A new security analysis has unveiled “LOLPROX,” a comprehensive catalog of “Living Off The Land” (LOL) techniques specifically targeting Proxmox Virtual Environment (VE).
The research, detailed by security researcher Andy Gill (ZephrSec), highlights how threat actors can weaponize the popular open-source hypervisor’s native tools to execute stealthy, deep-persistence attacks that bypass traditional network monitoring and endpoint detection systems.
This architecture creates a dual-threat landscape: attackers can leverage standard Linux privilege escalation techniques alongside specialized hypervisor utilities.
The LOLPROX methodology demonstrates that once a threat actor compromises a Proxmox host, they can leverage built-in binaries such as qm (QEMU/KVM manager), pct (LXC container manager), and pvesh (Proxmox API tool) to pivot into guest VMs without generating typical network traffic.
LOLPROX Uncovers Hidden Vulnerabilities
One of the most alarming vectors detailed in the analysis is the abuse of vsock (virtual socket) operations.
Clustered environments mean your access potentially extends to multiple physical hosts, and the cluster filesystem means configuration changes propagate automatically.
Vsock provides a communication channel between the hypervisor and guest VMs that completely bypasses the TCP/IP stack.
Because this traffic travels over a virtual PCI device rather than the network interface, it remains invisible to firewalls, intrusion detection systems (IDS), and standard NetFlow logging.
An attacker with root access to the hypervisor can establish a Command and Control (C2) channel directly into a VM, effectively “reaching into” network-isolated environments without leaving a digital footprint on the wire.
The research also emphasizes the critical risk posed by the QEMU Guest Agent. When enabled, this agent allows the hypervisor to execute arbitrary commands inside the guest VM (e.g., via qm guest exec).
This capability will enable attackers to run commands as SYSTEM (Windows) or root (Linux) inside the guest without authentication, network connectivity, or creating standard login events.
The LOLPROX research notes that these actions are often only logged in local task logs (/var/log/pve/tasks/), which can be easily cleared by savvy intruders.
Beyond execution, the report outlines sophisticated data exfiltration methods involving snapshots and backups.
Mitigations
Attackers can create VM snapshots that include memory states (–vmstate), effectively generating a full memory dump that can be analyzed offline to extract encryption keys and credentials.
Proxmox VE differs from proprietary hypervisors like ESXi by running a full Debian Linux distribution underneath its virtualization management tools.
Similarly, the hypervisor’s native backup tools can be used to export full disk images for offline mounting and analysis, allowing threat actors to harvest sensitive data like the NTDS.dit or shadow files without interacting with the running VM.
For persistence, the analysis warns of kernel-level threats. Attackers can load malicious kernel modules or abuse eBPF (Extended Berkeley Packet Filter) to intercept I/O requests at the block layer.
This allows for the interception of data as it is written to disk, enabling ransomware encryption or data theft that is transparent to the guest operating system.
Security experts advise that defending against LOLPROX requires shifting focus from purely network-based monitoring to rigorous host-based logging.
Defenders are urged to monitor Proxmox task logs for anomalous usage of qm and pct commands, audit kernel modules, and validate the integrity of QEMU binaries to detect unauthorized modifications.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.