Threat Analysis Unit

VMware Threat Report – Exposing Malware in Linux-Based Multi-Cloud Environments

In the past five years, Linux has become the most common operating system (OS) in multi-cloud environments and powers more than 78 percent of the most popular websites. Malicious actors have taken notice and are increasingly targeting vulnerable Linux-based systems in multi-cloud environments to infiltrate corporate and government networks. These threats take advantage of weak authentication, vulnerabilities and misconfigurations in container-based infrastructures to infiltrate the environment with remote access tools (RATs). Once the attackers have obtained a foothold in their target cloud environment, they often look to perform two types of attacks: execute ransomware or deploy cryptomining components. 

Exposing Malware in Linux-Based Multi-Cloud Environments, a new report conducted by the VMware Threat Analysis Unit, takes a comprehensive look at these types of attacks often leveraged by the adversary once inside: executing ransomware, deploying cryptomining components and RATs.  

Key findings include: 

  • Malware targeting Linux-based systems is fast becoming an attacker’s way into high-value, multi-cloud environments. Linux is the most common operating system across multi-cloud environments, as 78 percent of the most popular websites are powered by Linux, therefore increasing in volume and complexity. 
  • Ransomware targeting Linux-based systems is becoming more sophisticated. The main threats in most multi-cloud environments are ransomware, cryptojacking, and remote access tools. However, ransomware targeting Linux-based systems has recently evolved to target host images and require dynamic analysis and host monitoring. 
  • Monero cryptocurrency (XMR) is the most popular illicitly mined digital coin of rising cryptojacking attacks on Linux-based systems. Cryptojacking attacks focus on monetizing stolen CPU cycles to mine cryptocurrencies and 89 percent of cryptominers used XMRig-related libraries. 
  • Remote access tools (RATs) are an increasing threat. The research team discovered more than 14,000 active Cobalt Strike Team Servers on the Internet since February 2020. The total percentage of cracked or leaked Cobalt Strike customers IDs is 56 percent. This means that more than half of the Cobalt Strike users are using illegitimately obtained versions of the commercial software.  


Ransomware attacks can range from being a headache (restoring data from backups and cleaning up the network), to utterly devastating (having to pay large sums of money to regain key assets). In fact, these attacks have become so increasingly popular that even non-technical cybercriminals are able to execute these attacks successfully.   

Distinct characteristics of large-scale ransomware attacks include targeted cloud deployments and are often paired with data exfiltration, making their assaults double pronged. The data collected is used as leverage to push the victim into paying the ransom. This report analyzes nine ransomware families that target Linux-based systems and characterize their evolution.  


It’s no secret that in recent years, cryptocurrencies have caught the eye of sophisticated cryptominers. These attackers have a distinct advantage as their malicious activities are immediately turned into (cyber) cash without the need to interact with the victims at all.  

Cybercriminals primarily use two approaches here: a wallet-stealing functionality in malware, sometimes posing as crypto-based apps, or monetizing stolen CPU cycles to successfully mine cryptocurrencies, an attack known as cryptojacking. This report analyzes seven cryptominer families. 


One of the most critical aspects of an attacker’s activity is how they compromise systems to gain persistence and establish a staging server. Remote Access Tools (RATs) help attackers establish persistence which allows them to pivot and target additional systems.  

This report analyzes six remote access tools used by threat actors. 

Mitigating Modern Threats 

Organizations need to think of security as an inherent and distributed part of the modern enterprise, which must be incorporated into all aspects of the environment. When it comes to protecting multi-cloud environments, it starts with complete visibility into all workloads with detailed system context that makes it easier to understand and prioritize mitigation efforts. Information from all sources must be combined in an intelligent fashion that adds value, while enabling the sharing of this contextual data across teams to reduce silos. VMware Threat Analysis Unit explains that a solid defense includes fighting back with a combination of approaches, mechanisms, and policies. Endpoint Detection and Response (EDR) solution that monitors the actions performed by process on cloud workloads is one key tool. Another is a Network Detection and Response (NDR), that can recognize network-based evidence of attacks and block the malware before it can take hold of its target. These two solutions coupled together are often referred to as an XDR system. 

VMware can deliver security as a built-in distributed service across your control points of users, devices, workloads and networks. With VMware, you can implement Zero Trust with fewer tools and silos, and scale response with confidence, speed and accuracy. Gain insights on how to reduce your attack surface, mitigate security risk, ensure compliance, and simplify security operations. 

Download the full report – Exposing Malware in Linux-Based Multi-Cloud Environments