Executive Summary
In October 2024, security researchers discovered a new Linux-targeting fileless malware that uses Python and direct syscalls, specifically 'memfd_create', to execute payloads entirely in memory, bypassing traditional disk-based detection. The attack begins with a Python dropper embedding a base64-encoded ELF binary, which is loaded directly into memory using syscall(319) (the memfd_create number on x86_64) and then encrypts files using a simple 1-byte XOR key. While the second-stage payload is rudimentary and appears to be a proof-of-concept, the methodology demonstrates how easily threat actors can evade filesystem-based controls and endpoint security tools on Linux systems.
The incident underscores an increasing trend in fileless malware and direct syscall manipulation, especially on Linux servers and cloud workloads. These advanced tactics make traditional detection and prevention approaches less effective, urging organizations to adopt stronger memory and process monitoring, inline threat detection, and zero-trust segmentation to mitigate similar threats.
Why This Matters Now
The use of syscalls and fileless techniques to execute malware in memory highlights an urgent need for organizations to modernize Linux threat detection. As fileless attacks surge and traditional AV solutions lose effectiveness, visibility and control over in-memory operations have become critical for cloud and hybrid environments.
Attack Path Analysis
The attacker achieved initial compromise by delivering a Python dropper script containing an embedded, obfuscated ELF payload to a Linux system, leveraging fileless techniques via direct syscall usage. Privilege escalation may have involved executing the second-stage ELF payload in memory to gain execution rights without touching disk. The attacker could then attempt lateral movement by exploiting internal Linux communication or moving across east-west network segments. For command and control, the threat may have established outbound connections for remote tasking or second-stage delivery. Though primarily destructive, exfiltration of keys or data could have occurred through unmonitored egress channels. Ultimately, the malware encrypted local files using XOR, directly impacting data availability on the affected host.
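A memfd-backed process leaves two host-side traces a defender can check for: its /proc/&lt;pid&gt;/exe link resolves to a "/memfd:" path rather than a file on disk, and its executable mappings in /proc/&lt;pid&gt;/maps are backed by the same anonymous file; on auditd-enabled hosts the memfd_create call itself also shows up as syscall 319 on x86_64. The following detection helper is an added example, not code from the advisory or its sources; the sample /proc and audit content it is tested against is constructed.

```python
"""Flag processes executing code from memfd_create()-backed in-memory files.
Added example for this advisory; sample inputs are constructed, not captured."""
import os
import re

MEMFD_PREFIX = "/memfd:"
# memfd_create is syscall 319 on x86_64, the number the advisory quotes.
MEMFD_CREATE_X86_64 = 319
# /proc/<pid>/maps fields: address perms offset dev inode [pathname]
_MAPS_LINE = re.compile(r"^\S+\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


def memfd_exec_mappings(maps_text: str) -> list[str]:
    """Return backing paths of executable mappings that live in a memfd."""
    hits = []
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if not m:
            continue
        perms, path = m.groups()
        if "x" in perms and path.startswith(MEMFD_PREFIX):
            hits.append(path)
    return hits


def is_memfd_exe(exe_target: str) -> bool:
    """True if a /proc/<pid>/exe link target is a memfd-backed file."""
    return exe_target.startswith(MEMFD_PREFIX)


def audit_memfd_create(audit_line: str) -> bool:
    """True if an auditd SYSCALL record is memfd_create() on x86_64."""
    return ("type=SYSCALL" in audit_line and "arch=c000003e" in audit_line
            and f" syscall={MEMFD_CREATE_X86_64} " in audit_line)


def scan_proc(proc: str = "/proc") -> list[dict]:
    """Live scan: PIDs whose exe or executable mappings are memfd-backed."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
            with open(f"{proc}/{pid}/maps") as f:
                maps = f.read()
        except OSError:  # process exited, kernel thread, or no privilege
            continue
        paths = memfd_exec_mappings(maps)
        if is_memfd_exe(exe) or paths:
            findings.append({"pid": int(pid), "exe": exe, "memfd_maps": paths})
    return findings
```

Run `scan_proc()` as root on a Linux host to list live findings; the "(deleted)" suffix on the memfd path is normal and is exactly what a binary executed from an anonymous fd looks like.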
Kill Chain Progression
Initial Compromise
Description
Attacker delivered a Python dropper with an embedded Base64-encoded ELF payload, exploiting fileless techniques by using direct syscalls to bypass file-based detection.
Related CVEs
CVE-2025-32432
CVSS 9.8
A critical vulnerability in Craft CMS allows remote attackers to execute arbitrary code via crafted requests.
Affected Products:
Craft CMS – < 3.7.10
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Process Injection: Proc Memory (Fileless Execution)
Obfuscated Files or Information
Command and Scripting Interpreter: Python
Native API
Indicator Removal on Host: File Deletion
Data Encrypted for Impact
System Binary Proxy Execution
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Log and Monitor All Access to System Components
Control ID: 10.2.5
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Regulation (EU) 2022/2554) – ICT Risk Management Requirements
Control ID: Article 9
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Continuous Threat Detection
Control ID: Security Analytics and Threat Detection
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Critical exposure to fileless malware using syscall obfuscation techniques targeting Linux systems, compromising software development environments and deployment pipelines through memory-resident attacks.
Information Technology/IT
High risk from fileless ransomware leveraging memfd_create syscalls to bypass filesystem detection, threatening IT infrastructure while evading traditional security monitoring and compliance controls.
Financial Services
Severe threat from fileless encryption attacks using syscall obfuscation, potentially compromising sensitive financial data while bypassing HIPAA, PCI, and NIST compliance monitoring frameworks.
Health Care / Life Sciences
Significant vulnerability to memory-resident malware attacks that encrypt critical patient data using fileless techniques, threatening HIPAA compliance and healthcare system operational continuity.
Sources
- Using Syscall() for Obfuscation/Fileless Activity (Mon, Oct 20th): https://isc.sans.edu/diary/rss/32384
- Mimo Uses PHP FPM and memfd_create to Launch Fileless Intrusions: https://www.stratosally.com/news/mimo-threat-actor-8026
- Fileless malware: https://en.wikipedia.org/wiki/Fileless_malware
- Introduction of non-executable mfd: https://www.kernel.org/doc/html/latest/userspace-api/mfd_noexec.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic security, fileless runtime visibility, and strong egress controls would have significantly limited each stage of this attack—from initial dropper execution to malware impact—by containing spread, detecting anomalous behavior, and enforcing outbound policy.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline detection and blocking of atypical memory execution and obfuscated payload delivery.
Control: Zero Trust Segmentation
Mitigation: Limits scope of what an exploited process can access within the environment.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized internal movement and suspicious service-to-service communications.
Control: Egress Security & Policy Enforcement
Mitigation: Stops unauthorized outbound connections to malicious destinations.
Control: Cloud Firewall (ACF)
Mitigation: Detects and blocks data transfer attempts to unauthorized external locations.
Rapid anomaly detection and automated response to encryption routines.
Impact at a Glance
Affected Business Functions
- Web Services
- E-commerce Transactions
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of customer personal and payment information due to unauthorized access.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation and least privilege across workloads to constrain fileless execution impact.
- Deploy inline CNSF controls for real-time detection of memory-based code injection and obfuscated dropper activity.
- Implement strict east-west and egress filtering to block lateral movement and C2/exfiltration attempts.
- Leverage anomaly detection and behavioral baselining to rapidly identify signs of ransomware or fileless malware.
- Centralize multicloud visibility to monitor, investigate, and respond to emerging cloud-native threats efficiently.