Harmless malware for training: macOS/Linux edition

Simulated malware behaviour, detection practice, and how to build it.

This fake malware shell script simulates shady behaviour often detected by security tools on Unix-based systems. It’s safe for learning and won’t damage your system—provided it’s used in a virtual test machine or container.

Warning: Use in test environments only. Never on production systems.

What it simulates

  • Creates a directory in a temp location

  • Writes files with fake data

  • Executes a suspicious curl command

  • Reads pseudo-sensitive files (like /etc/passwd)

  • Leaves log entries for detection

Tools you’ll need

  • Linux/macOS VM or test box

  • Terminal access

  • curl installed (default on most systems)

How to build and run it

  1. Open a terminal

  2. Use a text editor to create a script:

     nano fake-malware.sh

  3. Paste the following shell script:

     #!/bin/bash

     # FAKE MALWARE FOR TRAINING (Linux/macOS)

     # Create suspicious directory
     mkdir -p /tmp/fakeattack
     cd /tmp/fakeattack || exit

     # Simulated data exfiltration
     echo "FAKE sensitive information" > leaked_data.txt

     # Simulated network call
     curl http://example.com/fakeendpoint -o netlog.txt

     # Access pseudo-sensitive file
     cat /etc/passwd >> accesslog.txt 2>/dev/null

     # Leave obvious log
     echo "[SIMULATED MALWARE] This script watches everything... or pretends to." >> audit.log

  4. Make it executable:

     chmod +x fake-malware.sh

  5. Run the script:

     ./fake-malware.sh

Detection practice

  • Review logs in /tmp/fakeattack for evidence of activity

  • Monitor /var/log/syslog and auditd logs (Linux), the unified log via `log show` (macOS), or endpoint telemetry

  • Use ps, lsof, or strace (Linux; dtruss on macOS) to inspect the script at runtime

  • Create detection rules for outbound curl calls or /etc/passwd reads

  • Simulate alerting in tools like:

    • Wazuh

    • OSSEC

    • ELK stack (Filebeat + Logstash + Kibana)
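The first two detection-practice bullets can be turned into a small, repeatable check. The helper below is an added example, not part of the original page: it looks for the artifacts fake-malware.sh leaves in /tmp/fakeattack (the four files, the "[SIMULATED MALWARE]" marker appended to audit.log, and the copy of /etc/passwd in accesslog.txt) and reports each one it finds. The function names, the report format and the constructed test directory are this example's own choices; the paths and marker string are taken from the script above.

```bash
#!/bin/bash
# Added example (not the original page's code): detection helper for the
# training script's artifacts. Usage: scan_fakeattack [DIR]; DIR defaults
# to /tmp/fakeattack, which is where fake-malware.sh writes.

# scan_fakeattack DIR
# Prints one "indicator: ..." line per artifact found. Returns 0 when at
# least one indicator is present, 1 when the directory is clean or absent.
scan_fakeattack() {
    dir="${1:-/tmp/fakeattack}"
    found=0

    if [ ! -d "$dir" ]; then
        echo "no artifact directory at $dir"
        return 1
    fi

    # Each file the training script writes is an indicator on its own.
    for f in leaked_data.txt netlog.txt accesslog.txt audit.log; do
        if [ -f "$dir/$f" ]; then
            size=$(wc -c < "$dir/$f" | tr -d ' ')
            echo "indicator: file $dir/$f ($size bytes)"
            found=1
        fi
    done

    # The script appends a fixed marker string to audit.log.
    if [ -f "$dir/audit.log" ] && grep -q '\[SIMULATED MALWARE\]' "$dir/audit.log"; then
        echo "indicator: marker string in $dir/audit.log"
        found=1
    fi

    # accesslog.txt receives a copy of /etc/passwd; its first entry names root.
    if [ -f "$dir/accesslog.txt" ] && grep -q '^root:' "$dir/accesslog.txt"; then
        echo "indicator: /etc/passwd contents copied into $dir/accesslog.txt"
        found=1
    fi

    if [ "$found" -eq 1 ]; then
        return 0
    fi
    echo "no indicators in $dir"
    return 1
}

# count_fakeattack_indicators DIR
# Prints the number of indicator lines scan_fakeattack reports (0 when clean).
count_fakeattack_indicators() {
    scan_fakeattack "$1" | grep -c '^indicator:' || true
}

# Stand-alone use: scan the default location and exit with its status.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    scan_fakeattack "$@"
fi
```

Run it on the test box after fake-malware.sh has executed, then again after clean-up (`rm -rf /tmp/fakeattack`) to show participants the "no artifact directory" result. Because the check keys on the exact paths and marker the script uses, it is a file-artifact check only; the outbound curl call still needs the host or network telemetry named in the list above.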

Facilitator notes

  • Always run these exercises in virtual machines or isolated lab environments.

  • Don’t simulate malware using real user data or on production networks.

  • Be transparent: this is not a trick, it’s a controlled experience.

  • Let participants feel the tension of detection—then show the relief of clean-up.

Training with fake malware builds muscle memory. Participants learn what to watch for, how to respond, and how to stay calm under pressure. It also reduces the fear factor around real incidents.

Knowledge is power. Even if the malware is fake, the skills it builds are very real.

You’re not hacking—you’re rehearsing. That’s what good defence looks like.

Last update: 2025-06-11 07:09