Rethinking Security: The Impact of Linux Malware on Cloud Services

Explore a Linux malware campaign exploiting cloud server misconfigurations targeting Docker, Apache Hadoop, Redis, and Confluence, including defense strategies.

A sophisticated Linux malware campaign has been observed, exploiting misconfigurations in cloud servers. Targeting Apache Hadoop, Confluence, Docker, and Redis instances, this operation leverages unique malicious payloads for cryptojacking and establishes a firm presence on compromised systems.

The Campaign Overview

Targeted Services

This campaign specifically targets cloud-based services that are commonly misconfigured: Apache Hadoop, Confluence, Docker, and Redis. These services are critical for various organizational functions, from data processing and web conferencing to container management and database services, making them attractive targets for cyber attackers.

Attack Vector

The attackers have launched a cryptojacking campaign using Linux malware to target these services. One key component of their strategy involves exploiting CVE-2022-26134, a critical vulnerability in Confluence. This campaign utilizes four new Golang payloads designed to automate the process of discovering and exploiting vulnerable hosts.

Uncover risky misconfigurations  and stay one step ahead

Deep Dive into the Attack Mechanics

Discovery and Exploitation

The Golang payloads facilitate automated discovery of misconfigured or vulnerable instances of the targeted services. Once a vulnerable host is identified, these payloads exploit the system to gain unauthorized access. The payloads are designed for precision and efficiency, significantly reducing the time required to compromise a system.

Foothold and Concealment

Upon gaining access, the attackers employ reverse shells and user-mode rootkits, such as 'libprocesshider' and 'diamorphine,' to maintain control over the compromised systems and conceal their presence. This allows the attackers to operate undetected for extended periods.

Deployment and Persistence

The malware campaign is not only about initial compromise but also about sustaining control. Attackers deploy additional payloads, including cryptocurrency miners, and utilize techniques like inserting attacker-controlled SSH keys and registering systemd services to ensure persistence.

Defensive Measures

Detection and Mitigation

Detecting and mitigating such attacks requires vigilance and a proactive approach. Regularly scanning for misconfigurations, monitoring for unusual system behavior, and applying timely patches are critical steps in defense.

Hardening Cloud Configurations

Securing the targeted services involves more than just patching vulnerabilities. Organizations must enforce strict configuration management, employ container security practices for Docker, and ensure database services like Redis are not exposed to the internet.


The rise of sophisticated Linux malware campaigns targeting cloud services underscores the continuous need for rigorous security measures. Organizations must remain vigilant, understanding that it's not a matter of if they will be targeted, but when.

Take Action Against Hidden Threats: Get Your Free Security Risk Assessment Today!


Q: What services are targeted by this Linux malware campaign?

A: Apache Hadoop, Confluence, Docker, and Redis.

Q: How do the attackers maintain access and hide their activities?

A: Through the use of reverse shells and user-mode rootkits like 'libprocessoff' and 'diamorphine'.

Q: What can organizations do to protect against such attacks?

A: Regular patching, monitoring for unusual behavior, securing configurations, and employing container security best practices are essential.

Q: Are there any tools or practices recommended for detecting misconfigurations?

A: Absolutely. Utilizing infrastructure as code (IaC) scanners and configuration management tools is key. For a streamlined solution, ThreatKey's platform can pinpoint and help rectify misconfigurations, safeguarding your infrastructure. 

Q: How does CVE-2022-26134 relate to this campaign?

A: It is a critical vulnerability in Confluence that the attackers exploit for remote code execution as part of their initial access strategy.

Never miss an update.

Subscribe for spam-free updates and articles.
Thanks for subscribing!
Oops! Something went wrong while submitting the form.