Exploring Shifting Patterns in Recent IoT Malware

Keywords: Static Analysis, Dynamic Analysis, IoT Malware, Malware Evolution, Malware Lineage


The rise of malware targeting interconnected infrastructures has surged in recent years, driven largely by the widespread presence of vulnerable legacy IoT devices and inadequately secured networks. Despite the strong interest attackers have in targeting this infrastructure, a significant gap remains in understanding how the landscape has recently evolved. Addressing this knowledge gap is essential to thwarting the proliferation of massive botnets, thereby safeguarding end users and preventing disruptions in critical infrastructures. This work offers a contemporary analysis of Linux-based malware, specifically tailored to IoT malware operating between 2021 and 2023. Using automated techniques that combine static and dynamic analysis, we classify samples into groups of related threats. By scrutinizing the most recent dataset of Linux-based malware and comparing it to previous studies, we unveil distinctive insights into emerging trends, offering an unparalleled understanding of the evolving landscape. Although Mirai and Gafgyt remain the most prominent families and present a large number of variants, our results show that (i) there is an increase in the sophistication of malware, (ii) malware authors are adding new exploits to their arsenal, and (iii) malware families that originally attacked Windows systems have been adapted to attack Linux-based devices.

Author Biographies

Javier Carrillo-Mondéjar, Universidad de Zaragoza, Zaragoza, Spain

Javier Carrillo-Mondéjar received his M.Sc. and Ph.D. degrees in Computer Science from the University of Castilla-La Mancha, Spain, in 2017 and 2022, respectively. He is currently an Assistant Professor at the University of Zaragoza, Spain. His research interests include malware detection and classification techniques, with a particular focus on IoT/firmware cybersecurity.

Guillermo Suarez-Tangil, IMDEA Networks Institute, Madrid, Spain

Guillermo Suarez-Tangil is an Assistant Professor at IMDEA Networks and a Ramón y Cajal Fellow. His career includes over 6 years of international research experience at world-leading research centers (University College London, King's College London, and Royal Holloway), as well as pre-doctoral achievements recognized with prestigious awards (FUNCAS).

Andrei Costin, University of Jyväskylä, Finland

Dr. Andrei Costin received his PhD from EURECOM/Telecom ParisTech and is currently a Senior Lecturer/Assistant Professor of Cybersecurity at the University of Jyväskylä, Jyväskylä (Central Finland), Finland. His research focuses on system security, IoT/firmware cybersecurity, avionics/space/aerospace security, and some aspects of digital privacy.

Ricardo J. Rodríguez, Universidad de Zaragoza, Zaragoza, Spain

Ricardo J. Rodríguez received his M.S. and Ph.D. degrees in Computer Science from the University of Zaragoza, Spain, in 2010 and 2013, respectively. He is currently an Associate Professor at the University of Zaragoza, Spain. His research interests include performance/dependability system analysis, system security, digital forensics, and software analysis.