Security Articles

Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware

released on 2022-07-21 @ 11:11:15 AM
This is a technical analysis of a previously undocumented and undetected Linux threat called the Lightning Framework. It is rare to see such an intricate framework developed for targeting Linux systems. Lightning is a modular framework we discovered that has a plethora of capabilities, along with the ability to install multiple types of rootkit and to run plugins. The framework has both passive and active capabilities for communicating with the threat actor, including opening up SSH on an infected machine, and a polymorphic, malleable command-and-control configuration.