Linux Trojans: How Attackers Compromise the OS the World Trusts

When administrators think about malware, Windows is usually the first platform that comes to mind. That instinct is becoming increasingly dangerous. Linux runs an estimated 96.3 percent of the world's top one million web servers, according to W3Techs data updated in early 2026. It powers nearly every public cloud hypervisor. It runs the routers, the IoT devices, the CI/CD pipelines, and the containers that deliver modern software. Attackers know this, and the Linux threat landscape has evolved accordingly.

A Linux trojan is malicious software that masquerades as something legitimate -- a system utility, a package update, a shared library, or a background service. Unlike a virus, it does not replicate by infecting other files. Unlike a worm, it does not self-propagate across networks autonomously. The trojan's power lies in deception: it gets installed because someone or something trusted it, and then it operates from inside that trust boundary.

Assumption check

Before reading the next section: what percentage of the world's top one million web servers do you think run Linux?

96.3 percent. According to W3Techs data from early 2026, Linux runs on more than 96 in every 100 of the world's top-ranked web servers. That is not a plurality — it is near-total dominance of the attack surface that matters most to adversaries. The security implications of that concentration compound with every new containerized workload and cloud deployment that runs on the same kernel.

Why Linux Is Not the Safe Haven It Used to Be

// Why this matters: The "Linux is safe" assumption is the first cognitive vulnerability attackers count on. This section is about dismantling it with evidence.

The old assumption that Linux was inherently secure because of its smaller user base no longer holds. Linux malware submissions to threat intelligence platforms have been rising sharply. In its 2024 annual threat report, CrowdStrike noted a significant increase in Linux-targeted intrusions linked to both financially motivated actors and nation-state groups. Trend Micro's research documented that Linux environments now regularly face sophisticated, multi-stage malware campaigns that rival those targeting Windows in technical complexity.

Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, stated in the 2024 Global Threat Report that the prevailing assumption of Linux as the safer platform is a misconception -- and that adversaries have fully operationalized Linux exploitation, with the telemetry to prove it.

Several factors have converged to make Linux a more attractive target. First, the attack surface has expanded dramatically: containerized workloads, Kubernetes clusters, and serverless functions all run on Linux, and they often have weaker endpoint detection than traditional servers. Second, Linux systems tend to stay running for long periods without reboots, giving persistent malware a stable environment. Third, root access on a Linux server often means access to everything -- databases, secrets, source code, and lateral movement paths through the network.

A Practical Taxonomy of Linux Trojans

// Why this matters: Every defense decision maps to a trojan category. If you cannot name what you are defending against, you cannot choose the right control.

Linux trojans are not a monolithic category. Understanding what each variant does -- and how it hides -- is the foundation of effective defense. These are the primary families you will encounter in the wild.

Backdoor Trojans

The backdoor is the most common objective. After initial compromise, the attacker drops a trojan that opens a persistent communication channel back to infrastructure they control. This may be a reverse shell, an SSH key implanted in ~/.ssh/authorized_keys, a modified sshd binary that accepts a hardcoded master password, or a lightweight agent that beacons out over HTTPS to blend with normal traffic.

Symbiote, documented jointly by Intezer and BlackBerry Research in June 2022 and first observed targeting Latin American financial sector organizations beginning in November 2021, is an example of a particularly stealthy backdoor. Rather than running as a standalone process, Symbiote injects itself into running processes using LD_PRELOAD, a legitimate Linux dynamic linker feature. It hooks the libc and libpcap functions that network tools and process listing utilities call, hiding its own network connections and its own presence from tools like ps, netstat, and ss. It also uses BPF hooking to filter its traffic out of packet captures, making it invisible even to network analysis tools. It captures credentials from SSH, SCP, and cURL processes that happen to run on the infected machine and exfiltrates them via DNS requests to attacker-controlled domains. The domain names observed in Symbiote's infrastructure were crafted to impersonate major Brazilian banks. According to the joint Intezer and BlackBerry analysis, the malware is designed so that performing live forensics on an infected machine may turn up nothing at all -- all file, process, and network artifacts are hidden by the time the investigation begins.

Joakim Kennedy (Intezer) and the BlackBerry Research & Intelligence Team described Symbiote in their June 2022 analysis as unlike any prior Linux malware they had encountered, noting that all its capabilities rely on hooking libc function calls rather than running as a visible standalone process.

filesystem

Check /etc/ld.so.preload — on a clean system this file is absent or empty. Run ldd /bin/ls and inspect the output; Symbiote hooks execve to hide itself from ldd, but a statically compiled ldd from trusted external media will not be subject to the hook.

network

Symbiote exfiltrates credentials via DNS. Look for anomalous A record requests to domains that impersonate financial institution hostnames. Zeek's DNS log will surface unusual query patterns even when the payload content is hidden from packet capture tools on the infected host.

process

Symbiote is loaded before all other shared objects via LD_PRELOAD. Any EDR or antivirus tool that is dynamically linked may itself be infected. Use statically compiled analysis binaries from trusted external media -- the joint Intezer and BlackBerry report specifically recommends this approach.

Rootkit-Bearing Trojans

Some trojans carry a rootkit payload -- kernel-level code designed to hide the trojan's presence from the operating system itself. User-space rootkits manipulate shared libraries or executables. Kernel-mode rootkits load as Linux Kernel Modules (LKMs), operating at the same privilege level as the kernel and able to intercept any system call.

Diamorphine is an open-source LKM rootkit that has been packaged into several commercial-grade trojan campaigns. It hooks the getdents and getdents64 system calls to hide files and directories, hooks kill to intercept signal-based commands from the operator, and hides processes by manipulating the /proc filesystem. Diamorphine demonstrates a recurring pattern: tools originally released for educational security research get repurposed into operational malware with minimal modification.

Warning

A kernel-mode rootkit running on a compromised system cannot be trusted to report accurate information about that system. ps, ls, netstat, and lsmod can all be hooked to lie. If you suspect a kernel-level compromise, boot from trusted external media or analyze the disk offline. Do not trust the running OS to investigate itself.

Cryptomining Trojans

Cryptomining malware is the most financially motivated and most volumetrically common Linux trojan category. These trojans deploy XMRig or similar Monero miners, consuming CPU and memory resources of compromised cloud instances. The economics are straightforward: compromising thousands of misconfigured cloud VMs and mining Monero at their expense costs the attacker nothing and generates steady revenue.

TeamTNT was a prominent group that targeted Docker APIs, Kubernetes clusters, and exposed Redis instances to deploy miners on cloud infrastructure. AT&T Alien Labs and Trend Micro tracked the group through multiple campaign iterations from 2020 through 2023. TeamTNT's tooling was notable for stealing AWS credentials from instance metadata endpoints and ~/.aws/credentials files -- a detail that illustrates how cryptomining trojans increasingly serve as multi-purpose initial access tools rather than pure miners.

DDoS Bot Trojans

Linux servers and routers, once compromised, become powerful DDoS bots. The Mirai botnet, first observed attacking Krebs on Security and Dyn DNS infrastructure in 2016, demonstrated the scale achievable by compromising embedded Linux devices. Mirai's source code was published shortly after its discovery, and derivatives -- Moobot, Satori, Bashlite, and dozens of others -- have been observed actively recruiting new devices through 2025 and into early 2026. Cloudflare's documentation on Mirai describes the botnet's infection cycle: it scans for devices with default Telnet credentials, installs the bot, then uses the infected device for volumetric UDP and TCP flood attacks.

Remote Access Trojans (RATs)

A Linux RAT gives an attacker a persistent, interactive foothold with capabilities that go beyond a simple backdoor. Modern Linux RATs support file exfiltration, screenshot capture on systems with display servers, keylogging, lateral movement via SSH key harvesting, and proxy functionality that routes attacker traffic through the compromised host. Pupy RAT, an open-source tool with a long history in both red team tooling and nation-state operations, has a fully functional Linux agent and has been attributed to multiple APT groups including APT33 (Elfin) and APT34 (OilRig) in campaigns documented by Palo Alto Unit 42.

Classify the Threat

score: 0 / 0

// observed behavior

How Linux Trojans Get In

// Why this matters: A trojan that cannot achieve initial access cannot execute its payload. Knowing the entry path determines which controls to prioritize first.

Understanding infection vectors is as important as understanding the malware itself. A trojan that cannot achieve initial access cannot execute its payload.

Compromised Supply Chain and Package Repositories

Supply chain attacks against Linux package ecosystems have become a significant concern. In March 2024, a backdoor was discovered in XZ Utils (versions 5.6.0 and 5.6.1), a widely used data compression library present in many Linux distributions. The attacker, operating under the pseudonym "Jia Tan," spent roughly two years building trust as a contributor before inserting malicious code into the liblzma build process. The backdoor targeted OpenSSH on systemd-integrated systems, specifically designed to allow unauthenticated remote code execution. Microsoft engineer and PostgreSQL developer Andres Freund discovered the backdoor almost by accident: he noticed that SSH logins on a Debian testing system were taking around 500ms rather than the normal 100ms, investigated the cause, and traced the slowdown to malicious code embedded in the XZ Utils release tarballs. He reported his findings to the oss-security mailing list on March 29, 2024.

Key finding: XZ Utils supply chain

Andres Freund's March 29, 2024 disclosure to the oss-security mailing list established that the attacker, operating as "Jia Tan," spent roughly two years building credibility as an XZ Utils contributor before inserting the backdoor -- one of the longest-known social engineering timelines in open-source supply chain history. The full disclosure is available at openwall.com/lists/oss-security.

Note

The XZ Utils attack demonstrates a tactic increasingly used by sophisticated actors: exhausting volunteer maintainers through coordinated pressure before offering help. Jia Tan's fake sock-puppet accounts filed complaints about the project's slow pace and demanded a new co-maintainer, creating the opening. The lesson for open-source security is not just about code review -- it is about recognizing social engineering against maintainers as an attack surface in its own right.

Critical

CVE-2024-3094 (XZ Utils backdoor) was caught before widespread deployment in production distributions -- it had reached development and rolling-release variants including Fedora Rawhide, Fedora Linux 40 beta, Debian testing/unstable, Kali Linux, Arch Linux, and openSUSE Tumbleweed, but stable LTS releases such as Debian stable, Ubuntu LTS, and RHEL had not incorporated the compromised versions before discovery. Any system running XZ Utils 5.6.0 or 5.6.1 should be considered compromised and rebuilt from known-good media. The backdoor was assigned a CVSS score of 10.0 -- the maximum.

Exposed Services and Default Credentials

Shodan and Censys continuously index millions of Linux services exposed to the public internet. Attackers use the same data. SSH on port 22 with password authentication enabled, Docker daemon APIs accessible without TLS on port 2375, Redis instances without authentication, and Jupyter notebook servers exposed without tokens are all common entry points. Scanning for these takes seconds; exploitation of default or weak credentials takes only slightly longer.

$ grep -r "PermitRootLogin yes" /etc/ssh/

That single command, run on your own infrastructure, may produce results you do not expect. Root login over SSH is disabled by default in modern distributions, but legacy configurations, automated provisioning scripts, and image templates frequently re-enable it.

Malicious or Typosquatted Packages

The npm, PyPI, RubyGems, and other package ecosystems used heavily on Linux development systems have experienced repeated typosquatting attacks. Packages named to resemble popular libraries -- colourama for colorama, python-dateutil versus dateutils -- contain trojanized code that executes on installation. The Snyk security team has documented thousands of such packages. Because package installation often runs with elevated privileges in CI/CD environments, a single malicious dependency in a build pipeline can compromise the entire build system and potentially inject backdoors into software artifacts.

Web Application Exploitation

Many Linux servers run web applications -- WordPress, Drupal, custom Python and Node.js apps -- that contain vulnerabilities. Remote code execution in a web application gives an attacker a shell as the web server user. From there, privilege escalation using a local kernel exploit, a misconfigured SUID binary, or a sudo misconfiguration often leads to root. Once root is achieved, installing a trojan is trivial.

Persistence: How Trojans Stay Installed

// Why this matters: Initial access and persistence are separate problems. Cleaning a trojan without closing its persistence mechanism means it comes back. Understanding how it stays is how you make sure it doesn't.

Gaining access is only the first step. The trojan needs to survive reboots, admin investigations, and partial cleanup attempts. Linux offers attackers a rich set of persistence mechanisms.

Assumption check

An admin kills a suspicious process and deletes the binary they found. The next morning the same process is running again. Which persistence mechanism is most likely responsible?

Cron re-download. The classic cron persistence trick is specifically designed for this scenario. The attacker adds a cron entry that re-fetches the payload from a remote server at regular intervals. Killing the process and deleting the binary does nothing — the next cron execution reinstalls it. The SSH key and LD_PRELOAD hook would survive the kill but wouldn't re-create a deleted binary. The LKM rootkit would survive too, but the scenario describes a process re-appearing after a binary deletion, which is the telltale signature of a cron re-downloader.

Systemd Service Units

A systemd service is an ideal persistence vehicle. A trojan that installs itself as a service unit in /etc/systemd/system/ will start automatically on boot, restart if killed, and appear in systemctl list-units -- where it may blend in among dozens of legitimate services if given a plausible name like systemd-network-helper.service or polkitd-extended.service.

example malicious unit (illustrative)

[Unit]
Description=Network Diagnostic Helper
After=network.target

[Service]
Type=simple
ExecStart=/usr/lib/systemd/systemd-nethelper
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target

The binary at the ExecStart path looks like a legitimate systemd component. The name is designed to be skipped over during a cursory audit. The Restart=always directive means killing the process just causes it to restart after 30 seconds.

Detection Tip

Audit your service units for recently created or modified files. find /etc/systemd/system/ -newer /etc/passwd -type f will show unit files modified more recently than your /etc/passwd -- a useful baseline comparison. Also review /usr/lib/systemd/system/ and ~/.config/systemd/user/ for user-level persistence.

Cron Jobs and At Schedules

Cron is a time-honored persistence mechanism. Attackers add entries to /etc/cron.d/, /var/spool/cron/crontabs/, or /etc/crontab that re-download and execute the trojan payload at regular intervals. This provides resilience: even if the running process is killed and the binary deleted, the next cron execution re-fetches and re-installs it. Checking all cron locations -- including per-user crontabs for every account on the system -- is essential during an incident response.

# for user in $(cut -f1 -d: /etc/passwd); do echo "=== $user ==="; crontab -u $user -l 2>/dev/null; done

LD_PRELOAD and Shared Library Hijacking

The LD_PRELOAD environment variable, and its system-wide counterpart /etc/ld.so.preload, instruct the dynamic linker to load a specified shared library before all others. Malware that adds itself to /etc/ld.so.preload will be loaded into every dynamically linked process on the system. This is how Symbiote achieves its pervasive hooking capability. Inspecting /etc/ld.so.preload for unexpected entries should be a standard part of any Linux security audit.

# cat /etc/ld.so.preload

On a clean system this file is typically empty or absent. Any content warrants immediate investigation.

SSH Authorized Keys and Host Keys

Implanting an SSH public key in ~/.ssh/authorized_keys for root or a privileged account gives the attacker persistent, credential-independent access that survives password changes. More sophisticated attacks replace or supplement /etc/ssh/ssh_host_*_key files, giving the attacker the ability to decrypt previously captured SSH sessions. Monitoring authorized_keys files for unauthorized additions is a basic but often overlooked control.

Kernel Module Persistence

An LKM rootkit that adds itself to /etc/modules or drops a .conf file in /etc/modules-load.d/ will be loaded by the kernel on every boot. At that point the rootkit is operating at ring 0 -- it has higher privilege than any user-space detection tool. The only reliable way to detect an active kernel-mode rootkit is to compare the running system's kernel memory against known-good state, or to boot from trusted external media and examine the filesystem offline.

Notable Linux Trojans in the Wild

// Why this matters: Real trojans reveal attacker logic. Each one below teaches a principle, not just a name. The detection signals are the actionable part.

Several specific trojans merit attention both for their technical sophistication and for what they reveal about attacker methodology.

BPFDoor

BPFDoor is one of the most technically sophisticated Linux backdoors ever analyzed. PwC Threat Intelligence first identified it in 2021 while tracking the Chinese state-sponsored group they designated Red Menshen -- also tracked as Earth Bluecrow by Trend Micro and as DecisiveArchitect and Red Dev 18 by other researchers. PwC published their public analysis in May 2022. It uses the BPF subsystem -- a legitimate kernel feature for high-performance packet processing -- to monitor raw network traffic for a magic packet that activates the backdoor. This allows BPFDoor to receive commands without ever opening a listening port. Standard port scans and network connection audits will not detect it. PwC's analysis noted that BPFDoor had been present in some environments for years before discovery -- in some cases for up to five years.

Earth Bluecrow remains actively operational. Trend Micro's April 2025 report documented ongoing BPFDoor campaigns targeting telecommunications, finance, and retail sectors across South Korea, Hong Kong, Myanmar, Malaysia, and Egypt throughout 2024 -- and added a significant discovery: a previously unseen controller component that allows Earth Bluecrow operators to open encrypted reverse shell sessions, redirect traffic, and perform lateral movement across compromised networks. The controller prompts the operator for a password before sending a magic packet to the infected host; BPFDoor then calculates an MD5 hash of the password against hardcoded values to authenticate before complying. Trend Micro attributes the controller and associated campaign to Earth Bluecrow with medium confidence, noting that since BPFDoor's source code leaked in 2022, no other threat groups have been conclusively linked to using it. A December 2025 Ericsson technical analysis documented a BPFDoor intrusion at a Southeast Asian mobile operator where multiple BPFDoor variants were used to establish backdoors inside the carrier's 4G core network -- including the Home Subscriber Server (HSS) -- exposing millions of subscribers' USIM data and remaining undetected for an extended period.

PwC Threat Intelligence, in their May 2022 BPFDoor analysis, noted that the backdoor opens no ports, uses no reverse shell, and can disguise itself as any Linux process -- making it effectively undetectable by conventional network monitoring tools.

kernel

Look for processes with an attached BPF_PROG_TYPE_SOCKET_FILTER socket. Run ss -eopn and inspect for raw socket file descriptors on processes with innocuous names. BPFDoor masquerades as udevd, auditd, or similar system processes.

filesystem

Known BPFDoor variants write to /var/run/ or /dev/shm/ using filenames that mimic system lock files (e.g., .lock suffixes). Check for executable files in /dev/shm — legitimate processes rarely write executables there.

process

BPFDoor deletes its own binary after launch. Look for /proc/[pid]/exe entries pointing to (deleted) on processes that have been running since boot. EDR telemetry flagging prctl(PR_SET_NAME) calls is another indicator — BPFDoor uses this to rename itself to mimic system processes.

Warning

BPFDoor's 2024-2025 campaigns show it hiding under process names like /tmp/zabbix_agent.log, /bin/vmtoolsdsrv, and /etc/sysconfig/rhn/rhnsd.conf -- paths crafted to look like legitimate Zabbix monitoring agent logs, VMware tools, and Red Hat Network subscription manager files. If your environment uses any of these tools, the camouflage is deliberate. Verify those paths are actual files of the correct type, not executable ELF binaries.

OrBit

OrBit, documented by Intezer in July 2022, represents a further evolution of the LD_PRELOAD hooking technique. It intercepts and hijacks functions from three major shared libraries -- libc, libpthread, and libcap -- allowing it to evade detection by tools that rely on those libraries for process enumeration, network connection reporting, and privilege inspection. OrBit persists either via /etc/ld.so.preload or by patching the ELF interpreter directly in targeted binaries, a technique that survives even if /etc/ld.so.preload is cleaned.

filesystem

Check /etc/ld.so.preload for any entries — on a clean system this file is typically absent or empty. OrBit drops a shared object (observed as .so files in /lib/ or /usr/lib/) with a name designed to blend in among legitimate libraries.

filesystem

Use readelf -l /usr/bin/sshd (or any targeted binary) and inspect the INTERP segment. It should point to /lib64/ld-linux-x86-64.so.2 or equivalent. Any deviation indicates ELF interpreter patching.

network

OrBit captures SSH credentials and exfiltrates them. Look for outbound connections from sshd itself (not from client sessions) — the SSH daemon should not be initiating outbound connections under normal operation.

XorDDoS

XorDDoS is a trojan with a long operational history, first documented in 2014 by the white-hat research group MalwareMustDie and still actively deployed. It targets Linux x86, x64, and ARM systems -- including Raspberry Pi devices and similar ARM-based servers -- and assembles them into a DDoS botnet. Its name comes from its use of XOR encryption for C2 communications (the XOR key BB2FA36AAA9541F0 is embedded in its binary), and it employs a rootkit component to hide its files and processes. In May 2022, Microsoft's 365 Defender Research Team published an analysis documenting a 254 percent increase in XorDDoS activity over the preceding six months, with the United States as the primary target. Microsoft also found that devices first infected with XorDDoS were subsequently infected with the Tsunami backdoor, which in turn deployed the XMRig Monero miner -- illustrating XorDDoS's role as an initial access broker for further payloads.

XorDDoS has not slowed down. Cisco Talos research published in April 2025 documented that 71.3 percent of XorDDoS infection attempts between November 2023 and February 2025 targeted the United States, making it the single most targeted nation. Talos also identified in 2024 a new "VIP" version of the XorDDoS sub-controller and a corresponding central controller with a builder, indicating the malware is being sold as a product to multiple operators. Critically, XorDDoS has expanded beyond traditional Linux server environments to actively target Docker containers and IoT devices. The language settings of the controller tools strongly suggest Chinese-speaking operators. Recent variants persist via init.d, cron, and systemd.

network

XorDDoS beacons to C2 using XOR-obfuscated TCP. Look for high-frequency low-payload outbound TCP connections to single IP addresses, especially on non-standard ports. Zeek will flag the unusual session length and regularity pattern even if it cannot decrypt the payload.

process

The rootkit hides the miner/bot process, but file integrity monitoring will catch the /etc/init.d/ or /etc/rc.local modifications it makes for persistence. Run find /etc/init.d/ -newer /etc/passwd -type f as a quick check.

kernel

XorDDoS loads a kernel module to hide itself. Use cat /proc/modules and cross-reference against a known-clean module list from the same kernel version and distro. Any unrecognized module signed with an unknown or missing key warrants investigation.

Syslogk

Syslogk, analyzed by Avast in June 2022, uses a kernel rootkit approach to hide an embedded backdoor called Rekoobe. It patches the kernel's module list to hide itself from lsmod, hides its associated files from the filesystem, and wakes up Rekoobe only when it receives a specially crafted TCP packet -- similar in concept to BPFDoor's magic packet activation. Syslogk demonstrates the pattern of combining a kernel rootkit for stealth with a backdoor for functionality, each component protecting the other.

kernel

Syslogk patches the kernel module list to remove itself from lsmod. Compare /proc/modules output directly against /sys/module/ directory entries — discrepancies indicate a module hiding itself by manipulating kernel data structures.

network

Rekoobe is activated by a magic packet. Capture and inspect raw traffic for unexpected TCP packets on port 80 or 443 that do not conform to HTTP/TLS protocol structure — the magic packet trigger is designed to look innocuous at a glance but will fail deep packet inspection.

filesystem

Boot from external trusted media and mount the disk. Syslogk hides its files from the running OS, but offline analysis of the raw filesystem will reveal the hidden files in /etc/ or /usr/lib/ that are invisible during live examination.

Detection: Finding What Is Hiding

// Why this matters: No single tool catches a well-implemented rootkit. Detection requires layers because each layer has a specific blind spot that the next one compensates for.

Detecting Linux trojans requires layering multiple approaches, because no single tool is sufficient against a well-implemented rootkit.

File Integrity Monitoring

Tools like AIDE (Advanced Intrusion Detection Environment) and Tripwire maintain cryptographic hashes of critical system files. Any modification to files in /bin/, /sbin/, /usr/bin/, /lib/, or /etc/ triggers an alert. The critical caveat is that the baseline must be established on a known-clean system, and the AIDE database must be stored somewhere the attacker cannot modify it -- typically read-only external storage or a remote integrity monitoring service.

quick file integrity checks

# Check for recently modified files in system directories
# find /bin /sbin /usr/bin /usr/sbin /lib /lib64 -newer /etc/passwd -type f 2>/dev/null

# Check for SUID/SGID binaries -- compare to known baseline
# find / -perm /6000 -type f 2>/dev/null | sort

# Verify RPM package integrity (RHEL/CentOS/Fedora)
# rpm -Va 2>/dev/null | grep "^..5"

# Verify dpkg package integrity (Debian/Ubuntu)
# dpkg --verify 2>/dev/null | grep "!!"

Network Traffic Analysis

Many trojans require outbound network communication -- for C2 beaconing, data exfiltration, or receiving commands. Establishing a baseline of normal outbound connections and alerting on deviations is a high-value detection strategy. Tools like Zeek (formerly Bro) provide deep network protocol analysis. Unexplained DNS queries to recently registered domains, TLS connections to IP addresses that do not correspond to known business services, and high-volume ICMP or UDP traffic to single destinations are all worth investigating.

Process and Memory Inspection

User-space rootkits hook the system calls that ps uses, but they cannot hide from direct inspection of /proc if done carefully, and they cannot hide from kernel-level tools that bypass the hooked library functions.

process inspection

# Compare processes visible to ps against /proc entries
# Discrepancy indicates userspace hooking
# ls /proc | grep -E '^[0-9]+$' | sort -n > /tmp/proc_pids.txt
# ps -eo pid --no-headers | sort -n > /tmp/ps_pids.txt
# diff /tmp/proc_pids.txt /tmp/ps_pids.txt

# Check for deleted binaries with active file descriptors
# A running trojan that deleted its own binary shows up here
# ls -la /proc/*/exe 2>/dev/null | grep deleted

# Check loaded kernel modules against expected list
# lsmod | awk '{print $1}' | sort > /tmp/current_modules.txt

Note

The "deleted binary" technique -- where malware launches itself and then deletes its own file from disk -- is extremely common. The process stays running, but there is no file to recover from the filesystem. The binary can still be extracted from /proc/[pid]/exe or /proc/[pid]/mem if caught while running.

Endpoint Detection and Response (EDR)

Modern EDR solutions with Linux support -- including CrowdStrike Falcon, SentinelOne, and Microsoft Defender for Endpoint -- use kernel-level sensors that hook system calls at a level below where user-space rootkits operate. They record process creation, network connections, file operations, and memory allocation events into a telemetry stream that is difficult for user-space malware to tamper with. For high-value Linux systems, deploying an EDR sensor is the single highest-impact defensive investment available.

Defense: Reducing Attack Surface

// Why this matters: Prevention is cheaper than detection. These controls map directly to specific attack surfaces — the matrix below shows which control neutralizes which threat.

Detection matters, but prevention is cheaper. Several controls meaningfully reduce the probability of a successful Linux trojan deployment.

Control vs. Threat Coverage hover cells for detail

Threat Vector	FIM (AIDE)	EDR Sensor	auditd Rules	Kernel Hardening	Immutable Infra	SSH Key Auth
LD_PRELOAD hijack	✓ FIM: Full coverageWrites to /etc/ld.so.preload modify a monitored file. AIDE baseline triggers immediately on any change to this path.	✓ EDR: Full coverageKernel-level sensors record every process launch environment. LD_PRELOAD in any process environment is logged as a telemetry event.	✓ auditd: Full coverageA watch rule on /etc/ld.so.preload (-w /etc/ld.so.preload -p wa) fires on any write or attribute change.	— Kernel hardening: No direct coverageKernel hardening (module signing, lockdown LSM) operates at the module level and does not restrict userspace dynamic linker abuse.	✓ Immutable infra: Full coverageContainers replaced on a cycle give a persistence window too short for LD_PRELOAD hijacks to operate meaningfully.	— SSH key auth: No direct coverageSSH authentication controls affect initial access, not what happens after a process is running on the system.
LKM rootkit (kernel module)	~ FIM: Partial coverageFIM catches the rootkit's on-disk module file if it lands in a monitored directory. It cannot detect a module already loaded into kernel memory from a path outside the baseline.	✓ EDR: Full coverageEDR sensors operating at the kernel syscall level log init_module and finit_module calls. Any module load event is recorded, even if the module subsequently hides itself from lsmod.	✓ auditd: Full coverageThe rule "-a always,exit -F arch=b64 -S init_module,finit_module -k lkm_load" records every module load syscall before the module has a chance to hide itself.	✓ Kernel hardening: Full coverageCONFIG_MODULE_SIG_FORCE requires all loaded modules to carry a valid signature from a trusted key. An unsigned rootkit module simply fails to load.	~ Immutable infra: Partial coverageShort-lived containers limit persistence window but do not prevent a rootkit from loading during its operational window. If the container runs long enough, the rootkit still executes.	— SSH key auth: No coverageSSH authentication controls initial access. Once an attacker has a shell, SSH auth no longer constrains what they can load.
Systemd persistence unit	✓ FIM: Full coverageAny new or modified .service file in /etc/systemd/system/ is caught immediately if that path is in the AIDE baseline. This is one of FIM's highest-yield monitoring paths.	✓ EDR: Full coverageEDR records the file creation event, the systemctl enable call, and the subsequent process spawn at boot. The full chain is visible in telemetry.	✓ auditd: Full coverageA watch on /etc/systemd/system/ (-w /etc/systemd/system/ -p wa) catches any new unit file dropped by an attacker.	— Kernel hardening: No coverageKernel hardening does not restrict what systemd units are created or enabled. This is a userspace persistence mechanism.	✓ Immutable infra: Full coverageContainers that are replaced rather than patched in place eliminate systemd persistence entirely — there is no persistent state for a unit file to survive in.	— SSH key auth: No coverageSystemd persistence is established after initial access. SSH authentication does not affect it.
Cron re-downloader	~ FIM: Partial coverageFIM catches modifications to /etc/cron.d/ and /etc/crontab but may miss user crontabs in /var/spool/cron/ if those paths are not explicitly in the baseline.	✓ EDR: Full coverageEDR records every crontab modification and every process spawned by cron, including the curl/wget re-download and the subsequent execution of the dropped payload.	✓ auditd: Full coverageWatch rules on /etc/cron.d/, /var/spool/cron/, and /etc/crontab catch all cron-based persistence additions.	— Kernel hardening: No coverageCron persistence is entirely in userspace. Kernel hardening does not apply.	✓ Immutable infra: Full coverageContainers replaced on schedule have no persistent cron state. The re-downloader has nowhere to plant its entry.	— SSH key auth: No coverageCron persistence is a post-access technique. SSH auth does not affect it.
Exposed services / default creds	— FIM: No coverageFile integrity monitoring does not address network-exposed services or authentication configuration. It monitors what exists on disk, not what is accessible from the network.	~ EDR: Partial coverageEDR will record the process execution that follows a successful exploitation, but it does not prevent the initial authentication or the service exposure itself.	~ auditd: Partial coverageauditd can log failed and successful authentication attempts, providing forensic value after the fact. It does not block access or reduce the exposed attack surface.	— Kernel hardening: No coverageKernel hardening addresses code execution paths, not network service exposure or authentication policy.	~ Immutable infra: Partial coverageImmutable containers are typically provisioned without unnecessary services by design, reducing exposure. But they do not inherently prevent misconfigured services from being exposed.	✓ SSH key auth: Full coverageDisabling password authentication eliminates brute-force and credential-stuffing attacks against SSH entirely. This is the highest-impact single control for this threat vector.
Supply chain / malicious pkg	~ FIM: Partial coverageFIM will catch new files written to system binary directories during package installation. It will not catch a malicious pre-install or post-install script that executes and then cleans up after itself.	✓ EDR: Full coverageEDR records every process spawned during package installation, including any post-install scripts. A script that calls out to a remote server or drops a binary will be captured in the execution chain.	~ auditd: Partial coverageauditd records file writes and process executions, providing a forensic trail. It cannot block a supply chain compromise before it occurs.	— Kernel hardening: No coverageKernel hardening does not affect package installation or third-party dependency resolution. A malicious package runs as userspace code.	✓ Immutable infra: Full coverageBuild pipelines that pin dependency versions and verify checksums, combined with container image scanning before deployment, are the primary supply chain controls. Immutable infra enforces that no unverified code runs in production.	— SSH key auth: No coverageSupply chain attacks occur through the package ecosystem, not through SSH. SSH authentication is irrelevant to this vector.

direct coverage

partial / forensic only

no coverage

Disable unnecessary services. Every service that is not needed is a potential entry point. Use systemctl disable --now on anything not required for the system's function. On a web server, the Bluetooth service, the printer spooler, and the NFS client have no business running.

Enforce SSH key authentication. Password authentication over SSH is brute-forceable at scale. Disable it in /etc/ssh/sshd_config with PasswordAuthentication no and PermitRootLogin no. Use short-lived certificates where possible, managed through a tool like HashiCorp Vault's SSH secrets engine or Teleport, rather than long-lived authorized keys files.

Apply kernel hardening. Enable CONFIG_MODULE_SIG_FORCE to require that all kernel modules be signed with a trusted key, preventing unsigned rootkit modules from loading. Set kernel.modules_disabled=1 in /etc/sysctl.d/ after boot to prevent any further module loading. Enable CONFIG_LOCKDOWN_LSM (available since kernel 5.4) for additional restrictions on kernel modification.

Use immutable infrastructure. Container-based deployments that replace instances rather than patching them in place dramatically limit the persistence horizon for any malware. A trojan that installs itself on a container that is replaced every 24 hours has a very short operational window.

Monitor /etc/ld.so.preload and LD_PRELOAD. Use auditd to log any writes to /etc/ld.so.preload and any process launch that includes LD_PRELOAD in its environment. These are not common events in normal operations.

/etc/audit/rules.d/trojan-indicators.rules

# Alert on writes to ld.so.preload
-w /etc/ld.so.preload -p wa -k ld_preload_modification

# Alert on new files in systemd system unit directory
-w /etc/systemd/system/ -p wa -k systemd_unit_modification

# Alert on changes to cron directories
-w /etc/cron.d/ -p wa -k cron_modification
-w /var/spool/cron/ -p wa -k cron_modification

# Alert on changes to SSH authorized_keys for root
-w /root/.ssh/authorized_keys -p wa -k ssh_key_modification

# Alert on insmod / modprobe execution
-a always,exit -F arch=b64 -S init_module,finit_module -k lkm_load

Incident Response on a Compromised Linux System

// Why this matters: The order of your actions during IR determines what evidence you preserve. Doing things in the wrong sequence can destroy the forensic record before you know what happened.

If you suspect a Linux trojan is present, the response approach depends on whether preserving forensic evidence is a priority and whether the system can be taken offline.

The first decision is whether to contain and analyze, or to contain and rebuild. For systems with a kernel-level rootkit, the analysis must be done offline -- the running OS cannot be trusted. Shut down the system, take a disk image using trusted hardware, and analyze the image in a clean environment. For suspected user-space trojans without kernel modification, live analysis of the running system is feasible but should use statically compiled binaries brought from a known-clean source to avoid using any hooked library functions.

Collect volatile evidence first -- network connections, running processes, loaded modules, open file descriptors -- before shutting the system down, as this information is lost at power-off. Tools like LiME (Linux Memory Extractor) can capture a full memory dump as a kernel module from trusted external media, preserving process memory, kernel structures, and potentially the trojan binary itself.

Richard Bejtlich, in The Practice of Network Security Monitoring (No Starch Press), makes clear that when a Linux rootkit is suspected, imaging the disk from outside the running OS is the only forensic action that can be trusted -- everything else risks being compromised by the very system under investigation.

After analysis and recovery, the root cause of the initial compromise must be identified and addressed before bringing a rebuilt system back online. Rebuilding without closing the initial access vector simply invites re-compromise.

The Takeaway

Linux trojans are not a theoretical concern or a secondary consideration behind Windows threats. They target the infrastructure that runs the internet, and they do so with increasing sophistication -- exploiting legitimate kernel features, hijacking the dynamic linker, persisting through supply chain compromises, and evading standard detection tools by operating below the level at which those tools function.

The defenders who fare best are those who treat their Linux systems with the same rigor they apply to Windows: file integrity monitoring, endpoint detection, network traffic baselining, audit logging, and a clear incident response plan. The assumption that Linux is safe by default, or that attackers prefer other targets, is a position the threat landscape no longer supports.

Sources referenced in this article: CrowdStrike 2024 Global Threat Report (crowdstrike.com); Trend Micro Linux Threat Analysis H1 2023; Intezer and BlackBerry Research: Symbiote Deep-Dive, June 2022 (intezer.com); Intezer OrBit analysis, July 2022 (intezer.com); PwC BPFDoor Threat Intelligence analysis, May 2022 (pwc.com); Trend Micro BPFDoor Hidden Controller analysis, April 2025 (trendmicro.com); Ericsson BPFDoor telecom operator analysis, December 2025 (ericsson.com); Avast Syslogk analysis, June 2022 (avast.io); Microsoft XorDDoS activity report, May 2022 (microsoft.com); Cisco Talos XorDDoS controller and Docker expansion analysis, April 2025 (thehackernews.com/Talos); Andres Freund CVE-2024-3094 disclosure, oss-security mailing list, March 29, 2024 (openwall.com); NVD CVE-2024-3094 advisory (nvd.nist.gov); Red Hat and CISA CVE-2024-3094 XZ Utils advisories; Palo Alto Unit 42 Pupy RAT attribution reporting (unit42.paloaltonetworks.com); Cloudflare Mirai botnet documentation (cloudflare.com); W3Techs web server market share data, 2026 (w3techs.com); Snyk malicious npm package research (snyk.io); Richard Bejtlich, The Practice of Network Security Monitoring, No Starch Press.

How to Defend Against Linux Trojans

Step 1: Establish file integrity monitoring and audit logging

Deploy AIDE or a comparable file integrity monitoring tool with a baseline covering /usr/bin/, /usr/sbin/, /lib/, /etc/ld.so.preload, /etc/systemd/system/, and cron directories. Configure auditd with rules that alert on writes to ld.so.preload, new systemd unit files, cron modifications, SSH authorized_keys changes, and kernel module load syscalls.

Step 2: Detect active trojans using process and network inspection

Compare process IDs visible to ps against /proc entries to identify discrepancies caused by userspace hooking. Check for running processes whose binary has been deleted using ls -la /proc/*/exe | grep deleted. Baseline normal outbound network connections with a tool like Zeek and alert on unexplained DNS queries, TLS connections to unrecognized IPs, or regular small-packet beaconing to external hosts.

Step 3: Respond to a suspected Linux trojan compromise

Collect volatile evidence first — network connections, running processes, loaded kernel modules, and open file descriptors — before taking the system offline. For suspected kernel-level rootkits, shut down the system, take a forensic disk image from trusted external hardware, and analyze offline. For userspace trojans, live analysis using statically compiled binaries from a known-clean source is feasible. Identify and close the initial access vector before rebuilding to prevent re-compromise.

Frequently Asked Questions

What is a Linux trojan and how does it differ from a virus or worm?

A Linux trojan is malicious software that masquerades as something legitimate — a system utility, a package update, a shared library, or a background service. Unlike a virus, it does not replicate by infecting other files. Unlike a worm, it does not self-propagate across networks autonomously. The trojan's power lies in deception: it gets installed because someone or something trusted it, and then it operates from inside that trust boundary.

Why is BPFDoor so difficult to detect with a port scan?

BPFDoor does not open any listening port. It attaches a BPF socket directly to the network interface and inspects raw traffic, waiting for a magic packet that contains a specific value. Because no port is opened, a port scan will always come back clean — there is nothing for the scanner to find. Detection requires looking for raw socket file descriptors on running processes, anomalous BPF program attachments, and correlating with threat intelligence feeds.

How do you recover a Linux trojan binary that deleted itself from disk?

When a process deletes its own binary, the kernel keeps the file's inode and content alive in memory as long as the process has an open file descriptor to it. The binary is still accessible at /proc/[pid]/exe and can be copied to a safe location before the process is killed. The full process memory space is also available via /proc/[pid]/mem. This makes self-deleting trojans more recoverable than they appear — as long as the process is still running when discovered.

^ back to top