New GPU-based Linux Rootkit and Keylogger with Excellent Stealth and Computing Power
The world of hacking has become more organized and reliable over recent years and so the techniques of hackers.

Nowadays, attackers use highly sophisticated tactics and often go to extraordinary lengths in order to mount an attack.

And there is something new to the list:

A team of developers has created not one, but two pieces of malware that run on an infected computer's graphics processor unit (GPU) instead of its central processor unit (CPU), in order to enhance their stealthiness and computational efficiency.


The two pieces of malware:

The source code of both the Jellyfish Rootkit and the Demon keylogger, which are described as proof-of-concepts malware, have been published on Github.

Until now, security researchers have discovered nasty malware running on the CPU and exploiting the GPU capabilities in an attempt to mine cryptocurrencies such as Bitcoins.

However, these two malware could operate without exploiting or modifying the processes in the operating system kernel, and this is why they do not trigger any suspicion that a system is infected and remain hidden.


Jellyfish rootkit is a proof-of-concept malware code designed to show that running malware on GPUs is practically possible, as dedicated graphics cards have their processors and memory.

These types of rootkits could snoop on the CPU host memory through DMA (direct memory access), which allows hardware components to read the main system memory without going through the CPU, making such actions harder to detect.

The pseudo-anonymous developers describe their Jellyfish Rootkit as:

"Jellyfish is a Linux based userland gpu rootkit proof of concept project utilizing the LD_PRELOAD technique from Jynx (CPU), as well as the OpenCL API developed by Khronos group (GPU). Code currently supports AMD and NVIDIA graphics cards. However, the AMDAPPSDK does support Intel as well."

Advantages of GPU stored memory:

  • No GPU malware analysis tools are available on the Internet
  • Can snoop on CPU host memory via DMA (direct memory access)
  • GPU can be used for fast/swift mathematical calculations like parsing or XORing
  • Stubs
  • Malicious memory is still inside GPU after device shutdown

Requirements for use:

  • Have OpenCL drivers/icds installed
  • Nvidia or AMD graphics card (Intel supports AMD's SDK)
  • Change line 103 in rootkit/kit.c to server ip you want to monitor GPU client from

Stay tuned for more features:

  • client listener; let buffers stay stored in GPU until you send a magic packet from the server

The anonymous developers of the rootkit warned people that Jellyfish is a proof-of-concept malware and still a work in progress so that it can contain flaws. The code published on Github is intended to be used for educational purposes only.


Moreover, the developers also built a separate, GPU-based keylogger, dubbed Demon though they did not provide any technical details about the tool.

Demon keylogger is also a proof-of-concept that is inspired by the malware described in a 2013 academic research paper [PDF] titled "You Can Type, but You Can't Hide: A Stealthy GPU-based Keylogger," but the developers stressed that they were not working with the researchers.
"We are not associated with the creators of this paper," the Demon developers said. "We only PoC'd what was described in it, plus a little more."
As described in the research paper, GPU-based keystroke logger consists of two main components:
  • A CPU-based component that is executed once, during the bootstrap phase, with the task of locating the address of the keyboard buffer in main memory.
  • A GPU-based component that monitors, via DMA, the keyboard buffer, and records all keystroke events.
However, users may not worry about cyber criminals or hackers using GPU-based malware yet, but proof-of-concepts malware such as Jellyfish Rootkit and Demon keylogger could inspire future developments.

However, if exploited in future, What could be the area of attack vectors? Hit the comments below.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.