Recent investigations by Unit 42, the threat intelligence arm of Palo Alto Networks, have unearthed a concerning trend: threat actors are increasingly developing and adapting Linux Executable and Linkable Format (ELF) malware to target cloud infrastructure.
With cloud adoption skyrocketing and Linux-based systems underpinning the vast majority of cloud workloads (estimates suggest between 70% and 90% of cloud compute instances), attackers are finding fertile ground for deploying evolved malware families.
ELF is the standard file format for executables and shared libraries on Linux. Due to Linux’s dominance in cloud environments, ELF files are an ideal vector for malware seeking persistence, evasion, and widespread impact.
Unit 42’s research highlights five evolving ELF-based malware families: NoodleRAT, Winnti (Linux variants), SSHdInjector, Pygmy Goat, and AcidPour.
Each family has seen at least two significant codebase updates in the past year, and each has been observed in the wild at least 20 times, evidence of active development and deployment.
Attacks leveraging ELF binaries are growing in sophistication, often targeting vulnerabilities or misconfigurations in cloud-native and containerized deployments.
For example, attackers employ techniques such as dynamic linker hijacking to inject malicious code into legitimate processes. This often involves abusing environment variables like LD_PRELOAD to achieve stealthy code injection:
```text
LD_PRELOAD=/path/to/malicious.so /usr/sbin/sshd
```
Here, /path/to/malicious.so contains code that is loaded before any legitimate system libraries, allowing attackers to intercept system calls or hijack processes.
NoodleRAT
NoodleRAT is a backdoor supporting both Windows and Linux, but its Linux variant is ELF-based and particularly dangerous. Capabilities include:
Notably, NoodleRAT has been used by Chinese-speaking actors and has targeted organizations across Asia-Pacific, including India, Thailand, Malaysia, and others.
Winnti
The Linux version of Winnti abuses LD_PRELOAD to remain resident in memory without tampering with system binaries. It provides:
Winnti is frequently linked to China-nexus actors such as Starchy Taurus (aka Winnti Group, BARIUM) and is used for cyberespionage.
SSHdInjector
SSHdInjector is a Linux backdoor that injects code into the SSH daemon at runtime, enabling:
SSHdInjector has been deployed by groups like Digging Taurus (aka Daggerfly, Evasive Panda), targeting governments and telcos.
Pygmy Goat
Pygmy Goat, originally discovered on Sophos XG firewalls, exploits vulnerable libraries (libsophos.so, CVE-2022-1040) and uses LD_PRELOAD to inject into sshd. Notable features:
Targets include government agencies and NGOs in Asia-Pacific.
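The LD_PRELOAD abuse described above for Winnti, SSHdInjector and Pygmy Goat leaves residue a defender can look for on a Linux host. The script below is an added example, not code from this article or from Unit 42; it assumes the standard /proc layout and a list of trusted library directories that you would tune for your distribution. It checks three things: a process whose environment still carries LD_PRELOAD, a shared object mapped into a process (for instance sshd) from outside the usual library directories or from a deleted file, and entries in /etc/ld.so.preload, the system-wide form of LD_PRELOAD. The sample environ and maps data at the bottom is constructed to show what a hit looks like.

```python
"""Hunt for LD_PRELOAD-style dynamic linker hijacking on a Linux host.

Added example, not code from the article or from Unit 42. Assumes the
standard Linux /proc layout; TRUSTED_LIB_DIRS is an assumption to tune.
"""
import re
from pathlib import Path
from typing import Dict, List, Optional

# Where a distribution's legitimate shared objects live (trailing slash so
# that /usr/libexec is not silently treated as /usr/lib). Assumption: extend
# for your environment, e.g. /snap/ or /opt/<vendor>/lib/.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Path column of a /proc/<pid>/maps line, e.g.
# "7f3a1c000000-7f3a1c1a0000 r-xp 00000000 08:01 262  /usr/lib/x86_64-linux-gnu/libc.so.6"
MAPS_SO_RE = re.compile(r"\s(/\S+\.so(?:\.\d+)*)(\s+\(deleted\))?$")


def ld_preload_from_environ(environ: bytes) -> Optional[str]:
    """Return the LD_PRELOAD value from a NUL-separated /proc/<pid>/environ blob."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def untrusted_libs_from_maps(maps_text: str) -> List[str]:
    """Shared objects mapped from outside TRUSTED_LIB_DIRS or from deleted files,
    in first-seen order without duplicates."""
    found: List[str] = []
    for line in maps_text.splitlines():
        m = MAPS_SO_RE.search(line)
        if not m:
            continue
        path, deleted = m.group(1), m.group(2) is not None
        if (deleted or not path.startswith(TRUSTED_LIB_DIRS)) and path not in found:
            found.append(path)
    return found


def preload_config_entries(text: str) -> List[str]:
    """Library paths listed in /etc/ld.so.preload ('#' starts a comment,
    entries are whitespace-separated)."""
    entries: List[str] = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries


def scan_host(proc_root: str = "/proc",
              preload_file: str = "/etc/ld.so.preload") -> List[Dict[str, object]]:
    """Walk /proc and return one finding per suspicious process, plus one for a
    non-empty ld.so.preload. Reading other users' environ/maps needs root."""
    findings: List[Dict[str, object]] = []
    for pid_dir in Path(proc_root).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            comm = (pid_dir / "comm").read_text().strip()
            preload = ld_preload_from_environ((pid_dir / "environ").read_bytes())
            libs = untrusted_libs_from_maps((pid_dir / "maps").read_text())
        except OSError:  # process exited, or not permitted
            continue
        if preload or libs:
            findings.append({"pid": int(pid_dir.name), "comm": comm,
                             "ld_preload": preload, "untrusted_libs": libs})
    try:
        entries = preload_config_entries(Path(preload_file).read_text())
    except OSError:
        entries = []
    if entries:
        findings.append({"pid": None, "comm": preload_file,
                         "ld_preload": None, "untrusted_libs": entries})
    return findings


# Constructed sample data standing in for sshd's /proc/<pid>/environ and maps.
SAMPLE_ENVIRON = b"PATH=/usr/sbin:/usr/bin\0LD_PRELOAD=/tmp/.cache/evil_preload.so\0LANG=C\0"
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0a20000 r--p 00000000 08:01 131  /usr/sbin/sshd
7f3a1c000000-7f3a1c1a0000 r-xp 00000000 08:01 262  /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c400000-7f3a1c402000 r-xp 00000000 08:01 999  /tmp/.cache/evil_preload.so
7f3a1c500000-7f3a1c502000 rw-p 00000000 00:00 0
7f3a1c600000-7f3a1c602000 r-xp 00000000 08:01 888  /dev/shm/inj.so (deleted)
"""

if __name__ == "__main__":
    print("sample LD_PRELOAD:", ld_preload_from_environ(SAMPLE_ENVIRON))
    print("sample untrusted libs:", untrusted_libs_from_maps(SAMPLE_MAPS))
    for finding in scan_host():
        print(finding)
```

A process that was started with LD_PRELOAD keeps the variable in its environ for its whole lifetime, so the first check catches the injection long after the launch; the maps check catches the cases where the variable was scrubbed or the library was unlinked after loading. Treat hits in /tmp, /dev/shm or deleted files as high priority and verify the remaining paths against your package manager before acting.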
AcidPour
AcidRain targets MIPS-based devices, while AcidPour, its successor, is compiled for x86, expanding its reach to x86-based cloud infrastructure. Both are destructive wipers that:
AcidPour is linked to Russian groups (Razing Ursa, aka Sandworm, Voodoo Bear) and could be especially damaging if actors gain shell access via web shell, misconfiguration, or container escape.
With cloud-based security alerts up 388% in 2024, and organizations reporting a 45% increase in advanced persistent threat (APT) attacks, defenders must adapt. Modern cloud endpoint detection and response (EDR) solutions, like Palo Alto Networks’ Cortex Cloud, now employ machine learning to flag suspicious binaries.
How ML-Based ELF Detection Works
Cortex Cloud’s ML module was tested on over 100 unique ELF binaries across the five malware families. Detection scores:
Test results showed 92.3% of samples scored as suspicious or malicious, and 61.5% scored above 0.85 (malicious). The model considers factors such as:
Example: Cortex XDR Alert for Unknown ELF Binary
Security teams are alerted when an unknown ELF binary is executed. The Cortex XDR interface shows a chain of related events and detailed process information, speeding remediation.
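To make the scoring described above concrete, the script below extracts header-level features from an ELF file and combines two of them into a transparent score. It is an added example and is not Cortex Cloud's model or Unit 42's tooling: the article does not list the real model's inputs, so the feature set and the weights in suspicion_score() are assumptions chosen to illustrate signals that commonly matter for ELF malware (section header table removed, packed or encrypted high-entropy contents, an executable that declares no loadable segments). build_sample_elf() constructs a minimal ELF64 header for offline testing; on a real host you would point the script at a file on disk.

```python
"""Static feature extraction for ELF binaries, the kind of input a classifier scores.

Added example, not Cortex Cloud's model. Feature set and score weights are
assumptions for illustration; e_machine/e_type values are from the ELF spec.
"""
import math
import struct
import sys
from collections import Counter
from typing import Dict

ELF_MAGIC = b"\x7fELF"
MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def elf_features(data: bytes) -> Dict[str, object]:
    """Parse the ELF identification and header and return header-level features."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # 1/2 = 32/64-bit, 1/2 = LE/BE
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:
        if len(data) < 64:
            raise ValueError("truncated ELF64 header")
        # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
        # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
        fields = struct.unpack(endian + "HHIQQQIHHHHHH", data[16:64])
    elif ei_class == 1:
        fields = struct.unpack(endian + "HHIIIIIHHHHHH", data[16:52])
    else:
        raise ValueError("unknown EI_CLASS")
    (e_type, e_machine, _ver, e_entry, _phoff, _shoff, _flags,
     _ehsize, _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = fields
    return {
        "bits": 64 if ei_class == 2 else 32,
        "endian": "little" if ei_data == 1 else "big",
        "type": TYPES.get(e_type, "unknown(%d)" % e_type),
        "machine": MACHINES.get(e_machine, "unknown(%d)" % e_machine),
        "entry": e_entry,
        "program_headers": e_phnum,
        "section_headers": e_shnum,
        "has_section_headers": e_shnum > 0,
        "entropy": byte_entropy(data),
        "size": len(data),
    }


def suspicion_score(features: Dict[str, object]) -> float:
    """Toy stand-in for a trained model: weighted sum of three header signals
    (weights are assumptions), capped at 1.0."""
    score = 0.0
    if not features["has_section_headers"]:
        score += 0.4   # section table stripped: common in packed or hand-built malware
    if features["entropy"] > 7.2:
        score += 0.4   # near-random contents: packed or encrypted payload
    if features["type"] in ("EXEC", "DYN") and features["program_headers"] == 0:
        score += 0.2   # a loadable file that declares no segments is malformed
    return min(score, 1.0)


def build_sample_elf(e_machine: int = 62, e_shnum: int = 0, e_phnum: int = 1,
                     payload: bytes = b"") -> bytes:
    """Constructed test input: a minimal little-endian ELF64 EXEC header plus payload.
    Not a runnable binary; only the header fields matter here."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8
    header = struct.pack("<HHIQQQIHHHHHH", 2, e_machine, 1, 0x401000, 64, 0, 0,
                         64, 56, e_phnum, 64, e_shnum, 0)
    return ident + header + payload


if __name__ == "__main__":
    if len(sys.argv) > 1:
        blob = open(sys.argv[1], "rb").read()
    else:  # no file given: score the constructed high-entropy, header-stripped sample
        blob = build_sample_elf(payload=bytes(range(256)) * 16)
    feats = elf_features(blob)
    print(feats)
    print("score:", suspicion_score(feats))
```

The point of the example is the pipeline rather than the weights: a real model learns them from thousands of labelled samples and also looks inside sections, imports and strings. The header features alone already separate the constructed sample (no section table, entropy close to 8 bits per byte) from a normal distribution binary, and the parser tolerates both 32-bit and big-endian files, which matters for the MIPS variants the article mentions.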
Given the threats, experts recommend:
LD_PRELOAD and unusual binary execution.
For the most robust protection, Palo Alto Networks customers are encouraged to use:
If you suspect a compromise, reach out to Unit 42 Incident Response for urgent assistance.
As cloud migration accelerates, threat actors are shifting their focus to Linux ELF malware, tailoring proven techniques for cloud environments.
The rise of backdoors, wipers, and sophisticated evasion methods such as dynamic linker hijacking and rootkit functionality means defenders must stay ahead with advanced detection and response.
Machine learning-powered endpoint security is proving essential in identifying and blocking these emerging threats.
With organizations increasingly reliant on cloud infrastructure, now is the time to fortify Linux workloads and containers against the next wave of ELF-based attacks.