{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/various-apts/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Various APTs","criminal groups"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["stealth","execution","linux","memory-abuse"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eAttackers are increasingly leveraging the Linux shared memory directory, \u003ccode\u003e/dev/shm\u003c/code\u003e, as a stealthy staging ground for malicious executables. This directory functions as a \u003ccode\u003etmpfs\u003c/code\u003e mount, meaning it resides entirely in RAM, preventing files written within it from ever touching physical disk. This characteristic makes it an attractive location for fileless malware, as it can bypass traditional disk-based forensic tools and detection mechanisms. The technique has been observed in campaigns by various advanced persistent threat (APT) groups and criminal organizations, notably linked to implants like BPFDoor, DecisiveArchitect, JustForFun, and Orbit malware, indicating its widespread adoption in Linux-focused attacks. The abuse of \u003ccode\u003e/dev/shm\u003c/code\u003e primarily aims at achieving execution while maintaining a low footprint, making detection challenging for defenders who are not actively monitoring process creation from this specific, often overlooked, directory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e Attackers gain initial access to a Linux system, often via exploiting vulnerable internet-facing services (e.g., SSH, web applications), weak credentials, or phishing.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFoothold \u0026amp; Staging:\u003c/strong\u003e Once a foothold is established, the adversary typically downloads or stages malicious payloads, scripts, or binaries onto the compromised system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFileless Staging in /dev/shm:\u003c/strong\u003e To evade disk-based detection, the malicious executable is written directly into the \u003ccode\u003e/dev/shm\u003c/code\u003e directory, ensuring it resides only in memory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution from Shared Memory:\u003c/strong\u003e The attacker then initiates the execution of the payload from \u003ccode\u003e/dev/shm/\u003c/code\u003e, masquerading it as a legitimate process or leveraging common execution methods.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplant Deployment/Execution:\u003c/strong\u003e The executed binary establishes persistence, deploys additional implants, or performs initial reconnaissance on the compromised system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control (C2):\u003c/strong\u003e A C2 channel is established for remote management, data exfiltration, or further instruction delivery.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e Depending on the attacker's objective, this may lead to data theft, cryptomining, resource hijacking, or the establishment of a long-term presence for future operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of this technique can lead to significant compromise of Linux systems, ranging from data exfiltration and intellectual property theft to resource hijacking for cryptomining, and the establishment of persistent backdoors. Because malware executed from \u003ccode\u003e/dev/shm\u003c/code\u003e leaves minimal forensic artifacts on disk, incident response and forensic analysis become significantly more challenging, increasing the dwell time of attackers. While no specific victim counts are tied to this generalized technique in the source material, its use by sophisticated APT groups implies targeting of high-value organizations across various sectors, including government, technology, and critical infrastructure. The primary impact is reduced visibility and increased stealth for adversaries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;Process Execution From Shared Memory Directory\u0026quot; to your SIEM.\u003c/li\u003e\n\u003cli\u003eEnsure \u003ccode\u003eprocess_creation\u003c/code\u003e logging is enabled for all Linux endpoints to capture \u003ccode\u003eImage\u003c/code\u003e paths required by the rule.\u003c/li\u003e\n\u003cli\u003eReview any legitimate applications or container runtimes that might legitimately execute processes from \u003ccode\u003e/dev/shm\u003c/code\u003e to tune false positives for the \u0026quot;Process Execution From Shared Memory Directory\u0026quot; rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T14:33:33Z","date_published":"2026-07-03T14:33:33Z","id":"https://feed.craftedsignal.io/briefs/2026-07-linux-shm-exec/","summary":"Attackers are abusing the Linux shared memory directory, `/dev/shm`, for fileless malware staging and execution to evade disk-based detection mechanisms, posing a high risk for persistent access and system compromise.","title":"Suspicious Process Execution from Linux Shared Memory (/dev/shm)","url":"https://feed.craftedsignal.io/briefs/2026-07-linux-shm-exec/"}],"language":"en","title":"CraftedSignal Threat Feed - Various APTs","version":"https://jsonfeed.org/version/1.1"}