{"id":42607,"date":"2021-05-28T00:00:00","date_gmt":"2021-05-28T00:00:00","guid":{"rendered":"https:\/\/www.trendmicro.com\/en_us\/research\/21\/e\/darkside-linux-vms-targeted.html"},"modified":"2021-05-28T00:00:00","modified_gmt":"2021-05-28T00:00:00","slug":"darkside-on-linux-virtual-machines-targeted-threats-analyst","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/darkside-on-linux-virtual-machines-targeted-threats-analyst\/","title":{"rendered":"DarkSide on Linux: Virtual Machines Targeted Threats Analyst"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/darkside-on-linux-vms-targeted\/darkside-linux-main641.jpg\"><!-- Begin mPulse library --><!-- END mPulse library --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"articles, news, reports,ransomware,research\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2021-05-28\"> <meta property=\"article:tag\" content=\"ransomware\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/e\/darkside-linux-vms-targeted.html\"> <title>DarkSide on Linux: Virtual Machines Targeted<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta 
property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/e\/darkside-linux-vms-targeted.html\"><br \/>\n<meta property=\"og:title\" content=\"DarkSide on Linux: Virtual Machines Targeted\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/darkside-on-linux-vms-targeted\/darkside-linux-main641.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"DarkSide on Linux: Virtual Machines Targeted\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/darkside-on-linux-vms-targeted\/darkside-linux-main641.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.66821035299\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layer *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1254203216\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"11.5\">\n<div class=\"article-details\" role=\"heading\" readability=\"43\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Ransomware<\/p>\n<p class=\"article-details__description\">We focus on the behavior of the DarkSide 
variant that targets Linux. We discuss how it targets virtual machine-related files on VMware ESXI servers, parses its embedded configuration, kills virtual machines (VMs), encrypts files on the infected machine, collects system information, and sends it to the remote server.<\/p>\n<p class=\"article-details__author-by\">By: Mina Naiim <time class=\"article-details__date\">May 28, 2021<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"50.72894521668\">\n<div class=\"responsive-table-wrap\" readability=\"46.750204415372\">\n<p><b><i>Updated June 1, 2021, 12:02 am ET: This article has been updated to remove the Command-and-Control (C&amp;C) URI String field in Table 1. Further study showed that it does not apply consistently to a number of samples.<\/i><\/b><\/p>\n<p>As we discussed in our <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/e\/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html\">previous blog<\/a>, the DarkSide ransomware is targeting organizations in manufacturing, finance, and critical infrastructures in regions such as the United States, France, Belgium, and Canada. The DarkSide ransomware targets both Windows and Linux platforms. We also noticed that the Linux variant, in particular, targets ESXI servers.<\/p>\n<p>In this blog, we focus on the behavior of the variant that targets Linux. 
This entry also discusses how this variant targets virtual machine-related files on VMware ESXI servers, parses its embedded configuration, kills virtual machines (VMs), encrypts files on the infected machine, collects system information, and sends it to the remote server.<\/p>\n<p>This table summarizes some of the differences between the behavior of the DarkSide ransomware on Windows and on Linux:<\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\">\n<caption>Table 1. Comparison of DarkSide variants on Windows and Linux<\/caption>\n<tbody readability=\"12.5\">\n<tr>\n<th scope=\"col\">&nbsp;<\/th>\n<th scope=\"col\">Windows Variant<\/th>\n<th scope=\"col\">Linux Variant<\/th>\n<\/tr>\n<tr>\n<td><b>Encryption Mechanism <\/b><\/td>\n<td>Salsa20 with RSA-1024<\/td>\n<td>ChaCha20 with RSA-4096<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td><b>Cipher Blocks<\/b><\/td>\n<td>Salsa20 matrix is custom and randomly generated using <b>\u201cRtlRandomExW\u201d<\/b><\/td>\n<td>ChaCha20 initial block is standard, built using <b>\u201cexpand 32-byte k\u201d<\/b> as a constant string<\/td>\n<\/tr>\n<tr>\n<td><b>Configuration<\/b><\/td>\n<td>Encrypted<\/td>\n<td>Not encrypted<\/td>\n<\/tr>\n<tr>\n<td><b>Terminates VMs?<\/b><\/td>\n<td>No<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr readability=\"9\">\n<td><b>Target Files<\/b><\/td>\n<td>All files on the system except the files, folders, and file extensions mentioned in the configuration<\/td>\n<td>VM-related files on VMware ESXI servers, with specific file extensions mentioned in the configuration<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><b>New Extension<\/b><\/td>\n<td>Generated by applying CRC32 several times on the HWID of the victim machine as <b>\u201c.4731c768\u201d<\/b><\/td>\n<td>Hard-coded in the embedded configuration as <b>\u201c.darkside\u201d<\/b> or passed by execution parameters<\/td>\n<\/tr>\n<tr readability=\"7\">\n<td><b>Ransom Note File Name<\/b><\/td>\n<td>Consists of a hard-coded part in the configuration as 
\u201c<b>README.\u201d <\/b>and the generated ID mentioned previously: &nbsp;for example, \u201c<b>README. 4731c768.TXT\u201d<\/b><\/td>\n<td>Hard-coded in the embedded configuration as <b>\u201cdarkside_readme.txt\u201d<\/b> or passed by execution parameters<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"body-subhead-title\">Analysis of the Linux Variant<\/span><\/p>\n<p><i><b>Targets<\/b><\/i><\/p>\n<p>As we noted earlier, DarkSide also has a Linux variant to infect more machines and cause more damage in the victim network. However, this variant is quite specific, as its main configuration targets VM-related files on VMware ESXI servers as seen in the following figure:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/darkside-on-linux-vms-targeted\/darkside-linux-fig1.png\" alt=\"Target file extensions\"><figcaption>Figure 1. Target file extensions<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<p><b><i>Configuration<\/i><\/b><\/p>\n<p>Unlike the Windows variant, the Linux variant\u2019s strings and configuration are not obfuscated. 
The configuration of the Linux variant specifies features of the sample, such as the extension for encrypted files, C&amp;C URL, number of threads, and a constraint on a minimum size of the target files to be encrypted.<\/p>\n<p>Note that the root path \u2014 the starting point for encryption \u2014 in the following figure is \u201c\/vmfs\/volumes\/\u201d, which is the default location for the VM files on ESXI hosts.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/darkside-on-linux-vms-targeted\/darkside-linux-fig2.png\" alt=\"Configuration of the Linux variant\"><figcaption>Figure 2. Configuration of the Linux variant<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>In addition to the hard-coded configuration, the ransomware executable can accept parameters to infect more files and change its default settings. Figure 3 shows where the malware parses execution parameters.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/darkside-on-linux-vms-targeted\/darkside-linux-fig3.png\" alt=\"Linux variant parameter parsing\"><figcaption>Figure 3. 
Linux variant parameter parsing<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div class=\"responsive-table-wrap\" readability=\"16\">\n<p><b><i>ESXCLI Commands<\/i><\/b><\/p>\n<p>DarkSide runs several ESXCLI commands (the command-line interface framework in vSphere) in order to collect information about the infected ESXI host, such as the running virtual machines (VMs), storage-related information, and vSAN-related information.<\/p>\n<p>Table 2 shows a list of ESXCLI commands run by DarkSide on the victim machine.<\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<caption>Table 2. ESXCLI Commands<\/caption>\n<tbody readability=\"12\">\n<tr>\n<td><b>Commands<\/b><\/td>\n<td><b>Description<\/b><\/td>\n<\/tr>\n<tr readability=\"5\">\n<td><b>esxcli --formatter=csv --format-param=fields==&quot;Device,DevfsPath&quot; storage core device list<\/b><\/td>\n<td>List the Devfs path of the devices currently registered with the storage<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><b>esxcli --formatter=csv storage filesystem list<\/b><\/td>\n<td>List the logical sections of storage currently connected to the ESXI host<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td><b>esxcli --format-param=fields==&quot;WorldID,DisplayName&quot; vm process list<\/b><\/td>\n<td>List the running VMs on the ESXI host<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><b>esxcli vsan debug vmdk list<\/b><\/td>\n<td>List the status of VMDKs in vSAN<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td><b>esxcli --format-param=fields==&quot;Type,ObjectUUID,Configuration&quot; vsan debug object list<\/b><\/td>\n<td>List the UUID of the vSAN objects<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Figure 4 shows how the DarkSide ransomware lists the running virtual machines on the ESXI host.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div 
class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/darkside-on-linux-vms-targeted\/darkside-linux-fig4.png\" alt=\"Listing running VMs\"><figcaption>Figure 4. Listing running VMs<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p><i><b>Killing Virtual Machines<\/b><\/i><\/p>\n<p>Before encryption, the Linux variant of the DarkSide ransomware can power off running VMs on the ESXI server using the following ESXI command:<\/p>\n<p><b><span class=\"blockquote\">\u201cesxcli vm process kill &#8211;type= force &#8211;world-id= &lt;WorldNumber&gt;\u201d<\/span><\/b><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/darkside-on-linux-vms-targeted\/darkside-linux-fig5.png\" alt=\"Terminating running VMs\"><figcaption>Figure 5. Terminating running VMs<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/darkside-on-linux-vms-targeted\/darkside-linux-fig6.png\" alt=\"Reporting on VM killing status\"><figcaption>Figure 6. 
Reporting on VM killing status<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.542857142857\">\n<div readability=\"11.657142857143\">\n<p><i><b>Encryption<\/b><\/i><\/p>\n<p>The Linux variant of the DarkSide ransomware uses a <a href=\"https:\/\/cr.yp.to\/chacha.html\" target=\"_blank\" rel=\"noopener\">ChaCha20<\/a> stream cipher with RSA-4096 to encrypt targeted files on the victim machine.<\/p>\n<p>It loops across the files on the root path mentioned in the embedded configuration or in the given parameter, as shown in Figure 7.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/darkside-on-linux-vms-targeted\/darkside-linux-fig7.png\" alt=\"Linux variant looping across files\/directories\"><figcaption>Figure 7. Linux variant looping across files\/directories<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Before encryption, the ransomware performs a file size check to make sure that the file is larger than the minimum file size given in the embedded configuration or in the parameters.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/darkside-on-linux-vms-targeted\/darkside-linux-fig8.png\" alt=\"Linux variant performing a file size check\"><figcaption>Figure 8. 
Linux variant performing a file size check<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>The malware then opens the target file, reads the content based on the part and space size given in the configuration or in the parameters, encrypts them, and writes to the file as shown in the following code:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/darkside-on-linux-vms-targeted\/darkside-linux-fig9.png\" alt=\"File encryption\"><figcaption>Figure 9. File encryption<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>Unlike the Windows variant that randomly generates its custom Salsa20 matrix by calling <b>\u201cRtlRandomExW\u201d <\/b>several times, the malware uses the standard constant <b>&#8220;expand 32-byte k<\/b>&#8221; in the Chacha20 cipher used to encrypt files on the victim machine, as shown in the next figure.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/darkside-on-linux-vms-targeted\/darkside-linux-fig10.png\" alt=\"Using &quot;expand 32-byte k\u201d as a constant in the Chacha20 cipher\"><figcaption>Figure 10. 
Using &#8220;expand 32-byte k\u201d as a constant in the Chacha20 cipher<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>After encryption, the malware then adds a header and a cipher at the end of the encrypted files as shown in Figure 11.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/darkside-on-linux-vms-targeted\/darkside-linux-fig11.jpg\" alt=\"Adding code to header\"><figcaption>Figure 11. Adding code to header<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/darkside-on-linux-vms-targeted\/darkside-linux-fig12.jpg\" alt=\"Hex view of the encrypted file\"><figcaption>Figure 12. Hex view of the encrypted file<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>The ransomware output console shows the results of the encryption, the encrypted filenames, the discarded files after size check, the time of encryption, and more.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/darkside-on-linux-vms-targeted\/darkside-linux-fig13.png\" alt=\"Ransomware output console\"><figcaption>Figure 13. 
Ransomware output console<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37.5\">\n<div readability=\"20\">\n<p><i><b>Ransom note and added extensions<\/b><\/i><\/p>\n<p>The Linux variant drops a ransom note on the victim machine and adds a new file extension to the encrypted files.<\/p>\n<p>Unlike the Windows variant, the ransom note file name and the new extension for encrypted files are hard-coded in the malware configuration file or given in a parameter, and the malware does not add any ID at the end of it.<\/p>\n<p>For the analyzed samples, the new extension was <b>\u201c.darkside<\/b>\u201d and<b> <\/b>the hard-coded ransom note file name was <b>\u201cdarkside_readme.txt\u201d<\/b>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/darkside-on-linux-vms-targeted\/darkside-linux-fig14.png\" alt=\"Encrypted folder with ransom note\"><figcaption>Figure 14. Encrypted folder with ransom note<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p><i><b>C&amp;C Beaconing<\/b><\/i><\/p>\n<p>The DarkSide ransomware can send a C&amp;C beaconing message with the collected system information to a remote server hardcoded in the configuration. It collects system information on the victim machine, such as host name, domain, and disk information, as evidenced in Figure 15.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/darkside-on-linux-vms-targeted\/darkside-linux-fig15.png\" alt=\"System information collection\"><figcaption>Figure 15. 
System information collection<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The ransomware then puts the collected system information of the victim machine with a hard-coded UID value in the following format:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/darkside-on-linux-vms-targeted\/darkside-linux-fig16.png\" alt=\"System information format\"><figcaption>Figure 16. System information format<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p>It hashes the collected information before sending it to the URL mentioned in the embedded configuration of the sample. DarkSide also uses a random parameter of eight characters in the request body to make its C&amp;C traffic more difficult to detect by IPS\/IDS devices on the victim network. The request body has the following format:<\/p>\n<p><b><span class=\"blockquote\">&lt;Random 8-character variable&gt; = &lt;Encrypted collected information&gt; &amp; &lt;Random 8-character variable&gt; = &lt;hardcoded UID&gt;<\/span><\/b><\/p>\n<p>Figure 17 shows the HTTP POST request sent by the malware to the remote server with the collected information.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/e\/darkside-on-linux-vms-targeted\/darkside-linux-fig17.png\" alt=\"C2 beaconing HTTP traffic\"><figcaption>Figure 17. 
C2 beaconing HTTP traffic<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39.5\">\n<div class=\"responsive-table-wrap\" readability=\"24\">\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>The DarkSide ransomware family targets both Windows and Linux platforms. There are similarities between the Linux and Windows variants, but they are different with regard to some features, such as encryption mechanism, target files, ransom note name, extension, C&amp;C URL, and more.<\/p>\n<p>The Linux variant uses a ChaCha20 stream cipher with RSA-4096 in order to encrypt the files on the victim machine. It mainly targets VM-related files on VMWare ESXI servers, such as VMDK files. It can also accept parameters to infect more files on the victim machine. Additionally, the DarkSide ransomware runs ESXCLI commands to get vSAN and storage information on the victim machine. It also lists and kills running VMs on the infected ESXI host before encryption. Lastly, it drops a ransom note on the encrypted directories on the victim machine.<\/p>\n<p><span class=\"body-subhead-title\">Indicators of Compromise<\/span><\/p>\n<p><b>C&amp;C servers:<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">catsdegree[.]com<\/span><\/li>\n<li><span class=\"rte-red-bullet\">securebestapp20[.]com<\/span><\/li>\n<li><span class=\"rte-red-bullet\">temisleyes[.]com<\/span><\/li>\n<\/ul>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<tbody readability=\"6\">\n<tr readability=\"2\">\n<td><b>SHA256<\/b><\/td>\n<td><b>Trend Micro Detection Name<\/b><\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"667\" valign=\"top\" readability=\"5\">\n<p>984ce69083f2865ce90b48569291982e786980aeef83345953276adfcbbeece8<\/p>\n<\/td>\n<td width=\"667\" valign=\"top\" rowspan=\"4\" readability=\"5\">\n<p>Ransom.Linux.DARKSIDE.THDBGBA<\/p>\n<\/td>\n<\/tr>\n<tr 
readability=\"2\">\n<td>9cc3c217e3790f3247a0c0d3d18d6917701571a8526159e942d0fffb848acffb<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>c93e6237abf041bc2530ccb510dd016ef1cc6847d43bf023351dce2a96fdc33b<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>da3bb9669fb983ad8d2ffc01aab9d56198bd9cedf2cc4387f19f4604a070a9b5<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <!-- Go to www.addthis.com\/dashboard to customize your tools --> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/e\/darkside-linux-vms-targeted.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We focus on the behavior of the DarkSide variant that targets Linux. We discuss how it targets virtual machine-related files on VMware ESXI servers, parses its embedded configuration, kills virtual machines (VMs), encrypts files on the infected machine, collects system information, and sends it to the remote server. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":42608,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9539,9509],"class_list":["post-42607","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-ransomware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>DarkSide on Linux: Virtual Machines Targeted Threats Analyst 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/darkside-on-linux-virtual-machines-targeted-threats-analyst\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"DarkSide on Linux: Virtual Machines Targeted Threats Analyst 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/darkside-on-linux-virtual-machines-targeted-threats-analyst\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-05-28T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/08\/darkside-on-linux-virtual-machines-targeted-threats-analyst.png\" \/>\n\t<meta property=\"og:image:width\" content=\"857\" \/>\n\t<meta property=\"og:image:height\" content=\"105\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/darkside-on-linux-virtual-machines-targeted-threats-analyst\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/darkside-on-linux-virtual-machines-targeted-threats-analyst\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"DarkSide on Linux: Virtual Machines Targeted Threats Analyst\",\"datePublished\":\"2021-05-28T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/darkside-on-linux-virtual-machines-targeted-threats-analyst\\\/\"},\"wordCount\":1526,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/darkside-on-linux-virtual-machines-targeted-threats-analyst\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/darkside-on-linux-virtual-machines-targeted-threats-analyst.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Ransomware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/darkside-on-linux-virtual-machines-targeted-threats-analyst\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/darkside-on-linux-virtual-machines-targeted-threats-analyst\\\/\",\"name\":\"DarkSide on Linux: Virtual Machines Targeted Threats Analyst 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/darkside-on-linux-virtual-machines-targeted-threats-analyst\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/darkside-on-linux-virtual-machines-targeted-threats-analyst\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/darkside-on-linux-virtual-machines-targeted-threats-analyst.png\",\"datePublished\":\"2021-05-28T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/darkside-on-linux-virtual-machines-targeted-threats-analyst\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/darkside-on-linux-virtual-machines-targeted-threats-analyst\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/darkside-on-linux-virtual-machines-targeted-threats-analyst\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/darkside-on-linux-virtual-machines-targeted-threats-analyst.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/08\\\/darkside-on-linux-virtual-machines-targeted-threats-analyst.png\",\"width\":857,\"height\":105},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/darkside-on-linux-virtual-machines-targeted-threats-analyst\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\
":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"DarkSide on Linux: Virtual Machines Targeted Threats Analyst\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}