lazarusholic

sandfly-kernel-module-decloak

2025-09-28, SandflySecurity
https://github.com/sandflysecurity/sandfly-kernel-module-decloak
#APTDown #Kimsuky

Phrack magazine released a data dump of a threat actor purportedly from North Korea.
The data dump contained large amounts of operational data on their activity, along with a Linux Loadable Kernel Module (LKM) rootkit with stealth and extensive backdoor capabilities.
You can read more about this data leak here:
https://phrack.org/issues/72/7_md#article
This script decloaks this style of rootkit by showing the name of a hidden kernel module if one is running. It not only decloaks this rootkit but also variants built on the same rootkit framework and hiding method, such as Reptile and likely others.
Copy the script onto a host you want to investigate and run it. Any modules hidden with this method will be shown.
Example:
root@sandlfysecurity-victim:~# ./sandfly-kernel-module-decloak.sh
Linux Loadable Kernel Module (LKM) rootkit check 1.0.
Copyright (c)2025 Sandfly Security - Agentless Linux Security - https://www.sandflysecurity.com
Checking for hidden Linux kernel modules.
*** WARNING ***
Kernel module 'vmwfxs' is active and hiding.
The /proc/vmallocinfo entry showing it is loaded …
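As an added example (not the Sandfly script itself), this is the core comparison the output above relies on: a module name that still appears in the caller field of /proc/vmallocinfo but is missing from /proc/modules has been unlinked from the module list. The sample files and the name hidden_example are constructed; on a live host point hidden_modules at the real /proc paths.

```shell
#!/bin/sh
# Added example, not the Sandfly script: compare module names referenced in
# /proc/vmallocinfo caller fields ("symbol+0x../0x.. [modname]") against the
# modules listed in /proc/modules. File paths are parameters so the same
# logic runs on the constructed sample below or on the real /proc files.

# Print, one per line, every bracketed module name in a vmallocinfo-style file.
vmalloc_modules() {
    sed -n 's/.*\[\([A-Za-z0-9_-]*\)\].*/\1/p' "$1" | sort -u
}

# Print module names from a /proc/modules-style file (first column).
listed_modules() {
    awk '{print $1}' "$1" | sort -u
}

# Print names that have vmalloc'd memory but are absent from the module list.
hidden_modules() {
    vmalloc_modules "$1" | while IFS= read -r name; do
        if ! listed_modules "$2" | grep -qx -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample data (not real system output): two modules own vmalloc
# regions, but only xfs is present in the module list.
SAMPLE_VMALLOCINFO='0xffffffffc0a00000-0xffffffffc0a05000   20480 load_module+0x1234/0x2000 pages=4 vmalloc N0=4
0xffffffffc0b00000-0xffffffffc0b03000   12288 init_module+0x40/0x100 [xfs] pages=2 vmalloc N0=2
0xffffffffc0c00000-0xffffffffc0c02000    8192 hook_init+0x10/0x80 [hidden_example] pages=1 vmalloc N0=1
0xffffffffc0d00000-0xffffffffc0d02000    8192 hook_init+0x30/0x80 [hidden_example] pages=1 vmalloc N0=1'
SAMPLE_MODULES='xfs 1234567 2 - Live 0xffffffffc0b00000'

# Write the sample to temp files, run the check, and print hidden names.
demo_hidden() {
    tmpdir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_VMALLOCINFO" > "$tmpdir/vmallocinfo"
    printf '%s\n' "$SAMPLE_MODULES" > "$tmpdir/modules"
    hidden_modules "$tmpdir/vmallocinfo" "$tmpdir/modules"
    rm -rf "$tmpdir"
}

# On a live host: hidden_modules /proc/vmallocinfo /proc/modules
```

A legitimately loaded module appears in both files, so only names that survive in vmallocinfo while missing from /proc/modules are reported.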