Skip to content
  • Blog Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form

LinkPro Rootkit Attacking GNU/Linux Systems Using eBPF Module to Hide Malicious Activities

Posted on October 17, 2025October 17, 2025 By CWS

A classy rootkit focusing on GNU/Linux techniques has emerged, leveraging superior eBPF (prolonged Berkeley Packet Filter) expertise to hide malicious actions and evade conventional monitoring instruments.

The risk, generally known as LinkPro, was found throughout a digital forensic investigation of a compromised AWS-hosted infrastructure, the place it functioned as a stealthy backdoor with capabilities starting from course of hiding to distant activation by way of magic packets.

The an infection chain started with a susceptible Jenkins server (CVE-2024-23897) uncovered to the web.

Risk actors deployed a malicious Docker picture named kvlnt/vv throughout a number of Amazon EKS Kubernetes clusters, containing a VPN proxy instrument, a downloader malware referred to as vGet, and the LinkPro rootkit.

The Docker configuration allowed full filesystem entry with root privileges, enabling container escape and credential harvesting from different pods.

SynAcktiv researchers recognized LinkPro as an undocumented backdoor developed in Golang. The rootkit operates in two modes: a passive reverse mode listening for instructions after receiving a selected TCP magic packet, and an energetic ahead mode initiating direct command-and-control communication.

Its dual-layer stealth method depends on two eBPF modules for concealment, however mechanically falls again to hijacking the dynamic linker by means of /and many others/ld.so.preload when kernel configurations lack the required CONFIG_BPF_KPROBE_OVERRIDE choice.

Community packet stream within the kernel with XDP (Supply – SynAcktiv)

The rootkit achieves persistence by masquerading because the official system-resolved service, making a misleading system unit file at /and many others/system/system/systemd-resolveld.service.

The malicious binary is copied to /usr/lib/.system/.tmp~information.resolveld, with timestamps modified to match system information.

The Cover eBPF module intercepts essential system calls together with getdents and sys_bpf utilizing tracepoints and kernel return probes, successfully hiding information, processes, and its personal eBPF packages from enumeration instruments.

Superior Community Manipulation By eBPF

The Knock eBPF module demonstrates subtle community manipulation methods. Utilizing XDP (eXpress Knowledge Path) and TC (Visitors Management) packages, LinkPro displays community site visitors for a magic packet—a TCP SYN packet with a window dimension of 54321.

LinkPro passive community stream (Supply – SynAcktiv)

Upon detection, the xdp_ingress program shops the supply IP in a knock_map with a one-hour expiration window and dynamically rewrites incoming packet headers to redirect site visitors from any exterior port to LinkPro’s inner listening port 2233.

if (tcph->syn && tcph->window == bpf_htons(MAGIC_WIN)) {
__u64 exp = bpf_ktime_get_ns() + WIN_NS;
bpf_map_update_elem(&knock_map, &sip_h, &exp, BPF_ANY);
return XDP_DROP;
}

The complementary tc_egress program ensures outgoing responses have their supply ports rewritten again to unique values, making a seamless tunnel that bypasses firewall guidelines.

As soon as operational, LinkPro gives complete distant entry together with interactive shell classes, file administration operations, SOCKS5 proxy tunneling, and file exfiltration by way of Base64-encoded chunks.

The malware helps a number of protocols together with HTTP, WebSocket, TCP, UDP, and DNS tunneling, with exchanges encrypted utilizing XOR operations. Organizations ought to monitor for suspicious systemd service information and weird eBPF program exercise to detect such threats.

Observe us on Google Information, LinkedIn, and X to Get Extra Immediate Updates, Set CSN as a Most well-liked Supply in Google.

Cyber Security News Tags:Activities, Attacking, eBPF, GNULinux, Hide, LinkPro, Malicious, Module, Rootkit, Systems

Post navigation

Previous Post: ‘Highest Ever’ Severity Score Assigned by Microsoft to ASP.NET Core Vulnerability
Next Post: Your First and Last Line of Defense

Related Posts

New Vulnerability Affects All Intel Processors From The Last 6 Years Cyber Security News
Mustang Panda With SnakeDisk USB Worm and Toneshell Backdoor Seeking to Penetrate Air-Gap Systems Cyber Security News
PoC Exploit Released for Critical NVIDIA AI Container Toolkit Vulnerability Cyber Security News
DeerStealer Malware Delivered Via Weaponized .LNK Using LOLBin Tools Cyber Security News
Microsoft Teams RCE Vulnerability Let Attackers Read, Write and Delete Messages Cyber Security News
Threat Actors Abused AV – EDR Evasion Framework In-The-Wild to Deploy Malware Payloads Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Five New Exploited Bugs Land in CISA’s Catalog — Oracle and Microsoft Among Targets
  • South Korea Seeks to Arrest Dozens of Online Scam Suspects Repatriated From Cambodia
  • Dolby Digital Plus 0-Click Vulnerability Enables RCE Attack via Malicious Audio on Android
  • AWS Outage Impacts Amazon, Snapchat, Prime Video, Canva and More
  • SIM Farm Dismantled in Europe, Seven Arrested

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Five New Exploited Bugs Land in CISA’s Catalog — Oracle and Microsoft Among Targets
  • South Korea Seeks to Arrest Dozens of Online Scam Suspects Repatriated From Cambodia
  • Dolby Digital Plus 0-Click Vulnerability Enables RCE Attack via Malicious Audio on Android
  • AWS Outage Impacts Amazon, Snapchat, Prime Video, Canva and More
  • SIM Farm Dismantled in Europe, Seven Arrested

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News