Connect with us

Hi, what are you looking for?


Malware & Threats

Magnet Goblin Delivers Linux Malware Using One-Day Vulnerabilities

The financially motivated threat actor Magnet Goblin is targeting one-day vulnerabilities to deploy Nerbian malware on Linux systems.

A financially motivated threat actor has been targeting one-day vulnerabilities in public-facing services to deploy Linux backdoors, Check Point reports.

Tracked as Magnet Goblin, the adversary was seen quickly adopting one-day vulnerabilities, often in edge devices, and relying on the Nerbian custom malware family to perform nefarious activities.

Magnet Goblin was seen targeting publicly disclosed vulnerabilities in Ivanti VPNs (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893), Magento (CVE-2022-24086), Qlik Sense (CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365), and possibly Apache ActiveMQ.

As part of an attack exploiting the recent Ivanti flaws, the threat actor was observed deploying a JavaScript credential stealer called Warpwire, a Linux variant of the NerbianRAT backdoor, and the open source tunneling tool Ligolo.

The Warpwire stealer was previously linked to the mass exploitation of Ivanti vulnerabilities, suggesting that multiple threat actors might be using it, Check Point says.

The tool was also seen in a 2022 attack against Magento servers, which were used as command-and-control (C&C) servers for the Windows variant of NerbianRAT and for Warpwire. Magnet Goblin deployed MiniNerbian, a smaller version of the Linux NerbianRAT backdoor, on the compromised Magento instances.

Analysis of Magnet Goblin’s infrastructure also revealed the use of the remote monitoring and management tools (RMM) ScreenConnect and AnyDesk, as well as the targeting of Qlik Sense and Apache ActiveMQ.

The Linux variant of NerbianRAT has been used in attacks since 2022, Check Point says. On the infected machines, the malware collects system information and can run various commands, and communicates with the C&C over raw sockets, relying on AES for encryption.

Advertisement. Scroll to continue reading.

Given “the diverse actions available, the backdoor allows for great flexibility for the threat actor to operate at different times and at different levels of complexity. This enables the malware to remain stealthy yet active on the infected machine,” Check Point notes.

A simplified version of NerbianRAT, MiniNerbian supports command execution, has a small configuration, and uses HTTP for communication with the C&C. The two backdoors share some code, but they appear to be different malware with similar functions.

“Magnet Goblin, whose campaigns appear to be financially motivated, has been quick to adopt 1-day vulnerabilities to deliver their custom Linux malware, NerbianRAT and MiniNerbian. Those tools have operated under the radar as they mostly reside on edge-devices. This is part of an ongoing trend for threat actors to target areas which until now have been left unprotected,” Check Point concludes.

Related: Chinese Cyberspies Use New Malware in Ivanti VPN Attacks

Related: Redis Servers Targeted With New ‘Migo’ Malware

Related: ‘SlashAndGrab’ ScreenConnect Vulnerability Widely Exploited for Malware Delivery

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Cisco is warning of a zero-day vulnerability in Cisco ASA and FTD that can be exploited remotely, without authentication, in brute force attacks.