Lightning Framework: New Stealthy, Sophisticated Linux Malware on the Rise

Security researchers detailed the discovery of a new, previously undetected malware sample specifically designed to target the Linux environment. The malware showcases sophisticated capabilities and is “an intricate framework developed for targeting Linux systems,” Intezer researchers said in their technical analysis.

Lightning Framework Linux Malware Technical Overview

“Lightning is a modular framework we discovered that has a plethora of capabilities, and the ability to install multiple types of rootkit, as well as the capability to run plugins,” the report explained. Fortunately, so far there haven’t been any indications that the malware is being used in the wild.

What have the researchers discovered about the structure of Lightning Framework?

The framework consists of a downloader and a core module, together with a number of plugins, some of which are open-source. Lightning.Downloader's main function is to retrieve the other components and execute the main module.

It is noteworthy that the framework relies heavily on typosquatting (also known as URL hijacking) and masquerading to remain undetected on compromised Linux systems. The downloader fingerprints the host name and network adapters to generate a GUID (globally unique identifier), which is sent to the command-and-control server.

The communication with the command-and-control server is done to fetch the following plugins and modules:

  • Linux.Plugin.Lightning.SsHijacker
  • Linux.Plugin.Lightning.Sshd
  • Linux.Plugin.Lightning.Nethogs
  • Linux.Plugin.Lightning.iftop
  • Linux.Plugin.Lightning.iptraf
  • Lightning.Core
The core module, which is the main module of the framework, can receive commands from the command-and-control server to execute the plugin modules listed above. Not surprisingly, the module has multiple capabilities and utilizes numerous techniques to hide artifacts and remain running undetected.
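Because the plugins are named after legitimate tools (sshd, nethogs, iftop, iptraf) and the framework relies on typosquatting and masquerading, one defensive check is to compare running process names and binary paths against the real tools. The script below is an added illustration, not code from Intezer's report or from the framework: the process records are constructed, and the "expected" install paths are an assumption that should be replaced with the values from the host's package manager.

```python
# Added illustration: flag processes that masquerade as, or typosquat, the
# legitimate tools the Lightning plugins are named after. Records would come
# from /proc/<pid>/comm and /proc/<pid>/exe on a real host; the ones below
# are constructed. The "expected" install paths are an assumption.
KNOWN_TOOLS = {
    "sshd": {"/usr/sbin/sshd"},
    "nethogs": {"/usr/sbin/nethogs", "/usr/bin/nethogs"},
    "iftop": {"/usr/sbin/iftop", "/usr/bin/iftop"},
    "iptraf": {"/usr/bin/iptraf", "/usr/bin/iptraf-ng"},
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches single-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check(pid: int, comm: str, exe: str):
    """Return a finding string for a suspicious (pid, name, exe path), else None."""
    name = comm.lower()
    if name in KNOWN_TOOLS:
        # Masquerading: the right name, but the binary lives somewhere unexpected.
        if exe not in KNOWN_TOOLS[name]:
            return f"pid {pid}: '{name}' running from unexpected path {exe}"
        return None
    # Typosquatting: a name one edit away from a known tool name.
    for tool in KNOWN_TOOLS:
        if edit_distance(name, tool) == 1:
            return f"pid {pid}: '{name}' is a lookalike of '{tool}' ({exe})"
    return None

def scan(procs):
    """Apply check() to (pid, comm, exe) records and return the findings."""
    return [f for f in (check(*p) for p in procs) if f]

# Constructed sample process table (not real indicators).
SAMPLE = [
    (812, "sshd", "/usr/sbin/sshd"),
    (2310, "sshd", "/tmp/.x/sshd"),
    (2311, "iftop", "/usr/bin/iftop"),
    (2312, "lftop", "/var/tmp/lftop"),
    (2313, "bash", "/usr/bin/bash"),
]
if __name__ == "__main__":
    print("\n".join(scan(SAMPLE)))
```

A name match alone is not evidence; the check is a triage filter, and an unexpected path should be followed up by verifying the binary against the package manager's recorded hash.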

Other Details

Network communication in the Core and Downloader modules takes place over TCP sockets. The data is structured as JSON, and the command-and-control server address is stored in a polymorphic encoded configuration file that is unique for every build. "This means that configuration files will not be able to be detected through techniques such as hashes. The key is built into the start of the encoded file," the researchers added.

Another example of a new Linux malware is the Symbiote malware. Discovered by Blackberry researchers, the malware is designed to infect all running processes on infected machines, and is capable of stealing account credentials and providing backdoor access to its operators.

The first detection happened in November 2021, when it was discovered in attacks against financial organizations in Latin America. The malware is capable of hiding itself after the infection, making it very difficult to detect.

Milena Dimitrova
