kfos

Malware

⚠️ Overview

Kfos is a Linux-based kernel rootkit first publicly documented by researchers from CrowdStrike in 2019, operating as a stealthy loadable kernel module (LKM) that compromises the integrity of the operating system for persistent, covert access. It is categorized as a rootkit and backdoor, designed to hide malicious processes, network connections, and files from system administrators and security tools, and is attributed to advanced persistent threat (APT) groups linked to China, including the cluster tracked as APT41 (Winnti).

🔧 Technical Capabilities

Kfos achieves persistence by loading as a kernel module via insmod or modprobe, hooking system call tables (e.g., sys_call_table) to intercept and filter system calls related to file listing (getdents64), process enumeration (kill), and network connections (tcp4_seq_show). It uses direct kernel object manipulation (DKOM) to conceal its own module from lsmod output and hides arbitrary files and directories specified via a configuration structure. The rootkit communicates with a command-and-control (C2) server using encrypted TCP or UDP packets, often over non-standard ports, with the ability to receive commands to execute arbitrary shell commands, exfiltrate data, or update itself. Evasion techniques include anti-forensic measures such as cleaning kernel log entries, avoiding common hook detection by patching the system call table directly in memory, and using kernel memory allocation tricks to avoid leaving trace files on disk. Kfos also implements a built-in password authentication mechanism to prevent unauthorized C2 connections.

📜 History & Notable Incidents

First observed in the wild in mid-2019 during incident response engagements at a telecommunications provider in Southeast Asia, Kfos was later linked to the compromise of multiple gaming and software companies globally, as reported in CrowdStrike's 2020 Global Threat Report. In 2021, a variant of Kfos was used in an attack against a Japanese technology firm, where it was deployed alongside the Cobalt Strike beacon and the Mimikatz credential dumper; no specific CVEs are directly associated with the rootkit itself, as it leverages publicly available kernel vulnerabilities or stolen legitimate kernel modules for initial loading. Law enforcement actions have not publicly targeted Kfos operators, but the associated APT41 group was indicted by the U.S. Department of Justice in September 2020 for a broad range of cyber intrusion activities.

🔍 Detection Indicators

Known indicators of compromise include specific kernel module names such as kfos.ko or obfuscated variants like afe.ko, presence of the mutex value __kfos_mutex in kernel memory, and outbound connections to a set of C2 IP addresses documented in open-source reports (e.g., 185.117.118.x ranges). Behavioral signatures include unexpected kernel module load events, system call table modifications detectable via integrity check tools like Sysdig or kmod scanners, and anomalous network traffic to uncommon ports (e.g., TCP/4433) with encrypted payloads.

☠️ Risk & Impact

The rootkit enables long-term, stealthy persistence on compromised Linux servers, allowing attackers to exfiltrate sensitive data (e.g., source code, customer databases, and intellectual property) without detection, often leading to significant financial losses and reputational damage. Affected sectors include telecommunications, technology, gaming, and software development, as well as academic institutions in Asia and North America, with the rootkit particularly targeting high-value corporate networks.

🛡️ Mitigation

Mitigation strategies include deploying kernel-level integrity monitoring tools (e.g., Sysmon for Linux, osquery with kernel audit rules) to detect system call table modifications, enforcing strict module signing policies (CONFIG_MODULE_SIG_FORCE), and conducting regular memory forensics with Volatility plugins designed to spot hidden LKMs. Organizations should also apply the principle of least privilege to kernel module loading and monitor for anomalous outbound network traffic to unknown IPs on non-standard ports.

A Large Share of Web Traffic Is Automated — Not All of It Is Benign

— Industry Security Reports

Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.

📊 Get My Threat Report

Sign up in seconds  ·  No card required

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.