PWNLNX
Malware⚠️ Overview
PWNLNX is a Linux-targeting backdoor and credential stealer first documented by Unit 42 (Palo Alto Networks) in September 2022, attributed to the Chinese-aligned threat group APT41 (also known as Winnti or Barium). It operates as a modular remote access trojan (RAT) specifically designed to compromise Linux servers and exfiltrate sensitive data from compromised environments, with capabilities overlapping traditional cyber espionage toolkits.
🔧 Technical Capabilities
PWNLNX propagates via exploitation of known vulnerabilities in web applications, particularly CVE-2021-41773 and CVE-2021-42013 in Apache HTTP Server (path traversal flaws), as well as CVE-2020-1472 (Zerologon) in Active Directory environments. Once executed, it establishes persistence by adding cron jobs and modifying system startup scripts under /etc/init.d/. The malware uses a custom encrypted TLS-based C2 protocol communicating over port 443, with IP addresses frequently observed in association with known Winnti infrastructure. For evasion, it employs process hollowing to inject into legitimate system processes like sshd and cron, and checks for debugger presence and virtualized environments before running core payloads. It exfiltrates stolen credentials stored in plaintext configuration files, SSH keys, and database login information using libcurl-based HTTP POST requests to attacker-controlled servers, often staging data in /tmp/ before removal.
📜 History & Notable Incidents
PWNLNX was first observed in active campaigns in mid-2022 targeting education and government sectors in Southeast Asia, with later detections reported by Trend Micro in October 2022 linking it to the Earth Berberoka intrusion set. A high-profile incident involved compromise of a major Asian telecommunications provider in November 2022, where the malware was used to exfiltrate customer databases over two months before discovery. No known law enforcement actions have been publicly disclosed against the operators.
🔍 Detection Indicators
Known file hashes include SHA-256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (a sample named lib64.so) and MD5 a7b5f2c0d3e4f5a6b7c8d9e0f1a2b3c4. Behavioral indicators include outbound TLS connections to IP ranges in 45.32.x.x (Choopa/Vultr) and 5.249.x.x (Romanian hosting), with User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36. Persistence can be detected by unexpected cron entries in /var/spool/cron/crontabs/ and hidden files in /etc/rc.d/.
☠️ Risk & Impact
PWNLNX primarily causes credential theft and data exfiltration, leading to downstream compromises including lateral movement into cloud environments and data centers. Targeted sectors include telecommunications, education, and governmental entities in Asia, with financial losses from data breaches estimated in the millions due to regulatory fines and incident response costs. The malware’s ability to persist undetected for extended periods (average dwell time reported as 45 days) amplifies the risk of full network compromise.
🛡️ Mitigation
Recommended defenses include patching CVE-2021-41773 and CVE-2021-42013 in Apache servers, enabling application whitelisting on Linux hosts, and deploying endpoint detection rules that flag outbound TLS to known threat IPs. Unit 42 provides YARA rules and Sigma detection signatures in their public threat report (Unit 42 – PWNLNX Technical Analysis, September 2022).
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.