
LinkPro: An eBPF-Based Rootkit Hiding Malicious Activity on GNU/Linux


By Mayura Kathir

Security researchers from Synacktiv CSIRT have uncovered a sophisticated Linux rootkit dubbed LinkPro that leverages eBPF (extended Berkeley Packet Filter) technology to establish persistent backdoor access while remaining virtually invisible to traditional monitoring tools.

The infection chain originated from a vulnerable Jenkins server exposed to the internet, exploited through CVE-2024-23897.

Threat actors leveraged this initial access point to deploy a malicious Docker image named “kvlnt/vv” across multiple Amazon EKS (Elastic Kubernetes Service) clusters.

The containerized payload consisted of a Kali Linux base image containing three critical components: a bash startup script, a VPN server program called “vnt” for proxy capabilities, and a Rust-based downloader malware dubbed “vGet”.

The malware represents a significant evolution in Linux-targeted threats, combining advanced stealth capabilities with flexible operational modes to compromise GNU/Linux systems across cloud infrastructure.

The first piece of malicious code is a dropper embedding ...


Copyright of this story solely belongs to gbhackers.