Blog
/
Cloud
/
April 17, 2024

Cerber Ransomware: Dissecting the three heads

Cerber ransomware's Linux variant is actively exploiting CVE-2023-22518 in Confluence servers. It uses three UPX-packed C++ payloads: a primary stager, a log checker for environment assessment, and an encryptor that renames files with a .L0CK3D extension.
Written by
Nate Bill
Threat Researcher
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Nate Bill
Threat Researcher
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
17
Apr 2024

Introduction: Cerber ransomware

Researchers at Cado Security Labs (now part of Darktrace) received reports of the Cerber ransomware being deployed onto servers running the Confluence application via the CVE-2023-22518 exploit. [1] There is a large amount of coverage on the Windows variant, however there is very little about the Linux variant. This blog will discuss an analysis of the Linux variant. 

Cerber emerged and was at the peak of its activity around 2016, and has since only occasional campaigns, most recently targeting the aforementioned Confluence vulnerability. It consists of three highly obfuscated C++ payloads, compiled as a 64-bit Executable and Linkable Format (ELF, the format for executable binary files on Linux) and packed with UPX. UPX is a very common packer used by many threat actors. It allows the actual program code to be stored encoded in the binary, and at runtime extracted into memory and executed (“unpacked”). This is done to prevent software from scanning the payload and detecting the malware.

Pure C++ payloads are becoming less common on Linux, with many threat actors now employing newer programming languages such as Rust or Go. [2] This is likely due to the Cerber payload first being released almost 8 years ago. While it will have certainly received updates, the language and tooling choices are likely to have stuck around for the lifetime of the payload.

Initial access

Cado researchers observed instances of the Cerber ransomware being deployed after a threat actor leveraged CVE-2023-22518 in order to gain access to vulnerable instances of Confluence [3]. It is an improper authorization vulnerability that allows an attacker to reset the Confluence application and create a new administrator account using an unprotected configuration restore endpoint used by the setup wizard. 

[19/Mar/2024:15:57:24 +0000] - http-nio-8090-exec-10 13.40.171.234 POST /json/setup-restore.action?synchronous=true HTTP/1.1 302 81796ms - - python-requests/2.31.0 
[19/Mar/2024:15:57:24 +0000] - http-nio-8090-exec-3 13.40.171.234 GET /json/setup-restore-progress.action?taskId= HTTP/1.1 200 108ms 283 - python-requests/2.31.0

Once an administrator account is created, it can be used to gain code execution by uploading & installing a malicious module via the admin panel. In this case, the Effluence web shell plugin is directly uploaded and installed, which provides a web UI for executing arbitrary commands on the host.

Web Shell recreation
Figure 1: Recreation of installing a web shell on a Confluence instance

The threat actor uses this web shell to download and run the primary Cerber payload. In a default install, the Confluence application is executed as the “confluence” user, a low privilege user. As such, the data the ransomware is able to encrypt is limited to files owned by the confluence user. It will of course succeed in encrypting the datastore for the Confluence application, which can store important information. If it was running as a higher privilege user, it would be able to encrypt more files, as it will attempt to encrypt all files on the system.

Primary payload

Summary of payload:

  • Written in C++, highly obfuscated, and packed with UPX
  • Serves as a stager for further payloads
  • Uses a C2 server at 45[.]145[.]6[.]112 to download and unpack further payloads
  • Deletes itself off disk upon execution

The primary payload is packed with UPX, just like the other payloads. Its main purpose is to set up the environment and grab further payloads in order to run.

Upon execution it unpacks itself and tries to create a file at /var/lock/0init-ld.lo. It is speculated that this was meant to serve as a lock file and prevent duplicate execution of the ransomware, however if the lock file already exists the result is discarded, and execution continues as normal anyway. 

It then connects to the (now defunct) C2 server at 45[.]145[.]6[.]112 and pulls down the secondary payload, a log checker, known internally as agttydck. It does this by doing a simple GET /agttydcki64 request to the server using HTTP and writing the payload body out to /tmp/agttydck.bat. It then executes it with /tmp and ck.log passed as arguments. The execution of the payload is detailed in the next section.

Once the secondary payload has finished executing, the primary payload checks if the log file at /tmp/ck.log it wrote exists. If it does, it then proceeds to delete itself and agttydcki64 from the disk. As it is still running in memory, it then downloads the encryptor payload, known internally as agttydcb, and drops it at /tmp/agttydcb.bat. The packing on this payload is more complex. The file command reports it as a DOS executable and the bat extension would imply this as well. However, it does not have the correct magic bytes, and the high entropy of the file suggests that it is potentially encoded or encrypted. Indeed, the primary payload reads it in and then writes out a decoded ELF file back using the same stream, overwriting the content. It is unclear the exact mechanism used to decode agttydcb. The primary payload then executes the decoded agttydcb, the behavior of which is documented in a later section. 

2283  openat(AT_FDCWD, "/tmp/agttydcb.bat", O_RDWR) = 4 
2283  read(4, "\353[\254R\333\372\22,\1\251\f\235 'A>\234\33\25E3g\335\0252\344vBg\177\356\321"..., 450560) = 450560 
2283  lseek(4, 0, SEEK_SET)             = 0 
2283  write(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\2\0>\0\1\0\0\0X\334F\0\0\0\0\0"..., 450560) = 450560 
2283  close(4)                          = 0

Truncated strace output for the decoding process

Log check payload - agttydck

Summary of payload:

  • Written in C++, highly obfuscated, and packed with UPX
  • Tries to write the phrase “success” to a given file passed in arguments
  • Likely a check for sandboxing, or to check the permission level of the malware on the system

The log checker payload, agttydck, likely serves as a permission checker. It is a very simple payload and was easy to analyze statically despite the obfuscation. Like the other payloads, it is UPX packed.

When run, it concatenates each argument passed to it and delimits with forward slashes in order to obtain a full path. In this case, it is passed /tmp and ck.log, which becomes /tmp/ck.log. It then tries to open this file in write mode, and if it succeeds writes the word “success” and returns 0. If it does not succeed, it returns 1.

cleaned-up routine
Figure 2: Cleaned-up routine that writes out the success phrase

The purpose of this check isn’t exactly clear. It could be to check if the tmp directory is writable and that it can write, which may be a check for if the system is too locked down for the encryptor to work. Given the check is run in a process separate to the primary payload, it could also be an attempt to detect sandboxes that may not handle files correctly, resulting in the primary payload not being told about the file created by the child.

Encryptor - agttydck

Summary of payload:

  • Written in C++, highly obfuscated, and packed with UPX
  • Writes log file /tmp/log.0 on start and /tmp/log.1 on completion, likely for debugging
  • Walks the root directory looking for directories it can encrypt
  • Writes a ransom note to each directory
  • Overwrites all files in directory with their encrypted content and adds a .L0CK3D extension

The encryptor, agttydcb, achieves the goal of the ransomware, which is to encrypt files on the filesystem. Like the other payloads, it is UPX packed and written with heavily obfuscated C++. Upon launch, it deletes itself off disk so as to not leave any artefacts. It then creates a file at /tmp/log.0, but with no content. As it creates a second file at /tmp/log.1 (also with no content) after encryption finishes, it is possible these were debug markers that the attacker mistakenly left in.

The encryptor then spawns a new thread to do the actual encryption. The payload attempts to write a ransom note at /<directory>/read-me3.txt. If it succeeds, it will walk all files in the directory and attempt to encrypt them. If it fails, it moves on to the next directory. The encryptor chooses to pick which directories to encrypt by walking the root file system. For example, it will try to encrypt /usr, and then /var, etc.

Cerber ransom note
Figure 3: Ransom note left by Cerber

When it has identified a file to encrypt, it opens a read-write file stream to the file and reads in the entire file. It is then encrypted in memory before it seeks to the start of the stream and writes the encrypted data, overwriting the file content, and rendering the file fully encrypted. It then renames the file to have the .L0CK3D extension. Rewriting the same file instead of making a new file and deleting the old one is useful on Linux as directories may be set to append only, preventing the outright deletion of files. Rewriting the file may also rewrite the data on the underlying storage, making recovery with advanced forensics also impossible.

2290  openat(AT_FDCWD, "/home/ubuntu/example", O_RDWR) = 6 
2290  read(6, "file content"..., 3691) = 3691 
2290  write(6, "\241\253\270'\10\365?\2\300\304\275=\30B\34\230\254\357\317\242\337UD\266\362\\\210\215\245!\255f"
..., 3691) = 3691 
2290  close(6)                          = 0 
2290  rename("/home/ubuntu/example", "/home/ubuntu/example.L0CK3D") = 0

Truncated strace of the encryption process

Once this finishes, it tries to delete itself again (which fails as it already deleted itself) and creates /tmp/log.1. It then gracefully exits. Despite the ransom note claiming the files were exfiltrated, Cado researchers did not observe any behavior that showed this.

Conclusion

Cerber is a relatively sophisticated, albeit aging, ransomware payload. While the use of the Confluence vulnerability allows it to compromise a large amount of likely high value systems, often the data it is able to encrypt will be limited to just the confluence data and in well configured systems this will be backed up. This greatly limits the efficacy of the ransomware in extracting money from victims, as there is much less incentive to pay up.

IoCs

The payloads are packed with UPX so will match against existing UPX Yara rules.

Hashes (sha256)

cerber_primary 4ed46b98d047f5ed26553c6f4fded7209933ca9632b998d265870e3557a5cdfe

agttydcb 1849bc76e4f9f09fc6c88d5de1a7cb304f9bc9d338f5a823b7431694457345bd

agttydck ce51278578b1a24c0fc5f8a739265e88f6f8b32632cf31bf7c142571eb22e243

IPs

C2 (Defunct) 45[.]145[.]6[.]112

References

  1. https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
  1. https://www.proofpoint.com/uk/threat-reference/cerber-ransomware  
  1. https://nvd.nist.gov/vuln/detail/CVE-2023-22518

Written by
Nate Bill
Threat Researcher
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Nate Bill
Threat Researcher

Phantom Footprints: Tracking GhostSocks Malware

Network
March 26, 2026
Isabel Evans
Cyber Analyst
Watch the NIS2 Webinar
Trending blogs
1
Darktrace Recognized as the Only Visionary in the 2026 Gartner® Magic Quadrant™ for CPS Protection Platforms
Mar 20, 2026
2
What the Darktrace Annual Threat Report 2026 Means for Security Leaders
Feb 26, 2026
3
State of AI Cybersecurity 2026: 92% of security professionals concerned about the impact of AI agents
Mar 26, 2026
4
Beyond MFA: Detecting Adversary-in-the-Middle Attacks and Phishing with Darktrace
Dec 15, 2025
5
Darktrace Unites Human Behavior and Threat Detection Across Email, Slack, Teams, and Zoom
Mar 24, 2026

More in this series

No items found.
Continue reading
Cloud
March 4, 2026

Inside Cloud Compromise: Investigating Attacker Activity with Darktrace / Forensic Acquisition & Investigation

Darktrace / Forensic Acquisition & Investigation automates cloud forensic analysis, enabling rapid investigation of compromised servers via Cloudypots honeypot data. It reveals attacker activity, highlights key events, decodes malicious payloads, and identifies malware campaigns like perfctl, helping defenders accelerate triage and understand cloud-based intrusion techniques.
Nathaniel Bill
Malware Research Engineer
Read more
Cloud
January 14, 2026

React2Shell Reflections: Cloud Insights, Finance Sector Impacts, and How Threat Actors Moved So Quickly

This blog breaks down how attackers rapidly weaponized the React2Shell vulnerability, with a particular focus on cloud‑native financial environments. Drawing on Darktrace’s honeypot research, it explores emerging threat actor tooling, exploitation timelines, and why behavioral‑anomaly‑led security is critical in today’s cloud landscape.
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Read more
Cloud
January 13, 2026

Runtime Is Where Cloud Security Really Counts: The Importance of Detection, Forensics and Real-Time Architecture Awareness

Cloud security has focused heavily on prevention, posture, and configuration. Real attacks don’t happen there. They unfold at runtime, across live workloads and identities, where visibility is limited and evidence disappears fast. This blog covers why runtime is the most critical layer to secure, how attackers exploit dynamic cloud behavior, and why posture-based tools alone.
Adam Stevens
Senior Director of Product, Cloud | Darktrace
Read more

Blog

/

Network

/

April 2, 2026

How Chinese-Nexus Cyber Operations Have Evolved – And What It Means For Cyber Risk and Resilience 

Chinese-Nexus Cyber OperationsDefault blog imageDefault blog image

Cybersecurity has traditionally organized risk around incidents, breaches, campaigns, and threat groups. Those elements still matter—but if we fixate on individual incidents, we risk missing the shaping of the entire ecosystem. Nation‑state–aligned operators are increasingly using cyber operations to establish long-term strategic leverage, not just to execute isolated attacks or short‑term objectives.  

Our latest research, Crimson Echo, shifts the lens accordingly. Instead of dissecting campaigns, malware families, or actor labels as discrete events, the threat research team analyzed Chinese‑nexus activity as a continuum of behaviors over time. That broader view reveals how these operators position themselves within environments: quietly, patiently, and persistently—often preparing the ground long before any recognizable “incident” occurs.  

How Chinese-nexus cyber threats have changed over time

Chinese-nexus cyber activity has evolved in four phases over the past two decades. This ranges from early, high-volume operations in the 1990s and early 2000s to more structured, strategically-aligned activity in the 2010s, and now toward highly adaptive, identity-centric intrusions.  

Today’s phase is defined by scale, operational restraint, and persistence. Attackers are establishing access, evaluating its strategic value, and maintaining it over time. This reflects a broader shift: cyber operations are increasingly integrated into long-term economic and geopolitical strategies. Access to digital environments, specifically those tied to critical national infrastructure, supply chains, and advanced technology, has become a form of strategic leverage for the long-term.  

How Darktrace analysts took a behavioral approach to a complex problem

One of the challenges in analyzing nation-state cyber activity is attribution. Traditional approaches often rely on tracking specific threat groups, malware families, or infrastructure. But these change constantly, and in the case of Chinese-nexus operations, they often overlap.

Crimson Echo is the result of a retrospective analysis of three years of anomalous activity observed across the Darktrace fleet between July 2022 and September 2025. Using behavioral detection, threat hunting, open-source intelligence, and a structured attribution framework (the Darktrace Cybersecurity Attribution Framework), the team identified dozens of medium- to high-confidence cases and analyzed them for recurring operational patterns.  

This long-horizon, behavior-centric approach allows Darktrace to identify consistent patterns in how intrusions unfold, reinforcing that behavioral patterns that matter.  

What the data shows

Several clear trends emerged from the analysis:

  • Targeting is concentrated in strategically important sectors. Across the dataset, 88% of intrusions occurred in organizations classified as critical infrastructure, including transportation, critical manufacturing, telecommunications, government, healthcare, and Information Technology (IT) services.  
  • Strategically important Western economies are a primary focus. The US alone accounted for 22.5% of observed cases, and when combined with major European economies including Germany, Italy, Spain and the UK, over half of all intrusions (55%) were concentrated in these regions.  
  • Nearly 63% of intrusions of intrusions began with the exploitation of internet-facing systems, reinforcing the continued risk posed by externally exposed infrastructure.  

Two models of cyber operations

Across the dataset, Chinese-nexus activity followed two operational models.  

The first is best described as “smash and grab.” These are short-horizon intrusions optimized for speed. Attackers move quickly – often exfiltrating data within 48 hours – and prioritize scale over stealth. The median duration of these compromises is around 10 days. It’s clear they are willing to risk detection for short-term gain.  

The second is “low and slow.” These operations were less prevalent in the dataset, but potentially more consequential. Here, attackers prioritize persistence, establishing durable access through identity systems and legitimate administrative tools, so they can maintain access undetected for months or even years. In one notable case, the actor had fully compromised the environment and established persistence, only to resurface in the environment more than 600 days after. The operational pause underscores both the depth of the intrusion and the actor’s long‑term strategic intent. This suggests that cyber access is a strategic asset to preserve and leverage over time, and we observed these attacks most often inin sectors of the high strategic importance.  

It’s important to note that the same operational ecosystem can employ both models concurrently, selecting the appropriate model based on target value, urgency, intended access. The observation of a “smash and grab” model should not be solely interpreted as a failure of tradecraft, but instead an operational choice likely aligned with objectives. Where “low and slow” operations are optimized for patience, smash and grab is optimized for speed; both seemingly are deliberate operational choices, not necessarily indicators of capability.  

Rethinking cyber risk

For many organizations, cyber risk is still framed as a series of discrete events. Something happens, it is detected and contained, and the organization moves on. But persistent access, particularly in deeply interconnected environments that span cloud, identity-based SaaS and agentic systems, and complex supply chain networks, creates a major ongoing exposure risk. Even in the absence of disruption or data theft, that access can provide insight into operations, dependencies, and strategic decision-making. Cyber risk increasingly resembles long-term competitive intelligence.  

This has impact beyond the Security Operations Center. Organizations need to shift how they think about governance, visibility, and resilience, and treat cyber exposure as a structural business risk instead of an incident response challenge.  

What comes next

The goal of this research is to provide a clearer understanding of how these operations work, so defenders can recognize them earlier and respond more effectively. That includes shifting from tracking indicators to understanding behaviors, treating identity providers as critical infrastructure risks, expanding supplier oversight, investing in rapid containment capabilities, and more.  

Learn more about the findings of Darktrace’s latest research, Crimson Echo: Understanding Chinese-nexus Cyber Operations Through Behavioral Analysis, by downloading the full report and summaries for business leaders, CISOs, and SOC analysts here.  

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO

Blog

/

Proactive Security

/

April 1, 2026

AI-powered security for a rapidly growing grocery enterprise

Default blog imageDefault blog image

Protecting a complex, fast-growing retail organization

For this multi-banner grocery holding organization, cybersecurity is considered an essential business enabler, protecting operations, growth, and customer trust. The organization’s lean IT team manages a highly distributed environment spanning corporate offices, 100+ stores, distribution centers and  thousands of endpoints, users, and third-party connections.

Mergers and acquisitions fueled rapid growth, but they also introduced escalating complexity that constrained visibility into users, endpoints, and security risks inherited across acquired environments.

Closing critical visibility gaps with limited resources

Enterprise-wide visibility is a top priority for the organization, says the  Vice President of Information Technology. “We needed insights beyond the perimeter into how users and devices were behaving across the organization.”

A security breach that occurred before the current IT leadership joined the company reinforced the urgency and elevated cybersecurity to an executive-level priority with a focus on protecting customer trust. The goal was to build a multi-layered security model that could deliver autonomous, enterprise-wide protection without adding headcount.

Managing cyber risk in M&A

Mergers and acquisitions are central to the grocery holding company’s growth strategy. But each transaction introduces new cyber risk, including inherited network architectures, inconsistent tooling, excessive privileges, and remnants of prior security incidents that were never fully remediated.

“Our M&A targets range from small chains with a single IT person and limited cyber tools to large chains with more developed IT teams, toolsets and instrumentation,” explains the VP of IT. “We needed a fast, repeatable, and reliable way to assess cyber risk before transactions closed.”

AI-driven security built for scale, speed, and resilience

Rather than layering additional point tools onto an already complex environment, the retailer adopted the Darktrace ActiveAI Security Platform™ in 2020 as part of a broader modernization effort to improve resilience, close visibility gaps, and establish a security foundation that could scale with growth.

“Darktrace’s AI-driven approach provided the ideal solution to these challenges,” shares the VP of IT. “It has empowered our organization to maintain a robust security strategy, ensuring the protection of our network and the smooth operation of our business.”

Enterprise-wide visibility into traffic  

By monitoring both north-south and east-west traffic and applying Self-Learning AI, Darktrace develops a dynamic understanding of how users and devices normally behave across locations, roles, and systems.

“Modeling normal behavior across the environment enables us to quickly spot behavior that doesn’t fit. Even subtle changes that could signal a threat but appear legitimate at first glance,” explains the VP of IT.

Real-time threat containment, 24/7

Adopting autonomous response has created operational breathing room for the security team, says the company’s Cybersecurity  Engineer.

“Early on, we enabled full Darktrace autonomous mode and we continue to do so today,” shares the IT Security Architect. “Allowing the technology to act first gives us the time we need to investigate incidents during business hours without putting the business at risk.”

Unified, actionable view of security ecosystem

The grocery retailer integrated Darktrace with its existing security ecosystem of firewalls, vulnerability management tools, and endpoint detection and response, and the VP of IT described the adoption process as “exceptionally smooth.”

The team can correlate enterprise-wide security data for a unified and actionable picture of all activity and risk. Using this “single pane of glass” approach, the retailer trains Level 1 and Level 2 operations staff to assist with investigations and user follow-ups, effectively extending the reach of the security function without expanding headcount.

From reactive defense to security at scale

With Darktrace delivering continuous visibility, autonomous containment, and integrated security workflows, the organization has strengthened its cybersecurity posture while improving operational efficiency. The result is a security model that not only reduces risk, but also supports growth, resilience, and informed decision-making at the business level.

Faster detection, faster resolution

With autonomous detection and response, the retailer can immediately contain risk while analysts investigate and validate activity. With this approach, the company can maintain continuous protection even outside business hours and reduce the chance of lateral spread across systems or locations.

Enterprise-grade protection with a lean team

From cloud environments to clients to SaaS collaboration tools, Darktrace provides holistic autonomous AI defense, processing petabytes of the organization’s network traffic and investigating millions of individual events that could be indicative of a wider incident.

Today, Darktrace autonomously conducts the majority of all investigations on behalf of the IT team, escalating only a tiny fraction for analyst review. The impact has been profound, freeing analysts from endless alerts and hours of triage so they can focus on more valuable, proactive, and gratifying work.

“From an operational perspective, Darktrace gives us time back,” says the Cybersecurity Engineer. More importantly, says the VP of IT, “it gives us peace of mind that we’re protected even if we’re not actively monitoring every alert.”

A strategic input for M&A decision-making

One of the most strategic outcomes has been the role of cybersecurity on M&A. 90 days prior to closing a transaction, the security team uses Darktrace alongside other tools to perform a cyber risk assessment of the potential acquisition. “Our approach with Darktrace has consistently identified gaps and exposed risks,” says the VP of IT, including:

  • Remnants of previous incidents that were never fully remediated
  • Network configurations with direct internet exposure
  • Excessive administrative privileges in Active Directory or on critical hosts

While security findings may not alter deal timelines, the VP of IT says they can have enormous business implications. “With early visibility into these risks, we can reduce exposure to inherited cyber threats, strengthen our position during negotiations, and establish clear remediation requirements.”

A security strategy built to evolve with the business

As the holding group expands its cloud footprint, it will extend Darktrace protections into Azure, applying the same AI-driven visibility and autonomous response to cloud workloads. The VP of IT says Darktrace's evolving capabilities will be instrumental in addressing the organization’s future cybersecurity needs and ability to adapt to the dynamic nature of cloud security.

“With Darktrace’s AI-driven approach, we have moved beyond reactive defense, establishing a resilient security foundation for confident expansion and modernization.”

Continue reading
About the author
Your data. Our AI.
Elevate your network security with Darktrace AI