Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

StripedFly Malware Infects 1M Systems

October 27, 2023
Reading Time: 12 mins read
in Alerts

A sophisticated and covert cross-platform malware framework, known as StripedFly, has managed to infect over a million Windows and Linux systems over a five-year period, evading the scrutiny of cybersecurity researchers. Kaspersky, however, uncovered the true nature of StripedFly in the past year, identifying its activity dating back to 2017.

Initially misclassified as a Monero cryptocurrency miner, this malware is now recognized for its impressive capabilities, including TOR-based traffic concealment, autonomous updates from trusted sources, and a custom EternalBlue SMBv1 exploit developed prior to its public disclosure. Although the malware’s exact purpose remains unclear, its level of sophistication suggests it might be an advanced persistent threat (APT).

The malware’s initial discovery occurred when Kaspersky found its shellcode injected into the WININIT.EXE process, a legitimate Windows OS process. Investigating the injected code revealed that StripedFly downloads and executes additional files from trustworthy hosting services such as Bitbucket, GitHub, and GitLab.

These infected devices were likely first breached through a custom EternalBlue SMBv1 exploit targeting internet-exposed computers. StripedFly also employs a custom TOR network client to protect its communications, allowing it to disable SMBv1 protocol and spread across Windows and Linux devices using SSH and EternalBlue. The command and control (C2) server operates on the TOR network, communicating with victims through frequent beacon messages containing unique IDs.

StripedFly’s persistence on Windows systems adapts to privilege levels and the presence of PowerShell. For Linux systems, it operates under the name ‘sd-pam’ and maintains persistence through systemd services, autostarting .desktop files, or modifications to various profile and startup files. Kaspersky’s analysis suggests that StripedFly has infected at least 220,000 Windows systems since February 2022, and it is estimated to have infected over one million devices in total. This malware operates as a monolithic binary with pluggable modules, providing operational versatility.

These modules include configuration storage, update/uninstall management, reverse proxy, miscellaneous command execution, credential harvesting, repeatable tasks under specific conditions, system reconnaissance, SSH and SMBv1 infection, and Monero mining, used as a diversion tactic while its primary objectives include data theft and system exploitation.

Researchers also found links between StripedFly and the ransomware variant ThunderCrypt, indicating a connection to the same C2 server. The presence of a ‘repeatable tasks module’ suggests potential interest in revenue generation through some victims.

Reference:
  • StripedFly: Perennially flying under the radar
Tags: Cyber AlertCyber Alerts 2023CybersecurityLinuxMalwareOctober 2023Windows
ADVERTISEMENT

Related Posts

Hackers Target Libraesva Email Flaw

Hackers Target Libraesva Email Flaw

September 30, 2025
Hackers Target Libraesva Email Flaw

ShadowV2 Botnet Targets Misconfigured AWS

September 30, 2025
Hackers Target Libraesva Email Flaw

Cisco Warns Of IOS Zero Day Bug

September 30, 2025
Fake Microsoft Teams Installers Spread

Fake Microsoft Teams Installers Spread

September 30, 2025
Fake Microsoft Teams Installers Spread

Cybercriminals Use Facebook Google Ads

September 30, 2025
Fake Microsoft Teams Installers Spread

CISA Warns Of Critical Sudo Flaw

September 30, 2025

Latest Alerts

Hackers Target Libraesva Email Flaw

ShadowV2 Botnet Targets Misconfigured AWS

Cisco Warns Of IOS Zero Day Bug

CISA Warns Of Critical Sudo Flaw

Cybercriminals Use Facebook Google Ads

Fake Microsoft Teams Installers Spread

Subscribe to our newsletter

    Latest Incidents

    Ukrainian Hackers Breach Crimean Servers

    Ransomware Gang Claims Maryland Breach

    Arizona School District Data Breach

    Attackers Take Down Asahi Brewer

    Harrods Alerts Customers To Breach

    Hackers Steal Photos From Kido Nursery

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial