
LinkPro rootkit eBPF concealment and magic-packet activation analysis

Technical Analysis

Summary


Synacktiv disclosed LinkPro, a new GNU/Linux rootkit that uses eBPF concealment and magic-packet activation, increasing the stealth of the intrusion and the risk that it goes undetected in compromised AWS-hosted environments. The malware can hide kernel- and user-space traces while waiting for an operator-defined trigger before accepting commands. Its design shows how post-exploitation tooling can maintain persistence and covert access across Kubernetes-backed infrastructure.


Timeline

  1. 16.10.2025 17:28 (2 articles)

    Synacktiv discloses LinkPro Linux rootkit with eBPF concealment

    Technical Analysis Update

    Synacktiv disclosed LinkPro, a new GNU/Linux rootkit found in an AWS-hosted infrastructure compromise that began with an exposed Jenkins server vulnerable to CVE-2024-23897 and a malicious Docker Hub image deployed to Kubernetes clusters. The analysis describes kernel-level concealment through two eBPF modules, a magic TCP packet trigger with window size 54321, a one-hour command window after activation, and a /etc/ld.so.preload fallback that loads libld.so to hide user-space artifacts.

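As an added defender-side example (not code from Synacktiv or from this page), the two host- and network-visible indicators named in the entry above, the trigger window size and the preload library, can be checked with a short Python script. The sensor log format and all sample lines are constructed; the window match is on the raw 16-bit TCP window field, and a match is treated as a lead rather than proof, since 54321 is a legal window value.

```python
import os
from collections import namedtuple

# Indicators as reported in the Synacktiv LinkPro write-up summarised above.
MAGIC_WINDOW = 54321              # TCP window size of the activation ("magic") packet
PRELOAD_PATH = "/etc/ld.so.preload"
PRELOAD_LIB = "libld.so"          # user-space hiding library loaded via the preload fallback

TcpRecord = namedtuple("TcpRecord", "ts src dst dport window")
def parse_records(text):
    """Parse constructed 'ts src dst dport window' lines (hypothetical sensor export)."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != 5:
            continue
        ts, src, dst, dport, window = parts
        out.append(TcpRecord(ts, src, dst, int(dport), int(window)))
    return out

def magic_packet_hits(records):
    """Records whose raw TCP window equals the trigger value; 54321 is a legal
    window on ordinary traffic, so a hit is a lead to pivot on, not proof."""
    return [r for r in records if r.window == MAGIC_WINDOW]

def preload_findings(preload_text):
    """Classify non-comment entries of /etc/ld.so.preload: any entry is unusual
    on a typical host, and one naming libld.so matches the LinkPro fallback."""
    findings = []
    for raw in preload_text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        kind = "linkpro_libld" if os.path.basename(entry) == PRELOAD_LIB else "unexpected_preload"
        findings.append((entry, kind))
    return findings

# Constructed sample input, not taken from a real capture.
SAMPLE_LOG = """# ts src dst dport window
1700000000.1 10.0.0.5 10.0.1.9 22 65535
1700000001.4 198.51.100.7 10.0.1.9 8080 54321
1700000002.0 10.0.0.6 10.0.1.9 443 29200
"""
SAMPLE_PRELOAD = "# constructed\n/usr/lib/libld.so\n/opt/vendor/libfoo.so\n"

if __name__ == "__main__":
    for r in magic_packet_hits(parse_records(SAMPLE_LOG)):
        print(f"magic window from {r.src} -> {r.dst}:{r.dport} at {r.ts}")
    for entry, kind in preload_findings(SAMPLE_PRELOAD):
        print(f"{PRELOAD_PATH}: {entry} [{kind}]")
```

On a live host, pass the contents of /etc/ld.so.preload to preload_findings and correlate any window hit with the one-hour command window that follows activation.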