ALL POSTS

Key Findings Cisco Talos has discovered a new threat actor, UAT-9921, using a modular attack framework called VoidLink to target organizations in the technology and financial services sectors. VoidLink is a Linux-focused, highly capable attack framework that can compile and deploy plugins on-demand, potentially enabling AI-driven tool creation in the future. UAT-9921 is believed to have been active since at least 2019, even before the use of VoidLink, and has been observed in

Key Findings A new Linux botnet called SSHStalker has been discovered, leveraging IRC for command-and-control (C2) purposes The botnet combines old-school 2009-era Linux kernel exploits with automated mass-compromise techniques to infect around 7,000 systems, primarily cloud servers Unlike typical botnets focused on DDoS attacks or cryptocurrency mining, SSHStalker maintains persistent access without immediate follow-on activities, suggesting potential infrastructure staging

Key Findings DKnife is a Linux-based toolkit used since 2019 to hijack router traffic and deliver malware in cyber-espionage attacks The toolkit is designed for deep packet inspection, traffic manipulation, credential harvesting, and malware delivery DKnife has been linked to China-nexus threat actors with high confidence The toolkit targets Chinese-speaking users, stealing credentials from Chinese services and popular Chinese apps DKnife hijacks software downloads and Androi

Key Findings: A critical vulnerability has been discovered in the Linux kernel's x86 page fault handling mechanism, existing since 2020. The flaw was caused by inconsistent disabling of hardware interrupts, leading to potential catastrophic scenarios. The vulnerability was not limited to user-space address errors, but involved a more complex interplay between address ranges and execution context. The remediation required a fundamental shift in approach, moving away from selec

Key Findings VoidLink is a sophisticated Linux malware framework, built largely by a single developer with assistance from an artificial intelligence (AI) model. The malware reached over 88,000 lines of code in a short timeframe, showcasing the efficiency enabled by AI-driven development. Operational security failures by the developer exposed development artifacts, providing clear evidence that VoidLink was produced predominantly through AI-driven processes. VoidLink includes

Key Findings: A use-after-free (UAF) vulnerability in the Linux kernel's io_uring subsystem can be exploited to bypass the BPF verifier and achieve container escape. The flaw, tracked as CVE-2025-40364, allows attackers to manipulate the BPF verifier and gain arbitrary kernel code execution. Proof-of-concept (PoC) exploits have been publicly released, demonstrating the feasibility of the attack. Background The Linux kernel's io_uring subsystem is a high-performance I/O interf

Key Findings North Korea-linked threat actors are exploiting the critical React2Shell vulnerability (CVE-2025-55182) to deploy a previously unknown remote access trojan (RAT) dubbed EtherRAT EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org The activity exhibits significant overlap with a long-running campaign codenamed "Contagious In

Key Findings Trend Micro's AI-driven threat hunting pipeline discovered a previously unknown and undetectable Linux backdoor called "GhostPenguin" GhostPenguin had zero detections on VirusTotal for over four months before being identified The sophisticated, multi-threaded backdoor is written in C++ and uses RC5-encrypted UDP for covert Command and Control (C2) communications Background GhostPenguin was first submitted to VirusTotal on July 7, 2025, but remained completely inv