CRON#TRAP: Leveraging Emulated Linux Environments for Advanced Malware Staging Tactics

Keypoints

  • CRON#TRAP uses a custom QEMU-emulated Tiny Core Linux instance to persist on compromised Windows endpoints.
  • Initial delivery was a phishing lure leading to a 285MB ZIP containing OneAmerica Survey.lnk and a hidden QEMU data folder.
  • The attackers renamed and executed QEMU (fontdiag.exe) with -nographic to keep the VM running silently in the background.
  • The emulated Linux includes a hard-coded Chisel client (crondx) that connects back to C2 (18.208.230[.]174) via websockets.
  • Persistence mechanisms include modifying Tiny Core startup scripts (bootlocal.sh), saving changes with filetool.sh, and SSH key generation/upload.
  • Artifacts and analyzed files/hashes (e.g., OneAmerica Survey.zip, tc.img, crondx) and the C2 and GitHub URLs were documented for detection and hunting.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Initial delivery via a phishing email linking to a ZIP with a malicious shortcut (‘phishing email which contained a link to download a zip file’)
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communications using websockets to reach 18.208.230[.]174 (‘connect to a remote Command and Control (C2) server at 18.208.230[.]174 via websockets’)
  • [T1132] Data Encoding – Listed for Chisel's transport, though Chisel encrypts the tunnel with SSH and carries it over HTTP websockets rather than merely encoding it, so [T1572] Protocol Tunneling (next bullet) and [T1573] Encrypted Channel are the closer fits (‘a fast TCP/UDP tunnel, transported over HTTP, secured via SSH’)
  • [T1572] Protocol Tunneling – Chisel used to tunnel traffic through HTTP/SSH to bypass network controls (‘Chisel client designed to connect … via websockets’)
  • [T1027] Obfuscated Files or Information – Large hidden data folder and renamed QEMU binary to evade detection; the hidden attribute is more precisely [T1564.001] Hide Artifacts: Hidden Files and Directories (‘the entirety of the data folder’s contents have the hidden attribute applied’ and ‘qemu.exe was renamed to fontdiag.exe’)
  • [T1036] Masquerading – Malicious files and QEMU binary disguised as legitimate items (‘qemu.exe was renamed to fontdiag.exe by the attacker prior to delivery’)
  • [T1218] System Binary Proxy Execution – Using the legitimate, validly signed QEMU binary to execute the attacker-controlled environment; the fit is loose, since QEMU is shipped inside the lure rather than present on the host, and the valid signature means allowlisting by signer alone will not catch it (‘This QEMU process is the legitimate process and is digitally signed using a valid digital certificate’)
  • [T1564.006] Hide Artifacts: Run Virtual Instance – Running the emulated Linux to conduct operations outside the host OS visibility (‘-nographic parameter means that the Linux virtual environment will run silently in the background’)
  • [T1059.001] PowerShell – Shortcut triggers PowerShell to extract the ZIP and run start.bat (‘it links to the system’s PowerShell process and executes a simple command’)
  • [T1059.003] Windows Command Shell – start.bat executes QEMU and displays the fake server error (‘the script executes the QEMU process and command line to start the emulated Linux environment’)
  • [T1204.001] User Execution: Malicious Link – User clicks a link in a phishing email to download the ZIP (‘phishing email which contained a link to download a zip file’)
  • [T1204.002] User Execution: Malicious File – User extracts and opens the shortcut file which triggers execution (‘When executed, this file extracts and initiates a lightweight, custom Linux environment emulated through QEMU’)
  • [T1072] Software Deployment Tools – Use of QEMU and Tiny Core tooling to deploy the attacker environment; a loose mapping, since T1072 proper covers abuse of enterprise deployment suites, whereas here the attacker bundles the tools in the lure itself (‘the attackers deploy a custom QEMU Linux box for persistence’)
  • [T1041] Exfiltration Over C2 Channel – Potential exfiltration and command traffic routed through the Chisel tunnel/C2 (‘Chisel’s design makes it particularly effective for creating covert communication channels and tunneling through firewalls’)

Indicators of Compromise

  • [IP Address] C2 server – 18.208.230[.]174 (Chisel client connects via websockets)
  • [Domains/URLs] Lure and staging – forum.hestiacp[.]com/uploads/…/9aae76309a614c85f880512d8fe7df158fec52cc.png, github[.]com/yaniraenrica/testing/raw/main/resolvd.zip
  • [File Names/Paths] Staged QEMU and payloads – OneAmerica Survey.zip, OneAmerica Survey.lnk, %HOME%dataxdatafontdiag.exe, tc.img, crondx
  • [File Hashes] Sample binaries – CE26AAC9BA7BE60B…CAB676 (OneAmerica Survey.zip), 3E6A47DA0A226A4C…ADA7E9 (crondx), and 10 more hashes

————
The CRON#TRAP campaign starts with a convincing phishing lure: a large ZIP named “OneAmerica Survey.zip” containing a single shortcut that, when executed, extracts a hidden QEMU directory and runs a renamed QEMU binary (fontdiag.exe) to boot a Tiny Core Linux image. The shortcut invokes PowerShell, which extracts the archive and runs start.bat; the batch file shows a fake server error to the user while launching QEMU with -nographic, which suppresses the hypervisor's display window so no guest console ever appears on screen.

Inside that emulated “PivotBox” environment, operators preinstalled tools, edited startup scripts (bootlocal.sh), generated and uploaded SSH keys, and deployed a hard-coded Chisel client (crondx) that connects back to 18.208.230[.]174 over websockets. The QEMU instance includes convenient aliases (get-host-shell, get-host-user) for interacting with the host and retains artifacts like .ash_history, which revealed the attacker’s setup, persistence steps, and repeated payload testing.

This technique leverages legitimate software (QEMU, Chisel) and an isolated VM to evade traditional endpoint detection: the host sees only a validly signed hypervisor process, while the tooling, the tunnel endpoint and the shell history all live inside the guest image. The backdoor survives VM reboots because Tiny Core runs from RAM and the attackers saved their bootlocal.sh edits with filetool.sh, which packs the listed files into the persistence archive that Tiny Core restores at boot. Defenders should look for large suspicious archives, QEMU or other signed binaries running from user-writable locations, QEMU-shaped command lines (a disk image plus -nographic) regardless of the executable's name, the parent chain of shortcut, then PowerShell, then batch file, then hypervisor, outbound connections to the documented C2, and the listed file hashes and filenames to detect and remediate this campaign.
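The detection guidance above, as an added example that is not part of the Securonix report: a Python hunt over Sysmon-shaped process-creation (Event ID 1) and network-connection (Event ID 3) records. It keys on the shape of the QEMU command line (a disk image plus -m, -netdev or -nographic) rather than the executable's name, because the campaign renamed qemu.exe to fontdiag.exe, and it also flags hypervisors launched from user-writable paths, a cmd.exe parent (the start.bat step) and connections to the documented C2. The field names, the user-writable path list, and the sample events (user name, paths, QEMU switches, destination port) are assumptions or constructed for this example; only the C2 address and the fontdiag.exe/tc.img names come from the report.

```python
"""Hunt for CRON#TRAP-style QEMU staging in Sysmon-shaped process/network events.
Added example, not code from the Securonix report; field names follow Sysmon
Event ID 1 (process creation) and 3 (network connection), events are constructed."""
import re
import shlex
from pathlib import PureWindowsPath

C2_IPS = {"18.208.230.174"}  # from the report (de-fanged there as 18.208.230[.]174)

# Locations an ordinary user can write to: a hypervisor started from a user
# profile, ProgramData or a temp directory rather than Program Files is the
# first signal the report tells defenders to look for (list is an assumption).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\(?!default\\)[^\\]+|programdata|temp|windows\\temp)\\", re.I)
# Disk image names as they appear in -drive file=... / -hda ... arguments.
IMAGE_RE = re.compile(r'[^\s,="]+\.(?:img|qcow2?|iso|vmdk)\b', re.I)


def qemu_shape(cmdline: str) -> dict:
    """Describe how QEMU-like a command line is, independent of the binary's name.
    The report shows qemu.exe renamed to fontdiag.exe, so the switch set
    (-m, -drive/-hda, -netdev, -nographic) is what survives a rename."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    except ValueError:  # unbalanced quote in the logged command line
        tokens = cmdline.split()
    switches = {t.lower() for t in tokens if t.startswith("-")}
    shape = {
        "headless": "-nographic" in switches,
        "disk": bool(switches & {"-drive", "-hda", "-hdb", "-cdrom"}),
        "memory": "-m" in switches,
        "network": bool(switches & {"-netdev", "-net", "-nic"}),
        "images": IMAGE_RE.findall(cmdline),
    }
    # A disk image plus one more QEMU trait; a lone "-m" from some other tool does not count.
    shape["is_qemu"] = shape["disk"] and (shape["memory"] or shape["network"] or shape["headless"])
    return shape


def hunt(events: list) -> list:
    """Return findings for the host-side signals the report lists: headless QEMU
    launches, a hypervisor in a user-writable path, a QEMU-shaped command line
    under a non-QEMU name, and connections to the documented C2."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        name = PureWindowsPath(image).name.lower()
        if ev.get("EventID") == 1:
            shape = qemu_shape(ev.get("CommandLine", ""))
            if not shape["is_qemu"]:
                continue
            reasons = []
            if shape["headless"]:
                reasons.append("headless (-nographic) hypervisor launch")
            if USER_WRITABLE.match(image):
                reasons.append("hypervisor running from a user-writable path")
            if "qemu" not in name:
                reasons.append(f"QEMU-shaped command line under the name {name}")
            if PureWindowsPath(ev.get("ParentImage", "")).name.lower() == "cmd.exe":
                reasons.append("spawned by cmd.exe (batch-file launcher)")
            if reasons:  # one weak signal alone (e.g. a batch-started lab VM) stays low
                findings.append({"rule": "qemu_staging", "image": image, "images": shape["images"],
                                 "reasons": reasons, "severity": "high" if len(reasons) >= 2 else "low"})
        elif ev.get("EventID") == 3 and ev.get("DestinationIp") in C2_IPS:
            findings.append({"rule": "c2_connection", "image": image, "images": [],
                             "reasons": [f"connection to known C2 {ev['DestinationIp']}"], "severity": "high"})
    return findings


# Constructed events modelled on the chain the report describes (shortcut ->
# PowerShell -> start.bat -> renamed QEMU). User name, paths, memory size,
# network switches and destination port are illustrative, not captured data.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'''powershell.exe -w hidden -c "Expand-Archive '.\OneAmerica Survey.zip' $env:USERPROFILE; cmd /c start.bat"'''},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "cmd /c start.bat"},
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\fontdiag.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "fontdiag.exe -m 256M -drive file=tc.img,format=raw -nographic -netdev user,id=n0 -device e1000,netdev=n0"},
    {"EventID": 1, "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 2G -drive file=dev.qcow2 -display gtk'},
    {"EventID": 3, "Image": r"C:\Users\alice\Downloads\fontdiag.exe", "DestinationIp": "18.208.230.174", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["rule"], f["image"], "|", "; ".join(f["reasons"]))
```

Severity is "high" only when two or more signals coincide, so a developer's QEMU installed under Program Files and run with a visible display produces nothing even though its command line is QEMU-shaped, while the renamed, headless, Downloads-resident instance collects all four reasons and its outbound connection to the documented C2 is reported separately.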

Read more: https://www.securonix.com/blog/crontrap-emulated-linux-environments-as-the-latest-tactic-in-malware-staging/