Actors Target Huawei Cloud Using Upgraded Linux Malware <\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware-.html\"><br \/>\n<meta property=\"og:title\" content=\"Actors Target Huawei Cloud Using Upgraded Linux Malware \"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware\/Actors%20Target%20Huawei%20Cloud%20Using%20Upgraded%20Linux%20Malware_641.png\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Actors Target Huawei Cloud Using Upgraded Linux Malware \"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware\/Actors%20Target%20Huawei%20Cloud%20Using%20Upgraded%20Linux%20Malware_641.png\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.783333333333\">  <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a>  <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1006857377\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.7476635514019\">\n<div class=\"article-details\" role=\"heading\" readability=\"36.934579439252\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cloud<\/p>\n<p class=\"article-details__description\"> In this article, we discuss a new Linux malware trend in which malicious actors deploy code that removes applications and services present mainly in Huawei Cloud. <\/p>\n<p class=\"article-details__author-by\">By: Alfredo Oliveira, David Fiser <time class=\"article-details__date\">October 08, 2021<\/time> <span>Read time: <\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"33.518848167539\">\n<div readability=\"16.529842931937\">\n<p>We have recently noticed another Linux threat evolution that targets relatively new cloud service providers (CSPs) with cryptocurrency-mining malware and cryptojacking attacks. In this article, we discuss a new Linux malware trend in which malicious actors deploy code that removes applications and services present mainly in Huawei Cloud. Specifically, the malicious code disables the <a href=\"https:\/\/support.huaweicloud.com\/intl\/en-us\/hss_faq\/hss_01_0245.html\">hostguard service<\/a>, a Huawei Cloud Linux agent process that \u201cdetects security issues, protects the system, and monitors the agent.\u201d The malicious code also includes <a href=\"https:\/\/github.com\/huaweicloud\/cloudresetpwdagent\">cloudResetPwdUpdateAgent<\/a>, an open-source plugin agent that allows Huawei Cloud users to reset a password to Elastic Cloud Service (ECS) instance, which is <a href=\"https:\/\/support.huaweicloud.com\/intl\/en-us\/usermanual-ecs\/en-us_topic_0068095385.html\">installed by default on public images<\/a>. As threat actors have these two services present in their shell scripts, we can assume that they are specifically targeting vulnerable ECS instances inside Huawei Cloud. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware\/Actors%20Target%20Huawei%20Cloud%20Using%20Upgraded%20Linux%20Malware_Fig1.jpg\" alt=\"Malicious code that disables hostguard and resets the password to ECS instance using the includes cloudResetPwdUpdateAgent plugin agent\"><figcaption>Figure 1. Malicious code that disables hostguard and resets the password to ECS instance using the includes cloudResetPwdUpdateAgent plugin agent<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"38.398550724638\">\n<div readability=\"21.942028985507\">\n<p><span class=\"body-subhead-title\">Campaign evolution<\/span><\/p>\n<p>While researching this campaign, we stumbled upon older samples involved in a campaign that was previously discussed in a 2020 Tencent <a href=\"https:\/\/s.tencent.com\/research\/report\/1177.html\">blog<\/a>. The samples from that campaign were targeting container environments. There were two specific routines supporting this finding: the first one was that one of the payloads of this attack dropped a network scanner to map other hosts with ports commonly used as container APIs. The second was a function that created firewall rules to ensure that those container API ports are going to open. On the newer samples we\u2019ve found, the firewall rule creation is still present as a code that\u2019s left behind. However, it\u2019s been commented on, so no rule is created. We\u2019ve observed that the newer samples are only targeting cloud environments. <\/p>\n<p>Another interesting capability that we haven\u2019t seen before is that in this campaign, malicious actors have been searching for specific public keys that would allow them to kill off their competition from the infected system and update their own keys. More than any other samples and campaigns we\u2019ve seen so far, this campaign performs a comprehensive sanitization of the operation system. It looks for both signs of previous infections and for security tools that could stop its malicious routines. Not only that, but it also uses simple but effective commands to clean up after it performs its infection routine.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware\/Actors%20Target%20Huawei%20Cloud%20Using%20Upgraded%20Linux%20Malware_Fig2.png\" alt=\"Code showing SSH keys sanitization \"><figcaption>Figure 2. Code showing SSH keys sanitization <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38\">\n<div readability=\"21\">\n<p>Most of the sourced samples follow the same routine of declaring several functions in no specific order. At the end of the file calling the functions, it follows a specific order: It performs initial connectivity checking, ensuring that outgoing connections are allowed, and checking if DNS servers are public (8.8.8.8 and 1.1.1.1). Such a routine is commonly done to make sure that when malicious URLs are requested, they will not be detected and that the domain translation denied by a Domain Name System (DNS) Security is implemented. <\/p>\n<p>Following the first connectivity check, the next set of functions are then called to prepare the system. It first removes any traces of infections made by competitors to avoid sharing computational resources. This kind of behavior was previously seen and documented, but this specific campaign goes beyond when it pertains to maintaining access in the infected system.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware\/Actors%20Target%20Huawei%20Cloud%20Using%20Upgraded%20Linux%20Malware_Fig3.png\" alt=\"The specific order of function that the campaign\u2019s routine follows in order to avoid detection \"><figcaption>Figure 3. The specific order of function that the campaign\u2019s routine follows in order to avoid detection <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>Upon further analysis of this campaign, we came across an interesting observation: the threat actors know their competitors well. They are aware of the users that their competitors use to maintain access. This is why they make sure to check and remove their competitors\u2019 users first before creating their own users. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware\/Actors%20Target%20Huawei%20Cloud%20Using%20Upgraded%20Linux%20Malware_Fig4.png\" alt=\"Malicious actors check for and remove their competitors\u2019 users in the system \"><figcaption>Figure 4. Malicious actors check for and remove their competitors\u2019 users in the system <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.5\">\n<div readability=\"18\">\n<p>After removing unnecessary users from the system, the next step is creating several users of their own. This is another behavior that we have partially seen in other samples targeting cloud environments. The difference of this campaign, however, is that it creates a greater number of users using more generic, inconspicuous names such as \u201csystem\u201d and \u201clogger.\u201d Using usernames such as these can fool an inexperienced Linux analyst into thinking that these are legitimate users. <\/p>\n<p>Another unique behavior is that during the creation of the user, the script adds them to the sudoers list to give them administrative powers over the infected system.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware\/Actors%20Target%20Huawei%20Cloud%20Using%20Upgraded%20Linux%20Malware_Fig5.png\" alt=\"The malicious actors create generic users to avoid detection and add them to the sudoers list \"><figcaption>Figure 5. The malicious actors create generic users to avoid detection and add them to the sudoers list <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The hacking team also adds their own ssh-rsa key to enable them to repeatedly log in to the infected system. After conducting system modifications, they add special permissions to prohibit further modifications from being applied to those files. This ensures that the malicious users that they created cannot be removed or modified. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware\/Actors%20Target%20Huawei%20Cloud%20Using%20Upgraded%20Linux%20Malware_Fig6.png\" alt=\"The malicious actors add their own ssh-rsa key to enable them to repeatedly log in on the infected system \"><figcaption>Figure 6. The malicious actors add their own ssh-rsa key to enable them to repeatedly log in on the infected system <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Another interesting aspect of this campaign is that it installs The Onion Router (Tor) proxy service. This will be used later by the payloads to anonymize the malicious connections made by the malware. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware\/Actors%20Target%20Huawei%20Cloud%20Using%20Upgraded%20Linux%20Malware_Fig7.png\" alt=\"The campaign installs and uses the Tor proxy service to anonymize malicious connections \"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware\/Actors%20Target%20Huawei%20Cloud%20Using%20Upgraded%20Linux%20Malware_Fig7b.png\" alt=\"The campaign installs and uses the Tor proxy service to anonymize malicious connections \"><figcaption>Figure 7. The campaign installs and uses the Tor proxy service to anonymize malicious connections <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p><span class=\"body-subhead-title\">Campaign payloads and upgraded functionalities<\/span><\/p>\n<p>The script deploys two executable and linkable format (ELF) binaries \u2014 linux64_shell and xlinux.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware\/Actors%20Target%20Huawei%20Cloud%20Using%20Upgraded%20Linux%20Malware_Fig8.png\" alt=\"A diagram that shows the malicious script deploying two ELF binaries, linux64_shell and xlinux \"><figcaption>Figure 8. A diagram that shows the malicious script deploying two ELF binaries, linux64_shell and xlinux <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p><b>linux64_shell<\/b><\/p>\n<p>The binary itself is packed and obfuscated, the Ultimate Packer for Executables (UPX) packer has been used, but then the binary was tampered with in order to make the analysis harder and fooling some of the automated toolsets.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware\/Actors%20Target%20Huawei%20Cloud%20Using%20Upgraded%20Linux%20Malware_Fig9.png\" alt=\"UPX header present in the binary \"><figcaption>Figure 9. UPX header present in the binary <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Upon closer look, we can see that another binary with extra data was appended to the file. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware\/Actors%20Target%20Huawei%20Cloud%20Using%20Upgraded%20Linux%20Malware_Fig10.png\" alt=\"Another binary appended to the file \"><figcaption>Figure 10. Another binary appended to the file <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.50622406639\">\n<div readability=\"12.811203319502\">\n<p>The appended binary is a compiled <a href=\"https:\/\/github.com\/gloxec\/CrossC2\/blob\/cs4.1\/protocol_demo\/c2profile.c\">CrossC2<\/a> communication library included to be able to interact directly with CobaltStrike\u2019s module using the following functions:<\/p>\n<ul>\n<li> <\/li>\n<li><span class=\"rte-red-bullet\">cc2_rebind_http_get_recv<\/span><\/li>\n<li> <\/li>\n<li><span class=\"rte-red-bullet\">cc2_rebind_http_post_send<\/span><\/li>\n<li> <\/li>\n<li><span class=\"rte-red-bullet\">cc2_rebind_post_protocol<\/span><\/li>\n<li> <\/li>\n<li><span class=\"rte-red-bullet\">cc2_rebind_http_get<\/span>_send<\/li>\n<\/ul>\n<p>After it is successfully unpacked, the executable continues with its control flow, which is designed to not be easily understood by an analyst and is full of conditional jumps. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware\/Actors%20Target%20Huawei%20Cloud%20Using%20Upgraded%20Linux%20Malware_Fig11.png\" alt=\"Obfuscated control flow full of (conditional) jumps \"><figcaption>Figure 11. Obfuscated control flow full of (conditional) jumps <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.189407540395\">\n<div readability=\"17.35368043088\">\n<p>At this point, the malware tries to connect to the C&C with an IP address of 45[.]76[.]220[.]46 on port 40443. This provides shell access to the attackers.<\/p>\n<p><b>xlinux<\/b><\/p>\n<p>The second binary is a Go-compiled binary implementing several modules from the <a href=\"https:\/\/github.com\/opensec-cn\/kunpeng\">kunpeng framework<\/a>. It acts as a vulnerability scanner, exploits weaknesses, and deploys the initial malicious script.<\/p>\n<p>1. The binary notifies malicious actors about the infected machine by sending an HTTP POST request to following URL 103[.]209[.]103[.]16:26800\/api\/postip<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware\/Actors%20Target%20Huawei%20Cloud%20Using%20Upgraded%20Linux%20Malware_Fig12a.png\" alt=\"The binary notifies malicious actors about the infected machine by sending an HTTP POST request to following URL 103[.]209[.]103[.]16:26800\/api\/postip \"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>2. It copies itself into \/tmp\/iptablesupdate and drops a persistence script<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware\/Actors%20Target%20Huawei%20Cloud%20Using%20Upgraded%20Linux%20Malware_Fig12b.png\" alt=\"Dropped script makes the Go binary persistent \"><figcaption>Figure 12. Dropped script makes the Go binary persistent <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>3. The binary begins with a \u201csecurity\u201d scan. Once a weakness is found, it exploits it and deploys its payload<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware\/Actors%20Target%20Huawei%20Cloud%20Using%20Upgraded%20Linux%20Malware_Fig13.png\" alt=\"An example of an integrated exploit \"><figcaption>Figure 13. An example of an integrated exploit <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"47.68387553041\">\n<div readability=\"42.915487977369\">\n<p>An infected system is scanned for the following vulnerabilities and security weaknesses:<\/p>\n<ul>\n<li> <\/li>\n<li><span class=\"rte-red-bullet\">SSH weak passwords<\/span><\/li>\n<li> <\/li>\n<li><span class=\"rte-red-bullet\">Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (CVE-2020-14882)<\/span><\/li>\n<li> <\/li>\n<li><span class=\"rte-red-bullet\">Redis unauthorized access or weak passwords<\/span><\/li>\n<li> <\/li>\n<li><span class=\"rte-red-bullet\">PostgreSQL unauthorized access or weak password<\/span><\/li>\n<li> <\/li>\n<li><span class=\"rte-red-bullet\">SQLServer weak password<\/span><\/li>\n<li> <\/li>\n<li><span class=\"rte-red-bullet\">MongoDB unauthorized access or weak password<\/span><\/li>\n<li> <\/li>\n<li><span class=\"rte-red-bullet\">File transfer protoco<\/span>l (FTP) weak password <\/li>\n<\/ul>\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>Cryptocurrency miners are one of the <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations\">most deployed payloads in the Linux threat landscape<\/a>. In recent years, we have observed malicious actors such as <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/teamtnt-activities-probed\">TeamTNT<\/a> and <a href=\"https:\/\/www.trendmicro.com\/en_gb\/research\/20\/k\/analysis-of-kinsing-malwares-use-of-rootkit.html\">Kinsing<\/a> launch <a href=\"https:\/\/www.trendmicro.com\/vinfo\/ph\/security\/news\/cybercrime-and-digital-threats\/cryptojacking-gaining-traction-as-starbucks-and-streaming-users-targeted\">cryptojacking<\/a> campaigns and cryptocurrency mining malware that competes for the computing powers of infected resources. <\/p>\n<p>In 2020 and 2021 we have seen how these cybercriminal groups consistently targeted cloud environments and added cloud-centric features to their campaigns, including <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/e\/teamtnt-extended-credential-harvester-targets-cloud-services-other-software.html\">credential harvesting<\/a> and the removal of cloud security services related to <a href=\"https:\/\/www.trendmicro.com\/en_ph\/research\/20\/k\/analysis-of-kinsing-malwares-use-of-rootkit.html\">Alibaba Cloud and Tencent Cloud<\/a>. <\/p>\n<p>Cloud service misconfigurations can allow cryptocurrency mining and cryptojacking attacks to happen. Most of the attacks that we\u2019ve monitored occurred because the services running on the cloud had an API or an SSH with weak credentials or had very permissive configurations, which attackers can abuse to enable them to infiltrate a system without needing to exploit any vulnerabilities. Misconfigurations are a common point of entry in such scenarios, and cloud users should give the same thought and attention to misconfigurations as they do to vulnerabilities and malware. <\/p>\n<p>Our team published several blogs and a research paper that shows how malicious actors targeted a specific cloud provider. In this blog, we have seen evidence of cybercriminals targeting other relatively newer CSPs like Huawei Cloud. Since attackers are also migrating to the cloud, the availability and scalability of resources are becoming even more precious since most of their attacks routinely deploy cryptojacking malware among other malicious routines.<\/p>\n<p>We have reached out to Huawei Media Team through their email address listed on their Contact Us page with our findings prior to the publication of this blog, and we are currently awaiting their acknowledgment or reply. <\/p>\n<p><span class=\"body-subhead-title\">Cloud security recommendations <\/span><\/p>\n<p>Malicious actors and hacking groups continue to upgrade their malware\u2019s capabilities to make the most of their attacks. To keep cloud environments secure, organizations must not rely solely on malware scanning and vulnerability checking tools. Checking and studying the responsibility model of their CSPs can help them define the best policies to put into place when publishing their cloud services. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p><span class=\"body-subhead-title\">MITRE ATT&CK Tactics and Techniques<\/span> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware\/MITRE.png\" alt=\"MITRE ATT&CK Tactics and Techniques \"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<p><span class=\"body-subhead-title\">Indicators of compromise<\/span><\/p>\n<table border=\"1\">\n<tbody readability=\"11\">\n<tr>\n<td width=\"100\">SHA-256<\/td>\n<td>File <\/td>\n<td>Detection Names<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>3e38c51510f95643b04a9ba0f884a445f09372721073601abcbf8f12f663bf90 <\/td>\n<td>fczyo<\/td>\n<td>Coinminer.Linux.XANTHE.B <\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>6a5a0bcb60944597d61d5311a4590f1850c2ba7fc44bbcde4a81b2dd1effe57c<\/td>\n<td>fczyo <\/td>\n<td>Coinminer.Linux.XANTHE.A<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>71f578d122252c7fa67ca343cd29d65ac42d6f7c45bf91f146a1cd04b0446c23 <\/td>\n<td>fczyo<\/td>\n<td>Coinminer.Linux.XANTHE.B<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>9849c66d8b6c444904259cda7f3e34ac2c60b00a945d3d5b911b5e290eb2888d <\/td>\n<td>fczyo<\/td>\n<td>Coinminer.Linux.XANTHE.B<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>d092b4cbf655d02ad8eae1a66db98e67cf95fa9e0b7c327c4bca33815696bf68 <\/td>\n<td>ff.sh<\/td>\n<td>Trojan.SH.CVE20205902.B <\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>e8503d6697c61c2c51ca90742b0634ce93710d6fdfb0965e35977e6cab4d039b<\/td>\n<td>xlinux <\/td>\n<td>Coinminer.Linux.PROCEAN.A<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>f36d3996245dba06af770d1faf3bc0615e1124fa179ecf2429162abd9df8bbf8 <\/td>\n<td>Linux64-shell<\/td>\n<td>Trojan.Linux.COBEACON.A<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474<\/td>\n<td>ff.sh <\/td>\n<td>Trojan.SH.CVE20205902.B<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p><b>Keys <\/b><\/p>\n<p>AAAAB3NzaC1yc2EAAAADAQABAAABAQDLVZNrAJ1uzR7d2bm1iUQPAgjuBlyLQQNaEHVmACWtGwwiOKMPiFBfBjuNJIyZFnGkkFgJP5fi8v1eqliaBgqERUDDtW\/RZDDIz8DovDrA4\/MGlxpCHLeViN+F62W\/jgeufiQ7NiPTlPB3Fuh7E7QXXpXqQ6EmVlV0iWdzqRvSiDIB3cIL6E2CrK47pY6Rp6rY2YKYzUhiZRqAMHViMR+2MARL2jERfF3CsG6ZXo\/7UVVx+tqoKQDHPmz21mrulOF6RW5hh04dE2q1+\/w6xmX8AxUSGmPdpwQa8GuV7NHHZmYO26ndTVi2ES472tJdkXVHmLX8B9Un42JLNVXwPU\/H linux@linux.com” >>\/opt\/autoupdater\/.ssh\/authorized_keys<\/p>\n<p><b>C&C Servers<\/b><\/p>\n<ul>\n<li> <\/li>\n<li><span class=\"rte-red-bullet\">103[.]209[.]103[.]16<\/span><\/li>\n<li> <\/li>\n<li><span class=\"rte-red-bullet\">45[.]76[.]220[.<\/span>]46<\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p>   <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p>   <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware-.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this article, we discuss a new Linux malware trend in which malicious actors deploy code that removes applications and services present mainly in Huawei Cloud. Read More HERE…<\/p>\n","protected":false},"author":2,"featured_media":43293,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9520,9513,9509],"class_list":["post-43292","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cloud","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"\n<title>Actors Target Huawei Cloud Using Upgraded Linux Malware Sr. Security Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Actors Target Huawei Cloud Using Upgraded Linux Malware Sr. Security Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-10-08T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/10\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"904\" \/>\n\t<meta property=\"og:image:height\" content=\"488\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Actors Target Huawei Cloud Using Upgraded Linux Malware Sr. Security Researcher Threat Researcher\",\"datePublished\":\"2021-10-08T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\\\/\"},\"wordCount\":2381,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher.jpg\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cloud\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\\\/\",\"name\":\"Actors Target Huawei Cloud Using Upgraded Linux Malware Sr. Security Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher.jpg\",\"datePublished\":\"2021-10-08T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher.jpg\",\"width\":904,\"height\":488},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Actors Target Huawei Cloud Using Upgraded Linux Malware Sr. Security Researcher Threat Researcher\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n","yoast_head_json":{"title":"Actors Target Huawei Cloud Using Upgraded Linux Malware Sr. Security Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\/","og_locale":"en_US","og_type":"article","og_title":"Actors Target Huawei Cloud Using Upgraded Linux Malware Sr. Security Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-10-08T00:00:00+00:00","og_image":[{"width":904,"height":488,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/10\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Actors Target Huawei Cloud Using Upgraded Linux Malware Sr. Security Researcher Threat Researcher","datePublished":"2021-10-08T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\/"},"wordCount":2381,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/10\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher.jpg","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cloud","Trend Micro Research : Malware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\/","url":"https:\/\/www.threatshub.org\/blog\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\/","name":"Actors Target Huawei Cloud Using Upgraded Linux Malware Sr. Security Researcher Threat Researcher 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/10\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher.jpg","datePublished":"2021-10-08T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/10\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/10\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher.jpg","width":904,"height":488},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Actors Target Huawei Cloud Using Upgraded Linux Malware Sr. Security Researcher Threat Researcher"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/43292","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=43292"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/43292\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/43293"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=43292"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=43292"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=43292"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":43292,"date":"2021-10-08T00:00:00","date_gmt":"2021-10-08T00:00:00","guid":{"rendered":"https:\/\/www.trendmicro.com\/en_us\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware-.html"},"modified":"2021-10-08T00:00:00","modified_gmt":"2021-10-08T00:00:00","slug":"actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/actors-target-huawei-cloud-using-upgraded-linux-malware-sr-security-researcher-threat-researcher\/","title":{"rendered":"Actors Target Huawei Cloud Using Upgraded Linux Malware Sr. Security Researcher Threat Researcher"},"content":{"rendered":"