perfctl: A Stealthy Malware Targeting Millions of Linux Servers
ID: 17c184b4-e5f7-54ca-9601-85b00926b9e2
STIX ID: report--17c184b4-e5f7-54ca-9601-85b00926b9e2
Feed Name: Aqua Security Blog
Perfctl is a long-running Linux malware campaign that gains initial access through exposed services and misconfigurations, including exploitation of Apache RocketMQ (CVE-2023-33246) and attempts to escalate privileges through Polkit pkexec (CVE-2021-4034). The initial payload is a packed ELF dropper that installs a rootkit, trojanized userland utilities, a Monero cryptominer and proxy-jacking components. The malware persists and hides by masquerading as legitimate processes, loading userland function hooks via LD_PRELOAD, coordinating its components over local Unix sockets, and reaching its command-and-control infrastructure over TOR. The report includes IOCs, detailed TTPs, detection guidance and mitigation steps.
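Two of the tradecraft items above, LD_PRELOAD hooking and process masquerading, can be checked for with ordinary host inspection. The script below is an added example written for this summary, not code or IOCs from the Aqua Security report: it flags entries in /etc/ld.so.preload that live outside the usual library directories or in a hidden directory, and flags running processes whose /proc/PID/exe target is deleted or sits in a scratch or hidden directory. The trusted and suspicious directory lists, and the sample ld.so.preload contents, are assumptions constructed for illustration and should be tuned to the distribution in use.

```python
"""Heuristic host checks for LD_PRELOAD hooks and masqueraded processes.

Added example for the perfctl summary; the thresholds and directory lists
below are assumptions, not indicators taken from the report.
"""
import os
import re
from typing import List, Tuple

# Where a legitimately preloaded shared object is expected to live
# (assumption; extend for multiarch paths on your distro).
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

# Directories a long-lived daemon should not be executing from (assumption).
SUSPICIOUS_EXEC_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Matches a hidden path component such as /usr/lib/.x/ or /tmp/.hidden/
HIDDEN_COMPONENT = re.compile(r"/\.[^/.]")

# Constructed sample of an /etc/ld.so.preload file, NOT from the report.
SAMPLE_LD_SO_PRELOAD = """\
# constructed sample
/usr/lib/x86_64-linux-gnu/libfoo.so
/usr/lib/.x/libhook.so
/tmp/.hidden/lib.so
"""


def _under(path: str, dirs: Tuple[str, ...]) -> bool:
    """True if path lies beneath one of dirs (prefix match on a path boundary)."""
    return any(path.startswith(d + "/") for d in dirs)


def suspicious_preloads(ld_so_preload: str) -> List[str]:
    """Return entries of an ld.so.preload file that are outside trusted
    library directories or contain a hidden directory component.

    A non-empty ld.so.preload is itself unusual on most servers; every entry
    it names is loaded into every dynamically linked process on the box."""
    hits = []
    for raw in ld_so_preload.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not entry:
            continue
        if not _under(entry, TRUSTED_LIB_DIRS) or HIDDEN_COMPONENT.search(entry):
            hits.append(entry)
    return hits


def suspicious_exe(exe_target: str) -> bool:
    """Decide whether a resolved /proc/PID/exe link looks wrong for a daemon.

    Caveat: a "(deleted)" suffix also appears for a benign process whose
    binary was replaced by a package upgrade, so treat it as a lead, not proof."""
    if exe_target.endswith(" (deleted)"):
        return True
    if _under(exe_target, SUSPICIOUS_EXEC_DIRS):
        return True
    return HIDDEN_COMPONENT.search(exe_target) is not None


def scan_procfs(proc_root: str = "/proc") -> List[Tuple[int, str, str]]:
    """Walk procfs and return (pid, comm, exe) for processes whose binary
    location is suspicious. Needs root to read exe links of other users'
    processes; kernel threads have no exe and are skipped."""
    findings = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(f"{proc_root}/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"{proc_root}/{pid}/exe")
        except OSError:
            continue
        if suspicious_exe(exe):
            findings.append((int(pid), comm, exe))
    return findings


if __name__ == "__main__":
    for entry in suspicious_preloads(SAMPLE_LD_SO_PRELOAD):
        print("suspicious preload entry:", entry)
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            for entry in suspicious_preloads(fh.read()):
                print("live preload hit:", entry)
    for pid, comm, exe in scan_procfs():
        print(f"pid {pid} comm={comm!r} exe={exe}")
```

Compare the `comm` value printed for each hit with the `exe` path: a process calling itself a familiar daemon name while executing from /tmp, /dev/shm or a dot-directory is the pattern the summary describes as process masquerading. Run it as root so that every process's exe link is readable.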
