The Evolution of Linux Binaries in Targeted Cloud Operations
Threat actors are developing Linux Executable and Linkable Format (ELF) binaries to target cloud infrastructure, including backdoors, droppers, remote access Trojans (RATs), data wipers, and vulnerability-exploiting binaries. Five ELF-based malware families, NoodleRAT, Winnti, SSHdInjector, Pygmy Goat, and AcidPour, are actively maintained and used in attacks. Palo Alto Networks Cortex Cloud's machine learning module detected 92% of these malware samples, highlighting the need for stronger detection and prevention capabilities in cloud workloads and containers.
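Because every family above ships as an ELF binary, the first triage step on a suspicious file pulled from a container or cloud host is to read its ELF header. The following is an added example, not code from the research summarized on this page or from Palo Alto Networks: a small Python parser for the ELF32/ELF64 header that reports class, endianness, machine type and entry point, and flags a few header anomalies (such as a missing section header table, which loaders do not need and which stripped or packed samples often omit). The anomaly heuristics and the sample header it builds with `build_sample_header` are assumptions constructed for the demonstration, not signatures for any of the named families.

```python
import struct

ELF_MAGIC = b"\x7fELF"

E_TYPE = {0: "NONE", 1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64", 243: "RISC-V"}


def is_elf(data: bytes) -> bool:
    """True if the buffer starts with the ELF magic bytes."""
    return len(data) >= 4 and data[:4] == ELF_MAGIC


def parse_elf_header(data: bytes) -> dict:
    """Parse an ELF32 or ELF64 header from the first bytes of a file.

    Raises ValueError on non-ELF or truncated input. Returns the decoded
    fields plus a list of heuristic anomaly strings useful for triage.
    """
    if not is_elf(data):
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]  # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or data encoding")
    endian = "<" if ei_data == 1 else ">"
    # ELF64 uses 8-byte e_entry/e_phoff/e_shoff; ELF32 uses 4-byte fields.
    if ei_class == 2:
        fmt, size = endian + "HHIQQQIHHHHHH", 64
    else:
        fmt, size = endian + "HHIIIIIHHHHHH", 52
    if len(data) < size:
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _e_version, e_entry, e_phoff, e_shoff, _e_flags,
     e_ehsize, _e_phentsize, e_phnum, _e_shentsize, e_shnum,
     e_shstrndx) = struct.unpack(fmt, data[16:size])

    anomalies = []
    # Heuristic (assumption): loaders ignore section headers, so a binary with
    # none has been stripped or packed; worth a closer look, not proof of malice.
    if e_shoff == 0 or e_shnum == 0:
        anomalies.append("section header table absent")
    if e_ehsize != size:
        anomalies.append("e_ehsize does not match ELF class")
    if e_phnum == 0 and e_type in (2, 3):
        anomalies.append("no program headers in a loadable image")
    if e_entry == 0 and e_type == 2:
        anomalies.append("zero entry point in EXEC image")

    return {
        "class": 64 if ei_class == 2 else 32,
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPE.get(e_type, f"unknown({e_type})"),
        "machine": E_MACHINE.get(e_machine, f"unknown({e_machine})"),
        "entry": e_entry,
        "phnum": e_phnum,
        "shnum": e_shnum,
        "shstrndx": e_shstrndx,
        "anomalies": anomalies,
    }


def triage_file(path: str) -> dict:
    """Read just the header bytes of a file on disk and parse them."""
    with open(path, "rb") as fh:
        return parse_elf_header(fh.read(64))


def build_sample_header(e_shoff=0x1000, e_shnum=5, e_shstrndx=4) -> bytes:
    """Constructed ELF64 little-endian x86-64 EXEC header (not a real sample)."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7  # 64-bit, LE, v1, SysV
    return ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 62, 1, 0x401000,   # e_type=EXEC, e_machine=x86-64, version, entry
        64, e_shoff, 0,       # e_phoff, e_shoff, e_flags
        64, 56, 4,            # e_ehsize, e_phentsize, e_phnum
        64, e_shnum, e_shstrndx,
    )


if __name__ == "__main__":
    for label, hdr in (("intact", build_sample_header()),
                       ("stripped", build_sample_header(0, 0, 0))):
        print(label, parse_elf_header(hdr))
```

Run `triage_file` over every file in a container layer and sort by the `anomalies` field to prioritise manual analysis; the parser never executes or maps the binary, so it is safe to run on untrusted input.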