I am serious concerned hence I am writing.
Previously 2 year ago I found that scammers intruding in my house when I am out and on my ubuntu I found a hidden rootkit when I deleted php binary. Otherwise that spyware was so concealed that was not visible in process tree and netstat. Specifically because spyware was not using http/ ftp etc but was using https/443 port to a legit looking messanger app. But earlier the messanger app was not visible anywhere in process tree.
So now come to qubes OS. 2 days ago I decided to create a app(beacon_hunter) on openbsd Sys-net to detect critically probable beacon/heartbeat most probably generated by a rootkit or malware. I saw lots of highly malware probable outgoing beacon on port 443. but all ip addresses are belongs to legit big online company.
Initially I agnored these beacons. Bit because of earlier experience I was still suspected. My infrastructure is below:
router >> openbsd router >(usb2ethernet Cable)> Qubes OS laptop.
Today I unplugged router cable from openbsd router and above app(beacon_hunter) was running on openbsd router. After 1 hour i was surprised to see still I can see those beacon packets continuously raining through (usb2ethernet Cable).
To investigate further i swiched off opebsd sys-net on Qubes OS. Now I should not see any packets on openbsd router from qubes OS because the sys-net that have access to hardware ethernet on qubes OS laptop was switched off.
But I was still seeing those beacons on openbsd router from qubes OS I watched for several hours. even after I disconnected router cable from openbsd router.
Are these legit looking beacons sign of Intel ME/ bios level spyware. possibly later that spyware hacked the xen hypervisor or dom0 and installed another spyware on ssd. That new spyware is sending those beacons to big_cloud_enterprise:port 443 to stay stealthy.