MITRE ATT&CK® Malware

S0468: Skidmap

Skidmap is a kernel-mode rootkit used for cryptocurrency mining.[1]

Domain: Enterprise | ID: S0468 | Type: Malware | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Skidmap matters because it combines Linux cryptocurrency mining with kernel-mode rootkit behavior. For leaders, the risk is not only unauthorized compute consumption; it is loss of trust in host visibility. If a Linux system can hide processes, files, network connections, kernel modules, scheduled jobs, authentication changes, or security tooling state, normal SOC evidence may be incomplete during an incident.

Executive priority

Prioritize Skidmap as a Linux resilience and visibility problem. The ATT&CK relationships point to persistence, privilege escalation, defense impairment, discovery, command-and-control file transfer, and compute hijacking behaviors. Executives should ask whether critical Linux workloads, IaaS-hosted Linux systems, and administrative SSH paths have independent monitoring, configuration integrity evidence, and an incident process for suspected rootkit compromise where rebuild may be safer than cleanup.

Technical view

MITRE provides no dedicated detection text for Skidmap, so SOC and IR validation should be built from the related techniques. Confirm coverage for Linux rootkit indicators, loadable kernel module changes, cron persistence, SSH authorized_keys modification, PAM modification, suspicious Unix shell execution, process/system/file discovery, ingress tool transfer, encoded or decoded payload artifacts, security tool discovery or tampering, and abnormal compute resource use. Because the malware is described as kernel-mode, teams should not rely only on host-reported process lists or file listings; compare endpoint data with external network, workload, hypervisor/cloud, and configuration-management evidence where available.
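One host-side way to act on the point above about not trusting the host's own process list, as an added example that is not Skidmap code or a Glexia tool: enumerate /proc the way ps does, probe every PID with kill(pid, 0), and confirm each gap through /proc/<pid>/status so thread IDs (which answer kill() but are never listed) are not misreported. It assumes a Linux host with procfs mounted; the function names and the "hidden", "thread" and "unreadable" verdicts are this example's own.

```python
import os

def listed_pids():
    """PIDs visible by enumerating /proc: the view ps and most agents use."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def probed_pids(max_pid):
    """PIDs that answer kill(pid, 0); EPERM still proves the PID exists."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found

def classify_gap(pid, status_text):
    """Alive but unlisted PID: 'thread' if /proc/<pid>/status names another Tgid (TIDs
    answer kill() yet are never listed), 'hidden' if it leads its own group, else 'unreadable'."""
    if status_text is None:
        return "unreadable"
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return "hidden" if int(line.split()[1]) == pid else "thread"
    return "unreadable"

def hidden_pids(listed, probed, read_status, own_pid):
    """Pure comparison (testable offline): alive PIDs missing from the listing."""
    suspects = {}
    for pid in sorted(probed - listed):
        if pid == own_pid:
            continue
        verdict = classify_gap(pid, read_status(pid))
        if verdict != "thread":
            suspects[pid] = verdict
    return suspects

def read_proc_status(pid):
    try:
        return open(f"/proc/{pid}/status").read()
    except OSError:
        return None

def scan():
    max_pid = int(open("/proc/sys/kernel/pid_max").read())
    # Flag only PIDs seen in two passes, dropping processes that start or exit mid-scan.
    passes = [hidden_pids(listed_pids(), probed_pids(max_pid), read_proc_status, os.getpid()) for _ in range(2)]
    return {p: v for p, v in passes[0].items() if p in passes[1]}
```

A sweep up to pid_max (often 4194304) takes a few seconds in Python. A rootkit that also hooks kill() or the status file defeats this check, which is why the text above pairs host checks with external network, hypervisor and configuration evidence.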

Likely telemetry

  • Linux process execution and shell command telemetry
  • Kernel module load/unload and kernel extension integrity data
  • Cron and scheduled task configuration changes
  • SSH authorized_keys file creation or modification events
  • PAM configuration and authentication library integrity monitoring

Detection direction

  • Validate that Linux monitoring remains useful when a kernel-mode rootkit may hide local artifacts; compare endpoint results against external logs and configuration baselines.
  • Tune for combinations of behaviors rather than a single event: cron changes plus tool transfer, SSH key modification plus shell execution, PAM changes plus suspicious authentication, or kernel module activity plus abnormal CPU use.
  • Review false positives from legitimate administration, patching, performance tooling, security agent updates, and scheduled maintenance, especially on Linux servers managed by automation.
  • Confirm alerting for security tooling degradation or modification, since related behavior includes disabling or modifying defensive tools.
  • Add incident triage checks for compute hijacking impact, including resource saturation and service degradation, without assuming cryptocurrency mining is the only possible explanation.
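The behavior-pair tuning in the second bullet above, as an added example rather than a Glexia detection rule: a correlator that fires only when both halves of a pair appear on the same host within a time window, run over constructed sample events. The event type tags, the `<timestamp> <host> <type> <detail>` line format and the 30-minute window are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The behavior pairs from the detection direction above. Event type names are
# hypothetical normalized tags; map your pipeline's own fields onto them.
PAIRED_BEHAVIORS = {
    "cron_change+tool_transfer": ("cron_modified", "file_downloaded"),
    "ssh_key_change+shell_exec": ("authorized_keys_modified", "shell_exec"),
    "pam_change+suspicious_auth": ("pam_modified", "auth_anomaly"),
    "kernel_module+abnormal_cpu": ("kernel_module_loaded", "cpu_anomaly"),
}

def parse_line(line):
    """'<ISO timestamp> <host> <event_type> <detail...>' -> event dict."""
    ts, host, etype, *detail = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "type": etype, "detail": " ".join(detail)}

def correlate(events, window=timedelta(minutes=30)):
    """{host: sorted rule names} where both halves of a pair occur on the same host
    within `window`. A single event never fires, which keeps routine admin quiet."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    hits = {}
    for host, evs in by_host.items():
        fired = []
        for rule, (a, b) in PAIRED_BEHAVIORS.items():
            ta = [e["ts"] for e in evs if e["type"] == a]
            tb = [e["ts"] for e in evs if e["type"] == b]
            if any(abs(x - y) <= window for x in ta for y in tb):
                fired.append(rule)
        if fired:
            hits[host] = sorted(fired)
    return hits

# Constructed sample telemetry, not real logs: web01 shows two pairs inside the
# window, db01 a routine cron edit only, build01 PAM and auth events hours apart.
SAMPLE_LINES = [
    "2024-05-01T10:00:00 web01 cron_modified /var/spool/cron/root",
    "2024-05-01T10:04:30 web01 file_downloaded archive fetched to /tmp",
    "2024-05-01T10:20:00 web01 kernel_module_loaded unsigned module",
    "2024-05-01T10:35:00 web01 cpu_anomaly host reports load 0.3, hypervisor sees 95%",
    "2024-05-01T11:00:00 db01 cron_modified /etc/cron.d/backup",
    "2024-05-01T09:00:00 build01 pam_modified pam_unix.so checksum changed",
    "2024-05-01T14:30:00 build01 auth_anomaly one password accepted for three users",
]

def sample_hits():
    return correlate(parse_line(line) for line in SAMPLE_LINES)
```

Widening the window makes build01 fire on the PAM pair too, so the window is the main false-positive lever for hosts managed by automation.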

Mitigation priorities

  • Maintain hardened Linux baselines for kernel module loading, authentication configuration, SSH key management, and scheduled task ownership.
  • Restrict and audit privileged administration paths, including SSH key changes and PAM-related changes.
  • Use configuration integrity monitoring for cron, authorized_keys, PAM files, kernel modules, and security tooling configuration.
  • Ensure Linux workloads have centralized logging and independent telemetry sources so suspected rootkit activity does not depend solely on the compromised host’s view.
  • Prepare IR playbooks for suspected kernel-mode compromise that include isolation, evidence preservation, credential review, and rebuild/reimage decision points.

Analyst notes and limits

The object is a malware entry for Skidmap, described by MITRE as a Linux kernel-mode rootkit used for cryptocurrency mining. The strongest defensive value comes from its ATT&CK relationships: Rootkit, Kernel Modules and Extensions, Cron, SSH Authorized Keys, PAM, Disable or Modify Tools, Ingress Tool Transfer, discovery techniques, obfuscation/deobfuscation, and Compute Hijacking.

MITRE does not provide official detection guidance, aliases, labels, or malware-level tactics for this object in the supplied fields. This take therefore uses only the official description, external references, platform field, and listed technique relationships. Local validation is required to determine actual exposure, telemetry availability, and control effectiveness.

Official MITRE ATT&CK definition

Skidmap

Skidmap is a kernel-mode rootkit used for cryptocurrency mining.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure (16 rows; [1] = Trend Micro Skidmap)

Enterprise | T1496.001 | Compute Hijacking (sub-technique)
  Skidmap is a kernel-mode rootkit used for cryptocurrency mining. [1]

Enterprise | T1098.004 | SSH Authorized Keys (sub-technique)
  Skidmap has the ability to add the public key of its handlers to the authorized_keys file to maintain persistence on an infected host. [1]

Enterprise | T1105 | Ingress Tool Transfer
  Skidmap has the ability to download files on an infected host. [1]

Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique)
  Skidmap has encrypted its main payload using 3DES. [1]

Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique)
  Skidmap has created a fake rm binary to replace the legitimate Linux binary. [1]

Enterprise | T1685 | Disable or Modify Tools
  Skidmap has the ability to set SELinux to permissive mode. [1]

Enterprise | T1053.003 | Cron (sub-technique)
  Skidmap has installed itself via crontab. [1]

Enterprise | T1083 | File and Directory Discovery
  Skidmap has checked for the existence of specific files including /usr/sbin/setenforce and /etc/selinux/config. It also has the ability to monitor the cryptocurrency miner file and process. [1]

Enterprise | T1518.001 | Security Software Discovery (sub-technique)
  Skidmap has the ability to check if /usr/sbin/setenforce exists. This file controls what mode SELinux is in. [1]

Enterprise | T1547.006 | Kernel Modules and Extensions (sub-technique)
  Skidmap has the ability to install several loadable kernel modules (LKMs) on infected machines. [1]

Enterprise | T1556.003 | Pluggable Authentication Modules (sub-technique)
  Skidmap has the ability to replace the pam_unix.so file on an infected machine with its own malicious version that accepts a specific backdoor password for all users. [1]

Enterprise | T1082 | System Information Discovery
  Skidmap has the ability to check whether the infected system's OS is Debian or RHEL/CentOS to determine which cryptocurrency miner it should use. [1]

Enterprise | T1014 | Rootkit
  Skidmap is a kernel-mode rootkit that has the ability to hook system calls to hide specific files and fake network and CPU-related statistics to make the CPU load of the infected machine always appear low. [1]

Enterprise | T1057 | Process Discovery
  Skidmap has monitored critical processes to ensure resiliency. [1]

Enterprise | T1140 | Deobfuscate/Decode Files or Information
  Skidmap has the ability to download, unpack, and decrypt tar.gz files. [1]

Enterprise | T1059.004 | Unix Shell (sub-technique)
  Skidmap has used pm.sh to download and install its main payload. [1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Raw hash: a60edf3a7e2af22b...

Imported snapshots across ATT&CK releases (1)
Release | Object version | Status | Raw hash
19.1 | 1.1 | Current bundle | a60edf3a7e2a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Trend Micro Skidmap: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  2. [2] mitre-attack S0468.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.