0a |
The actor is probably attempting to evade detection by blending in with systemd. Note that the file names are those of systemd's system users (systemd-timesync, systemd-network, systemd-resolve), not of the daemon binaries themselves (systemd-timesyncd, systemd-networkd, systemd-resolved), which on a normal install live under /usr/lib/systemd/ (or /lib/systemd/). A process carrying one of these names that runs from anywhere else deserves a closer look. Be aware, though, that the kernel truncates a process's comm to 15 characters, so in `ps -o comm` or top output the real daemons and these impostors are indistinguishable ("systemd-network", "systemd-resolve", "systemd-timesyn" in both cases); resolve /proc/PID/exe and hash it rather than trusting the displayed name.
This report and the indicators mentioned herein are TLP:CLEAR. Samples were obtained from open sources and analyzed as a hobby.
Indicators of Compromise
- v.takemname.xyz (domain)
- 47.238.60.121:443 (Hong Kong)
- be61bd2b03c46a0a081d47876b9014f2af12363113c254282962d1e1856199c1 (SHA-256, systemd-timesync, aarch64)
- 79b7cb2b27bec40d38e28720e9e9b7a95c3671d4b8a5b44503f060dc63da5004 (SHA-256, systemd-network, amd64)
- fdd2bfe6665ed097b5b6118821c61b79ab6905f6d7e791faf0563994eaf8de0a (SHA-256, systemd-resolve, amd64)
Analysis
The malware was written in Rust and linked using Zig. The following crates and versions are embedded in the binary:
ahash-0.8.11
anyhow-1.0.97
async-channel-2.3.1
async-compat-0.2.4
async-event-0.2.1
async-executor-1.13.0
async-global-executor-2.4.1
async-io-1.13.0
async-io-2.3.4
async-io-bufpool-0.1.2
async-lock-2.8.0
async-lock-3.4.0
async-std-1.13.1
async-task-4.7.1
bipe-0.2.8
blake3-1.5.5
blocking-1.6.1
bytes-1.9.0
cipher-0.4.4
concurrent-queue-2.5.0
crossbeam-queue-0.3.11
crossbeam-utils-0.8.20
curve25519-dalek-4.1.3
dashmap-6.0.1
event-listener-2.5.3
event-listener-5.3.1
fastrand-1.9.0
fastrand-2.1.0
futures-executor-0.3.31
futures-intrusive-0.5.0
futures-lite-2.3.0
futures-util-0.3.31
hashbrown-0.14.5
mio-1.0.2
num_cpus-1.16.0
once_cell-1.21.3
oneshot-0.1.8
parking-2.2.0
parking_lot_core-0.9.10
polling-2.8.0
polling-3.7.3
poly1305-0.8.0
portable-pty-0.9.0
quinn-0.11.7
quinn-proto-0.11.10
quinn-udp-0.5.4
rand-0.8.5
rand-0.9.0
rand_chacha-0.3.1
rand_chacha-0.9.0
rand_core-0.6.4
rand_core-0.9.3
ring-0.17.8
rustix-0.38.34
rustls-0.23.25
rustls-pki-types-1.11.0
rustls-webpki-0.103.0
serde-1.0.219
serde_json-1.0.140
slab-0.4.9
smallvec-1.13.2
smolscale-0.4.7
socket2-0.5.7
spin-0.9.8
st3-0.4.1
tachyonix-0.3.0
tinyvec-1.8.0
tokio-1.41.1
tracing-core-0.1.33
untrusted-0.9.0
uuid-1.16.0
whoami-1.6.0
zeroize-1.8.1
The crate list alone suggests a few things, to be read as inference rather than confirmed behaviour: quinn (a QUIC implementation) together with rustls points to a QUIC/TLS channel to the C2 on 443, which would mean UDP/443 traffic that TCP-only egress filtering and web-proxy logs will not show; portable-pty suggests an interactive shell over that channel; curve25519-dalek and poly1305 are key-agreement and authenticated-encryption primitives, so a second layer of encryption inside the transport is plausible; whoami and uuid fit host and bot identification. The binary appears to be obfuscated. If I am successful in reverse engineering the C2 protocol I will amend this post.