Hector Martin

“Trivial” heh. See earlier posts about flash controllers. This is how advanced malware spreads. IT guy takes his favourite memory stick with his OS install and puts it a compromised machine to reinstall. Instead now it becomes the way every new computer in the company gets owned.

So... use something else? Dump the filesystem over the network? XMODEM it out the serial port? There are endless ways to gather evidence safely; it's nigh impossible to "cover everything" for the malware. No implant, no matter how sophisticated, magically counters everything.

If there are as many indicators of compromise as you claim (and it's not just you misinterpreting totally normal stuff), then the malware is shoddy and clearly not designed for stealth. So show us some of them.

FWIW: if I were a three-letter agency designing a Raspberry Pi implant, it would live in the VideoCore firmware blob that rules the system from the shadows and be completely invisible to Linux. And I wouldn't be leaving behind "systemd slices that sandbox users".

and yet paradoxically, this attacker seems to have dispensed with stealth altogether here. I have so many IOCs it’s not funny, so I get the impression this is more about stopping extraction of the samples I do have.

If you have so many IOCs, why not show them to us? You might get some people excited and less likely to call BS on you. Take a video of what you see that isn't normal. Even the most advanced NSA implant can't plug the analog hole.