<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Memory-Abuse - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/memory-abuse/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 14:33:33 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/memory-abuse/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious Process Execution from Linux Shared Memory (/dev/shm)</title><link>https://feed.craftedsignal.io/briefs/2026-07-linux-shm-exec/</link><pubDate>Fri, 03 Jul 2026 14:33:33 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-linux-shm-exec/</guid><description>Attackers are abusing the Linux shared memory directory, `/dev/shm`, for fileless malware staging and execution to evade disk-based detection mechanisms, posing a high risk for persistent access and system compromise.</description><content:encoded><![CDATA[<p>Attackers are increasingly leveraging the Linux shared memory directory, <code>/dev/shm</code>, as a stealthy staging ground for malicious executables. This directory functions as a <code>tmpfs</code> mount, meaning it resides entirely in RAM, preventing files written within it from ever touching physical disk. This characteristic makes it an attractive location for fileless malware, as it can bypass traditional disk-based forensic tools and detection mechanisms. The technique has been observed in campaigns by various advanced persistent threat (APT) groups and criminal organizations, notably linked to implants like BPFDoor, DecisiveArchitect, JustForFun, and Orbit malware, indicating its widespread adoption in Linux-focused attacks. The abuse of <code>/dev/shm</code> primarily aims at achieving execution while maintaining a low footprint, making detection challenging for defenders who are not actively monitoring process creation from this specific, often overlooked, directory.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> Attackers gain initial access to a Linux system, often via exploiting vulnerable internet-facing services (e.g., SSH, web applications), weak credentials, or phishing.</li>
<li><strong>Foothold &amp; Staging:</strong> Once a foothold is established, the adversary typically downloads or stages malicious payloads, scripts, or binaries onto the compromised system.</li>
<li><strong>Fileless Staging in /dev/shm:</strong> To evade disk-based detection, the malicious executable is written directly into the <code>/dev/shm</code> directory, ensuring it resides only in memory.</li>
<li><strong>Execution from Shared Memory:</strong> The attacker then initiates the execution of the payload from <code>/dev/shm/</code>, masquerading it as a legitimate process or leveraging common execution methods.</li>
<li><strong>Implant Deployment/Execution:</strong> The executed binary establishes persistence, deploys additional implants, or performs initial reconnaissance on the compromised system.</li>
<li><strong>Command and Control (C2):</strong> A C2 channel is established for remote management, data exfiltration, or further instruction delivery.</li>
<li><strong>Impact:</strong> Depending on the attacker's objective, this may lead to data theft, cryptomining, resource hijacking, or the establishment of a long-term presence for future operations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of this technique can lead to significant compromise of Linux systems, ranging from data exfiltration and intellectual property theft to resource hijacking for cryptomining, and the establishment of persistent backdoors. Because malware executed from <code>/dev/shm</code> leaves minimal forensic artifacts on disk, incident response and forensic analysis become significantly more challenging, increasing the dwell time of attackers. While no specific victim counts are tied to this generalized technique in the source material, its use by sophisticated APT groups implies targeting of high-value organizations across various sectors, including government, technology, and critical infrastructure. The primary impact is reduced visibility and increased stealth for adversaries.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule &quot;Process Execution From Shared Memory Directory&quot; to your SIEM.</li>
<li>Ensure <code>process_creation</code> logging is enabled for all Linux endpoints to capture <code>Image</code> paths required by the rule.</li>
<li>Review any legitimate applications or container runtimes that might legitimately execute processes from <code>/dev/shm</code> to tune false positives for the &quot;Process Execution From Shared Memory Directory&quot; rule.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>stealth</category><category>execution</category><category>linux</category><category>memory-abuse</category></item></channel></rss>