Suspicious presence of a Java thread dump tool detected as “EquationGroup Toolset” in *-demo-debug packages in the 8.10 repo

Hello,

By analyzing several AlmaLinux *-demo-debug packages, including:

  • java-1.8.0-openjdk-demo-slowdebug-1.8.0.462.b08-2.el8.x86_64.rpm
  • java-1.8.0-openjdk-demo-fastdebug-1.8.0.462.b08-2.el8.x86_64.rpm

…I noticed that extracting these files triggered an alert via a YARA rule named EquationGroup_Toolset_Apr17_FullThreadDump, which I’ve attached.

This rule comes from Florian Roth’s signature-base and is designed to detect components potentially related to the Equation Group’s (NSA) internal debugging tools, made public during the Shadow Brokers leak in 2017.

The detected files contain the following Java classes:

  • FullThreadDump.class
  • ThreadMonitor.class
  • Deadlock$DeadlockThread.class

The decompiled code appears to show that this is a classic JMX debugging tool, designed to perform a remote threadDump() via RMI/JMX, which is common in demo tools. This could therefore be a false positive due to an overly broad signature.

However, given the sensitivity of the terms used in the rule and the exact match with the filenames reported in APT toolsets, I prefer to:

  • Check whether these classes are intentional and legitimate in these .rpm files.
  • Confirm that the content comes from OpenJDK without any undocumented modifications or additions.
  • Possibly clarify this publicly to reassure users who scan packages with YARA tools.

Thank you in advance for your feedback.

Sincerely,

Bread

Subject: Recommendation to Report Upstream to Red Hat

Hello,

This issue should be reported to Red Hat, not AlmaLinux.

The java-1.8.0-openjdk-demo-{fastdebug,slowdebug} packages are rebuilt by AlmaLinux from Red Hat Enterprise Linux (RHEL) sources without any modifications.
As such, the presence and legitimacy of classes like FullThreadDump.class fall under the responsibility of Red Hat as the upstream provider.

Additionally, any clarification regarding whether the YARA rule detection is a false positive or stems from the OpenJDK source code should be addressed by Red Hat, as they maintain the original build process and source packages. Their input would be the most authoritative and reliable in this matter.

We therefore recommend that you report this issue directly to Red Hat via Bugzilla or by contacting them at security@redhat.com, providing all relevant details for proper assessment.

Best regards,
Akiyoshi Kurita (redadmin)

Thank you for your feedback.

I will contact Red Hat to verify that this is indeed their action.
I decompiled the code, and it’s not malicious, but it allows:

  • Remote access to JVMs
  • A complete thread dump
  • Deadlock detection

No extraction logic was observed, but perhaps a second JAR allows this. Trust doesn’t preclude verification, even if there’s a very strong chance this is a false positive. :smiley:

Sincerely,

Bread
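The two posts above (the first reporter's wish to confirm the classes carry no undocumented additions, and the follow-up that found no extraction logic in the decompiled code) both come down to the same triage question: which APIs does a flagged .class file actually reference? The script below is an added example for this thread, not code from AlmaLinux, Red Hat, OpenJDK or signature-base. It parses only the constant pool of a class file (the JVM specification's CONSTANT_* tags), lists every Utf8 string, and sorts them into APIs a JMX thread-dump demo would legitimately use versus APIs such a tool has no reason to touch. The `EXPECTED` and `UNEXPECTED` indicator lists, the function names, and the sample class bytes built by `build_sample_class` are all assumptions constructed for the example; a real review would run `scan_class_file` over the classes extracted from the RPM and compare the result with the demo's upstream source.

```python
"""Triage a Java .class file by listing its constant-pool strings and flagging
which referenced APIs are expected for a JMX thread-dump tool and which are not.
Added illustration for this thread; the indicator lists and the sample class
bytes are constructed here and are not from the packages or rule discussed."""
import struct
from pathlib import Path

# Payload size in bytes for each fixed-size constant-pool tag (JVM spec 4.4).
# Tag 1 (CONSTANT_Utf8) is variable-length and handled separately; tags 5 and 6
# (Long/Double) also occupy two pool slots.
_FIXED_SIZE = {
    3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
    15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2,
}

# Assumed indicator lists (constructed for this example). EXPECTED covers the
# java.lang.management / JMX surface a thread-dump demo would legitimately use;
# UNEXPECTED covers APIs such a tool has no reason to touch and that would
# justify a closer look (network I/O, process execution, file writes, encoding).
EXPECTED = (
    "javax/management", "java/lang/management", "service:jmx:rmi",
    "ThreadMXBean", "ThreadInfo", "dumpAllThreads", "findDeadlockedThreads",
)
UNEXPECTED = (
    "java/net/Socket", "java/net/HttpURLConnection", "java/lang/Runtime",
    "java/lang/ProcessBuilder", "java/io/FileOutputStream", "java/util/zip",
    "java/util/Base64",
)


def constant_pool_strings(data: bytes) -> list[str]:
    """Return every CONSTANT_Utf8 entry of a class file, in pool order."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file (bad magic)")
    (count,) = struct.unpack_from(">H", data, 8)  # constant_pool_count
    pos, idx, strings = 10, 1, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            # Java stores modified UTF-8; plain decoding is fine for ASCII names.
            strings.append(data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in _FIXED_SIZE:
            pos += _FIXED_SIZE[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag} at offset {pos - 1}")
        idx += 2 if tag in (5, 6) else 1
    return strings


def triage(strings: list[str]) -> dict[str, list[str]]:
    """Split pool strings into expected-for-a-thread-dump-tool and unexpected."""
    return {
        "expected": sorted({s for s in strings if any(m in s for m in EXPECTED)}),
        "unexpected": sorted({s for s in strings if any(m in s for m in UNEXPECTED)}),
    }


def scan_class_file(path: str) -> dict[str, list[str]]:
    """Triage one .class file on disk (e.g. extracted from the demo RPM)."""
    return triage(constant_pool_strings(Path(path).read_bytes()))


def build_sample_class(strings: list[str]) -> bytes:
    """Construct a class-file prefix (header + constant pool) for offline tests.
    Only the part this parser reads is built; a real class file continues with
    access flags, fields, methods and attributes."""
    entries = b"".join(b"\x01" + struct.pack(">H", len(s.encode())) + s.encode()
                       for s in strings)
    entries += b"\x07" + struct.pack(">H", 1)    # CONSTANT_Class -> pool #1
    entries += b"\x05" + struct.pack(">q", 42)   # CONSTANT_Long, two slots
    slots = len(strings) + 1 + 2
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, slots + 1)  # Java 8 = major 52
    return header + entries


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, scan_class_file(p))
```

Usage: extract the package with `rpm2cpio ... | cpio -idmv`, then run the script over the three flagged classes; a result whose `unexpected` list is empty and whose `expected` list contains the ThreadMXBean and dump calls is consistent with the demo as described, while any sockets, process execution or file writes in `unexpected` would be the "second JAR" concern worth chasing. Reading the constant pool rather than decompiling keeps the check independent of any decompiler, and the same listing makes it easy to confirm the strings the YARA rule keys on are ordinary API names rather than something specific to a leaked toolset.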