您的浏览器禁用了JavaScript(一种计算机语言,用以实现您与网页的交互),请解除该禁用,或者联系我们。 [Kroll]:Kroll深入探讨:Kroll对GARUDA C2恶意软件的分析 - 发现报告

Kroll深入探讨:Kroll对GARUDA C2恶意软件的分析

信息技术 2026-05-01 - Kroll Zt
报告封面

Authors:Otavio Passos, Eric StromMay 2026 Table of Contents Key InsightsIntroductionGithub AnalysisWindows ToolchainMacOS ToolchainLinux ToolchainNative CapabilitiesDLL SideloadingStandalone ExecutableConclusionIOCsURLsSHA256Dropped FilesTokens and SecretsObserved MITRE ATT&CK Techniques0304040509101212202020212122 Key Insights Actor profile and development environment:Kroll ThreatIntelligence (TI) uncovered a multi OS malware campaign run viaa GitHub account later wiped, with preserved artifacts showinga Kali Linux setup, Hindi comments, an IPv6 address in Gujarat,India, and evidence of local LLM use, supporting high confidenceattribution to an India based developer. Multi platform infection chain and persistence:The actormaintains a unified framework (“GARUDA C2”) using initialdownloaders that fetch second stage scripts from severalcode hosting platforms. Capabilities and payloads:Second stage componentsperform host reconnaissance, exfiltrate via repositoriesusing embedded API tokens, and pull updates based onversion indicators. You can find the full list of observedMITRE ATT&CKtechniquesat the end of this article. Introduction Kroll TI identified a multi-OS malware campaign operated via a GitHub account that shifted from “mahesh97m” to “hellow2003”and was later wiped at commit 16935c4. Prior to the wipe, the repository contained cross-platform downloaders, victim logs,executables and password-protected archives; Kroll TI preserved the contents before removal. “Test” logs exposed the developer’s environment (Kali Linux host) and a global IPv6 address geolocating to Rajkot in Gujarat, India.Combined with Hindi guidance comments embedded in scripts and the presence of a dedicated ollama user and service, Kroll TIassesses with high confidence that the actor operates from India and likely leverages a local LLM to assist development. Operationally, the actor maintains uniform toolchains for Windows, macOS and Linux, using initial downloaders to pull next-stagescripts from multiple code-hosting platforms (GitHub, GitLab, Codeberg, Gitea, and Bitbucket). On Windows, persistence usesRegistry Run keys and a scheduled task (“SysCache_User_Update”), while macOS relies on a LaunchAgent using a custom plistconfiguration file, and Linux uses systemd for persistence. This command-and-control (C2) framework is being tracked internallyby Kroll TI as “GARUDA C2”. Across OSes, second-stage components conduct reconnaissance on the host and exfiltrate results to actor-controlled repositoriesusing embedded API tokens, then poll a lightweight “version” indicator (e.g., 1.1/“garuda1”) to fetch and execute updatedcommands via a Base64-encoded command runner. Native payloads include Rust-based binaries and a VLC DLL sideloading technique (abusing libvlc.dll/libvlccore.dll DLL load order)to deploy a local command-execution stack that drops components (e.g., sys_base2.exe, sys_helper.exe) under%LOCALAPPDATA%\Syscore1 and establishes persistence, while also attempting to open a lure PDF. Functionally, these binariesreplicate the script-based model: retrieve tasks from code-hosting repos, diff versions, execute and persist. This white paper maps out Kroll’s full analysis of the malware, including various toolchains and IOCs. Github Analysis The threat actor’sgithub(previously “mahesh97m”, now “hellow2003”), waswipedin commit 16935c4. Before that, therepository was filled with multi-architecture shell scripts, victim logs, executables and password-protected ZIPs. Luckily, Kroll TITeam have dumped all of the wiped content beforehand. Amongst the several victim logs files, “tests” logs were included, which unveiled valuable machine information regarding thethreat actor’s development environment. File: axx1ltpmw6az2.0.txt SHA256: CEBCFDC6511A88A6C9BAD2EA2898F81C83308D4E820D7AB093C7A848FA738359 Hostname: kaliUser: kaliUser ID: uid=1000(kali) gid=1000(kali) groups=1000(kali),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio)30(dip),44(video),46(plugdev),100(users),101(netdev),116(bluetooth),121(wireshark),123(lpadmin),129(scanner),134(kaboxer),984(ollama)OS: Linux kali 6.12.33+kali-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.12.33-1kali1 (2025-06-25)x86_64 GNU/Linux... --- OS RELEASE --- PRETTY_NAME=”Kali GNU/Linux Rolling” ...--- NETWORK ---... 3: wlan0: mtu 1500 qdisc noqueue state UP group default qlen 1000... inet6 2402:3a80:4431:84f5:4603:2cff:fe8a:1420/64 scope global deprecated dynamic mngtmpaddr noprefixroutevalid_lft 4700sec preferred_lft 0sec The first information of note is the threat actor’s IPv6 address, 2402:3a80:4431:84f5:4603:2cff:fe8a:1420/64, pointing toRajkot, Gujarat, India. Secondly, there is a dedicated ollama user, group and systemd service. This would indicate that the threat actor leveraged a locallarge language model (LLM) to develop part of or all of their work. Other indicators of LLM assistance are the various “LLM-ish” comments scattered all across t