An investigation reveals a sophisticated Linux rootkit named LinkPro, utilized in targeted AWS infrastructure exploitation involving Docker and Kubernetes. The malware employs eBPF modules for stealth and communication via a “magic packet” to activate remote commands, highlighting advanced persistence and concealment techniques. #LinkPro #eBPF
Keypoints
- LinkPro is a Linux rootkit that uses eBPF modules for hiding processes and network activity.
- The attack began with exploitation of a vulnerable Jenkins server to deploy malicious Docker images on Kubernetes clusters.
- The malware communicates through a “magic packet” with a specific TCP window size to activate command execution.
- It achieves persistence by setting up a systemd service and manipulating the /etc/ld.so.preload configuration.
- The rootkit supports various command functions, including file operations, downloading files, and establishing SOCKS5 proxies.
Read More: https://thehackernews.com/2025/10/linkpro-linux-rootkit-uses-ebpf-to-hide.html