Perfctl

First seen: 2024 • Status: active

Perfctl is a stealthy Linux malware that mines cryptocurrency on compromised hosts and uses rootkit techniques to hide its processes and files from standard system tools.

Overview

Perfctl is a stealthy Linux malware first reported in 2024 that has been described as targeting millions of internet-exposed Linux servers. Its name is chosen to resemble legitimate system tooling (perf plus ctl), and it uses rootkit techniques to hide its cryptomining activity from process listings and file system views.

Also Known As

PerfControl

How It Spreads

  • Web application vulnerabilities and misconfigurations on internet-exposed servers (initial access)
  • Polkit exploitation (local privilege escalation to root after initial access; Polkit is not itself a propagation vector)
  • SSH brute force

What It Does

  • Cryptocurrency mining
  • Rootkit hiding
  • Proxy jacking
  • Persistent backdoor

Target Platforms

Linux

Detection Tips

  • Check for processes and files named perfctl; the name is meant to blend in with the legitimate perf tool, so match on the exact name rather than dismissing it as a kernel utility
  • Monitor CPU usage when the host is idle: sustained load with no interactive sessions is a stronger signal than load alone
  • Analyze /tmp and /dev/shm for dropped executables; world-writable scratch directories are where the payload is staged
  • Review process hiding indicators: compare the contents of /proc against ps and top output, and inspect /etc/ld.so.preload for libraries that would hook process and file enumeration
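The four tips above can be turned into a small triage script. The following is an added example written for this page, not tooling from the page's source or from any vendor report; the process-name pattern, the load threshold, the scratch directory list and the default PID range are assumptions chosen for illustration rather than published indicators. Each check is a function that can be fed constructed input, and a live scan of the current host runs only when the script is invoked with --scan.

```bash
#!/usr/bin/env bash
# Perfctl triage helper (added example, not code from the page's source).
# The regex, threshold and directory list below are assumptions.
set -u

# Tip 1: process names. Hypothetical pattern; matches "perfctl" anywhere
# in the process comm so renamed copies such as "perfctl2" are also caught.
SUSPECT_NAME_RE='perfctl'

# Probe /proc/<pid>/comm for every possible pid instead of listing /proc.
# Userland (LD_PRELOAD) rootkits usually hide processes by hooking readdir(),
# which ps, top and "ls /proc" all use; a stat() on a guessed path bypasses
# that hook. Argument: highest pid to probe (default: kernel pid_max).
probe_proc_pids() {
  local max=${1:-$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)}
  local pid comm
  for ((pid = 1; pid <= max; pid++)); do
    if [[ -r /proc/$pid/comm ]]; then
      comm=$(cat "/proc/$pid/comm" 2>/dev/null) && printf '%s %s\n' "$pid" "$comm"
    fi
  done
  return 0
}

# Given "pid comm" lines on stdin, print those whose comm matches the pattern.
suspicious_names() {
  awk -v re="$SUSPECT_NAME_RE" '$2 ~ re { print }'
}

# Tip 4: process hiding. Arguments are two whitespace-separated pid lists:
# pids found by probing /proc and pids reported by ps. Prints the ones the
# probe saw but ps did not.
hidden_pids() {
  local probed=$1 visible=$2
  grep -vxF -f <(tr -s ' \n' '\n' <<<"$visible" | sed '/^$/d') \
    <(tr -s ' \n' '\n' <<<"$probed" | sed '/^$/d') || true
}

# Tip 2: CPU busy while nobody is logged in. Arguments: 1-minute load,
# number of logged-in users, CPU count. Returns 0 (suspicious) when there are
# no sessions and load is at least half the CPU count (assumed threshold).
idle_cpu_busy() {
  local load1=$1 users=$2 ncpu=$3
  awk -v l="$load1" -v u="$users" -v n="$ncpu" \
      'BEGIN { exit !(u == 0 && l >= n / 2.0) }'
}

# Tip 3: executables in world-writable scratch space. Prints regular files
# with the owner exec bit set under each directory given.
scratch_executables() {
  local dir
  for dir in "$@"; do
    [[ -d $dir ]] && find "$dir" -xdev -type f -perm -u+x 2>/dev/null
  done
  return 0
}

# Also tip 4: a userland rootkit is commonly loaded through
# /etc/ld.so.preload. Prints non-comment, non-empty entries of the given file.
preload_entries() {
  local f=${1:-/etc/ld.so.preload}
  [[ -r $f ]] && grep -v '^[[:space:]]*#' "$f" | sed '/^[[:space:]]*$/d'
  return 0
}

# Live scan of the current host; only runs with "--scan". PID_MAX_SCAN caps
# the probe range (default 65536; raise it to pid_max on busy hosts).
scan() {
  local probed visible load1 users ncpu
  probed=$(probe_proc_pids "${PID_MAX_SCAN:-65536}")
  visible=$(ps -eo pid= | tr -d ' ')
  echo "== suspect process names"; suspicious_names <<<"$probed"
  echo "== pids readable in /proc but missing from ps"
  hidden_pids "$(awk '{print $1}' <<<"$probed")" "$visible"
  echo "== load vs. logged-in users"
  load1=$(awk '{print $1}' /proc/loadavg); users=$(who | wc -l); ncpu=$(nproc)
  if idle_cpu_busy "$load1" "$users" "$ncpu"; then
    echo "load $load1 with $users sessions on $ncpu CPUs: investigate"
  fi
  echo "== executables in scratch directories"; scratch_executables /tmp /dev/shm
  echo "== /etc/ld.so.preload entries"; preload_entries
}

if [[ ${1:-} == --scan ]]; then scan; fi
```

Run it as `bash perfctl_triage.sh --scan` on the suspect host. Treat its output as a lead, not a verdict: a rootkit that hooks open() and stat() as well as readdir() can defeat the /proc probe, so a hit from any one check is a reason to image the host and compare from a clean system, not a reason to trust the remaining checks.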

MITRE ATT&CK Techniques

T1496 (Resource Hijacking), T1014 (Rootkit), T1090 (Proxy), T1068 (Exploitation for Privilege Escalation)

If You're Infected

  1. Terminate perfctl processes. Do this from a live-boot or forensic environment where possible: on a host with an active rootkit, ps, kill and the shell's own file listings may already be hooked, so a kill issued from the compromised system proves nothing.

  2. Remove rootkit components, including any entries in /etc/ld.so.preload, dropped shared libraries, and persistence added to shell profile and cron files.

  3. Patch Polkit vulnerabilities and the web-facing service that provided initial access, and rotate credentials (including SSH keys) that were present on the host.

  4. Rebuild affected systems from known-good images. Cleaning a host that has run a rootkit cannot be verified with that host's own tools, so a rebuild is the only remediation step that can be trusted.

Related Malware

XMRig, Skidmap, Kinsing
