MalwareExploits 1 CVE

mimipenguin

MimiPenguin is an open-source Linux credential-dumping tool described as a Linux adaptation of the Windows tool Mimikatz. The provided content states it is capable of dumping process memory and harvesting passwords and hashes. It is referenced in detection content as a credential-dumping utility associated with ATT&CK-style OS credential access activity on Linux, including rules specifically identifying execution of the Mimipenguin script and credential dumping with Mimipenguin. One mention explicitly references CVE-2018-20781 in connection with Mimipenguin detection rules. High-confidence capabilities from the content are limited to process-memory dumping and credential harvesting on Linux; no specific threat actor, industry targeting, infection vector, or concrete IOC values are provided in the supplied material.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVES

CVE-2018-20781Cleartext Password Exposure in GNOME Keyring PAM Module

The tool exploits a known vulnerability CVE-2018-20781.

via elastic security labselastic.co

MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Credential Access

1 technique

T1003OS Credential DumpingEvidence1

These datasets correspond to different Linux Post Exploitation Tools (AutoSUID,LinEnum,LinPEAS,LinuxExploitSuggester,MimiPenguin)

Discovery

2 techniques

T1069Permission Groups DiscoveryEvidence1

These tools allow operators find possible exploits or paths for privilege escalation based on SUID binaries, user permissions, kernel version and distro version.

T1082System Information DiscoveryEvidence1

These tools allow operators find possible exploits or paths for privilege escalation based on SUID binaries, user permissions, kernel version and distro version.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app

detections digest rulecheckNews

Feb 2, 2026

Detections Digest #20260202 - by RuleCheck.io

Linux credential-dumping tool/script; content ties detections to credential dumping activity and references CVE-2018-20781 in relation to Mimipenguin.

picus security blogNews

Mar 23, 2022

The MITRE ATT&CK T1003 OS Credential Dumping Technique and Its Adversary Use

Linux credential dumping tool that scrapes process memory for passwords/hashes using string/regex matching.

mitre attack websiteNews

Oct 21, 2021

Updates - Updates - October 2021 | MITRE ATT&CK®

Software changes: ... MimiPenguin

picus security blogNews

Jan 23, 2026

Linux credential dumping tool referenced for dumping process memory and harvesting passwords/hashes via string/regex searching.

+1 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities1

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping3

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.