Hello, aspiring cyberwarriors!
Let us begin with a simple but uncomfortable truth. The more experienced a hacker becomes, the harder they are to detect. Early-stage hackers are often noisy and careless. They run obvious tools, leave logs everywhere, and make mistakes that defenders can easily spot. But as attackers mature, their behavior changes significantly. They start to think the way defenders think. They understand what logs look like, how SIEM alerts fire, and what it feels like to watch suspicious activity appear on your monitoring screens. Because of this knowledge, advanced hackers increasingly rely on more advanced techniques. It improves their stealth dramatically.
Today, we are going to talk about one such stealth mechanism. This tool is called Zapper. Hackers have been using it quite a lot recently. It has even been observed in real-world operations during the ongoing cyberwar in Ukraine. Zapper can be used in penetration testing, but if you are a defender, this tool should be included in your threat model, and the environment needs to be hardened to prevent attackers from hiding their processes in this way.
What is Zapper?
Zapper is a tool created by the group known as Hacker’s Choice, and it is specifically designed to hide running processes on Linux systems. Unlike many crude hiding methods, Zapper works in a surprisingly elegant and low-impact way.
The developers describe several important characteristics. They explain that Zapper does not require root privileges to run, which already makes it powerful because many attackers do not have root access at the start of an intrusion. They also emphasise that Zapper works even on static binaries such as those compiled with Go. It is also able to hide not only the command line but the environment variables of a process as well, including the contents normally visible in /proc/
Because Zapper uses specific ptrace features and only traces fork and exec events, the performance impact remains almost negligible. The developers also mention a trick involving the -n
Using Zapper
To begin working with Zapper, the first step is to obtain the binary. There are several ways to do this, but the project repository demonstrates an example command that looks like this:
bash$ -fL -o zapper https://github.com/hackerschoice/zapper/releases/latest/download/zapper-linux-$(uname -m) && chmod 755 zapper && ./zapper -h
However, reality is rarely this simple in adversarial environments. Defenders often monitor HTTP traffic. They may trigger alerts on suspicious domain names, unusual downloads, or known hacking tool sources such as “hackerschoice.” Because of this, attackers frequently prefer to host their tools on compromised servers or attacker-controlled infrastructure. They often rename the binary to something that appears completely legitimate, blending into the system so that defenders scrolling through logs or process lists see nothing unusual.
bash$ > mv zapper systemd-control
Here we renamed the binary to systemd-control, which sounds exactly like something belonging to the operating system. On many Linux distributions, actual systemd components live inside /lib/systemd, so placing the renamed file there and modifying timestamps can make it visually indistinguishable from legitimate binaries. This is one of many reasons why blue teams must never rely purely on filename-based detection.
The Zapper help menu includes numerous examples and shows different creative ways to use the tool. To view it, simply execute the renamed binary:
bash$ > ./systemd-control -h
An attacker can hide binaries completely along with their child processes. They can create hidden tmux sessions to maintain persistence on a server without being visible in normal process listings. They can also choose to leave the program name exposed but strip all command-line options, causing the process to look harmless or generic.
For demonstration purposes, imagine that we want to use Zapper with a very common tool called nmap. We will run an nmap scan against a target IP address while hiding the real command details. The execution might look like this:
bash$ > exec ./systemd-control -f -a '[kworker/2:2-events_power_efficient]' nmap IP -Pn -sV -sC > /dev/shm/scan.txt &
In this case, you make the process appear as if it is a kernel worker thread, something most administrators would ignore. During execution, searching for the process using commands like ps or grep will return nothing suspicious. Meanwhile, the scan continues quietly in the background. After a short time, the results appear in the /dev/shm/scan.txt file, showing that the hidden activity has successfully completed.
bash$ > cat scan.txt
This is the kind of stealth technique penetration testers should use to realistically simulate the behavior of real-world attackers.
Summary
Zapper is a Linux process-hiding tool created by Hacker’s Choice that has gained visibility. We looked at how experienced attackers evolve from noisy, obvious behavior into stealthier operations that rely heavily on native system utilities and low-level manipulation techniques. Zapper is a strong example of this. It does not require root, it hides both command-line arguments and environment variables, and it operates using ptrace-based manipulation of the ELF Auxiliary Table with almost no performance impact.
If you like Linux and want to advance your skills, consider joining our training for Subscriber Pro between February 17 and 19.
Source: HackersArise
Source Link: https://hackers-arise.com/linux-zapper-how-hackers-hide-malicious-process/