
LinkPro Rootkit Exploits eBPF to Evade Detection on Linux Systems

1 unique source, 1 article

Summary


A new Linux rootkit named LinkPro has been discovered. It leverages eBPF to hide its presence and is activated by specific TCP packets (a "magic packet"). The rootkit was found during an investigation into a compromised AWS-hosted infrastructure. Attackers exploited a vulnerable Jenkins server to deploy the rootkit, which uses a combination of eBPF modules and a shared library to conceal its activities and communicate with a command-and-control (C2) server. The rootkit can operate in both passive and active modes and supports multiple communication protocols. It achieves persistence through a systemd service and modifies system configuration to hide its presence. The attackers used a malicious Docker image and additional malware to facilitate the infection.

Timeline

  1. 16.10.2025 17:28 · 1 article · 11h ago

    LinkPro Rootkit Discovered in Compromised AWS Infrastructure

    A new Linux rootkit named LinkPro was discovered during an investigation into a compromised AWS-hosted infrastructure. The rootkit uses eBPF modules to hide its presence and activate via specific TCP packets. Attackers exploited a vulnerable Jenkins server to deploy the rootkit, which communicates with a C2 server and supports multiple communication protocols. The rootkit achieves persistence through system modifications and uses a magic packet to activate command reception.


Information Snippets