HomeCybersecurity Lifehacks
Linux Malware: Types, Families and Trends 
HomeCybersecurity Lifehacks
Linux Malware: Types, Families and Trends 

You’re probably familiar with the tagline “America runs on Dunkin.” Well, if the writers who came up with it worked in the Free Software Foundation, they might as well say, “The Internet runs on Linux.” The only difference is that they’d be factually correct. 

Linux is the primary operating system for many application backends, including Apache and Nginx — systems responsible for delivering a large part of the internet’s content. 

In cloud computing, Linux is the operating system of choice for platforms like Amazon Web Services (AWS), Google Cloud Platform, and Microsoft Azure. Its lightweight and modular design allows Linux to operate on low-power devices, such as sensors, smart home gadgets, and wearables, which makes the OS ubiquitous in Internet of Things (IoT) devices: sensors, smart home gadgets, and wearables.  

Linux malware is on the rise  

Linux is often praised for being more secure and having fewer vulnerabilities out of the box compared to Microsoft Windows. This is true, but it doesn’t mean Linux is entirely invulnerable for malware.   

Since 2018, there’s been a shift in focus among hackers who began developing new Lunux malware. As of March 2018, 15,762 new Linux malware variants were developed, a remarkably sharp increase from the 4,706 new variants developed by March 2017.  

And the IBM Security Report titled “Attacks on Industries Supporting COVID-19 Response Efforts Double” highlights: “Cybercriminals Accelerate Use of Linux Malware – With a 40% increase in Linux-related malware families in the past year, and a 500% increase in Go-written malware in the first six months of 2020, attackers are accelerating a migration to Linux malware.” 

This trend creates a massive risk to both companies and individuals. 

ANY.RUN provides the easiest way to analyze Linux malware 

Get started free

Most popular Linux threats  

Linux malware can cause data leaks and encryption, resulting in financial damage. When it comes to malware families, they are essentially the same as those targeting Windows PCs: 

  • Trojans: A trojan is malware disguised as legitimate software or embedded within another program. The term “trojan” doesn’t describe its function but refers to its delivery method. 
  • Botnets: Botnets are networks of devices controlled by a central command-and-control panel. They are often used in DDoS attacks to overwhelm target servers, causing system downtime. Often, botnets utilize IoT devices with online capabilities, which typically run on Linux. 
  • Ransomware: Ransomware blocks access to your device or files and demands payment to restore your access. Your data remains encrypted and inaccessible until you pay for the decryption key. 
  • Rootkits: Rootkits are a type of malware designed to be undetectable. Once installed, they can manipulate the operating system to hide other malware, change system functions, or deeply control system components. For example, a rootkit can conceal malware from antivirus software, falsely indicating that the system is clean. 
  • Cryptojacking: Cryptojacking malware hijacks a computer’s resources to mine cryptocurrency. Digital currencies like Bitcoin require “mining” — that’s when a computer is used to solve complex mathematical problems to validate transactions, earning currency in return. But mining is expensive — it requires powerful hardware and generates huge electricity bills. To avoid these costs, malicious actors infect other people’s computers, using their processing power without permission. This results in slower computer performance, higher energy use, and faster wear and tear on hardware. 

Popular Linux malware families 

In recent years numerous malware families targeting Linux systems emerged. Here are a few noteworthy ones: 


CloudSnooper is a sophisticated malware targeting Linux-based cloud environments that showcases a multifaceted approach to evasion and persistence. Its core functionality hinges on exploiting the iptables rules to create covert communication channels. Specifically, it manipulates these rules to allow traffic from a specific set of IP addresses, effectively bypassing standard firewall protections and enabling external C2 communication. Its rootkit capabilities enable deep system integration, concealing its presence by manipulating system calls and utilizing legitimate system binaries. 


Mirai is a well-known IoT botnet that capitalizes on the vulnerabilities of devices with weak security protocols. It scans for and infects these devices using a list of common default credentials, subsequently integrating them into a network for DDoS attacks. Mirai can close network ports on infected devices to prevent further unauthorized access. This malware’s impact is amplified by the abundance of poorly secured IoT devices and its open-source nature. 


RansomExx is a targeted ransomware strain known for attacks against enterprises and governments. It is easily identifiable by the “.ransomexx” extension, which it appends to encrypted files. The malware itself is not new, but it has only recently gained a Linux-targeting variant. The main attack vectors of this malware is spear-phishing, where it’s delivered to systems with IcedID trojan. 


EvilGnome is designed to masquerade as a GNOME shell extension, disguising itself to resemble legitimate GNOME processes. This approach allows it to remain largely undetected by conventional security tools. The modular design of this infostealer includes components for keylogging and downloading additional payloads, making it a popular tool for targeted espionage.  


GonnaCry is another Linux-based ransomware. This one is written in Python. It encrypts files using the AES-256 algorithm and appends the “.GonnaCry” extension to them. Notably, GonnaCry operates without a command and control server, instead, it displays a ransom note with payment instructions directly to the user. This ransomware is known for being open-source, which potentially allows other cybercriminals to modify and repurpose it. 


Tycoon is a multi-platform ransomware that targets both Windows and Linux systems, notable for its use of a Java-based file format to remain under the radar. It’s known to append unique extensions like “.redrum”, “.grinch”, or “.thanos”. Tycoon is deployed through targeted attacks, often exploiting weak security in remote desktop protocols. After infection, it compresses the files in a password-protected ZIP archive to hinder recovery efforts. 

Tools you can use to analyze Linux malware 

Analyzing Linux malware accurately is essential for robust security. While there are several open-source network security toolkits available, none match the user-friendliness of ANY.RUN‘s interactive sandbox, especially with a new Ubuntu VM available for everyone now.  

Try ANY.RUN for Linux with a free account 

Register now

However, expect changes soon, though we’re keeping the details under wraps for now. 

  • Rootkit Hunter & Check Rootkit: These tools, Rkhunter, and chkrootkit, scan local systems to detect malicious software, including malware and viruses that conceal their presence on a system. 
  • Volatility: Volatility is an open-source memory forensics framework designed for cloud security. It’s used in incident response and malware analysis.  
  • Lynis: Lynis is a command-line tool that scans either local or remote systems. It helps auditors find potential network security issues. 
  • Kali Linux: Kali Linux is a distribution tailored for penetration testing, ethical hacking, and digital forensics. It includes a variety of security penetration and management tools for network discovery and research, helping to uncover cybersecurity vulnerabilities. 

Closing thoughts on Linux security threats 

Linux is inherently more secure than Windows, largely due to its robust open-source community. This community rigorously oversees resources and insists on transparency from companies developing Linux software, many of which are also open source. 

However, Linux’s widespread use, especially in cloud hosting, makes it an attractive target for attackers. Compromising Linux-based platforms could grant access to vast resources. Therefore, Linux users must be vigilant about the increasing risks their systems face. As we move forward into 2024, prioritizing system, data, and network security and maintenance is crucial — no matter the operating system. 

About ANY.RUN 

ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis.   

Request a demo today and enjoy 14 days of free access to our Enterprise plan.    

Request demo → 

What do you think about this post?

1 answers

  • Awful
  • Average
  • Great

No votes so far! Be the first to rate this post.