Hackers are abusing the open-source Linux PRoot utility in BYOF (bring your own filesystem) attacks, giving themselves a consistent source of malicious tools compatible with Linux devices.

In a BYOF attack, a threat actor builds a malicious filesystem on their own devices that includes a typical set of attack tools. That filesystem is then used to infect Linux systems, where it serves as a preset toolkit for further compromising the operating system.


“First, threat actors build a malicious filesystem which will be deployed. This malicious filesystem includes everything that the operation needs to succeed”, explains a new report by Sysdig.

This preparation stage lets the attacker download, configure and install every program on their own machine, away from detection tools. The report says that while more dangerous scenarios are conceivable, the attacks often result in cryptocurrency mining.

PRoot smooths out the challenges frequently associated with executable compatibility, environment setup, and malware execution, according to Sysdig. “Using PRoot, there is little regard or concern for the target’s architecture or distribution.”

The researchers also warn that the technique makes it easy to scale hostile operations against all types of Linux endpoints.

QEMU emulation

PRoot processes are typically restricted to the guest filesystem. However, QEMU emulation can be used to run both host and guest programs concurrently.

Programs in the guest filesystem can use PRoot's built-in mount/bind mechanism to access files and directories on the host system. Because the attackers rely on PRoot, these attacks are Linux distribution-agnostic, which increases the likelihood of success.

Preset PRoot filesystems let attackers use their toolkits on a variety of OS configurations without needing to translate their malware to the intended architecture or add dependencies and tools.
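For defenders, the rootfs, bind and QEMU options described above are visible in process-execution telemetry. The following is an added detection sketch, not code from Sysdig's report: the tag names, the staging-directory list and the sample events are assumptions constructed for illustration, and the option names are those of PRoot's documented command line.

```python
import shlex

# Short options take their value as the next argument, long options as
# --opt=value. None marks a value that is skipped but not reported.
SHORT = {"-r": "rootfs", "-R": "rootfs", "-S": "rootfs", "-b": "bind",
         "-m": "bind", "-q": "qemu", "-w": None, "-k": None, "-i": None}
LONG = {"--rootfs": "rootfs", "--bind": "bind", "--mount": "bind", "--qemu": "qemu"}
# Assumption: world-writable directories where a downloaded filesystem is staged.
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse_proot(cmdline):
    """Return the rootfs/bind/qemu values of a PRoot command line, or None."""
    argv = shlex.split(cmdline)
    # Name matching is only a baseline: a renamed binary will not match.
    if not argv or argv[0].rsplit("/", 1)[-1] != "proot":
        return None
    found = {"rootfs": [], "bind": [], "qemu": []}
    i = 1
    while i < len(argv):
        arg = argv[i]
        name, _, value = arg.partition("=")
        if arg in SHORT and i + 1 < len(argv):
            if SHORT[arg]:
                found[SHORT[arg]].append(argv[i + 1])
            i += 1  # consume the option's value
        elif name in LONG and value:
            found[LONG[name]].append(value)
        elif not arg.startswith("-"):
            break  # first positional argument starts the guest command
        i += 1
    return found

def assess(cmdline):
    """Map one exec event to a list of detection tags (empty if not PRoot)."""
    opts = parse_proot(cmdline)
    if opts is None:
        return []
    tags = ["proot-exec"]
    if any(r.startswith(STAGING_DIRS) for r in opts["rootfs"]):
        tags.append("rootfs-in-staging-dir")
    # A bind is "host_path" or "host_path:guest_location"; report the host side.
    tags += ["host-bind:" + b.split(":", 1)[0] for b in opts["bind"]]
    if opts["qemu"]:
        tags.append("qemu-emulation")
    return tags

# Constructed exec events for illustration (not taken from the report).
EVENTS = ["/tmp/.x/proot -r /tmp/.x/rootfs -b /proc -b /etc:/host_etc -q qemu-arm /bin/sh",
          "/usr/bin/proot --rootfs=/home/dev/alpine -w / /bin/ls",
          "/usr/bin/rsync -r -b src/ dst/"]
```

Only the first constructed event combines a rootfs in a staging directory, host binds and QEMU emulation; the second is an ordinary developer invocation and the third is an unrelated tool that happens to share option letters.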
