GARUDA C2 Malware

Threat Intelligence

June 17, 2026

The Deep Dive: Kroll’s Analysis of the GARUDA C2 Malware

Kroll identified a cross-platform malware framework, dubbed GARUDA C2, that uses public code-hosting platforms like GitHub for staging, redundancy and command distribution across Windows, macOS and Linux.

Analysis links the campaign to an India-based operator supported by Hindi-language development artifacts, build logs, infrastructure indicators and evidence suggesting use of a locally hosted large language model (LLM) to accelerate malware development.

GARUDA C2 reflects a broader trend toward low-cost, scalable, cloud-abusing, multi-platform malware operations that let threat actors deploy, manage and reconstitute campaigns with minimal friction and reduced operational risk.

What is Covered in the White Paper:

  • Actor Profile and Development Environment: Description of the multi-OS malware campaign run via a GitHub account that was later wiped, with preserved artifacts showing a Kali Linux setup, Hindi-language comments, an IPv6 address in Gujarat, India, and evidence of local LLM use, supporting high-confidence attribution to an India-based developer.
  • Multi-Platform Infection Chain and Persistence: Details of how the actor maintains a unified framework (“GARUDA C2”) using initial downloaders that fetch second-stage scripts from several code-hosting platforms.
  • Capabilities and Payloads: A report on the second-stage components, which perform host reconnaissance, exfiltrate data to repositories using embedded API tokens, and pull updates based on version indicators.
  • The full list of observed MITRE ATT&CK techniques, provided at the end of the white paper.

Stay Ahead with Kroll

Cyber and Data Resilience

Kroll merges elite security and data risk expertise with frontline intelligence from thousands of incident response, regulatory compliance, financial crime and due diligence engagements to make our clients more cyber-resilient.

Cyber Threat Intelligence

Kroll’s cyber threat intelligence services are fueled by frontline incident response intelligence and elite analysts to hunt and respond to threats effectively. Our team aligns Kroll’s technical intelligence, analytical research and investigative expertise to improve your visibility and provide expert triage, investigation and remediation services.