踪有趣的 Linux（和 UNIX）恶意软件。提交 PR

• https://en.wikipedia.org/wiki/Linux_malware ( #17 ) - 初始访问、执行、持久化、权限提升、防御规避、凭证访问、发现、横向移动、收集、命令与控制、数据窃取、影响、DarkSide
• https://rp.os3.nl/ ( #30 )
• https://wikileaks.org/vault7/ ( #31 )
• https://www.linuxexperten.com/library/e-resources/linux-malware-ever-growing-list-2023 ( #622 ) - 侦察、资源开发、初始访问、执行、持久化、权限提升、防御规避、凭证访问、发现、横向移动、收集、命令与控制、数据窃取、影响、Linux
• https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 ( #422 ) - 持久性、防御规避、命令与控制、攻击：T1205.002：套接字过滤器、攻击：T1036：伪装、攻击：T1070：主机上的指示器移除、攻击：T1205：流量信号、#420、#418、BPFDoor、Tricephalic Hellkeeper、Unix.Backdoor.RedMenshen、JustForFun、DecisiveArchitect、Linux、Solaris
• https://securelist.com/top-10-unattributed-apt-mysteries/107676/ ( #552 ) - Metador、Plexing Eagle、wltm、Linux、Solaris、电信
• https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf ( #20 ) - 初始访问、执行、持久化、权限提升、防御规避、凭证访问、发现、横向移动、收集、命令与控制、数据窃取、影响、LaZagne、Dalcs、Mirai、Gafgyt、Tsunami、IPStorm、Wellmess、FritzFrog、Linux
• https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations ( #32 )
• https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/ ( #638 ) - 资源开发、影响、攻击：T1486：数据加密以造成影响，#644，用途：交叉编译、LockBit、Linux、内部专家服务
• https://www.zdnet.com/article/hacker-exposes-thousands-of-insecure-desktops-that-anyone-can-remotely-view/ ( #33 )
• https://www.darkreading.com/attacks-breaches/blackcat-purveyor-shows-ransomware-operators-have-nine-lives ( #41 ) - Impact, BlackCat, #512
• https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html ( #37 )
• https://reyammer.io/publications/2018_oakland_linuxmalware.pdf ( #28 )
• https://www.group-ib.com/resources/threat-research/oldgremlin.html ( #573 ) - 影响、OldGremlin、Linux
• https://malpedia.caad.fkie.fraunhofer.de/ ( #29 )
• https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/ ( #40 )
• https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf ( #21 ) - WINNTI
• https://ieeexplore.ieee.org/document/8418602 ( #25 )
• https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ ( #22 ) - AgeLocker、WellMail、TrickBot、IPStorm、Turla、QNAPCrypt、Carbanak
• https://www.fireeye.com/blog/threat-research/2021/09/elfant-in-the-room-capa-v3.html ( #34 )
• https://github.com/CiscoCXSecurity/presentations/raw/master/The%20UNIX%20malware%20landscape%20-%20Reviewing%20the%20goods%20at%20MALWAREbazaar%20v5.pdf ( #448 )
• https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf ( #23 ) - 持久性、各种 SSH、Bonadan、Kessel、Chandrila、用途：Perl
• https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ ( #19 ) - 初始访问、执行、持久化、权限提升、防御规避、凭证访问、发现、横向移动、收集、命令与控制、数据窃取、影响
• https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf ( #101 ) - 防御规避、命令与控制、数据窃取、影响、攻击：T1486：数据加密以造成影响、XMRig、Hello Kitty、#546、REvil、DarkSide、BlackMatter、Defray777、ViceSociety、Erebus、GonnaCry、eChoraix、Sysrv、TeamTNT、Mexalz、Omelette、WatchDog、Kinsing、Cobalt Strike、Vermillion Strike、Merlin、#545、#547、RedXOR、#548、ACBackdoor、#549、ELF_Plead、Linux、VMware、内部企业服务、内部专家服务
• http://s3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf ( #27 )
• https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf ( #417 ) - LootRat、PLEAD、TSCookie、RotaJakiro1、Red Djinn、Red Nue、Scarlet Joke、Ocean Lotus、APT32、Linux
• https://blog.trendmicro.com/trendlabs-security-intelligence/unix-a-game-changer-in-the-ransomware-landscape/ ( #35 )
• https://en.wikipedia.org/wiki/Mirai_(malware) ( #18 ) - 初始访问、持久化、防御规避、凭证访问、发现、横向移动、影响、Mirai
• https://gist.github.com/vlamer/2c2ec2ca80a84ab21a32 ( #26 )
• https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Dumont-H-Porcher-dark_side_of_the_forsshe.pdf ( #24 ) - 各种 SSH、Bonadan、Kessel、Chandrila
• https://spectrum.ieee.org/amp/mirai-botnet-2659993631 ( #676 ) - 初始访问、影响、攻击：T1190：利用面向公众的应用程序、攻击：T1498：网络拒绝服务、攻击：T1499：端点拒绝服务、Mirai、Linux、消费者

在野外

违规报告

• https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ ( #446 ) - 初始访问，Linux
• https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ ( #677 ) - 侦察、初始访问、持久化、防御规避、发现、收集、影响、攻击：T1593：搜索开放网站/域名、攻击：T1190：利用面向公众的应用程序、攻击：T1078.004：云帐户、攻击：T1526：云服务发现、攻击：T1619：云存储对象发现、攻击：T1069：权限组发现、攻击：T1069.003：云组、攻击：T1602：来自配置存储库的数据、攻击：T1213.003：代码存储库、攻击：T1098：帐户操纵、攻击：T1098.003：其他云角色攻击：T1136：创建账户，攻击：T1136.003：云账户，攻击：T1036：伪装，攻击：T1021.004：SSH，攻击：T1578：修改云计算基础设施，攻击：T1578.002：创建云实例，攻击：T1525：植入内部镜像，攻击：T1496：资源劫持，GUI 恶意程序，Linux，托管，云托管服务
• https://www.freedownloadmanager.org/blog/?p=664 ( #765 ) - 初始访问、凭据访问、#766、Free Download Manager、#816、wltm、Linux
• http://securelist.com/backdoored-free-download-manager-linux-malware/110465/ ( #766 ) - 初始访问、凭证访问、收集、命令与控制、#765、Free Download Manager、#816、攻击：T1071.004：DNS、攻击：T1105：入口工具传输、攻击：T1560.001：通过实用程序归档、wltm、Linux
• https://twitter.com/1ZRR4H/status/1560662815400407040 ( #507 ) - 初始访问权限、Peer2Profit、Linux
• https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm ( #42 ) - GoDaddy
• https://bitbucket.org/workspacespain/i-s00n-translated ( #799 ) - 持久化，用途：泄漏，用途：已列入黑名单，Reptile，APT41，Linux，AIX，Solaris，HP-UX

供应链攻击

• https://www.heise.de/security/meldung/Achtung-Anzeigen-Server-OpenX-enthaelt-eine-Hintertuer-1929769.html ( #295 ) - OpenX
• https://arstechnica.com/information-technology/2012/09/questions-abound-as-malicious-phpmyadmin-backdoor-found-on-sourceforge-site/ ( #47 ) - PHPMyAdmin
• https://lists.archlinux.org/pipermail/aur-general/2018-July/034169.html ( #523 ) - #525 , wltm, Linux
• https://lwn.net/Articles/371110/ ( #291 ) - e107 CMS
• https://news.ycombinator.com/item?id=17501379 ( #525 ) - Linux
• https://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155 ( #46 ) - 部落网络邮件
• https://portswigger.net/daily-swig/homebrew-bug-allowed-researcher-full-access-to-github-repos ( #290 ) - Homebrew
• https://securelist.com/beware-of-backdoored-linux-mint-isos/73893/ ( #543 ) - 初始访问、命令与控制、影响、海啸、回转、Linux
• https://github.com/SecurityFail/kompromat ( #813 ) - 凭证访问攻击：T1552.004：私钥，Linux，HP-UX，AIX，Solaris，内部专家服务
• https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/ ( #787 ) - 初始访问、发现、命令与控制，交付方式：NPM，攻击：T1195.001：软件依赖项和开发工具遭到破坏，攻击：T1082：系统信息发现，Linux
• canonical/snapcraft.io#651 ( #296 ) - Snapcraft
• https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor/ ( #45 ) - UnrealIRCd
• https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain/ ( #289 ) - "Octopus Scanner"（Netbeans）攻击
• http://www.h-online.com/open/news/item/MyBB-downloads-were-infected-1366300.html ( #292 ) - MyBB
• https://lirantal.medium.com/a-snyks-post-mortem-of-the-malicious-event-stream-npm-package-backdoor-40be813022bb ( #293 ) - event-stream
• https://blog.sonatype.com/newly-found-npm-malware-mines-cryptocurrency-on-windows-linux-macos-devices ( #294 ) - 影响、传播途径：NPM、用途：JavaScript、攻击：T1195.001：破坏软件依赖项和开发工具、wltm
• https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html ( #49 ) - VsFTPd
• https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/ ( #816 ) - 初始访问、持久性、凭据访问、命令与控制、免费下载管理器、#765、#766、攻击：T1053.003：Cron、攻击：T1555.005：密码管理器、用途：非持久存储、wltm、Linux
• https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero ( #495 ) - 影响，传播途径：PyPI，用途：Python，攻击类型：T1620：反射代码加载，攻击类型：T1070.004：文件删除，攻击类型：T1195.001：破坏软件依赖项和开发工具，wltm，Linux
• https://www.aldeid.com/wiki/Exploits/proftpd-1.3.3c-backdoor ( #44 ) - ProFTPd
• https://www.webmin.com/exploit.html ( #43 ) - Webmin
• https://portswigger.net/daily-swig/backdoor-planted-in-php-git-repository-after-server-hack ( #48 ) - PHP

恶意软件报告

• https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game ( #658 ) - 持久性、防御规避、命令与控制、攻击：T1205.002：套接字过滤器、攻击：T1036：伪装、攻击：T1070：主机上的指示器移除、攻击：T1205：流量信令、攻击：T1573：加密通道、攻击：T1106：原生 API、BPFDoor、/malware/binaries/BPFDoor、Linux
• https://blogs-jpcert-or-jp.translate.goog/ja/2023/07/dangerouspassword_dev.html ( #721 ) - 防御规避、命令与控制，使用：Python、JavaScript，攻击：T1140：文件或信息反混淆/解码、PythonHTTP后门、wltm、DangerousPassword、CryptoMimic、SnatchCrypto、Linux
• https://blogs.blackberry.com/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors ( #305 ) - Tycoon
• https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot ( #744 ) - 侦察、初始访问、防御规避、横向移动、数据窃取、影响、使用语言：Go、攻击：T1133：外部远程服务、攻击：T1021：远程服务、攻击：T1021.004：SSH、攻击：T1078.001：默认账户、攻击：T1110：暴力破解、攻击：T1095：非应用层协议、攻击：T1048：通过替代协议窃取数据、攻击：T1567：通过 Web 服务窃取数据、攻击：T1499：端点拒绝服务、攻击：T1498：网络拒绝服务、攻击：T1480：执行防护、Kmsdbot、Linux、物联网
• https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF ( #67 ) - Drovorub
• https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ ( #643 ) - 持久性、防御规避、命令与控制、攻击：T1205.002：套接字过滤器、攻击：T1036：伪装、攻击：T1070：主机上的指示器移除、攻击：T1205：流量信令、攻击：T1573：加密通道、攻击：T1106：原生 API、攻击：T1059.004：Unix Shell、攻击：T1070.004：文件删除、攻击：T1036.004：伪装任务或服务、攻击：T1070.006：Timestomp、使用：重定向到空、使用：非持久存储、攻击：T1036.005：匹配合法名称或位置、用途：ProcessTreeSpoofing，攻击：T1562.004：禁用或修改系统防火墙，BPFDoor，/malware/binaries/BPFDoor，Unix.Backdoor.RedMenshen，Linux，Solaris
• https://hybrid-analysis.com/sample/eb8826bac873442045a6a05f1fa25b410ca18db6942053f6d146467c00d5338d ( #508 ) - Peer2Profit，Linux
• https://imgur.com/a/4YxuSfV ( #79 ) - Cayosin (来自 malwaremustdie.org)
• https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/ ( #325 ) - RedXOR
• https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux ( #510 ) - 执行、持久化、防御规避，攻击：T1036.005：匹配合法名称或位置，攻击：T1059：命令和脚本解释器，攻击：T1569：系统服务，攻击：T1569.002：服务执行，攻击：T1543：创建或修改系统进程，攻击：T1027：混淆文件或信息，用途：非持久存储，攻击：T1057：进程发现，攻击：T1070.004：文件删除，攻击：T1546.004：Unix Shell，漏洞利用：CVE-2021-3493，Shikitega /malware/binaries/Shikitega，Linux
• https://twitter.com/IntezerLabs/status/1288487307369222145 ( #331 ) - TrickBot
• https://ultimacybr.co.uk/2023-10-04-Sysrv/ ( #767 ) - 持久性、防御规避、影响、攻击：T1496：资源劫持、使用：Go、Sysrv、Linux
• https://www.stormshield.com/news/orbit-analysis-of-a-linux-dedicated-malware/ ( #601 ) - 持久性、权限提升、OrBit、/malware/binaries/OrBit、Linux
• https://blog.polyswarm.io/lightning-framework ( #506 ) - Lightning、/malware/binaries/Lightning、Linux
• https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass ( #692 ) - 执行、持久化、防御规避、凭证访问、命令与控制、攻击：T1552：不安全的凭证、攻击：T1212：利用凭证访问漏洞、攻击：T1562：削弱防御、攻击：T1580：云基础设施发现、攻击：T1525：植入内部映像、攻击：T1102：Web 服务、UNC3886、Linux、VMware
• https://www.intezer.com/blog/malware-analysis/evilgnome-rare-malware-spying-on-linux-desktop-users/ ( #323 ) - EvilGnome
• https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/ ( #307 ) - QNAPCrypt，eCh0raix
• https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html ( #501 ) - 初始访问、命令和控制，使用：MiMi、ElectronJS、rshell、wltm、Iron Tiger、Emissary Panda、APT27、Bronze Union、LuckyMouse、Linux、跨企业边界协作、设备应用程序沙箱
• https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/ ( #565 ) - 初始访问、横向移动、影响、#566、Sysrv、wltm、Linux、内部企业服务
• https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware ( #814 ) - 资源开发、初始访问、执行、持久化、防御规避，利用：非持久存储，利用：伪造漏洞利用，攻击：T1588：获取权限，攻击：T1608：部署权限，攻击：T1585：建立账户，攻击：T1583.008：恶意广告，攻击：T1036：伪装，攻击：T1037.004：RC脚本，攻击：T1098.004：SSH授权密钥，漏洞利用：CVE-2023-35829，#710，#711，#724，Linux
• https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/ ( #770 ) - 初始访问、持久性、防御规避、影响、用途：ProcessTreeSpoofing、用途：TamperedPS、用途：Python、攻击：T1140：反混淆/解码文件或信息、攻击：T1496：资源劫持、攻击：T1547.006：内核模块和扩展、攻击：T1574.006：动态链接器劫持、XHide、XMRig、Diamorphine、libprocesshider、Kiss-a-Dog、Linux、云托管服务
• https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html ( #490 ) - 使用：Go、Manjusaka、Linux
• https://imp0rtp3.wordpress.com/2021/11/25/sowat/ ( #400 ) - 指挥与控制，#140，#131，SoWaT，APT31，锆
• https://imgur.com/a/vS7xV ( #75 ) - CarpeDiem (来自 malwaremustdie.org)
• https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ ( #439 ) - 初始访问、凭据访问、影响、攻击：T1078：有效帐户、攻击：T1100：暴力破解、攻击：T1498：网络拒绝服务、攻击：T1053.003：Cron、攻击：T1105：入口工具传输、攻击：T1027：混淆文件或信息、攻击：T1014：Rootkit、攻击：T1082：系统信息发现、攻击：T1003.007：进程文件系统、攻击：T1562.001：禁用或修改工具、攻击：T1037.004：RC脚本攻击：T1070.004：文件删除，攻击：T1036.005：匹配合法名称或位置，使用：非持久存储，使用：ioctl，使用：端口隐藏，#129，使用：进程树欺骗，XorDDoS，Rooty，Linux
• https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exusing-lemonduck-and-lemoncat-modern-mining-malware-infrastruct/（#56）-LemonDuck​
• https://imgur.com/a/2zRCt ( #318 ) - Gafgyt (来自 malwaremustdie.org)
• https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool ( #405 ) - 攻击：T1205.002：套接字过滤器，ebpfkit
• https://twitter.com/ESETresearch/status/1454100591261667329?s=20 ( #390 ) - Hive
• https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities/ ( #526 ) - Metador、wltm、Linux
• https://blog.polyswarm.io/darkangels-linux-ransomware ( #666 ) - Impact，攻击：T1486：数据加密用于 Impact，DarkAngels，wltm，Linux
• https://haxrob.net/fastcash-for-linux/ ( #815 ) - 持久性、权限提升、防御规避、影响、攻击：T1565.002：传输数据操纵、攻击：T1055：进程注入、攻击：T1055.009：进程内存、攻击：T1564.001：隐藏文件和目录、攻击：T1574：劫持执行流程、攻击：T1567：金融盗窃、攻击：T1027.002：软件打包、用途：非持久存储、攻击：T1027.013：加密/编码文件、FastCash、#407、#312、#135、wltm、Linux、银行、内部专家服务
• https://cert.gov.ua/article/4501891 ( #651 ) - 影响、攻击：T1485：数据破坏、沙虫、Linux、工业
• https://twitter.com/ankit_anubhav/s​​tatus /1490574137370103808 ( #483 ) - 权限提升、防御规避、持久化、命令与控制、Log4J、攻击：T1548：滥用权限提升控制机制、#482、Linux
• https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html ( #698 ) - 影响、BlackSuit、Linux
• https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html ( #58 ) - Mirai（来自 malwaremustdie.org）
• https://vms.drweb.com/virus/?i=21004786 ( #433 ) - 持久性、防御规避、攻击：T1205.002：套接字过滤器、攻击：T1036：伪装、BPFDoor、Tricephalic Hellkeeper、Unix.Backdoor.RedMenshen、JustForFun、DecisiveArchitect、Linux
• https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/kessel-dns-exfiltration-2/ ( #372 ) - Kessel
• https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/ ( #444 ) - EnemyBot，Linux
• https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/ ( #566 ) - Impact、XMRig、Sysrv、wltm、Linux
• https://blog.trendmicro.com/trendlabs-security-intelligence/expose-docker-control-api-and-community-image-abused-to-deliver-cryptocurrency-mining-malware/（#344）-NGrok​
• https://twitter.com/malwaremustd1e/status/1264417940742389762 ( #316 ) - Gafgyt (来自 malwaremustdie.org)
• https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf ( #99 ) - 持久性、命令与控制、攻击：T1205：流量信令、攻击：T1205.002：套接字过滤器、攻击：T1573.002：对称加密、攻击：T1573.002：非对称加密、攻击：T1082：系统信息发现、攻击：T1547.006：内核模块和扩展、Bvp47、dewdrop、tipoff、StoicSurgeon、Incision、Equation Group、Linux、Solaris、FreeBSD
• https://csirt.egi.eu/attacks-on-multiple-hpc-sites/ ( #376 ) - 高性能计算
• https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/ ( #360 ) - Rhombus（由 malwaremustdie.org 提供）
• https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ ( #716 ) - 防御规避、凭证访问、发现、命令与控制、攻击：T1110.003：密码喷洒、攻击：T1057：进程发现、攻击：T1082：系统信息发现、攻击：T1480.001：环境密钥、攻击：T1573：加密通道、AVrecon、#717、Linux、物联网
• https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack ( #715 ) - 侦察、初始访问、执行、持久化、防御规避、凭证访问、发现、命令与控制、影响、攻击：T1525：植入内部镜像、攻击：T1595：主动扫描、攻击：T1496：资源劫持、攻击：T1613：容器和资源发现、攻击：T1190：利用面向公众的应用程序、攻击：T1059：命令和脚本解释器、攻击：T1610：部署容器、攻击：T1222：文件和目录权限修改、攻击：T1036：伪装、攻击：T1132：数据编码、攻击：T1552.005：云实例元数据 API攻击：T1082：系统信息发现，攻击：T1071.001：Web 协议，攻击：T1090.003：多跳代理，Tsunami，TeamTNT，Linux
• https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html ( #366 ) - AirDropBot（由 malwaremustdie.org 提供）
• https://securelist.com/the-penquin-turla-2/67962/ ( #593 ) - 持久化、防御规避、命令与控制、Penquin、Turla、Linux
• https://www.signalblur.io/through-the-looking-glass ( #756 ) - Impact，攻击：T1486：Impact 数据加密，wltm、RedAlert、Conti、BlackBasta、Sodinokibi、REvil、BlackMatter、DarkSide、Defray777、RansomEXX、HelloKitty、ViceSociety、Royal、BlackSuit、RTM Locker、Hive、GonnaCry、Erebus、eChOraix、QNAPCrypt、Cylance、Polaris、Linux、VMware、内部企业服务、内部专家服务
• https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/ ( #636 ) - 初始访问，Linux
• https://github.com/akamai/akamai-security-research/tree/main/malware/panchan ( #477 ) - Pan-chan，/malware/binaries/pan-chan，Linux
• https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors ( #729 ) - 持久性、命令与控制、SEASPY、#730、潜艇、#731、Linux
• https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/ ( #381 ) - FontOnLake
• https://netadr.github.io/blog/a-quick-glimpse-sbz/ ( #596 ) - 持久化、防御规避、攻击：T1027：混淆文件或信息、SBZ、wltm、Equation Group、Solaris
• https://twitter.com/ESETresearch/status/1410864752948043778 ( #104 ) - Specter、SideWalk、StageClient
• https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ ( #371 ) - Ebury
• https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf ( #338 ) - 持久性、防御规避、命令与控制、Penguin、Penquin_x64、Turla、Linux
• https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/ ( #299 ) - IPStorm，/malware/binaries/Unix.Trojan.Ipstorm
• https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github ( #97 ) - Botenago
• https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/ ( #678 ) - 侦察、初始访问、持久化、权限提升、防御规避、攻击：T1594：搜索受害者拥有的网站、攻击：T1589：收集受害者身份信息、攻击：T1589.001：凭据、攻击：T1133：外部远程服务、攻击：T1078：有效帐户、Legion、wltm、Linux、云托管服务
• https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version ( #309 ) - REvil
• https://www.bitdefender.com/files/News/CaseStudies/study/319/Bitdefender-PR-Whitepaper-DarkNexus-creat4349-en-EN-interactive.pdf ( #518 ) - DarkNexus，Linux
• https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/ ( #750 ) - 初始访问、持久化、防御规避、命令与控制、影响、攻击：T1547.006：内核模块和扩展、SkidMap、Linux
• https://www.mandiant.com/resources/unc2891-overview ( #112 ) - 横向移动、凭证访问、执行、防御规避、持久化，攻击：T1021.004：SSH，攻击：T1003.008：/etc/passwd 和 /etc/shadow，攻击：T1552.003：Bash 历史记录，攻击：T1552.004：私钥，攻击：T1556.003：可插拔身份验证模块，攻击：T1053.001：AT（Linux），攻击：T1059.004：Unix Shell，攻击：T1014：Rootkit，攻击：T1070.002：清除 Linux 或 Mac 系统日志，攻击：T1548.001：Setuid 和 Setgid，攻击：T1543.002：Systemd服务，攻击：T1547.006：内核模块和扩展，#134，TINYSHELL，SLAPSTICK，CAKETAP，WIPERIGHT，MIG Logcleaner，#154，BINBASH，UNC2891，UNC1945，LightBasin，Linux，Solaris，银行
• https://int0x33.medium.com/day-27-tiny-shell-48df6abb0d5d ( #616 ) - 命令与控制、TSH、TINYSHELL、#481
• https://www.gosecure.net/blog/2018/02/14/chaos-a-stolen-backdoor-rising/ ( #395 ) - 使用：Go、Chaos (sebd)、/malware/binaries/Chaos
• https://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/（#348）-Rakos​
• https://sysdig.com/blog/muhstik-malware-botnet-analysis/ ( #90 ) - 影响，用途：k8s，用途：非持久存储，攻击：T1190：利用面向公众的应用程序，攻击：T1505.003：Web Shell，攻击：T1105：入口工具传输，攻击：T1053.003：Cron，攻击：T1037.004：RC脚本，Muhstik，wltm
• https://www.intezer.com/blog/malware-analysis/linux-rekoobe-operating-with-new-undetected-malware-samples/ ( #479 ) - Rekoobe、APT31、Linux
• https://old.reddit.com/r/LinuxMalware/comments/f26amt/new_systemten_botnet_miner_threat_now_wother/ ( #357 ) - SystemTen (由 malwaremustdie.org 提供)
• https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet ( #623 ) - 初始访问、防御规避、命令与控制、影响、攻击：T1105：入口工具传输、攻击：T1071.001：Web 协议、攻击：T1071.002：文件传输协议、攻击：T1499：端点拒绝服务、攻击：T1480：执行防护、HinataBot、Linux、消费者
• https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/ ( #65 ) - Qemu, #134 , LightBasin, UNC1945
• https://sansec.io/research/cronrat ( #399 ) - 防御规避、命令与控制，用途：非持久存储，攻击：T1053.003：Cron，攻击：T1027：混淆文件或信息，攻击：T1001.003：协议冒充，攻击：T1036.005：匹配合法名称或位置，垂直领域：零售，CronRAT，wltm，Linux
• https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ ( #434 ) - 持久性、防御规避、命令与控制、攻击：T1205.002：套接字过滤器、攻击：T1036：伪装、攻击：T1070：主机上的指示器移除、攻击：T1205：流量信号、#420、#418、BPFDoor、Tricephalic Hellkeeper、Unix.Backdoor.RedMenshen、JustForFun、DecisiveArchitect、Linux
• https://raw.githubusercontent.com/bg6cq/ITTS/master/security/mine/README.md ( #352 ) - ITTS
• http://it.rising.com.cn/fanglesuo/19851.html ( #96 ) - SFile
• https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads ( #723 ) - 防御规避、命令与控制、影响、使用语言：Python、攻击类型：T1496：资源劫持、T1620：反射代码加载、T1102：Web 服务、T1190：利用面向公众的应用程序、T1105：入口工具传输、T1140：文件或信息反混淆/解码、T1027.002：软件打包、使用语言：非持久存储、PyLoose、XMRig、Linux
• https://asec.ahnlab.com/en/54647/ ( #707 ) - 防御规避、凭证访问、命令与控制、影响、攻击：T1110：暴力破解、攻击：T1070.002：清除 Linux 或 Mac 系统日志、攻击：T1496：资源劫持、攻击：T1498：网络拒绝服务、使用工具：IRC、XMRig、ShellBot、MIG Logcleaner、#154、Tsunami、Kaiten、0x333shadow Log Cleaner、#706、ChinaZ、Linux
• https://imgur.com/a/a6RaZMP ( #87 ) - 来自中国的 Honda 汽车面板 Rootkit #Android (由 malwaremustdie.org 提供)
• https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html ( #336 ) - PLEAD
• https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf ( #493 ) - 持久化、命令与控制，使用：Go、IPStorm、/malware/binaries/Unix.Trojan.Ipstorm、Linux
• https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor ( #547 ) - 命令与控制、数据泄露、使用：LD_PRELOAD、wltm、Linux
• https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered ( #693 ) - 持久性、防御规避、发现、命令与控制，攻击：T1037.004：RC脚本，攻击：T1543.002：Systemd服务，攻击：T1036：伪装：匹配合法名称或位置，攻击：T1070.004：文件删除，攻击：T1222：文件和目录权限修改，攻击：T1564.001：隐藏文件和目录，攻击：T1082：系统信息发现，攻击：T1057：进程发现，攻击：T1071.004：DNS、Sotdas、Linux
• https://blog.talosintelligence.com/lazarus-collectionrat/ ( #752 ) - 命令与控制攻击，攻击：T1573：加密通道，攻击：T1071：应用层协议，DeimosC2，#751，HiddenCobra，Lazarus，APT38，Linux
• https://securelist.com/a-bad-luck-blackcat/106254/?_sp=3b4159db-9e20-4bfa-a47f-f8671b594d75.1649770307513 ( #118 ) - Impact, BlackCat, #512
• https://imgur.com/a/53f29O9 ( #61 ) - Mirai (来自 malwaremustdie.org)
• https://gist.github.com/unixfreaxjp/7b8bd6be614f7a051fc9a9da760d3138 ( #362 ) - 初始访问、命令与控制、影响、海啸、回转（由 malwaremustdie.org 提供）、Linux
• https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt ( #320 ) - Gafgyt
• https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces ( #115 ) - Impact, KinSing
• https://twitter.com/malwrhunterteam/status/1422972905541996546 ( #374 ) - Impact，攻击：T1486：数据加密攻击 Impact，加密器，Linux，VMware
• https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/ ( #105 ) - Specter、SideWalk、StageClient
• https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html ( #321 ) - 执行、持久化、权限提升、命令与控制、数据窃取、影响、攻击：T1048：通过替代协议窃取数据、攻击：T1567：通过 Web 服务窃取数据、攻击：T1573：加密通道、攻击：T1071.001：Web 协议、攻击：T1053.003：Cron、攻击：T1486：加密数据以造成影响、DarkSide、UNC2628、UNC2659、UNC2465、Linux
• https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analysis ( #393 ) - Conti
• https://www.cisa.gov/news-events/analysis-reports/ar23-209a ( #731 ) - 持久性，#729，潜艇，wltm，Linux
• https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf ( #100 ) - Cyclops Blink
• https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/ ( #432 ) - 持久性、防御规避、命令与控制、攻击：T1205.002：套接字过滤器、攻击：T1036：伪装、攻击：T1070：主机上的指示器移除、攻击：T1205：流量信号、#420、#418、BPFDoor、Tricephalic Hellkeeper、Unix.Backdoor.RedMenshen、JustForFun、DecisiveArchitect、Linux
• https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ ( #655 ) - 初始访问、持久化、权限提升，攻击类型：T1566.001：鱼叉式网络钓鱼附件，攻击类型：T1546.004：Unix Shell 配置修改，使用：重定向到空，使用：Go、wltm、OdicLoader、SimplexTea、Lazarus、Linux
• https://cujo.com/the-sysrv-botnet-and-how-it-evolved/ ( #640 ) - 初始访问、命令与控制、影响、Sysrv、Linux
• https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ ( #64 ) - 防御规避、发现、横向移动、收集、指挥与控制、影响、攻击：T1602.001：SNMP（MIB 转储）、攻击：T1070.002：清除 Linux 或 Mac 系统日志、攻击：T1046：网络服务发现、攻击：T1018：远程系统发现、攻击：T1110.002：密码破解、攻击：T1110.003：密码喷洒、攻击：T1555：从密码存储中获取凭据、攻击：T1040：数据包捕获、攻击：T1071.001：Web 协议、攻击：T1071.002：文件传输协议、攻击：T1071.004：DNS、攻击：T1021.002：SMB/Windows 管理共享，攻击：T1021.004：SSH，攻击：T1021.005：VNC，攻击：T1590：收集受害者网络信息，攻击：T1590.002：DNS，攻击：T1027.002：软件打包，攻击：T1001：数据混淆，攻击：T1070.004：文件删除，#134，STEELCORGI，netcat，unixcat，netcat-ssl，telnet，traceroute，traceroute-tcp，traceroute-tcpfin，traceroute-udp，traceroute-icmp，traceroute-all，tftpd，HEAD，GET，sniff，nfsshell，ssh，ricochet，axfr，whois，scanip，sctpscan，sdporn rmiexec、arpmap、whois、who、ahost、resolv、adig、axfr、asrv、aspf、periscope、scanip.sh、aliveips.sh、brutus.pl、enum4linux.pl、mikro、ss、sshu、onesixtyone、snmpgrab、snmpcheck、ciscopush、mikrotik-client、bleach、clean、ssleak、decrypt-vpn、pogo、pogo2、sid-force、sshock、decrypt-cisco、decrypt-vnc、decrypt-cvs、LightBasin、UNC1945、Linux
• https://blog.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies ( #496 ) - 影响，攻击：T1486：数据加密造成影响，地区：韩国，垂直行业：制药，Gwisin，wltm，Linux，VMware，工业，内部专家服务
• https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/ ( #714 ) - 初始访问、防御规避、攻击：T1190：利用面向公众的应用程序、攻击：T1480.001：环境密钥、Mirai、Linux、物联网
• https://www.mandiant.com/resources/blog/messagetap-who-is-reading-your-text-messages ( #542 ) - 防御规避、发现、收集、数据窃取，垂直领域：电信，攻击：T1040：网络嗅探，用途：非持久存储，攻击：T1070.004：文件删除，MESSAGETAP，/malware/binaries/MESSAGETAP，APT41，Linux，电信，内部专家服务
• https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/ ( #410 ) - 初始访问、持久化、防御规避、横向移动、影响、LemonDuck、Linux、云托管服务、设备应用程序沙箱
• https://sysdig.com/blog/ssh-snake/ ( #801 ) - 防御规避、发现、横向移动，攻击：T1021.004：SSH，攻击：T1078：有效帐户，攻击：T1552.004：私钥，攻击：T1027：混淆的文件或信息，#791，SSH-Snake，Linux，AIX，Solaris，HP-UX，内部企业服务
• https://sansec.io/research/nginrat ( #94 ) - 防御规避，利用：非持久存储，攻击：T1036.005：匹配合法名称或位置，攻击：T1574.006：动态链接器劫持，攻击：T1027：混淆文件或信息，利用：进程树欺骗，NginRAT，wltm
• https://www.trendmicro.com/en_us/research/21/j/actors-target-huawei-cloud-using-upgraded-linux-malware-.html ( #383 )
• https://unit42.paloaltonetworks.com/alloy-taurus/ ( #646 ) - 命令与控制，攻击：T1071：应用层协议，攻击：T1071.001：Web 协议，攻击：T1132：数据编码，攻击：T1132.001：标准编码，攻击：T1573：加密通道，攻击：T1573.001：对称加密，Sword2033，PingBull，wltm，Alloy Taurus，GALLIUM，Soft Cell，Linux
• https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf ( #370 ) - Kobalos、#bsd、#solaris、#aix
• https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/ ( #298 ) - RandomEXX
• https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery ( #488 ) - 初始访问、横向移动、影响、RapperBot、/malware/binaries/RapperBot、Linux
• https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/ ( #114 ) - HabitsRAT
• https://www.fortinet.com/blog/threat-research/deep-dive-into-a-linux-rootkit-malware ( #821 ) - 持久性、防御规避、攻击：T1547.006：内核模块和扩展、攻击：T1205.002：套接字过滤器、wltm、Linux、内部企业服务
• https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/ ( #329 ) - 锆，APT31
• https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/ ( #459 ) - 持久性、防御规避、Linux
• https://twitter.com/malwaremustd1e/status/1235595880041873408 ( #358 ) - Hajimi（由 Malwaremustdie.org 提供）
• https://twitter.com/CraigHRowland/status/1422267857988063232 ( #354 )-ITTS
• https://id-ransomware.blogspot.com/2021/11/polaris-ransomware.html ( #398 ) - Polaris
• https://twitter.com/malwaremustd1e/status/1251758225919115264 ( #361 ) - 持久性、影响、海啸、回转（来自 malwaremustdie.org）、Linux
• https://blogs.jpcert.or.jp/en/2023/05/gobrat.html ( #682 ) - 命令与控制，用途：Go、GobRAT、Linux、电信
• https://twitter.com/IntezerLabs/status/1272915284148531200 ( #341 ) - 拉撒路
• https://twitter.com/ESETresearch/status/1382054011264700416 ( #335 ) - TSCookie，#freebsd
• https://twitter.com/CraigHRowland/status/1628883826738077696/photo/1 ( #612 ) - 防御规避、持久化、攻击:T1547.006:内核模块和扩展
• https://asec.ahnlab.com/en/55785/ ( #733 ) - 持久化、权限提升、防御规避、命令与控制、攻击：T1547.006：内核模块和扩展、攻击：T1205.001：端口敲门、Reptile、TINYSHELL、Rekoobe、Linux
• https://mp-weixin-qq-com.translate.goog/s/pd6fUs5TLdBtwUHauclDOQ?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp ( #588 ) - 持久化、防御规避、命令与控制、攻击：T1027：混淆文件或信息、caja、wltm、Linux
• https://asec.ahnlab.com/en/51908/ ( #650 ) - 影响、防御规避、使用：ProcessTreeSpoofingBindMountProc、#550、KONO DIO DA、XMRig、Linux
• https://lab52.io/blog/looking-for-penquins-in-the-wild/ ( #594 ) - 持久化、防御规避、命令与控制、Penquin、Turla、Linux
• https://daniele.bearblog.dev/cve-2023-35829-fake-poc-en/ ( #724 ) - 资源开发、初始访问、执行、持久化、防御规避，用途：伪造漏洞利用，攻击：T1588：获取权限，攻击：T1608：部署权限，攻击：T1585：建立账户，攻击：T1583.008：恶意广告，攻击：T1036：伪装，漏洞利用：CVE-2023-35829，#710，#711，#814，Linux
• https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites ( #598 ) - 初始访问、命令与控制，使用语言：Go、GoTrim、Linux，面向公共/客户服务的企业级服务
• https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar ( #375 ) - PRISM
• https://asec.ahnlab.com/en/50316/ ( #621 ) - 防御规避、发现、命令与控制、影响、攻击：T1036.005：匹配合法名称或位置、攻击：T1499：端点拒绝服务、攻击：T1082：系统信息发现、攻击：T1095：非应用层协议、使用：进程树欺骗、使用：非持久存储、使用：重定向到空、DDoS客户端、ChinaZ、Linux
• https://www.akamai.com/blog/security/new-p2p-botnet-panchan ( #476 ) - Pan-chan，#477，Linux
• https://old.reddit.com/r/LinuxMalware/comments/gdte0m/linuxkaiji/ ( #340 ) - Kaiji （由 Malwaremustdie.org 提供）
• https://cujo.com/iot-malware-journals-prometei-linux/（#300）-Promotei​
• https://vblocalhost.com/conference/presentations/shades-of-red-redxor-linux-backdoor-and-its-chinese-origins/ ( #408 ) - Linux
• https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/ ( #700 ) - 持久性、防御规避、凭据访问、发现、影响、攻击：T1110：暴力破解、使用：SHC、攻击：T1057：进程发现、攻击：T1003.008：/etc/passwd 和 /etc/shadow、攻击：T1098.004：SSH 授权密钥、攻击：T1556：修改身份验证过程、Reptile、#171、Diamorphine、#217、ZiggyStarTux、#701、Linux、物联网、消费者
• https://vulncheck.com/blog/fake-repos-deliver-malicious-implant ( #686 ) - 资源开发、初始访问、执行、持久化、防御规避，用途：伪造漏洞利用，攻击：T1588：获取权限，攻击：T1608：部署权限，攻击：T1585：建立账户，攻击：T1583.008：恶意广告，攻击：T1036：伪装，Linux
• https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials ( #50 ) - TeamTNT
• https://www.trendmicro.com/en_gb/research/19/f/cryptocurrency-mining-botnet-arrives-through-adb-and-spreads-through-ssh.html ( #55 ) - CoinMiner
• https://www.kroll.com/en/insights/publications/cyber/inside-the-systembc-malware-server ( #784 ) - 命令与控制、数据窃取、使用：PHP、攻击：T1090：代理、攻击：T1071.001：Web 协议、SystemBC、Linux
• https://imgur.com/a/LpTN7 ( #85 ) - Elknot (来自 malwaremustdie.org)
• https://threatfabric.com/blogs/vultur-v-for-vnc.html ( #379 ) - Vultur、Brunhilda、#Android
• https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/（#314）-Gafgyt​
• https://www.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies ( #758 ) - 持久性、防御规避、影响、攻击：T1486：数据加密以造成影响、Gwisin、Spirit、Linux、VMware
• https://cybersec84.wordpress.com/2023/08/15/monti-ransomware-operators-resurface-with-new-linux-variant-improved-evasion-tactics/ ( #753 ) - 防御规避、影响、攻击：T1486：数据加密以造成影响、攻击：T1480：执行防护、wltm、Monti、Linux、VMware
• https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html ( #332 ) - NOTROBIN
• https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/ ( #306 ) - QNAPCrypt, eCh0raix
• https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks ( #8 ) - 凭证访问、防御规避、发现、横向移动、收集、命令与控制、影响、垂直领域：电信、攻击：T1573.001：对称加密、攻击：T1590：收集受害者网络信息、攻击：T1562.004：禁用或修改系统防火墙、攻击：T1048.001：通过未加密的非C2协议进行数据泄露、攻击：T1021.004：SSH、攻击：T1037.004：RC脚本、攻击：T1090.001：内部代理、攻击：T1090.002：外部代理、攻击：T1110.003：密码喷洒、#134、SLAPSTICK STEELCORGI、PingPong、TINYSHELL、CordScan、SIGTRANslator、快速反向代理、Microsocks 代理、ProxyChains、LightBasin、UNC1945、Solaris、Linux、电信、内部专家服务、安全区部署
• https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability ( #337 ) - 影响、持久性、影响、KinSing
• https://imgur.com/a/Ak9zICq ( #367 ) - Neko（由 Malwaremustdie.org 提供）
• https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ ( #373 ) - 初始访问、持久性、影响、攻击：T1190：利用面向公众的应用程序、攻击：T1505.003：Web Shell、Prophet Spider、Linux
• https://twitter.com/IntezerLabs/status/1326880812344676352 ( #330 ) - AgeLocker
• https://www.trendmicro.com/en_gb/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html ( #304 ) - DarkRadation
• https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ ( #516 ) - 资源开发、发现、命令与控制、攻击：T1587.001：恶意软件、攻击：T1016：系统网络配置发现、攻击：T1071.001：Web 协议、攻击：T1573.001：对称加密、SideWalk、wltm、SparklingGoblin、Linux
• https://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/ ( #513 ) - 收集、影响、Linux
• https://permiso.io/blog/s/legion-mass-spam-attacks-in-aws/ ( #681 ) - 持久性、影响、军团攻击、wltm、Linux、云托管服务
• https://twitter.com/malwrhunterteam/status/1415403132230803460 ( #310 )-HelloKitty
• https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan ( #732 ) - 持久化、防御规避、命令与控制、Linux、托管
• https://twitter.com/IntezerLabs/status/1338480158249013250（#301）-Promotei​
• https://tolisec.com/ssh-backdoor-botnet-with-research-infection-technique/ ( #92 )
• http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf ( #349 ) - Moose
• https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ ( #339 ) - Kaiji
• https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html ( #725 ) - 防御规避，攻击：T1205.002：套接字过滤器，攻击：T1205：流量信令，使用：BPF、BPFDoor、/malware/binaries/BPFDoor、Unix.Backdoor.RedMenshen、DecisiveArchitect、Linux、Solaris
• https://imgur.com/a/DWKK5 ( #84 ) - 持久化、命令与控制、Tsunami、Kaiten（来自 malwaremustdie.org）、Linux
• https://darrenmartyn.ie/2021/11/29/analysis-of-the-lib__mdma-so-1-userland-rootkit/ ( #401 ) - 持久性、防御规避、#530、lib__mdma
• https://honeynet.onofri.org/scans/scan13/som/som5.txt ( #389 ) - Luckscan，UNC1945
• https://www.virusbulletin.com/virusbulletin/2014/07/mayhem-hidden-threat-nix-web-servers ( #382 ) - Mayhem
• https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/ ( #809 ) - 初始访问、执行、持久化、权限提升、凭证访问、发现、命令与控制、AIX、内部企业服务
• https://imgur.com/a/57uOiTu ( #80 ) - DDoSMan (由 malwaremustdie.org 提供)
• https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/ ( #690 ) - 命令与控制，攻击：T1572：协议隧道，ChamelDoh，wltm，ChamelGang，Linux
• https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ ( #297 ) - FreakOut
• https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html ( #789 ) - 防御规避、发现、命令与控制，攻击：T1090：代理，使用：进程树欺骗，攻击：T1027：混淆文件或信息，攻击：T1082：系统信息发现，SprySOCKS，Mandibule，#170，Earth Lusca，Linux
• https://twitter.com/sethkinghi/status/1397814848549900288 ( #717 ) - 防御规避，攻击：T1480.001：环境密钥，AVrecon，Linux，物联网
• https://blog.netlab.360.com/a-new-mining-botnet-blends-its-c2s-into-ngrok-service/（#343）-NGrok​
• https://twitter.com/billyleonard/status/1458531997576572929 ( #480 ) - Rekoobe、TSH、TINYSHELL、#481、APT31、Linux
• https://www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spam-servers/ ( #68 ) - Mumblehard
• https://old.reddit.com/r/LinuxMalware/comments/a66dsz/ddostf_still_lurking_arm_boxes/ ( #72 ) - DDoSTF (由 malwaremustdie.org 发布)
• https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/ ( #503 )
• https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ ( #470 ) - Lightning、/malware/binaries/Lightning、Linux
• https://unit42.paloaltonetworks.com/pgminer-postgresql-cryptocurrency-mining-botnet/ ( #351 ) - PGMiner
• https://twitter.com/bkMSFT/status/1417823714922610689 ( #328 ) - #329 , Zirconium, APT31
• https://zhuanlan.zhihu.com/p/348960748 ( #403 ) - 冲击、指挥与控制、横向移动、持久性、云铲
• https://vms.drweb.com/virus/?i=15389228 ( #326 ) - ?
• https://twitter.com/IntezerLabs/status/1291355808811409408（#346）-Carbanak​
• https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-system-wipes-of-over-100-organisations-eaf249b042dc ( #786 ) - 数据泄露，影响，地点：以色列，攻击：T1561.001：磁盘内容擦除，攻击：T1485：数据销毁，攻击：T1048.003：通过未加密的非C2协议进行数据泄露，Cyber Toufan，Linux
• https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/ ( #308 ) - KillDisk
• https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html ( #442 ) - Impact, attack:T1486:Data Encrypted for Impact, Cheerscrypt, #544 , Linux, VMware, Internal enterprise services, Internal specialist services
• https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/ ( #327 ) - TeamTNT, Mimipenguin