Security firm Synacktiv discovered a new GNU/Linux rootkit, LinkPro, while investigating an AWS-hosted compromise. The attackers began with an exposed Jenkins server vulnerable to CVE-2024-23897. Then they deployed a malicious Docker Hub image named kvlnt/vv to multiple Kubernetes clusters. The image has since been removed from Docker Hub.
How the Attack Chain Worked
First, the adversary used the Jenkins flaw to gain initial access. Next, they pushed a Docker image built on a Kali Linux base. That image contained an app folder with three files:
start.sh — launches SSH and runs the other components.
link — an open-source VPN/proxy binary (vnt) that connects to vnt.wherewego[.]top:29872, giving the attacker remote access to the host.
app — a Rust downloader (vGet) that pulls an encrypted vShell payload from an S3 bucket and connects to a C2 server over WebSocket.
Additionally, the attackers dropped a vShell backdoor and LinkPro, a Golang rootkit. LinkPro supports both passive (reverse) and active (forward) modes. In passive mode it waits for a special “magic packet.” In active mode it contacts the C2 directly.
eBPF Modules and Stealth Techniques
LinkPro relies on two eBPF modules:
Hide — tracepoint and kretprobe eBPF programs hide processes and network artifacts.
Knock — an XDP/TC eBPF module that watches for a TCP packet with a window size of 54321. That packet acts as the magic packet and unlocks a one-hour window for operator commands.
If eBPF installation fails, LinkPro falls back to user-space stealth. It installs a malicious libld.so and inserts /etc/libld.so into /etc/ld.so.preload. This forces the library to load before glibc and hook libc functions. As a result, tools like ls and other programs return sanitized output that hides the rootkit’s traces.
Capabilities and Persistence
The rootkit sets up a systemd service to persist across reboots. It can:
Spawn interactive /bin/bash sessions in a pseudo-terminal.
Run shell commands remotely.
Enumerate files and directories.
Perform file operations and downloads.
Create a SOCKS5 proxy tunnel for lateral movement.
LinkPro supports five forward-mode protocols: HTTP, WebSocket, UDP, TCP, and DNS. Reverse mode uses HTTP only. On shutdown signals (SIGHUP, SIGINT, SIGTERM), it removes eBPF modules and restores /etc/ld.so.preload to its original state.
Why This Matters
This campaign mixes common DevOps tools with advanced stealth. Consequently, cloud and Kubernetes environments now face a threat that persists and evades standard detections. Moreover, the magic-packet activation technique lets attackers bypass front-end firewall logs by piggybacking on allowed ports.
Mitigation Steps
Immediately scan for unexpected entries in /etc/ld.so.preload.
Audit running eBPF programs and XDP hooks.
Inspect Docker images for unknown components and remove untrusted images.
Patch exposed Jenkins instances and rotate credentials.
Monitor outbound WebSocket and unusual DNS/UDP traffic.
Consider endpoint detection that looks for libc hooking and abnormal system call behavior.
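Two of the checks above can be scripted. The following is an added example written for this article, not code from Synacktiv's report: it flags /etc/ld.so.preload entries outside the standard library directories (the fallback drops /etc/libld.so there) and scans raw TCP headers for the window size 54321 that the Knock module listens for. The trusted-prefix list and the sample inputs are constructed assumptions.

```python
import struct
from pathlib import Path

# Assumed trusted locations; a preload entry outside these (e.g. /etc/libld.so,
# the path the LinkPro fallback uses) deserves a closer look.
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
MAGIC_WINDOW = 54321  # TCP window size LinkPro's Knock eBPF module waits for

def suspicious_preload_entries(preload_text):
    """Return ld.so.preload entries that do not live under a standard library directory."""
    found = []
    for line in preload_text.splitlines():
        line = line.split("#", 1)[0].strip()  # ld.so ignores text after '#'
        for entry in line.split():            # entries are whitespace-separated
            if not entry.startswith(TRUSTED_PREFIXES):
                found.append(entry)
    return found

def tcp_window(tcp_header):
    """Window size field of a TCP header (bytes 14-15, network byte order)."""
    return struct.unpack("!H", tcp_header[14:16])[0]

def find_knock_packets(packets):
    """Indices of captured TCP headers whose window equals the magic value."""
    return [i for i, hdr in enumerate(packets)
            if len(hdr) >= 20 and tcp_window(hdr) == MAGIC_WINDOW]

def build_tcp_header(sport, dport, window):
    """Constructed 20-byte TCP header (no options) used only to build sample input."""
    # ports, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, window, 0, 0)

# Constructed samples: one benign preload entry plus the rootkit's fallback path,
# and three SYN headers of which only the second carries the magic window.
SAMPLE_PRELOAD = "/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-sysv.so\n/etc/libld.so\n"
SAMPLE_PACKETS = [
    build_tcp_header(40000, 443, 64240),
    build_tcp_header(40001, 22, MAGIC_WINDOW),
    build_tcp_header(40002, 80, 29200),
]

if __name__ == "__main__":
    print("suspicious preload entries:", suspicious_preload_entries(SAMPLE_PRELOAD))
    print("knock packet indices:", find_knock_packets(SAMPLE_PACKETS))
    live = Path("/etc/ld.so.preload")
    if live.exists():
        print("this host:", suspicious_preload_entries(live.read_text()))
```

A window of 54321 can occur in ordinary traffic, so treat a hit as a triage signal to correlate with the other indicators (preload entries, unexpected eBPF programs, the systemd service), not as proof on its own.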
LinkPro demonstrates how attackers chain a vulnerable CI server, malicious container images, and advanced eBPF techniques to gain stealthy, persistent control. Teams should treat eBPF activity as high-risk and prioritize container and CI security to prevent similar compromises.