UPX
UPX is a common public executable packer referenced across multiple malware campaigns as a packing/obfuscation layer rather than as a malware family itself. In the provided reporting, it is used to pack diverse malware including Rust-based P2Pinfect samples recovered from compromised Google Kubernetes Engine/Redis environments, GoBruteforcer Golang botnet binaries targeting phpMyAdmin/MySQL/FTP/Postgres services on Unix-like systems, C++ DLL implants used in archive-based intrusion chains targeting Ukraine and Poland, and an AutoIT backdoor associated with the Dropping Elephant/Patchwork espionage actor. The content also notes attackers sometimes use unaltered versions of common public packers such as UPX. High-confidence details from the content indicate packed samples included Linux and Windows payloads, DLL implants, and botnet/backdoor components; however, UPX itself is described only as the packer used to compress or obfuscate those malicious binaries, not as the malware performing the intrusion or post-compromise actions. No standalone infection vector, C2, or IoCs specific to UPX itself are provided beyond its repeated use as the packing method.
Groups observed using it
3 distinct threat actors attributed by public researchers.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Stealth
4 techniques
Running file on it shows something odd:
crypt: ELF 64-bit MSB *unknown arch 0x3e00* (SYSV)
The ELF header has its endianness byte set to 02 (big-endian) instead of 01 (little-endian) — intentional obfuscation. The hexdump also reveals a UPX signature embedded inside.
T1027.002 – Obfuscated Files or Information: Software Packing. The soc.dll file used by the Threat Actor was packed with UPX/modified UPX, an open-source packer, to conceal the content of the file.
We fix the header and unpack:
python3 -c "
data = bytearray(open('crypt','rb').read())
data[5] = 0x01  # EI_DATA: 0x02 (big-endian) -> 0x01 (little-endian)
open('crypt_fixed','wb').write(bytes(data))
"
# Unpack with UPX
upx -d crypt_fixed -o crypt_unpacked
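As an added triage example (not code from the cited write-up or from the UPX project), the header check and repair described above, generalised so that the endianness byte is only flipped when it disagrees with e_machine, and with a check for the embedded UPX marker; the ELF image is constructed inline rather than taken from a real sample.

```python
import struct

ELFDATA2LSB, ELFDATA2MSB = 1, 2
# e_machine values this triage script recognises (a small constructed subset)
KNOWN_MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
UPX_MAGIC = b"UPX!"

def inspect_elf(data: bytes) -> dict:
    """Read EI_DATA and decode e_machine under both byte orders."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_data = data[5]
    # e_machine is a 16-bit field at offset 18 in both ELF32 and ELF64
    machine_be = struct.unpack_from(">H", data, 18)[0]
    machine_le = struct.unpack_from("<H", data, 18)[0]
    if ei_data == ELFDATA2MSB:
        declared, other = machine_be, machine_le
    else:
        declared, other = machine_le, machine_be
    # Flag when the declared byte order yields an unknown machine while the
    # opposite byte order yields a known one, e.g. 0x3E00 vs 0x3E (x86-64)
    inconsistent = declared not in KNOWN_MACHINES and other in KNOWN_MACHINES
    return {"ei_data": ei_data, "declared_machine": declared,
            "actual_machine": other if inconsistent else declared,
            "inconsistent": inconsistent}

def repair_ei_data(data: bytes) -> bytes:
    """Return a copy with EI_DATA flipped, but only when the check above fires."""
    info = inspect_elf(data)
    if not info["inconsistent"]:
        return data
    fixed = bytearray(data)
    fixed[5] = ELFDATA2LSB if info["ei_data"] == ELFDATA2MSB else ELFDATA2MSB
    return bytes(fixed)

def has_upx_marker(data: bytes) -> bool:
    """UPX leaves its 'UPX!' magic in the packed image; a tampered header does not remove it."""
    return UPX_MAGIC in data

def build_sample() -> bytes:
    """Constructed ELF64 header: little-endian x86-64 fields with EI_DATA set to 2 (MSB), plus a UPX marker."""
    hdr = bytearray(64)
    hdr[:8] = b"\x7fELF" + bytes([2, 2, 1, 0])  # class=64-bit, data=MSB (wrong), version=1
    struct.pack_into("<HH", hdr, 16, 2, 0x3E)     # e_type=EXEC, e_machine=x86-64, little-endian
    return bytes(hdr) + b"\x00" * 16 + UPX_MAGIC + b"\x00" * 8

if __name__ == "__main__":
    sample = build_sample()
    print(inspect_elf(sample))
    fixed = repair_ei_data(sample)
    print(inspect_elf(fixed), has_upx_marker(fixed))
```

Run against a real file by replacing build_sample() with the file's bytes; the repaired image can then be handed to upx -d as in the write-up.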
Discovery
2 techniques
Performs memory scanning of /proc/$pid/exe against signatures for known competing botnets: QBOT/Bashlite variants... UPX-packed binaries... Zollard worm... Remaiten...
Recent activity
5 sources tracked across advisories, community write-ups, and news.
A packer used to compress or obfuscate executables; in this content it is used to pack P2Pinfect client binaries for Linux and Windows.
A common executable packer used here to compress/obfuscate C++ DLL implants (e.g., SDXHelp.dll, DiagnExp.dll) to hinder static analysis and detection.
Public executable packer used to compress/obfuscate some loader and DLL stages (e.g., UPX-packed PE/DLL) to hinder static analysis and signature-based detection.
Executable packer used to compress/obfuscate the GoBruteforcer samples.