AI-Automated Threat Hunting Brings GhostPenguin Out of the Shadows

Trend Research describes the discovery and technical analysis of GhostPenguin, a previously undocumented multi-threaded Linux backdoor that provides a remote /bin/sh shell and extensive filesystem operations over an RC5-encrypted UDP channel (initial handshake over UDP port 53). The backdoor was found using an AI-driven VirusTotal zero-detection hunting pipeline that decompiled and profiled samples and produced IoCs and hunting queries; Trend Vision One detects and blocks it.

Keypoints

  • GhostPenguin is a C++ multi-threaded Linux backdoor that implements remote shell functionality and comprehensive file/directory operations over an RC5-encrypted UDP channel, using UDP port 53 for communication.
  • The threat was discovered via an AI-augmented hunting pipeline that collected zero-detection VirusTotal samples, extracted artifacts into a structured database, built VirusTotal/YARA hunting queries, decompiled binaries, and applied AI agents (Quick Inspect and Deep Inspector) for scoring and detailed analysis.
  • Network comms use a structured session handshake: an initial unencrypted 34-byte request yields a 16-byte session ID from the C2, which becomes the RC5 key for all subsequent encrypted traffic; the malware implements ACKs, retransmit queues, heartbeats, and packet fragmentation to provide reliability over UDP.
  • Supported commands include status control, remote shell (fork /bin/sh, send input/output), full filesystem manipulation (list, read, write, create, delete, rename, modify timestamps, search by extension), and directory operations; large transfers are fragmented into multiple UDP packets.
  • Analysis indicates active development: leftover debug configuration (an unused domain/IP), unused persistence functions, and typos in function names and strings (e.g., ImpPresistence, Userame), suggesting immature or evolving code.
  • Indicators (hashes, C2 IPs/domains, ports) and hunting queries are provided in the report; Trend Vision One detects and blocks the listed IoCs and offers hunting queries for customer use.
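The session handshake summarised above (an unencrypted 34-byte request on UDP/53 answered by a 16-byte session ID, after which every datagram is RC5-encrypted) gives a defender a usable network-side heuristic: none of that traffic is well-formed DNS, yet it rides the DNS port. The following Python is an added example, not code from Trend Research or from the report; it takes only the two handshake sizes from the page, and the DNS structural check, the flow model (an ordered list of client/server datagrams) and the sample datagrams are constructed here. The real GhostPenguin message layout is not on this page and is not assumed.

```python
import struct

# Sizes reported for the GhostPenguin handshake (from the report summary).
HANDSHAKE_REQUEST_LEN = 34
HANDSHAKE_REPLY_LEN = 16

# Opcodes actually used in DNS: QUERY, IQUERY, STATUS, NOTIFY, UPDATE.
_VALID_OPCODES = {0, 1, 2, 4, 5}


def looks_like_dns(payload: bytes) -> bool:
    """Loose structural check: a 12-byte header plus at least one parseable question."""
    if len(payload) < 12:
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if ((flags >> 11) & 0xF) not in _VALID_OPCODES:
        return False
    if qdcount == 0 or qdcount > 8:      # real queries carry one question, rarely more
        return False
    off = 12
    for _ in range(qdcount):
        while True:                      # walk the QNAME labels
            if off >= len(payload):
                return False
            length = payload[off]
            if length == 0:              # root label terminates the name
                off += 1
                break
            if length & 0xC0 == 0xC0:    # compression pointer (2 bytes)
                off += 2
                break
            if length > 63:              # labels are at most 63 octets
                return False
            off += 1 + length
        if off + 4 > len(payload):       # QTYPE + QCLASS must follow
            return False
        off += 4
    return True


def score_udp53_flow(packets):
    """packets: ordered list of (direction, payload); direction is 'c2s' or 's2c'.
    Returns a list of human-readable reasons the flow is suspicious (empty if none)."""
    reasons = []
    client = [p for d, p in packets if d == "c2s"]
    server = [p for d, p in packets if d == "s2c"]
    if not client:
        return reasons
    non_dns = sum(1 for _, p in packets if not looks_like_dns(p))
    if non_dns:
        reasons.append(f"{non_dns}/{len(packets)} datagrams on udp/53 do not parse as DNS")
    if (len(client[0]) == HANDSHAKE_REQUEST_LEN and not looks_like_dns(client[0])
            and server and len(server[0]) == HANDSHAKE_REPLY_LEN
            and not looks_like_dns(server[0])):
        reasons.append("34-byte non-DNS request answered by 16-byte non-DNS reply "
                       "(matches reported GhostPenguin handshake sizes)")
    return reasons


# --- constructed sample traffic (not captured data) ---------------------------
def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def build_dns_response(query: bytes, ip: str) -> bytes:
    (txid,) = struct.unpack("!H", query[:2])
    question = query[12:]
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


_Q = build_dns_query("example.com")
LEGIT_FLOW = [("c2s", _Q), ("s2c", build_dns_response(_Q, "93.184.216.34"))]

# Placeholder bytes standing in for an opaque 34-byte request, a 16-byte reply and
# two encrypted follow-ups; the real byte layout is not known from the page.
SUSPECT_FLOW = [
    ("c2s", bytes(range(34))),
    ("s2c", bytes(range(0x80, 0x90))),
    ("c2s", bytes(range(40, 100))),
    ("s2c", bytes(range(100, 140))),
]

if __name__ == "__main__":
    print("legit  :", score_udp53_flow(LEGIT_FLOW))
    print("suspect:", score_udp53_flow(SUSPECT_FLOW))
```

The size match on its own is weak evidence (34 and 16 are ordinary sizes), so the function only reports it together with the DNS-parse failure; in practice the strongest signal is simply persistent non-DNS payloads on UDP/53 between an internal host and a single external peer, which is what the first reason captures.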

MITRE Techniques

  • [None] No specific MITRE ATT&CK technique IDs or technique names are explicitly listed in the article (source section: ‘MITRE ATT&CK framework mapping’).

Indicators of Compromise

  • [SHA-256] GhostPenguin binary identifier – 7b75ce1d60d3c38d7eb63627e4d3a8c7e6a0f8f65c70d0b0cc4756aab98e9ab7
  • [MD5] sample identifier – 7d3bd0d04d3625322459dd9f11cc2ea3
  • [SHA1] sample identifier – 145da15a33b54e0602e0bbe810ef6c25f2701d50
  • [File name] observed filenames used by the sample – systemd, .temp
  • [C2 IPs/domains] command-and-control servers seen in the report – 65[.]20[.]72[.]101:53, www[.]iytest[.]com:5679, 124[.]221[.]109[.]147:5679
  • [Network ports] ports used for C2 and transport – 53, 5679


Read more: https://www.trendmicro.com/en_us/research/25/l/ghostpenguin.html