MYRA

persistStealthCron() writes a wrapper script to /usr/local/lib/.cache-update.sh and installs it as a cron entry... const cronLine = `*/${ interval } * * * * ${ p . wrapperPath } >/dev/null 2>&1` ;

shell-oneshot shell Execute arbitrary commands via child_process.spawn with shell: true ... shell-pty shell_start , shell_input , shell_stop , shell_resize Full interactive PTY shell via node-pty

libcache.so: LD_PRELOAD file hiding ... Once deployed to /etc/ld.so.preload , this library loads into every new process on the system, hiding the RAT’s persistence artifacts from ls , find , stat , and any tool that uses libc directory enumeration.

persistStealthProfile() writes to /etc/profile.d/.sh.local , which executes the wrapper script in the background on every user login: const profileContent = `[ -x "${ p . wrapperPath }" ] && "${ p . wrapperPath }" >/dev/null 2>&1 & \n ` ;

persistStealthCron() writes a wrapper script to /usr/local/lib/.cache-update.sh and installs it as a cron entry... const cronLine = `*/${ interval } * * * * ${ p . wrapperPath } >/dev/null 2>&1` ;

persistStealthProfile() writes to /etc/profile.d/.sh.local , which executes the wrapper script in the background on every user login: const profileContent = `[ -x "${ p . wrapperPath }" ] && "${ p . wrapperPath }" >/dev/null 2>&1 & \n ` ;

persistStealthCron() writes a wrapper script to /usr/local/lib/.cache-update.sh and installs it as a cron entry... const cronLine = `*/${ interval } * * * * ${ p . wrapperPath } >/dev/null 2>&1` ;

injector.c attaches to a target process via ptrace(PTRACE_ATTACH, ...) , locates the first executable memory page from /proc/PID/maps , and patches it with a NOP sled followed by an INT3 breakpoint

memfd_exec.c implements fileless execution using the memfd_create syscall... memfd_loader.c extends this to launch the entire RAT from memory... The result: a Node.js process running the RAT entirely from memory, with /proc/PID/exe pointing to /memfd:.node (deleted) and /proc/PID/cmdline showing systemd-userdbd --user . No files on disk.

proc_hide.c uses prctl(PR_SET_NAME, ...) to change /proc/PID/comm and overwrites argv[0] in place to scrub /proc/PID/cmdline ... The default target name is systemd-userdbd ... agent_launcher.c takes this further: it copies the Node.js binary to /usr/lib/systemd/systemd-userdbd ... so even /proc/PID/exe points to a path that looks legitimate.

injector.c attaches to a target process via ptrace(PTRACE_ATTACH, ...) , locates the first executable memory page from /proc/PID/maps , and patches it with a NOP sled followed by an INT3 breakpoint

libcache.so: LD_PRELOAD file hiding ... Once deployed to /etc/ld.so.preload , this library loads into every new process on the system, hiding the RAT’s persistence artifacts from ls , find , stat , and any tool that uses libc directory enumeration.

network-enum netstat Parse /proc/net/tcp and /proc/net/udp

process-list ps Process enumeration from /proc

sysinfo sysinfo Hostname, arch, CPUs, memory, OS release, user info

filesystem cd , upload , download Directory traversal and base64 file transfer ... file-search find Recursive glob search across the filesystem

screen-live screen_start , screen_stop , screen_status Live screen streaming ... The final implementation auto-detects the active graphical session using loginctl , reads the target user’s DISPLAY and XAUTHORITY from /proc/PID/environ ... The server-side viewer exposes captured frames over HTTP on port 5555.

MYRA uses a plugin architecture with 13 modules. The client connects to the C2 over TCP with length-prefixed JSON framing (4-byte big-endian header followed by a JSON body).

filesystem cd , upload , download Directory traversal and base64 file transfer

filesystem cd , upload , download Directory traversal and base64 file transfer