Columbus | Medina | Painesville | Akron | Cleveland
 GET A CUSTOMIZED PROPOSAL

Technology Tips

  • HOME
  • BLOG
  • New Malware Can Infect Linux, Mac, Or Windows Users
January 31, 2022

New Malware Can Infect Linux, Mac, Or Windows Users

Written By Randy Hall

There's a new strain of malware called SysJoker to be mindful of. It's especially dangerous because it can target Windows, Mac or Linux systems.  That makes it an equal opportunity strain.

Researchers at Intezer are credited with discovering the malware in the wild in December of 2021 during an investigation of an attack on a Linux server.  The group was able to obtain samples of the virus for analysis and have concluded that SysJoker is a nasty piece of work indeed.

Written in C++, the malware strain is cunningly constructed to evade detection on all three Operating Systems.  In fact, it's so good at evading detection that none of the 57 antivirus programs the Intezer researchers tested were able to detect the presence of the malware.

SysJoker is harmless by itself but that is by design.  It is a first-stage dropper and its only job is to gain a foothold in a target network.

Once there it will sleep for two minutes before creating a new directory and then copy itself to that directory all while disguised as an Intel Graphics Common User Interface Service ("igfxCUIService.exe").

According to the Intezer report, this is what happens next:

"...SysJoker will gather information about the machine using Living off the Land (LOtL) commands. SysJoker uses different temporary text files to log the results of the commands," explains Intezer's report.

These text files are deleted immediately, stored in a JSON object and then encoded and written to a file named "microsoft_Windows.dll"."

When that is done, the malware creates persistence by adding a new registry key (HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun). Random sleep times are interposed between all functions leading to this point.

Finally, it will reach out to the actor-controlled command and control server using a hardcoded Google Drive link.  Once that connection has been established, the hackers can install whatever payload they wish onto the infected system.

None of the major AV programs can detect SysJoker at present. Given that it can infect Windows, Mac and Linux systems, this is one to keep a watchful eye out for.
Picture of Randy Hall
About The Author
Randy Hall, CEO & Founder of Securafy, is a seasoned IT leader specializing in cybersecurity, compliance, and business resilience for SMBs. With deep technical expertise and decades of experience, he shares strategic insights on cybersecurity risks, AI in cybersecurity, emerging technology, and the economic challenges shaping the IT landscape. His content provides practical guidance for business owners looking to navigate evolving cyber threats and leverage technology for long-term growth.

Join the Conversation

Subscribe to our newsletter

Sign up for our FREE "Cyber Security Tip of the Week!" and always stay one step ahead of hackers and cyber-attacks.

Securafy Inc.
5900 SOM Center Rd. #12-142 Willoughby, OH 44094
(330) 906-8888
Info@Securafy.com 
Company
Resources
Free Cybersecurity Tips

By subscribing, you agree to our privacy policy and will receive occasional promotional emails.
© 2025 Securafy, Inc.