Introduction

bedevil (bdvl), according to its GitHub page, is an LD_PRELOAD rootkit, which means it runs entirely in userland. The group Muddled Libra used bedevil to target VMware vCenter servers, according to Palo Alto's Unit 42 blog, 2024. The rootkit comes with a nifty feature called Dynamic Linker Patching: upon installation, the rootkit will patch the dynamic linker libraries. Before anything else, the rootkit will search for a valid ld.so on the system to patch.
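A defender can turn Dynamic Linker Patching into an integrity check. The following is an added example, not code from the bedevil project or the Unit 42 report: it assumes the patch replaces the default preload path that an unmodified glibc loader embeds (`/etc/ld.so.preload`), and the directory list and function names are illustrative.

```python
import glob
import os

# Literal path an unmodified glibc loader embeds (NUL-terminated string).
DEFAULT_PRELOAD = b"/etc/ld.so.preload\x00"
# Assumed loader locations; extend for the distribution being examined.
LIB_DIRS = ["lib", "lib64", "lib32", "usr/lib", "usr/lib64",
            "lib/*-linux-gnu*", "usr/lib/*-linux-gnu*"]
NAME_PATTERNS = ["ld-linux*.so*", "ld-2.*.so"]


def classify_loader(data: bytes) -> str:
    """Classify the raw bytes of a candidate glibc dynamic loader."""
    if data[:4] != b"\x7fELF":
        return "not-elf"
    if DEFAULT_PRELOAD in data:
        return "ok"
    # Assumption: a patched loader no longer carries the default path.
    return "preload-path-missing"


def find_loaders(root: str = "/") -> list:
    """Return regular loader files under root (e.g. a mounted disk image)."""
    seen, found = set(), []
    for lib_dir in LIB_DIRS:
        for name in NAME_PATTERNS:
            for path in sorted(glob.glob(os.path.join(root, lib_dir, name))):
                if not os.path.isfile(path) or os.path.islink(path):
                    continue
                st = os.stat(path)
                if (st.st_dev, st.st_ino) not in seen:  # /lib -> /usr/lib
                    seen.add((st.st_dev, st.st_ino))
                    found.append(path)
    return found


def scan(root: str = "/") -> dict:
    """Map each loader path under root to its classification."""
    results = {}
    for path in find_loaders(root):
        with open(path, "rb") as fh:
            results[path] = classify_loader(fh.read())
    return results


if __name__ == "__main__":
    import sys
    for path, status in scan(sys.argv[1] if len(sys.argv) > 1 else "/").items():
        print(f"{status:22} {path}")
```

Run it against a mounted disk image or from a trusted boot environment, because an LD_PRELOAD rootkit hooks the libc calls that tools on the live host rely on. A `preload-path-missing` result is a lead to confirm against the distribution package's checksum, not proof of compromise.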