Qubes indicators of compromise

Hi All,

Just wanted to post a quick update after being a Qubes OS user for over a year now. I am an engineer, very technically competent, but not a software specialist. I was hacked two years ago, and after that became obsessed with cybersecurity. So I have about 2 years of intense studying (reading many textbooks, online training courses in pen testing, experimenting on my home network, etc.). After a year or so of struggling (and failing) to secure my devices, I gave up on conventional approaches and dove into Qubes as a daily driver to see if it would improve my situation. Here are some things I have learned along the way:

Qubes appears to be far more secure than anything else I’ve tried, but it can still be hacked. It’s not obvious to me how a non-software-specialist will be able to perform the necessary hardening required to stop intruders, even with extended intense studying and a technical background.

I have seen clear indicators of compromise twice where I am certain beyond a reasonable doubt I was hacked on Qubes. The first time, I was trying to use a regular desktop PC (with USB keyboard and mouse). I saw file structure changes occurring in real time, the mouse moving on its own, and network connectivity at UEFI with auto-updates turned off and wake on LAN disabled. Ultimately, I discovered that my Gigabyte firmware had a poorly designed backdoor and was likely downloading malware directly from the UEFI, LOL… I tried upgrading to a Librem 14 to see if that would slow it down. Switching to more secure hardware seemed to dramatically slow down my attackers. But still I have seen conclusive evidence of being compromised and have had to reinstall Qubes multiple times (which thankfully appeared to fix it each time). One recent example: I started getting http-only warnings when accessing some websites. I did a little poking around and saw that someone appeared to have installed 1GB of malware on my sys-net. What really disturbed me regarding Qubes security was that a bunch of suspicious VM and dom0 updates occurred. I tried restarting the “disposable” VMs, but it didn’t work, because the update system was compromised. So I had to wipe my Qubes installation again. When I reinstalled, I could clearly see many of the updates were indeed fake because they didn’t come back on the new install. In the fake restarted disposable VMs the disk storage space showed as mysteriously being 0.0MiB. Now, after the wipe, they are back to the normal 100-200MiB range. I’m not sure if I should post this, since it will probably give my attackers good feedback on how to get me better next time, but I would also like to share it with the Qubes community, since they may be able to discover how this is happening and stop it.

Stay safe out there folks.

1 Like

Did you keep some proofs or traces of what happened?

If it happens ever again, you could freeze sys-net using the “Emergency pause” feature on the Qube systray icon, and see if it continues.

3 Likes

Hi alatour,

Congratulations on becoming a cybersecurity expert. We would love to hear how you investigated and determined that the 1GB of file or files you found was malware. Please tell us.

3 Likes

Make a copy of your hard drive, preferably with some type of write blocker.

Use a network tap to produce PCAPs of what data is being exfiltrated and to where. This will help others take your case more seriously.

Then, take your computer and remove any FDE password you have on it. Delete any personal info you’d rather not have any examiner have access to. Contact Citizen Lab to see if they are interested in your case.

2 Likes

Thanks deceiver. This is the type of comment I was hoping for… Helpful information! Much appreciated. Cheers

We have a category for this kind of discussion. Moved the thread there.