CRON#TRAP is a malware campaign identified by Securonix Threat Research in November 2024 that infects Windows systems by deploying a hidden QEMU-based Tiny Core Linux virtual machine containing a preconfigured backdoor for remote access and persistence. The campaign was reportedly delivered via phishing emails, likely survey-themed, that led victims to download a roughly 285 MB ZIP archive containing a malicious .lnk file and a hidden data directory with a full QEMU installation. The shortcut used PowerShell to extract files into %HOMEPATH%\datax and execute start.bat, which displayed a fake server-error image and then silently launched the renamed, legitimately signed QEMU binary (qemu.exe renamed to fontdiag.exe) with the -nographic option so the Linux guest ran in the background.
Inside the guest, the attackers used Tiny Core Linux customized with a PivotBox MOTD and modified shell configuration. The environment included aliases such as get-host-shell and get-host-user intended to interact with the host context, including an SSH-based attempt to spawn an interactive shell on the host using data from /sys/firmware/qemu_fw_cfg/by_name/opt/usercontext/raw and referencing 10.0.2.2 for host-guest communication. Attacker command history preserved in .ash_history showed installation of tools such as vim, file, and openssh; repeated download and execution attempts of a Go-based ELF binary named crondx; persistence changes to /opt/bootlocal.sh; use of filetool.sh -b to preserve Tiny Core changes across reboots; SSH key generation and public-key upload; and handling of additional archives including resolvd.zip and ch.zip.
Securonix assessed /home/tc/crondx, a 64-bit Go ELF, to be a customized Chisel client hard-coded to connect over WebSockets to command-and-control server 18.208.230[.]174. The campaign therefore used protocol tunneling and a Linux guest backdoor to provide stealthy remote access from an infected Windows host. Reported infrastructure and artifacts include 18.208.230[.]174, 192.168.160.143, forum.hestiacp[.]com/uploads/default/original/2X/9/9aae76309a614c85f880512d8fe7df158fec52cc.png, %HOMEPATH%\datax, fontdiag.exe, tc.img, start.bat, and crondx. Securonix stated it could not confidently attribute the campaign to a threat actor, though telemetry suggested activity mainly from the US and Europe, with low-to-medium confidence that North America may have been a primary target. The campaign has been described as a novel persistence and evasion technique using a Linux VM on Windows.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
15 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Related Reading Understanding Linux Persistence Mechanisms and Detection Tools [[URL_11aca97a_42]] Linux Attackers Use SSH Legitimate Tools to Evade Detection [[URL_11aca97a_43]] CRON#TRAP Malware: Emulated Linux Attack Techniques Revealed [[URL_11aca97a_44]]
A phishing-delivered malware campaign that deploys a custom QEMU-emulated Tiny Core Linux environment on Windows endpoints to provide stealthy persistence and stage further malicious activity through a preconfigured backdoor.
Malware campaign that infects Windows systems with a Linux virtual instance containing a backdoor for remote access and persistence.
CRON#TRAP is a backdoor targeting Linux virtual machines, allowing persistent unauthorized access.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.