AI-Automated Threat Hunting Brings GhostPenguin Out of the Shadows
Dec. 21, 2025, 6:49 p.m.
Description
GhostPenguin is a previously undocumented Linux backdoor surfaced through AI-assisted threat hunting. The malware is a multi-threaded C++ implant that gives an operator remote shell access plus file and directory operations over an encrypted UDP channel. It performs a structured handshake with its server and runs separate, synchronized threads for registration, heartbeat signaling, and command delivery. The hunt started from Linux samples on VirusTotal that had zero detections at the time of analysis: artifacts were extracted from each sample, an AI model profiled them automatically, and custom YARA rules and queries built from that profiling surfaced this evasive family. Debug artifacts left in the binary indicate that GhostPenguin is still under active development.
Tags
Date
- Created: Dec. 8, 2025, 4:35 p.m.
- Published: Dec. 8, 2025, 4:35 p.m.
- Modified: Dec. 21, 2025, 6:49 p.m.
Indicators
- 7b75ce1d60d3c38d7eb63627e4d3a8c7e6a0f8f65c70d0b0cc4756aab98e9ab7
- http://www.iytest.com:5679
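Added hunting example, not part of the original report: the indicators above give a sample hash and a C2 endpoint. The endpoint is written as an HTTP URL while the channel described is UDP, so the host and port are the usable parts of that indicator, not the scheme. The script below hashes a file against the published SHA-256, pulls host and port out of the indicator, and looks for the periodic UDP heartbeat the description mentions by flagging low-jitter beacon intervals in flow records. The flow-log format and every flow record are constructed for this example, and the beacon thresholds (coefficient of variation at most 0.2, at least 4 events) are assumed tunings rather than values from the report.

```python
"""Hunting helpers for the GhostPenguin indicators (added example, not from the report)."""
import hashlib
import statistics
from collections import defaultdict
from urllib.parse import urlparse

# Indicators as published above.
IOC_SHA256 = "7b75ce1d60d3c38d7eb63627e4d3a8c7e6a0f8f65c70d0b0cc4756aab98e9ab7"
IOC_C2 = "http://www.iytest.com:5679"


def c2_host_port(ioc_url: str):
    """Extract (host, port) from the C2 indicator; the http:// scheme is ignored
    because the described channel is UDP, so only host and port are hunted on."""
    parsed = urlparse(ioc_url)
    return parsed.hostname, parsed.port


def file_matches_ioc(data: bytes) -> bool:
    """True if the SHA-256 of the given file bytes equals the published sample hash."""
    return hashlib.sha256(data).hexdigest() == IOC_SHA256.lower()


# Constructed flow log for this example: "<epoch> <src> <dst_host> <dst_port> <proto>".
# 10.0.0.5 heartbeats to the C2 host/port about once a minute; the rest is noise.
SAMPLE_FLOWS = """\
1700000000 10.0.0.5 www.iytest.com 5679 udp
1700000060 10.0.0.5 www.iytest.com 5679 udp
1700000121 10.0.0.5 www.iytest.com 5679 udp
1700000180 10.0.0.5 www.iytest.com 5679 udp
1700000241 10.0.0.5 www.iytest.com 5679 udp
1700000010 10.0.0.7 updates.example.net 443 tcp
1700000300 10.0.0.7 updates.example.net 443 tcp
1700000900 10.0.0.7 updates.example.net 443 tcp
1700000005 10.0.0.9 203.0.113.8 9999 udp
1700000007 10.0.0.9 203.0.113.8 9999 udp
1700000090 10.0.0.9 203.0.113.8 9999 udp
"""


def parse_flows(text: str):
    """Parse the constructed flow format into (ts, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((int(ts), src, dst, int(dport), proto.lower()))
    return flows


def hunt_c2_flows(flows, host: str, port: int):
    """Flows to the C2 host and port, regardless of protocol."""
    return [f for f in flows if f[2] == host and f[3] == port]


def find_beacons(flows, min_events: int = 4, max_cv: float = 0.2):
    """Flag UDP (src, dst, dport) groups whose inter-arrival times are regular enough
    to look like a heartbeat. Returns {key: mean_interval_seconds}. Thresholds are assumed."""
    groups = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "udp":
            groups[(src, dst, dport)].append(ts)
    beacons = {}
    for key, times in groups.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        # Coefficient of variation: low values mean near-constant spacing.
        if statistics.pstdev(gaps) / mean <= max_cv:
            beacons[key] = mean
    return beacons


if __name__ == "__main__":
    host, port = c2_host_port(IOC_C2)
    flows = parse_flows(SAMPLE_FLOWS)
    print("C2 flows:", hunt_c2_flows(flows, host, port))
    print("Beacon candidates:", find_beacons(flows))
```

Running the script on real data means replacing SAMPLE_FLOWS with exported NetFlow or Zeek conn records and calling file_matches_ioc on suspect binaries; the hash check only catches this exact sample, while the beacon heuristic is what generalizes to other builds of a UDP-heartbeat implant and should be tuned against a baseline of benign UDP traffic (NTP and DNS clients also beacon regularly).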