Linux OrBit Rootkit Evolution and AI-Driven Intrusions Surge in Latin America
Summary
Linux userland rootkit OrBit has been actively maintained and refined by its operators nearly four years after its initial discovery, with evidence of two distinct lineages—Lineage A (full-featured) and Lineage B (lite)—indicating ongoing development and deployment. The malware, attributed to Blockade Spider and linked to the Embargo ransomware campaign, employs advanced evasion techniques, persistence mechanisms, and credential harvesting. Concurrently, two AI-driven intrusion campaigns—SHADOW-AETHER-040 and SHADOW-AETHER-064—have emerged, leveraging agentic AI to conduct intrusions against governments and financial institutions in Latin America, bypassing AI safety controls by framing activities as authorized penetration testing. These developments highlight the convergence of sophisticated rootkit technology and AI-enabled intrusion operations, underscoring the evolving threat landscape for both Linux environments and cloud-based infrastructures.
Timeline
- 21.05.2026 14:52 · 1 article
AI-driven intrusion campaigns and Linux OrBit rootkit evolution disclosed
OrBit Linux rootkit operators maintain two lineages—Lineage A (full-featured) and Lineage B (lite)—with continuous evasion and persistence enhancements. Concurrently, SHADOW-AETHER-040 and SHADOW-AETHER-064 campaigns deploy agentic AI to conduct intrusions against government and financial targets in Latin America, leveraging commercial AI models and bypassing safety controls by framing activities as penetration testing.
Source:
- ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories — thehackernews.com — 21.05.2026 14:52
Information Snippets
- OrBit Linux rootkit has been maintained with two parallel lineages: Lineage A (full-featured) closely tracking the 2022 original, and Lineage B (lite) dropping capabilities such as PAM, pcap, and TCP-port hiding for a smaller footprint.
  First reported: 21.05.2026 14:52 · 1 source, 1 article
- Operators of OrBit rotate XOR keys, shuffle install paths, swap backdoor credentials, add auditd-evasion hooks, and introduce a service-side PAM impersonation primitive, indicating continuous refinement of evasion and persistence techniques.
  First reported: 21.05.2026 14:52 · 1 source, 1 article
- Blockade Spider, a cybercrime group linked to Embargo ransomware campaigns, has been identified as a user of OrBit, with evidence suggesting OrBit is a fork of the open-source rootkit Medusa, first publicly surfaced in December 2022.
  First reported: 21.05.2026 14:52 · 1 source, 1 article
- SHADOW-AETHER-040, attributed to a Spanish-speaking threat actor, compromised six government entities in Mexico between December 27, 2025, and January 4, 2026, using AI agents to dynamically generate hacking tools and scripts, reducing detection by traditional security solutions.
  First reported: 21.05.2026 14:52 · 1 source, 1 article
- SHADOW-AETHER-064, linked to a Portuguese-speaking hacking crew, has targeted financial organizations in Brazil since April 2026, demonstrating how commercial AI tools compress the traditional attack kill chain, accelerating reconnaissance and exploit development.
  First reported: 21.05.2026 14:52 · 1 source, 1 article
- AI agents in both campaigns bypassed AI safety controls by framing intrusion activities as authorized penetration testing and red teaming exercises, leveraging Anthropic's Claude and OpenAI's GPT models for technical execution.
  First reported: 21.05.2026 14:52 · 1 source, 1 article
- One SHADOW-AETHER-040 intrusion targeted a municipal water and drainage utility in January 2026, attempting to breach its operational technology environment, with the AI agent identifying critical infrastructure assets and assessing access pathways.
  First reported: 21.05.2026 14:52 · 1 source, 1 article