Connect with us

Hi, what are you looking for?


Endpoint Security

Ezuri Memory Loader Abused in Linux Attacks

Security researchers at AT&T’s Alien Labs have identified multiple malware attacks leveraging the Ezuri memory loader to execute payloads without writing them to disk. 

Security researchers at AT&T’s Alien Labs have identified multiple malware attacks leveraging the Ezuri memory loader to execute payloads without writing them to disk. 

Executed directly in memory, without leaving traces on disk, fileless malware is commonly used in attacks targeting Windows systems, but isn’t often seen in malware attacks targeting Linux. 

As part of the observed attacks, Ezuri is used to decrypt the malicious payloads and leverage memfd create to execute them, Ofer Caspi and Fernando Martinez of AT&T Alien Labs explain.

Written in Golang, the loader is based on the “Ezuri” code published on GitHub by a user going by the online handler of guitmz. The ELF loader was initially created around March 2019, with the same code posted again in August on a small forum, by a user named ‘TMZ’. 

The tool first requests a path for the payload to be encrypted and a password for the AES encryption (though it can generate one if none is provided). Next, it compiles the loader with the payload encrypted within. The user needs to provide the file to be hidden, as well as a target process name and an AES key for encryption (optional). 

Over the past few months, several malware authors used the Ezuri loader, including TeamTNT, a cybercrime group focused on injecting distributed denial-of-service malware and crypto-miners into victim machines. 

Active since at least April 2020, the group appears to have evolved towards the end of the year, with new crypto-mining malware (named Black-T) designed to install network scanners and retrieve credentials from memory. 

Advertisement. Scroll to continue reading.

One of the samples used by the group, however, is actually an Ezuri loader, based on code similarities with the original tool, AT&T’s researchers say. 

The packer also helps malware authors lower antivirus detection for their payloads, the researchers note. 

Several samples of the distributed denial of service-capable Internet of Things (IoT) bot Gafgyt were also observed using the Ezuri loader and packer. 

Related: Schneider Electric Warns Customers of Drovorub Linux Malware

Related: BleedingTooth: Vulnerabilities in Linux Bluetooth Allow Zero-Click Attacks

Related: Kinsing Linux Malware Deploys Crypto-Miner in Container Environments

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.