SkidMap is a highly advanced variant of malware that targets vulnerable Redis services on various Linux distributions [9] [10]. It was first discovered in September 2019 and is known for its ability to adapt to the system it infects. This malware operates as a cryptocurrency mining botnet and has the capability to load malicious kernel modules, obfuscate its activities [2] [3], and monitor the mining process [1] [2] [3] [4]. The operators of SkidMap have taken measures to hide their command-and-control IP address by utilizing the Bitcoin blockchain [10], making it challenging to take down the malware.


SkidMap is highly sophisticated and difficult to detect [10], especially in larger server infrastructures [4] [9]. It disguises its cryptocurrency mining activities by generating fake network traffic and CPU usage [6]. It installs malicious kernel modules to hide its activities and sets up a secret master password on infected systems [6], giving attackers complete access [6]. The malware is difficult to detect and allows attackers to gain unfettered access to affected systems [6]. It installs through crontab and downloads multiple binaries that affect the machine’s security settings [6]. SkidMap creates backdoor access and sets a master password [6], allowing attackers to log in as any user [6]. It drops a cryptocurrency miner and additional components depending on the operating system [6]. The malware includes malicious components to evade detection and employs advanced methods to remain undetected [6].

SkidMap uses rootkits to hide itself on infected systems and mine cryptocurrency [5]. It drops as standalone software or an encrypted .tar.gz file [5], depending on the target machine’s operating system [5]. It installs loadable kernel modules to ensure the infected machine won’t crash when tampered with [5]. SkidMap is equipped with kernel-mode rootkits that provide attackers with unlimited access to system resources and make it difficult to detect infections and mining activity [5]. It also includes modules to monitor cryptocurrency mining processes [5], hide files [4] [5] [6] [7] [8], and set up malicious cron jobs [5]. The use of rootkits in Linux-based cryptocurrency mining is an interesting development [5].

There are potential indicators of SkidMap infection, such as excessive fan operation and increased laptop temperature [1] [3]. To protect against SkidMap [2], it is crucial to secure Redis server instances and regularly install updates and patches. Trend Micro solutions can detect related malicious files and URLs [7]. SkidMap abuses Unix shell commands [8], transfers tools from external systems [8], and modifies authentication modules [8]. It may disable security tools [8], make files difficult to analyze [8], and impact the availability of services on co-opted systems [8]. Mitigation strategies include system and network discovery [8], monitoring for file changes and PAM configuration [8], and restricting scripting for normal users [8]. Rootkit protections and module monitoring can also help detect SkidMap activity [8]. Additionally, file integrity monitoring [8], process monitoring [8], and detecting file obfuscation are recommended to mitigate SkidMap attacks [8].


SkidMap is a dangerous malware that targets vulnerable Redis services on various Linux distributions [1] [3] [4] [9] [10]. It has evolved to include capabilities such as loading malicious kernel modules and hiding its activities [10]. The operators of SkidMap have been found to hide their backup command and control (C2) IP address on the Bitcoin blockchain [10]. The latest attack involves exploiting insecure Redis server instances to deploy a shell dropper script that distributes an ELF binary disguised as a GIF image file [1] [3] [4] [9] [10]. SkidMap is highly advanced and difficult to detect [1] [2] [3] [4] [9] [10], making it a significant threat to large server infrastructures [10]. Mitigation strategies and ongoing monitoring are crucial to protect against SkidMap attacks and future developments in malware.