{"id":12528,"date":"2025-04-02T13:21:17","date_gmt":"2025-04-02T13:21:17","guid":{"rendered":"\/cybersecurity-blog\/?p=12528"},"modified":"2025-04-02T13:21:18","modified_gmt":"2025-04-02T13:21:18","slug":"how-to-hunt-and-investigate-linux-malware","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/how-to-hunt-and-investigate-linux-malware\/","title":{"rendered":"How to Hunt and Investigate Linux Malware\u00a0"},"content":{"rendered":"\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/linux-in-anyrun\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linux<\/a> cyber threats may be less common than Windows ones, but they can be equally if not more damaging. Defending against these requires proactive efforts. <\/p>\n\n\n\n<p>Eric Parker, a popular YouTube blogger and malware analyst, recently <a href=\"https:\/\/www.youtube.com\/watch?v=zBYeA_oyLqI\" target=\"_blank\" rel=\"noreferrer noopener\">showed his approach<\/a> to investigating and collecting intelligence on Linux malware. <\/p>\n\n\n\n<p>Here is a recap of his video.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to find Linux malware in Threat Intelligence Lookup&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a> offers a centralized database of fresh IOCs, IOAs, and IOBs. 
It lets you search across threat data extracted from the latest malware and phishing samples analyzed by over 500,000 professionals and <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/\" target=\"_blank\" rel=\"noreferrer noopener\">15,000 companies around the globe<\/a> in ANY.RUN\u2019s <a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=linux_eric_parker&amp;utm_term=020425&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox<\/a>.&nbsp;<\/p>\n\n\n\n<p>To start searching for Linux threats in TI Lookup, we can begin with the search query specifying the Ubuntu OS version used in the Interactive Sandbox.&nbsp;<\/p>\n\n\n\n<p>Here is the query: &nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522os:%255C%252222.04.2%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">os:&quot;22.04.2&quot;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"628\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-4-1024x628.png\" alt=\"\" class=\"wp-image-12530\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-4-1024x628.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-4-300x184.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-4-768x471.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-4-1536x943.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-4-370x227.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-4-270x166.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-4-740x454.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-4.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup displaying results for the query<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Among the results, we can see shell scripts, malware, and can get an idea of what indicators of compromise there are. &nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Example 1: XORbot&nbsp;<\/h2>\n\n\n\n<p>One of the files we found here is tagged XORbot. 
It\u2019s a botnet primarily targeting Linux systems.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"350\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image2-1024x350.png\" alt=\"\" class=\"wp-image-12532\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image2-1024x350.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image2-300x103.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image2-768x263.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image2-1536x525.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image2-370x126.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image2-270x92.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image2-740x253.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image2.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Sandbox analysis sessions featuring XORbot displayed by TI Lookup<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Let\u2019s explore one of the samples.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/77571bdc-5aae-4ec1-81dd-7e7c87ab1677\/\" target=\"_blank\" rel=\"noreferrer noopener\">View sample analysis<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"580\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image3-1024x580.png\" alt=\"\" class=\"wp-image-12534\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image3-1024x580.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image3-300x170.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image3-768x435.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image3-1536x871.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image3-370x210.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image3-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image3-740x419.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image3.png 1856w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Analysis of XORbot in ANY.RUN\u2019s Interactive Sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The sandbox instantly shows numerous connection requests made by the botnet. &nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"613\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-3-613x1024.png\" alt=\"\" class=\"wp-image-12529\" style=\"width:432px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-3-613x1024.png 613w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-3-180x300.png 180w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-3-370x618.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-3-270x451.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-3-740x1235.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image-3.png 768w\" sizes=\"(max-width: 613px) 100vw, 613px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN&#8217;s Interactive Sandbox flags suspicious activity<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The malware also modifies ownership on the 
system and downloads additional payloads.&nbsp;<\/p>\n\n\n\n<p>Let\u2019s move on to the next type of malicious software that you can find with TI Lookup, <a href=\"https:\/\/any.run\/malware-trends\/stealer\" target=\"_blank\" rel=\"noreferrer noopener\">stealers<\/a>.\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Example 2: Linux Stealer &nbsp;<\/h2>\n\n\n\n<p>To find Linux stealers, we can simply combine the OS parameter with the threatName one. Here is the query we can submit to TI Lookup:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522os:%255C%252222.04.2%255C%2522%2520and%2520threatName:%255C%2522stealer%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">os:&quot;22.04.2&quot; and threatName:&quot;stealer&quot;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"582\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image5-1024x582.png\" alt=\"\" class=\"wp-image-12536\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image5-1024x582.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image5-300x171.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image5-768x437.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image5-1536x873.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image5-370x210.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image5-270x154.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image5-740x421.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image5.png 1815w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup displays results for 
Linux stealers<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Although the list of stealer samples can hardly match that of Linux botnets, we can still find an interesting one to explore.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/da4117c2-5243-4fdb-a2de-67e7427dcf5a\/\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis of Linux stealer<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"581\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image6-1024x581.png\" alt=\"\" class=\"wp-image-12537\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image6-1024x581.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image6-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image6-768x435.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image6-1536x871.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image6-370x210.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image6-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image6-740x420.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image6.png 1850w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Stealer malware analyzed in ANY.RUN\u2019s Interactive Sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This one has an impressive list of malicious functionalities:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It immediately begins to mine crypto using the system\u2019s resources&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Joins a botnet and later can be used for conducting DDoS attacks&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure 
class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"579\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image7-1024x579.png\" alt=\"\" class=\"wp-image-12539\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image7-1024x579.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image7-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image7-768x434.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image7-1536x868.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image7-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image7-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image7-740x418.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image7.png 1850w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Suricata IDS inside ANY.RUN\u2019s Interactive Sandbox pointing to crypto mining activity<\/em><\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>Steals files and credentials from the potential victim&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Scans other Linux devices for vulnerabilities using Shodan<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">What Makes Linux Malware Different&nbsp;<\/h2>\n\n\n\n<p>The big thing you are probably starting to notice is that Linux malware is very different from Windows malware. It is not usually targeting a desktop user.\u00a0<\/p>\n\n\n\n<p>It\u2019s not likely to have a campaign like email attachments or fake Fortnite swappers. &nbsp;<\/p>\n\n\n\n<p>Those do very rarely exist, but because very few people use Linux as their primary desktop operating system, it\u2019s much easier to target servers. 
&nbsp;<\/p>\n\n\n\n<p>This puts corporate infrastructure at risk and makes it particularly important for companies to use proper tools for proactive security like ANY.RUN\u2019s <a href=\"https:\/\/intelligence.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=linux_eric_parker&amp;utm_term=020425&amp;utm_content=linktolookup\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> and Interactive Sandbox.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/plans\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=linux_eric_parker&amp;utm_term=020425&amp;utm_content=linktotiplans\">Reach out to us<\/a> to learn how they can help your company. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Example 3: Mirai Botnet&nbsp;<\/h2>\n\n\n\n<p>Let\u2019s take one more look at a common Linux botnet.&nbsp;<\/p>\n\n\n\n<p>To find samples of Linux botnets, we submit the following search query to TI Lookup:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522os:%255C%252222.04.2%255C%2522%2520and%2520threatName:%255C%2522botnet%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">os:&quot;22.04.2&quot; and threatName:&quot;botnet&quot;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"598\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image8-1024x598.png\" alt=\"\" class=\"wp-image-12540\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image8-1024x598.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image8-300x175.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image8-768x449.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image8-1536x898.png 1536w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image8-370x216.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image8-270x158.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image8-740x432.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image8.png 1843w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Sandbox reports featuring analyses of Linux botnets displayed by TI Lookup <\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Let\u2019s pick <a href=\"https:\/\/app.any.run\/tasks\/da92afbf-1008-4ee9-92de-598f24b6ac5c\/\" target=\"_blank\" rel=\"noreferrer noopener\">this sandbox session<\/a>, which includes analysis of the Moobot version of Mirai.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"572\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image9-1024x572.png\" alt=\"\" class=\"wp-image-12541\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image9-1024x572.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image9-300x168.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image9-768x429.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image9-1536x858.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image9-370x207.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image9-270x151.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image9-740x413.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/image9.png 1839w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The Interactive Sandbox instantly detects 
Mirai\u2019s activity with Suricata IDS<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The infection starts with the download of the x86.elf file. This is the process that starts first; it runs and is ultimately deleted, which is another stealth technique.\u00a0<\/p>\n\n\n\n<p>If we watch the sandbox session replay, nothing visibly happens, which is very common with this kind of malware: the systems it targets would not even have a graphical user interface. &nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"620\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagea-1024x620.png\" alt=\"\" class=\"wp-image-12543\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagea-1024x620.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagea-300x182.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagea-768x465.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagea-370x224.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagea-270x164.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagea-740x448.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/imagea.png 1481w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Process analysis inside ANY.RUN\u2019s Interactive Sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The only way you might detect it is by going through the processes, which is possible thanks to ANY.RUN\u2019s real-time logging of all processes and system activities.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Secure Your Company Against Linux Threats&nbsp;<\/h2>\n\n\n\n<p>So how do you prevent Linux malware? The main thing is to watch out and make sure you don\u2019t have a weak root password on your system.&nbsp;<\/p>\n\n\n\n<p>To investigate and collect proactive intelligence on Linux threats that may target your infrastructure, use Threat Intelligence Lookup.&nbsp;<\/p>\n\n\n\n<p>With TI Lookup, your company can streamline:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Proactive Threat Identification:<\/strong> Search the database to proactively identify threats and update your defense&nbsp;based on the discovered intelligence.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Faster Research<\/strong>: Accelerate threat research by quickly connecting isolated IOCs to specific threats or known malware campaigns.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Real-Time Monitoring:<\/strong> Monitor evolving threats by <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-notifications\/\" target=\"_blank\" rel=\"noreferrer noopener\">receiving updates<\/a> on new results related to your indicators of interest.\u00a0\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Incident Forensics:<\/strong> Enhance 
forensic analysis of security incidents by searching for contextual information on existing artifacts.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>IOC, IOB, and IOA Collection<\/strong>: Discover additional indicators by searching the database for relevant threat information.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN<\/h2>\n\n\n\n<p><a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=linux_eric_parker&amp;utm_term=020425&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> helps more than 500,000 cybersecurity professionals and 15,000 organizations worldwide. The Interactive Sandbox simplifies malware analysis of threats that target both Windows and Linux systems. The threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a>, and <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-feeds\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find IOCs or files to learn more about the threats and respond to incidents faster.<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/plans\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=linux_eric_parker&amp;utm_term=020425&amp;utm_content=linktotiplans\">Integrate ANY.RUN&#8217;s Threat Intelligence suite in your organization \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Linux cyber threats may be less common than Windows ones, but they can be equally if not more damaging. Defending against these requires proactive efforts. 
Eric Parker, a popular YouTube blogger and malware analyst, recently showed his approach to investigating and collecting intelligence on Linux malware. Here is a recap of his video.&nbsp; How to [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":12564,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[57,10,15,34,40],"class_list":["post-12528","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to Hunt and Investigate Linux Malware\u00a0 - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Learn to hunt for Linux malware with ANY.RUN&#039;s Threat Intelligence Lookup and see how you can use it together with the Interactive Sandbox.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-hunt-and-investigate-linux-malware\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-hunt-and-investigate-linux-malware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-hunt-and-investigate-linux-malware\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"How to Hunt and Investigate Linux 
Malware\u00a0\",\"datePublished\":\"2025-04-02T13:21:17+00:00\",\"dateModified\":\"2025-04-02T13:21:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-hunt-and-investigate-linux-malware\/\"},\"wordCount\":1026,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Cybersecurity Lifehacks\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/how-to-hunt-and-investigate-linux-malware\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-hunt-and-investigate-linux-malware\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-hunt-and-investigate-linux-malware\/\",\"name\":\"How to Hunt and Investigate Linux Malware\u00a0 - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-04-02T13:21:17+00:00\",\"dateModified\":\"2025-04-02T13:21:18+00:00\",\"description\":\"Learn to hunt for Linux malware with ANY.RUN's Threat Intelligence Lookup and see how you can use it together with the Interactive Sandbox.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-hunt-and-investigate-linux-malware\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/how-to-hunt-and-investigate-linux-malware\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-hunt-and-investigate-linux-malware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity 
Lifehacks\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"How to Hunt and Investigate Linux Malware\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"How to Hunt and Investigate Linux Malware\u00a0 - ANY.RUN&#039;s Cybersecurity Blog","description":"Learn to hunt for Linux malware with ANY.RUN's Threat Intelligence Lookup and see how you can use it together with the Interactive Sandbox.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/how-to-hunt-and-investigate-linux-malware\/","twitter_misc":{"Written by":"ANY.RUN"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-hunt-and-investigate-linux-malware\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-hunt-and-investigate-linux-malware\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"How to Hunt and Investigate Linux Malware\u00a0","datePublished":"2025-04-02T13:21:17+00:00","dateModified":"2025-04-02T13:21:18+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-hunt-and-investigate-linux-malware\/"},"wordCount":1026,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware","malware analysis","malware behavior"],"articleSection":["Cybersecurity Lifehacks"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/how-to-hunt-and-investigate-linux-malware\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-hunt-and-investigate-linux-malware\/","url":"https:\/\/any.run\/cybersecurity-blog\/how-to-hunt-and-investigate-linux-malware\/","name":"How to Hunt and Investigate Linux Malware\u00a0 - ANY.RUN&#039;s Cybersecurity 
Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2025-04-02T13:21:17+00:00","dateModified":"2025-04-02T13:21:18+00:00","description":"Learn to hunt for Linux malware with ANY.RUN's Threat Intelligence Lookup and see how you can use it together with the Interactive Sandbox.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-hunt-and-investigate-linux-malware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/how-to-hunt-and-investigate-linux-malware\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-hunt-and-investigate-linux-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity Lifehacks","item":"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/"},{"@type":"ListItem","position":3,"name":"How to Hunt and Investigate Linux Malware\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/12528"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=12528"}],"version-history":[{"count":32,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/12528\/revisions"}],"predecessor-version":[{"id":12574,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/12528\/revisions\/12574"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/12
564"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=12528"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=12528"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=12528"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}