Wednesday, May 7, 2025

CRON#TRAP Campaign Attacks Windows Machine With Weaponized Linux Virtual Machine


Weaponized Linux virtual machines are purpose-built for offensive use, such as penetration testing or exploiting vulnerabilities.

These setups typically bundle the same tools and frameworks that are designed for ethical hacking.

Securonix researchers recently detected the CRON#TRAP campaign, which has been attacking Windows machines with weaponized Linux virtual machines.


Technical analysis

CRON#TRAP is a sophisticated cyber attack campaign that begins with a “phishing email” containing a malicious shortcut (‘.lnk’) file disguised as “OneAmerica Survey.”

OneAmerica Survey.zip (Source - Securonix)

When executed, this file launches a “hidden 285MB package” that deploys a legitimate virtualization tool, QEMU (Quick Emulator), which is renamed “fontdiag.exe” to avoid detection. 


The attack creates a hidden Linux environment running “Tiny Core Linux,” complete with a pre-configured backdoor that automatically establishes a connection to a “C2” server. 

This environment is dubbed “PivotBox” and contains custom commands like “get-host-shell” and “get-host-user” for interacting with the host system, while “SSH keys” provide persistent access.

PivotBox (Source - Securonix)

The threat actors employed several tools, including vim, openssh, and 7zip, to manipulate the system, while maintaining persistence through a modified “bootlocal.sh” startup script and backing up their configuration changes with “filetool.sh.”

This campaign’s primary targets are “North America” and “Europe.” This is concerning as it uses QEMU and operates within a hidden virtual environment, which makes it extremely difficult for traditional AV solutions to detect. 

The malware’s sophisticated infrastructure comprises:-

  • Network testing capabilities.
  • Payload manipulation through a file called ‘crondx.’
  • Data exfiltration channels using free file-sharing services.

Together, these point to a well-planned, multi-stage attack methodology designed for “long-term stealth” and “system compromise.”

The analysis of “crondx” (Chisel) reveals a sophisticated cyber attack component found within the “CRON#TRAP campaign,” where a pre-configured “64-bit ELF” executable serves as a critical backdoor mechanism.

crondx (Source - Securonix)

This ELF executable is located at “/home/tc/crondx” in a Linux “QEMU” instance.

This Golang-compiled binary is engineered mainly to establish “covert communication channels” with a C2 server at IP address “18.208.230[.]174,” using “websocket protocols” for data transmission.

The attack sequence initiates via a phishing email containing a malicious “ZIP” file with a “.lnk” shortcut that triggers a “PowerShell script” to launch an emulated Linux environment via ‘QEMU.’ 

This effectively helps to evade traditional Windows-based AV detection systems. The threat actors modified the open-source “Chisel” tunneling tool, which legitimately provides “TCP/UDP” tunneling over HTTP secured with SSH.

They did so by hardcoding the connection parameters directly into the binary instead of requiring them on the command line, which enhances its “stealth capabilities.”

This customized implementation enables persistent remote access via “encrypted channels,” allowing the threat actors to deploy additional payloads, execute commands, and exfiltrate data while remaining undetected.

Various persistence mechanisms, such as “modified startup scripts” and “SSH key implementations,” further support the system’s compromise. 

Here, custom command aliases like ‘get-host-shell’ and ‘get-host-user’ facilitate direct interaction with the host machine from within the isolated QEMU environment.
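The persistence artifacts described above (a startup command added to bootlocal.sh, SSH keys under the tc user’s home, and an ELF binary dropped in /home/tc) are all visible to anyone who mounts or extracts the guest disk. The following is an added example, not Securonix’s tooling or anything from the PivotBox image: it audits an extracted Tiny Core-style root filesystem for those three artifacts. The fixture it inspects is constructed in a temporary directory; only the file layout (/opt/bootlocal.sh, /opt/.filetool.lst, /home/tc) follows Tiny Core conventions, the contents are invented.

```python
"""Audit an extracted Tiny Core-style root filesystem for the persistence
artifacts discussed in the article. Example code; the filesystem fragment
below is constructed for the demonstration and is not the real image."""
import os
import re
import tempfile

# A startup command that runs something from a user-writable location is the
# signal we care about; system init scripts live elsewhere.
SUSPECT_PATH_RE = re.compile(r"(?:^|\s)(?:/home/|/tmp/|/var/tmp/|/dev/shm/)\S*")


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb" if isinstance(data, bytes) else "w") as fh:
        fh.write(data)


def build_sample_rootfs(root):
    """Constructed fixture only (assumption: Tiny Core layout, invented contents)."""
    _write(root, "opt/bootlocal.sh",
           "#!/bin/sh\n"
           "# put other system startup commands here\n"
           "/usr/local/etc/init.d/openssh start\n"
           "/home/tc/crondx &\n")
    _write(root, "opt/.filetool.lst", "opt\nhome\n")
    _write(root, "home/tc/.ssh/authorized_keys",
           "ssh-ed25519 AAAAC3CONSTRUCTEDKEY operator@example\n")
    _write(root, "home/tc/crondx", b"\x7fELF" + b"\x00" * 60)  # fake ELF header only
    _write(root, "home/tc/notes.txt", "nothing to see\n")


def audit_bootlocal(root):
    """Return (line number, line) pairs in bootlocal.sh that launch from a user-writable path."""
    path = os.path.join(root, "opt", "bootlocal.sh")
    findings = []
    if not os.path.isfile(path):
        return findings
    with open(path) as fh:
        for n, line in enumerate(fh, 1):
            s = line.strip()
            if s and not s.startswith("#") and SUSPECT_PATH_RE.search(s):
                findings.append((n, s))
    return findings


def audit_authorized_keys(root):
    """Map each user under /home to the number of authorized_keys entries."""
    out = {}
    home = os.path.join(root, "home")
    if not os.path.isdir(home):
        return out
    for user in sorted(os.listdir(home)):
        ak = os.path.join(home, user, ".ssh", "authorized_keys")
        if os.path.isfile(ak):
            with open(ak) as fh:
                out[user] = sum(1 for l in fh if l.strip() and not l.startswith("#"))
    return out


def audit_elf_in_home(root):
    """List files under /home whose magic bytes mark them as ELF executables."""
    hits = []
    for dirpath, _, files in os.walk(os.path.join(root, "home")):
        for f in files:
            p = os.path.join(dirpath, f)
            with open(p, "rb") as fh:
                if fh.read(4) == b"\x7fELF":
                    hits.append("/" + os.path.relpath(p, root))
    return sorted(hits)


def persisted_dirs(root):
    """Directories filetool.sh backs up across reboots, from /opt/.filetool.lst."""
    path = os.path.join(root, "opt", ".filetool.lst")
    if not os.path.isfile(path):
        return []
    with open(path) as fh:
        return [l.strip() for l in fh if l.strip()]


def audit(root):
    return {
        "bootlocal": audit_bootlocal(root),
        "authorized_keys": audit_authorized_keys(root),
        "elf_in_home": audit_elf_in_home(root),
        "persisted": persisted_dirs(root),
    }


def run_sample_audit():
    """Build the constructed fixture in a temp dir and audit it."""
    root = tempfile.mkdtemp(prefix="tc-audit-")
    build_sample_rootfs(root)
    return audit(root)


if __name__ == "__main__":
    for key, value in run_sample_audit().items():
        print(f"{key}: {value}")
```

Point the audit at the mount point of a guest disk instead of the fixture; a hit in all three checks at once (an ELF in a home directory that is both started from bootlocal.sh and kept across reboots by the filetool.sh list) is the combination the article describes.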

.ash_history file (Source - Securonix)

The “.ash_history” file documents the threat actor’s activities, such as “tool installation,” “system reconnaissance,” and “payload deployment.” 

It reflects a modular approach to system infiltration that uses legitimate software tools (‘QEMU’ and ‘Chisel’) to maintain persistent access while evading security controls.

Recommendations

The following recommendations apply:-

  • Avoid downloading unsolicited files or attachments.
  • Treat external download links as potential threats.
  • Monitor common malware staging directories, especially for scripts.
  • Watch for legitimate software running from unusual locations.
  • Enable robust endpoint logging for better detection.
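The last three recommendations (watch staging directories, legitimate software in unusual locations, and endpoint logging) map directly onto this campaign’s host-side footprint: a virtualization binary renamed to “fontdiag.exe” and launched from a user-writable directory by a PowerShell script. The following is an added example, not Securonix’s detection content: it scores constructed Sysmon-style process creation records on four signals. The records are invented; that a renamed QEMU still carries a “qemu” OriginalFileName in its PE version resource is an assumption, so QEMU-style command-line options serve as a second, independent signal.

```python
"""Score Sysmon Event ID 1 (ProcessCreate) style records for a renamed
virtualization binary launched from a user-writable path. Example code for
this article; the sample records are constructed, not real telemetry."""
import ntpath
import re

# QEMU-style options; two or more distinct hits on one command line count.
QEMU_ARG_RE = re.compile(
    r"(?<!\S)-(?:m|smp|drive|hda|hdb|cdrom|netdev|device|display|nographic|vga|accel|daemonize)\b"
)
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\",
                         "\\programdata\\", "\\downloads\\", "\\public\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ALERT_THRESHOLD = 3

# Constructed records (assumption: Sysmon field names, invented values).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "OriginalFileName": "qemu-system-x86_64.exe",
     "CommandLine": r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 2048 -drive file=disk.qcow2',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\fontdiag.exe",
     "OriginalFileName": "qemu-system-x86_64.exe",
     "CommandLine": "fontdiag.exe -m 256 -drive file=disk.qcow2,format=qcow2 "
                    "-netdev user,id=n0 -device e1000,netdev=n0 -display none",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\bob\Downloads\survey\viewer.exe",
     "OriginalFileName": "viewer.exe",  # version resource stripped: no rename signal
     "CommandLine": "viewer.exe -display none -m 512 -hda img.qcow2",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def is_user_writable_path(image):
    """True when the image sits under a profile, temp or download directory."""
    p = image.replace("/", "\\").lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def qemu_arg_hits(cmdline):
    """Distinct QEMU-style options found on the command line."""
    return set(QEMU_ARG_RE.findall(cmdline))


def evaluate(event):
    """Weighted score plus the reasons that contributed to it."""
    reasons, score = [], 0
    image = event.get("Image", "")
    base = ntpath.basename(image).lower()
    orig = (event.get("OriginalFileName") or "").lower()
    if "qemu" in orig and base != orig:          # binary renamed on disk
        reasons.append("renamed-qemu")
        score += 3
    hits = qemu_arg_hits(event.get("CommandLine", ""))
    if len(hits) >= 2:                           # behaves like QEMU regardless of name
        reasons.append("qemu-args:" + ",".join(sorted(hits)))
        score += 2
    if is_user_writable_path(image):
        reasons.append("user-writable-path")
        score += 1
    if ntpath.basename(event.get("ParentImage", "")).lower() in SCRIPT_HOSTS:
        reasons.append("script-host-parent")
        score += 1
    return {"image": image, "score": score, "reasons": reasons}


def detect(events):
    """Return the evaluated records that reach the alert threshold."""
    alerts = []
    for i, ev in enumerate(events):
        r = evaluate(ev)
        if r["score"] >= ALERT_THRESHOLD:
            r["index"] = i
            alerts.append(r)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["index"], alert["score"], alert["image"], alert["reasons"])
```

The installed QEMU in the first record scores below the threshold because it runs from its normal location under its own name, while the renamed copy in the second record trips every signal; the fourth record shows why the command-line check matters, since it fires even when the version resource no longer says “qemu.” The weights and threshold are starting points to tune against your own baseline.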


Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
