TL;DR: Kaiji has evolved from a straightforward Linux and IoT threat into malware that uses persistence, fileless execution, and system tampering to stay hidden after compromise, according to Aqua Security. That makes runtime enforcement, drift prevention, and tamper-aware detection more important than simple post-infection cleanup.
NHIMG editorial — based on content published by Aqua Security: How to Set Up Runtime Protection Against Malware Like Kaiji
Questions worth separating out
Q: How should teams stop malware that hides itself after initial execution?
A: Teams should combine runtime monitoring with enforcement that can block suspicious execution paths, unexpected persistence entries, and drift from the approved workload state.
Q: Why do containerised workloads need drift prevention for malware defense?
A: Containerised workloads need drift prevention because a workload can be approved at build time (image scanned and admitted) and still execute, at runtime, binaries and startup entries that were never part of that image; drift prevention blocks or flags anything that departs from the approved image state.
Q: What do security teams get wrong about persistence in Linux malware cases?
A: They often focus on removing visible processes and overlook the restart mechanism that restores the malware later.
Practitioner guidance
- Block fileless execution at runtime. Move from a detection-only posture to policy enforcement for execution paths that never write clear artefacts to disk (for example, code run from memory-backed or tmpfs-resident files rather than from the image), especially on shared Linux workloads and exposed container nodes.
- Treat startup persistence as an active indicator. Alert on unexpected startup entries, scheduled tasks, and service registrations that can relaunch a payload after reboot, then validate whether the process tree of what they launch matches the approved workload.
- Use drift prevention to compare approved and observed state. Compare the running workload against its expected baseline and investigate any mismatch in binaries, startup behaviour, or command visibility as a potential compromise path.
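To make the three bullets concrete, here is an added example that is not part of Aqua's post or product: a small checker that applies the same three rules (fileless execution markers, drift from a build-time binary baseline, and startup entries the baseline never declared) to constructed sensor events. The event shape, paths, and hashes are assumptions invented for the illustration; a real sensor would supply the executable path and image hash per exec, and the baseline would be generated from the approved image at build time.

```python
# Added illustration, not Aqua Security's code. The ExecEvent shape, the
# baseline, and every path and hash below are constructed assumptions.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ExecEvent:
    pid: int
    ppid: int
    exe: str       # resolved image path, as /proc/<pid>/exe would report it
    cmdline: str
    sha256: str    # hash of the executed image as the sensor observed it


@dataclass
class Baseline:
    approved_exes: dict        # path -> sha256 recorded from the image at build time
    approved_persistence: set  # cron/service/startup entries the image is expected to ship
    entrypoint: str            # image path the approved PID 1 must run


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Paths that mean "this code never sat on disk as a normal image file".
FILELESS_MARKERS = ("/memfd:", "/dev/shm/", "/proc/self/fd/")


def classify_exec(ev: ExecEvent, base: Baseline) -> str:
    """Return 'fileless', 'drift', or 'ok' for a single exec event."""
    if ev.exe.startswith(FILELESS_MARKERS) or ev.exe.endswith(" (deleted)"):
        return "fileless"
    expected = base.approved_exes.get(ev.exe)
    if expected is None or expected != ev.sha256:
        return "drift"          # unknown binary, or a known path with tampered content
    return "ok"


def unexpected_persistence(observed: set, base: Baseline) -> set:
    """Startup entries present on the workload that the baseline never declared."""
    return observed - base.approved_persistence


def process_tree_matches(events, base: Baseline, pid: int) -> bool:
    """Walk ppid links up to PID 1; every ancestor must be an approved exec."""
    by_pid = {e.pid: e for e in events}
    while pid in by_pid:
        ev = by_pid[pid]
        if classify_exec(ev, base) != "ok":
            return False
        if ev.pid == 1:
            return ev.exe == base.entrypoint
        pid = ev.ppid
    return False                # chain broke before reaching the entrypoint


def run_checks(events, observed_persistence: set, base: Baseline) -> dict:
    """Aggregate findings by rule; in enforce mode 'fileless'/'drift' would be blocked."""
    findings = {
        "fileless": [], "drift": [], "untrusted_tree": [],
        "persistence": sorted(unexpected_persistence(observed_persistence, base)),
    }
    for ev in events:
        verdict = classify_exec(ev, base)
        if verdict != "ok":
            findings[verdict].append(ev.pid)
        if not process_tree_matches(events, base, ev.pid):
            findings["untrusted_tree"].append(ev.pid)
    return findings


# Constructed baseline and events (assumptions, not captured data).
NGINX_HASH = sha256_hex(b"constructed nginx image bytes")
SH_HASH = sha256_hex(b"constructed sh image bytes")
BASELINE = Baseline(
    approved_exes={"/usr/sbin/nginx": NGINX_HASH, "/bin/sh": SH_HASH},
    approved_persistence={"/etc/cron.d/logrotate"},
    entrypoint="/usr/sbin/nginx",
)
EVENTS = [
    ExecEvent(1, 0, "/usr/sbin/nginx", "nginx -g 'daemon off;'", NGINX_HASH),
    ExecEvent(42, 1, "/bin/sh", "sh -c 'curl ... | sh'", SH_HASH),
    ExecEvent(43, 42, "/tmp/.x/payload", "/tmp/.x/payload", sha256_hex(b"dropped binary")),
    ExecEvent(44, 43, "/memfd:a (deleted)", "[kworker]", sha256_hex(b"in-memory stage")),
    ExecEvent(45, 1, "/bin/sh", "sh", "deadbeef"),   # approved path, tampered content
]
OBSERVED_PERSISTENCE = {
    "/etc/cron.d/logrotate",
    "/etc/systemd/system/update.service",
    "/etc/rc.local",
}

if __name__ == "__main__":
    print(run_checks(EVENTS, OBSERVED_PERSISTENCE, BASELINE))
```

Note that pid 45 is flagged as drift even though `/bin/sh` is an approved path: the baseline pins content, not just names, which is what catches a replaced binary that a path-only allow-list would wave through. The `untrusted_tree` result also shows why the second bullet asks for process-tree validation: once one ancestor is off-baseline, every descendant is suspect regardless of what it executes.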
What's in the full article
Aqua Security's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step runtime policy setup in the Aqua console for workload protection
- Specific control selections for blocking fileless execution and drift prevention
- Audit versus enforce mode guidance for runtime policy enforcement decisions
- Support-portal remediation references for teams that want implementation detail
👉 Read Aqua Security's guidance on runtime protection against Kaiji malware →
Kaiji malware persistence in containers: are your runtime controls ready?