{"id":15182,"date":"2025-07-31T10:26:55","date_gmt":"2025-07-31T10:26:55","guid":{"rendered":"\/cybersecurity-blog\/?p=15182"},"modified":"2025-11-07T12:46:16","modified_gmt":"2025-11-07T12:46:16","slug":"arm-linux-malware-sandbox","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/arm-linux-malware-sandbox\/","title":{"rendered":"Detect ARM Malware in Seconds with Debian Sandbox for Stronger Enterprise Security\u00a0"},"content":{"rendered":"\n<p><a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=introducing_debian_arm&amp;utm_term=310725&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Interactive Sandbox<\/a> provides SOC teams with the fastest solution for analyzing and detecting cyber threats targeting <a href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-analyze-malware-threats\/\">Windows, Linux, and Android<\/a> systems. Now, our selection of VMs has been expanded to include Linux Debian 12.2 64-bit (ARM).&nbsp;&nbsp;<\/p>\n\n\n\n<p>With the rapid rise of ARM-based malware, the sandbox helps businesses tackle this threat through proactive analysis and early detection.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why ARM-based Malware is a Serious Threat to Your Company&nbsp;<\/h2>\n\n\n\n<p>ARM processors are widely used in resource-constrained IoT devices, embedded systems, and even low-power servers, often deployed with weak security. These devices become prime targets for attackers looking to build massive botnets, steal resources, or gain unauthorized access. 
The three most popular types of ARM-based malware include:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/botnet\" target=\"_blank\" rel=\"noreferrer noopener\">Botnets<\/a>: Turning devices into \u201czombies\u201d for DDoS attacks.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/cybersecurity-blog\/crypto-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">Cryptojackers<\/a>: Hijacking CPU for cryptocurrency mining.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/backdoor\/\" target=\"_blank\" rel=\"noreferrer noopener\">Backdoors<\/a>: Maintaining persistent unauthorized system access.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>By expanding the capabilities to identify these threats, companies can prevent large-scale incidents in their infrastructure and reduce costs associated with downtime, recovery, and incident response.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Launch Your First Malware Analysis in Linux Debian (ARM) VM&nbsp;<\/h2>\n\n\n\n<p>The new OS is now available to all <a href=\"https:\/\/any.run\/cybersecurity-blog\/anyrun-enterprise-plan\/\" target=\"_blank\" rel=\"noreferrer noopener\">Enterprise users<\/a>, unlocking deeper analysis capabilities for ARM-based threats. &nbsp;<\/p>\n\n\n\n<p>To select the Linux Debian VM, follow these simple steps:&nbsp;&nbsp;<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Open <a href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=introducing_debian_arm&amp;utm_term=310725&amp;utm_content=linktoregistration\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Interactive sandbox<\/a>.&nbsp;<\/li>\n<\/ol>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"791\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imagea-2-1024x791.png\" alt=\"\" class=\"wp-image-15187\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imagea-2-1024x791.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imagea-2-300x232.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imagea-2-768x594.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imagea-2-1536x1187.png 1536w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imagea-2-370x286.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imagea-2-270x209.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imagea-2-740x572.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imagea-2.png 1682w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Click on the Operating system dropdown menu<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>Navigate to the <em>New analysis<\/em> window.&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li>Open the <em>Operating system<\/em> menu&nbsp;<\/li>\n<\/ol>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"795\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imageb-3-1024x795.png\" alt=\"\" class=\"wp-image-15189\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imageb-3-1024x795.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imageb-3-300x233.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imageb-3-768x596.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imageb-3-1536x1193.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imageb-3-370x287.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imageb-3-270x210.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imageb-3-385x300.png 385w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imageb-3-740x575.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imageb-3.png 1674w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" 
\/><figcaption class=\"wp-element-caption\"><em>Select Debian (ARM) from the available OS options<\/em><\/figcaption><\/figure><\/div>\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li>Click on <em>Linux Debian 12.2 (ARM, 64 bit)<\/em>.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"5\" class=\"wp-block-list\">\n<li>Upload a file\/URL you want to analyze, configure the rest of your settings, and run your analysis.&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>The update further empowers your security team to detect malware and phishing early with ANY.RUN\u2019s Interactive Sandbox:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Ensure fast analysis<\/strong>: Accelerate triage, incident response, and threat hunting with a dedicated ARM environment for instant insights into any threat\u2019s behavior.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cut costs<\/strong>: Analyze ARM-based malware along with Windows, Android, and Linux x86 threats directly in ANY.RUN\u2019s sandbox, eliminating the need for multiple platforms.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Improve incident escalation<\/strong>: Gather rich, actionable data during Tier 1 analysis so that handoffs to Tier 2 are better informed and active attacks are mitigated more effectively.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Grow your team\u2019s expertise<\/strong>: Help your SOC analysts enhance their skills by analyzing real-world ARM threats, building confidence and knowledge through hands-on investigations.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Real-World Use Case: Kaiji Botnet&nbsp;<\/h2>\n\n\n\n<p>To demonstrate how ANY.RUN\u2019s Linux Debian 12.2 (ARM, 64-bit) Sandbox operates, we analyzed a real-world sample of the Kaiji botnet, malware specifically compiled for the ARM architecture.&nbsp;<\/p>\n\n\n\n<p>Kaiji is a botnet that targets Linux-based servers and IoT devices. 
Once executed, it performs system reconnaissance, masks its presence, disables security mechanisms like SELinux, and ensures persistence through systemd services and cron jobs. It replaces core system utilities and hides malicious activity by filtering command output, all of which are captured inside the sandbox.&nbsp;<\/p>\n\n\n\n<p>Let\u2019s take a closer look at how Kaiji behaves from the moment it lands on the sandbox:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/b1494b5d-7af9-433f-8839-0e52a9289688\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=introducing_debian_arm&amp;utm_term=310725&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View real case inside sandbox<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"568\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image3-5-1024x568.png\" alt=\"\" class=\"wp-image-15191\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image3-5-1024x568.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image3-5-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image3-5-768x426.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image3-5-1536x852.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image3-5-2048x1136.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image3-5-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image3-5-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image3-5-740x411.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Kaiji botnet analyzed inside ANY.RUN 
sandbox<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\"><strong>Fast Detection with Instant Verdict<\/strong>&nbsp;<\/h3>\n\n\n\n<p>In this real-world case, ANY.RUN\u2019s Debian 12.2 ARM sandbox detected the Kaiji botnet in just <strong>25 seconds, <\/strong>as shown in the top-right corner of the sandbox interface. The threat was flagged as <em>malicious activity<\/em> and accurately labeled <em>kaiji <\/em>and <em>botnet<\/em>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"213\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imagec-2-1024x213.png\" alt=\"\" class=\"wp-image-15193\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imagec-2-1024x213.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imagec-2-300x62.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imagec-2-768x160.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imagec-2-370x77.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imagec-2-270x56.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imagec-2-740x154.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/imagec-2.png 1220w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>25 seconds for the detection of Kaiji botnet inside ANY.RUN\u2019s Debian sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This kind of speed delivers real value for security teams:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Respond faster:<\/strong> A near-instant verdict means teams can act before the threat spreads.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduce manual work:<\/strong> Quick detection cuts down time spent 
digging through logs or unclear alerts.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Improve SOC efficiency:<\/strong> Faster detection supports lower MTTR and smarter alert triage.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Stay ahead of evolving threats:<\/strong> With ARM-based malware on the rise, fast, reliable detection is key to staying protected.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Full Visibility with Process Tree<\/strong>&nbsp;<\/h3>\n\n\n\n<p>Beyond fast detection, ANY.RUN\u2019s sandbox gives complete visibility into the attack\u2019s behavior. On the right side of the screen, the <a href=\"https:\/\/any.run\/cybersecurity-blog\/process-tree-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>process tree<\/strong><\/a> lays out every action taken by the malware. Clicking on each process reveals detailed information, from execution paths to commands and TTPs used.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"678\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image5-7-1024x678.png\" alt=\"\" class=\"wp-image-15195\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image5-7-1024x678.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image5-7-300x199.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image5-7-768x509.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image5-7-1536x1017.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image5-7-2048x1356.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image5-7-370x245.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image5-7-270x179.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image5-7-740x490.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Malicious process with all the relevant TTPs displayed inside the interactive sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>In this Kaiji case, for example, we can see how the malware attempts to <a href=\"https:\/\/any.run\/cybersecurity-blog\/6-persistence-mechanisms-in-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">maintain persistence<\/a> by modifying <strong>\/etc\/crontab <\/strong>to run the <strong>\/.mod<\/strong> script every minute. This script keeps the malicious process running in the background, even if one of the persistence methods fails; a tactic clearly visible and traceable through the sandbox\u2019s behavioral logs.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"645\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image6-8-1024x645.png\" alt=\"\" class=\"wp-image-15197\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image6-8-1024x645.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image6-8-300x189.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image6-8-768x484.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image6-8-370x233.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image6-8-270x170.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image6-8-740x466.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image6-8.png 1048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Kaiji botnet maintains persistence by modifying 
\/etc\/crontab<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<p>This level of insight helps SOC teams not only detect threats quickly, but understand them deeply, supporting better response, reporting, and threat hunting.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Track Network and File Activity in Real Time<\/strong>&nbsp;<\/h3>\n\n\n\n<p>Just below the VM window, ANY.RUN displays all <a href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-analyze-malicious-network-traffic\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>network connections<\/strong><\/a> and <strong>file modifications<\/strong> made by the malware, offering analysts a complete picture of how the threat operates.&nbsp;<\/p>\n\n\n\n<p>In this case, Kaiji\u2019s behavior is clearly visible: the malware replaces key system utilities and intercepts user commands, passing them to the original tools while filtering the output to hide signs of infection. This is handled via the <strong>\/etc\/profile.d\/gateway.sh<\/strong> script, which uses sed to remove specific keywords like 32676, dns-tcp4, and the names of hidden files from command output; a stealthy <a href=\"https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/\" target=\"_blank\" rel=\"noreferrer noopener\">evasion technique<\/a> that can be easily overlooked without deep behavioral analysis.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"630\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image7-7-1024x630.png\" alt=\"\" class=\"wp-image-15199\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image7-7-1024x630.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image7-7-300x185.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image7-7-768x473.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image7-7-1536x946.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image7-7-2048x1261.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image7-7-370x228.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image7-7-270x166.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image7-7-740x456.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Kaiji replaces core system utilities via the \/etc\/profile.d\/gateway.sh script<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<p>With this visibility, security teams can trace every move, catch hidden modifications, and build accurate IOCs for future detection and response.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Complete Results, Ready to Investigate or Share<\/strong>&nbsp;<\/h3>\n\n\n\n<p>Once the analysis is complete, ANY.RUN\u2019s sandbox gives you everything you need to take the next step. 
The <a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-of-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOCs<\/a> tab gathers all critical indicators, including IPs, domains, file hashes, and more, in one place, so there\u2019s no need to jump between views or dig through raw logs.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"352\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image8-3-1024x352.png\" alt=\"\" class=\"wp-image-15201\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image8-3-1024x352.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image8-3-300x103.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image8-3-768x264.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image8-3-1536x527.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image8-3-370x127.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image8-3-270x93.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image8-3-740x254.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image8-3.png 1544w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>IOCs neatly organized inside ANY.RUN\u2019s sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>You\u2019ll also get a <a href=\"https:\/\/any.run\/cybersecurity-blog\/guide-to-malware-analysis-reports\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>clear, structured report<\/strong><\/a> that maps out the full attack chain from start to finish. 
Whether you&#8217;re documenting a case, sharing findings with your team, or enriching threat intelligence feeds, the report is built to support fast, confident action.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"586\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image9-2-1024x586.png\" alt=\"\" class=\"wp-image-15203\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image9-2-1024x586.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image9-2-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image9-2-768x440.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image9-2-1536x879.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image9-2-2048x1172.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image9-2-370x212.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image9-2-270x155.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/image9-2-740x424.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Exportable sandbox report with complete attack chain overview<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This end-to-end visibility makes every investigation smoother, and every response stronger.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;<\/h2>\n\n\n\n<p>Trusted by over 500,000 security professionals and 15,000+ organizations across finance, healthcare, manufacturing, and beyond, <a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=introducing_debian_arm&amp;utm_term=310725&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> helps teams investigate 
malware and phishing threats faster and with greater precision.&nbsp;<\/p>\n\n\n\n<p><strong>Accelerate investigation and response: <\/strong>Use ANY.RUN\u2019s Interactive Sandbox to safely detonate suspicious files and URLs, observe real-time behavior, and extract critical insights, cutting triage and decision time dramatically.&nbsp;<\/p>\n\n\n\n<p><strong>Enhance detection with threat intelligence: <\/strong>Leverage Threat Intelligence Lookup and TI Feeds to uncover IOCs, tactics, and behavior patterns tied to active threats, empowering your SOC to stay ahead of attacks as they emerge.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=introducing_debian_arm&amp;utm_term=310725&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Request a trial of ANY.RUN\u2019s services to see how they can boost your SOC workflows.<\/strong><\/a><strong><\/strong>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>ANY.RUN\u2019s Interactive Sandbox provides SOC teams with the fastest solution for analyzing and detecting cyber threats targeting Windows, Linux, and Android systems. 
Now, our selection of VMs has been expanded to include Linux Debian 12.2 64-bit (ARM).&nbsp;&nbsp; With the rapid rise of ARM-based malware, the sandbox helps businesses tackle this threat through proactive analysis and [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":15184,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[57,10,54,55,56],"class_list":["post-15182","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-service-updates","tag-anyrun","tag-cybersecurity","tag-features","tag-release","tag-update"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Detect ARM Malware in Seconds for Stronger Enterprise Security<\/title>\n<meta name=\"description\" content=\"Gain unmatched visibility into ARM malware attacks with ANY.RUN\u2019s Debian sandbox to ensure early detection.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/arm-linux-malware-sandbox\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/arm-linux-malware-sandbox\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/arm-linux-malware-sandbox\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Detect ARM Malware in Seconds with Debian Sandbox for Stronger Enterprise Security\u00a0\",\"datePublished\":\"2025-07-31T10:26:55+00:00\",\"dateModified\":\"2025-11-07T12:46:16+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/arm-linux-malware-sandbox\/\"},\"wordCount\":1237,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"features\",\"release\",\"update\"],\"articleSection\":[\"Service Updates\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/arm-linux-malware-sandbox\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/arm-linux-malware-sandbox\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/arm-linux-malware-sandbox\/\",\"name\":\"Detect ARM Malware in Seconds for Stronger Enterprise Security\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-07-31T10:26:55+00:00\",\"dateModified\":\"2025-11-07T12:46:16+00:00\",\"description\":\"Gain unmatched visibility into ARM malware attacks with ANY.RUN\u2019s Debian sandbox to ensure early 
detection.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/arm-linux-malware-sandbox\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/arm-linux-malware-sandbox\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/arm-linux-malware-sandbox\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Service Updates\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/service-updates\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Detect ARM Malware in Seconds with Debian Sandbox for Stronger Enterprise Security\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Detect ARM Malware in Seconds for Stronger Enterprise Security","description":"Gain unmatched visibility into ARM malware attacks with ANY.RUN\u2019s Debian sandbox to ensure early detection.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/arm-linux-malware-sandbox\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/arm-linux-malware-sandbox\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/arm-linux-malware-sandbox\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"Detect ARM Malware in Seconds with Debian Sandbox for Stronger Enterprise Security\u00a0","datePublished":"2025-07-31T10:26:55+00:00","dateModified":"2025-11-07T12:46:16+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/arm-linux-malware-sandbox\/"},"wordCount":1237,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","features","release","update"],"articleSection":["Service Updates"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/arm-linux-malware-sandbox\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/arm-linux-malware-sandbox\/","url":"https:\/\/any.run\/cybersecurity-blog\/arm-linux-malware-sandbox\/","name":"Detect ARM Malware in Seconds for Stronger Enterprise Security","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2025-07-31T10:26:55+00:00","dateModified":"2025-11-07T12:46:16+00:00","description":"Gain unmatched visibility into ARM malware attacks with ANY.RUN\u2019s Debian sandbox to ensure early detection.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/arm-linux-malware-sandbox\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/arm-linux-malware-sandbox\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/arm-linux-malware-sandbox\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Service 
Updates","item":"https:\/\/any.run\/cybersecurity-blog\/category\/service-updates\/"},{"@type":"ListItem","position":3,"name":"Detect ARM Malware in Seconds with Debian Sandbox for Stronger Enterprise Security\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/15182"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/a
ny.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=15182"}],"version-history":[{"count":20,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/15182\/revisions"}],"predecessor-version":[{"id":16700,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/15182\/revisions\/16700"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/15184"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=15182"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=15182"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=15182"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}