Tag: rootkit

22 Attack Reports | 0 Vulnerabilities

Attack reports

Illuminating VoidLink: Technical analysis of the VoidLink rootkit framework

Elastic Security Labs analyzes VoidLink, a sophisticated Linux malware framework combining Loadable Kernel Modules (LKMs) and eBPF for persistence. The rootkit, developed by a Chinese-speaking threat actor, evolved through four generations, targeting kernels from CentOS 7 to Ubuntu 22.04. VoidLink …
rootkit
stealth
ai-assisted
voidlink
2026-03-26
lkm
Published: March 26, 2026
Downloadable IOCs: 2

VoidLink threat analysis: C2-compiled kernel rootkits discovered

The Sysdig Threat Research Team analyzed VoidLink, a sophisticated Linux malware framework targeting cloud environments. Key findings include the first documented Serverside Rootkit Compilation, Chinese development with AI assistance, adaptive detection evasion, and use of the Zig programming langu…
linux
rootkit
evasion
cloud
c2
containers
stealth
kernel
voidlink
2026-01-19
ebpf
zig
Published: January 19, 2026
Downloadable IOCs: 9

The Cloud-Native Malware Framework

VoidLink is an advanced malware framework designed for Linux systems, focusing on cloud and container environments. It includes custom loaders, implants, rootkits, and modular plugins for long-term access. The framework employs a flexible architecture with a Plugin API inspired by Cobalt Strike. Vo…
malware
linux
rootkit
plugins
stealth
cloud-native
2026-01-13
chinese-affiliated
framework
voidlink
Published: January 13, 2026
Downloadable IOCs: 3

The HoneyMyte APT now protects malware with a kernel-mode rootkit

In mid-2025, a malicious driver file was discovered on Asian computer systems, signed with a compromised digital certificate. This driver injects a backdoor Trojan and protects malicious files, processes, and registry keys. The final payload is a new variant of the ToneShell backdoor, associated wi…
apt
rootkit
plugx
toneshell
evasion techniques
2025-12-29
tonedisk
Published: December 29, 2025
Downloadable IOCs: 0

IIS servers owned by RudePanda like it's 2003

A new malicious IIS module called 'HijackServer' has been detected compromising IIS servers by exploiting exposed ASP .NET machine keys. The attackers use a customized rootkit and ready-made tools to gain persistent access. While primarily aimed at search engine optimization for cryptocurrency scam…
rootkit
cryptocurrency
iis
seo
2025-10-22
remote command execution
wingtbcli
hijackserver
asp .net
hijackdrivermanager
Published: October 22, 2025
Downloadable IOCs: 36

FlipSwitch: a Novel Syscall Hooking Technique

FlipSwitch introduces a new syscall hooking technique for Linux kernel 6.9+, bypassing traditional methods rendered obsolete by changes in the syscall dispatch mechanism. The technique locates the original syscall function, scans the x64_sys_call function's machine code for a specific call instruct…
rootkit
yara
syscall hooking
2025-09-30
linux kernel
kernel security
flipswitch
x86-64
Published: September 30, 2025
Downloadable IOCs: 1

DeerStealer Malware Campaign: Stealth, Persistence, and Rootkit-Like Capabilities

DeerStealer is a sophisticated information-stealing malware that targets a wide range of user and system data. It employs deception techniques, persistence mechanisms, and rootkit-like capabilities to evade detection and maintain stealth on compromised systems. The malware uses signed executables, …
rootkit
persistence
information-stealing
deerstealer
data-exfiltration
stealth
uac-bypass
2025-09-20
multi-stage-execution
xfiles spyware
Published: September 20, 2025
Downloadable IOCs: 0

Inside the Kimsuky Leak: How the 'Kim' Dump Exposed North Korea's Credential Theft Playbook

A data breach attributed to a North Korean-affiliated actor known as "Kim" has provided new insights into Kimsuky (APT43) tactics and infrastructure. The actor's operations focus on credential-based intrusions targeting South Korean and Taiwanese networks, utilizing Chinese-language tools and infra…
phishing
north korea
rootkit
south korea
credential theft
taiwan
ocr
2025-09-08
hybrid attribution
vmmisc.ko
gpki
Published: September 8, 2025
Downloadable IOCs: 11

AI-Generated Malware in Panda Image Hides Persistent Linux Threat

A sophisticated Linux malware campaign called Koske has been discovered, showing signs of AI-assisted development. The threat exploits misconfigured servers to install backdoors and download weaponized JPEG images containing malicious payloads. The malware uses polyglot file abuse to hide shellcode…
linux
rootkit
cryptomining
ai-generated
2025-07-24
koske
polyglot-abuse
Published: July 24, 2025
Downloadable IOCs: 2

Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor

A financially-motivated threat actor, UNC6148, is targeting fully patched end-of-life SonicWall SMA 100 series appliances. They are using stolen credentials and OTP seeds from previous intrusions to regain access. The actor has deployed a new persistent backdoor/user-mode rootkit called OVERSTEP, w…
backdoor
rootkit
credential theft
vpn
data exfiltration
sonicwall
CVE-2025-32819
2025-07-18
overstep
CVE-2021-20038
CVE-2024-38475
CVE-2021-20039
CVE-2021-20035
sma
Published: July 18, 2025
Linked vulnerabilities : CVE-2025-32819 (CVSS 8.8), CVE-2021-20039, CVE-2023-44221, CVE-2021-20035, CVE-2024-38475, CVE-2021-20038
Downloadable IOCs: 4

Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors

An APT group named Earth Kurma is actively targeting government and telecommunications organizations in Southeast Asia, particularly in the Philippines, Vietnam, Thailand, and Malaysia. The campaign, which dates back to November 2020, employs advanced custom malware, rootkits, and cloud storage ser…
apt
rootkit
data exfiltration
2025-05-01
tesdat
simpoboxspy
moriya
krnrat
Published: May 1, 2025
Downloadable IOCs: 58

Deep Dive Into a Linux Rootkit Malware

This analysis examines a Linux rootkit malware deployed by remote attackers on a compromised CentOS system. The malware consists of a kernel module (sysinitd.ko) and a user-space binary (sysinitd). The kernel module hijacks inbound network traffic using a Netfilter hook, creates procfs entries for …
linux
rootkit
persistence
remote access
2025-01-14
netfilter
sysinitd.ko
sysinitd
procfs
kernel module
command execution
Published: January 14, 2025
Downloadable IOCs: 3

Declawing PUMAKIT

PUMAKIT is a sophisticated multi-stage Linux malware consisting of a dropper, memory-resident executables, an LKM rootkit, and a userland rootkit. It employs advanced stealth techniques to hide its presence and maintain C2 communication. The rootkit hooks 18 syscalls and kernel functions using ftra…
rootkit
privilege escalation
2024-12-16
pumakit
kitsune
syscall hooking
Published: December 16, 2024
Downloadable IOCs: 12

Malware Analysis: A Kernel Land Rootkit Loader for FK_Undead

This analysis delves into a Windows rootkit loader for the FK_Undead malware family, known for intercepting user network traffic through proxy manipulation. The loader, signed with a valid Microsoft certificate, installs itself as a system service and employs various evasion techniques. It download…
rootkit
evasion
windows
proxy
kernel
2024-12-11
vmprotect
driver
deaddrop
fk_undead
Published: December 11, 2024
Downloadable IOCs: 20

Unveiling WolfsBane: Linux counterpart to Gelsevirine

ESET researchers have discovered previously unknown Linux backdoors attributed to the China-aligned Gelsemium APT group. The main backdoor, named WolfsBane, is the Linux equivalent of Gelsemium's Gelsevirine backdoor for Windows. Another backdoor, FireWood, is connected to the group's Project Wood …
linux
backdoor
apt
rootkit
persistence
cyberespionage
2024-11-22
wolfsbane
gelsevirine
project wood
firewood
Published: November 22, 2024
Downloadable IOCs: 41

Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA

A zero-day vulnerability exploited by an advanced adversary to gain access to a victim’s network, according to research by FortiGuard Labs and the Centre for Strategic Intelligence (CISA).
rootkit
powershell
lockbit
attack
service
malicious
web shell
2024-10-15
threat actor
zero-day vulnerability
csa appliance
cve20248190
zero
life
Published: October 15, 2024
Downloadable IOCs: 17

From Perfctl to InfoStealer

A new stealthy Linux malware called perfctl has been analyzed. The malware runs two processes: perfctl and a disguised process mimicking known Linux processes. It uses Tor for external communications and local sockets for inter-process communication. After 30 minutes, the attacker drops scripts to …
malware
linux
rootkit
cryptominer
data exfiltration
stealth
perfctl
2024-10-09
trufflehog
Published: October 9, 2024
Downloadable IOCs: 3

perfctl: A Stealthy Malware Targeting Millions of Linux Servers

A sophisticated Linux malware named 'perfctl' has been actively targeting millions of servers worldwide for the past 3-4 years. It exploits over 20,000 types of misconfigurations to compromise Linux systems. The malware employs advanced evasion techniques, including rootkits, process masquerading, …
linux
rootkit
evasion
privilege-escalation
persistence
cryptomining
CVE-2023-33246
2024-10-04
tor
CVE-2021-4043
proxy-jacking
perfctl
Published: October 4, 2024
Linked vulnerabilities : CVE-2023-33246, CVE-2021-4034, CVE-2021-4043
Downloadable IOCs: 9

The Return of Ghost Emperor’s Demodex

This document examines a recent infection chain utilized by the sophisticated China-nexus threat group GhostEmperor. It delves into the multi-stage loading process of the Demodex rootkit, which incorporates several obfuscation techniques and loading schemes. The analysis covers various components, …
rootkit
2024-08-08
demodex
ghost emperor
Published: August 8, 2024
Linked vulnerabilities : CVE-2024-20399
Downloadable IOCs: 3

From Dormant to Dangerous: P2Pinfect Evolves to Deploy New Ransomware and Cryptominer

P2Pinfect is a sophisticated malware that utilizes a peer-to-peer botnet for command and control. Initially appearing dormant, it has evolved to deploy ransomware and cryptominer payloads. The malware spreads via exploiting Redis and limited SSH capabilities. A recent update introduced a new ransom…
ransomware
rootkit
worm
cryptominer
2024-06-27
p2pinfect
rsagen
Published: June 27, 2024
Downloadable IOCs: 15

Uncovering Espionage Operations

This comprehensive analysis delves into the intricate tactics employed by a suspected China-nexus cyber espionage actor, UNC3886. The report unveils the group's sophisticated exploitation of zero-day vulnerabilities and their deployment of rootkits like REPTILE and MEDUSA for persistent system acce…
espionage
rootkit
supply chain
zero-day
2024-06-24
CVE-2022-42475
CVE-2023-20867
CVE-2023-34048
CVE-2022-41328
CVE-2022-22948
virtualsphere
Published: June 24, 2024
Linked vulnerabilities : CVE-2023-20867, CVE-2022-41328, CVE-2022-22948, CVE-2023-34048, CVE-2022-42475
Downloadable IOCs: 39

Guntior - the story of an advanced bootkit that doesn't rely on Windows disk drivers

Amid the rise of bootkits at the time, a dropper was captured in-the-wild and posted on a malware tracker. The malware was called "Guntior", named after the device object its authors had chosen for it (\Device\Guntior). The name also appears in AV detections.
rootkit
windows
2024-05-03
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
explorer
dll path
ntfs
payload dll
ime file
ioctl
ata bus
tdl4
rovnix
mebroot
tidserv
findwindow
mbr
guntior
Published: May 8, 2024
Downloadable IOCs: 6
Click here to see more Attack Reports