Connect with us

Hi, what are you looking for?


Malware & Threats

PoC Linux Rootkit Uses GPU to Evade Detection

The source code for a Linux rootkit that leverages the infected device’s graphics processor unit (GPU) for enhanced stealthiness and efficiency has been published on GitHub.

The source code for a Linux rootkit that leverages the infected device’s graphics processor unit (GPU) for enhanced stealthiness and efficiency has been published on GitHub.

Dubbed Jellyfish, the proof-of-concept malware leverages the LD_PRELOAD technique from the Jynx Linux rootkit and OpenCL, a low-level API developed by Khronos for heterogeneous computing.

According to the developers of Jellyfish, who call themselves Team Jellyfish, one of the main advantages of GPU-based malware is that it’s more likely to evade detection due to the lack of malware analysis tools for such threats.

Another advantage is that this type of malware can “snoop” on the CPU host memory via direct memory access (DMA). Additionally, the GPU is fast and the malicious code remains in its memory even after the device is shut down, the developers said.

The experimental Jellyfish malware is currently designed to run on computers with AMD and NVIDIA graphics cards, but Intel products are also supported through the AMD APP Software Development Kit (SDK). OpenCL drivers must be installed on the system for the rootkit to work.

Another PoC malware developed by Team Jellyfish is a keylogger called Demon. The developers say Demon has been built using information from a paper published in 2013 by researchers at Columbia University. The paper describes a stealthy keylogger that runs directly on a graphics processor.

“We are not associated with the creators of this paper. We only PoC’d what was described in it, plus a little more,” the developers of Demon noted.

Advertisement. Scroll to continue reading.

While for the Jellyfish rootkit the developers use the LD_PRELOAD variable to hide malicious components, in the case of Demon they say they are using code injection.

Team Jellyfish claims that their creations are designed for educational purposes, and that their goal is to “make everyone aware that GPU-based malware is real.” They noted that Jellyfish and Demon are currently only in beta version and they still have a lot of bugs.

Malware that uses the GPU is not unheard of. Over the past years, researchers have spotted several threats that leverage an infected device’s GPU to mine Bitcoins. However, Jellyfish and Demon are more interesting because they use the GPU for more than just its processing power.

It remains to be seen if the code published by Team Jellyfish will be used by malicious actors in their operations.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...