LinkPro Linux Rootkit Uses eBPF to Hide and Activates via Magic TCP Packets

LinkPro Linux Rootkit Uses eBPF to Hide and Activates via Magic TCP Packets

An investigation reveals a sophisticated Linux rootkit named LinkPro, utilized in targeted AWS infrastructure exploitation involving Docker and Kubernetes. The malware employs eBPF modules for stealth and communication via a “magic packet” to activate remote commands, highlighting advanced persistence and concealment techniques. #LinkPro #eBPF

Keypoints

  • LinkPro is a Linux rootkit that uses eBPF modules for hiding processes and network activity.
  • The attack began with exploitation of a vulnerable Jenkins server to deploy malicious Docker images on Kubernetes clusters.
  • The malware communicates through a “magic packet” with a specific TCP window size to activate command execution.
  • It achieves persistence by setting up a systemd service and manipulating the /etc/ld.so.preload configuration.
  • The rootkit supports various command functions, including file operations, downloading files, and establishing SOCKS5 proxies.

Read More: https://thehackernews.com/2025/10/linkpro-linux-rootkit-uses-ebpf-to-hide.html