<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Linux Malware &#8211; First Hackers News</title>
	<atom:link href="https://firsthackersnews.com/category/malware/linux-malware/feed/" rel="self" type="application/rss+xml" />
	<link>https://firsthackersnews.com</link>
	<description>Latest cybersecurity news, real attacks, and practical IOCs—made simple and actionable.</description>
	<lastBuildDate>Fri, 10 Jul 2026 18:36:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://firsthackersnews.com/wp-content/uploads/2026/03/cropped-FHN_512x512-32x32.png</url>
	<title>Linux Malware &#8211; First Hackers News</title>
	<link>https://firsthackersnews.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Linux FUSE Vulnerability Allows Root Access</title>
		<link>https://firsthackersnews.com/linux-fuse-vulnerability-root-access/</link>
					<comments>https://firsthackersnews.com/linux-fuse-vulnerability-root-access/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Fri, 10 Jul 2026 18:36:33 +0000</pubDate>
				<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Linux Malware]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Tips]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[CVE-2026-31694]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[FUSE]]></category>
		<category><![CDATA[kernel vulnerability]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Linux security]]></category>
		<category><![CDATA[privilege escalation]]></category>
		<category><![CDATA[root access]]></category>
		<category><![CDATA[system security]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=12007</guid>

					<description><![CDATA[<p>newly disclosed Linux kernel vulnerability, tracked as CVE-2026-31694, allows unprivileged local users to gain root privileges on affected</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/linux-fuse-vulnerability-root-access/">Linux FUSE Vulnerability Allows Root Access</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>newly disclosed <strong>Linux kernel vulnerability</strong>, tracked as <strong>CVE-2026-31694</strong>, allows unprivileged local users to gain <strong>root privileges</strong> on affected systems. The flaw exists in the Linux <strong>FUSE (Filesystem in Userspace)</strong> subsystem and affects the way directory entries are stored in the kernel page cache.</p>



<p>Researchers demonstrated that the vulnerability can be exploited to modify a <strong>SUID</strong> binary, such as <strong>/usr/bin/su</strong>, allowing attackers to execute code with root privileges. The issue affects <strong>Linux kernel v6.16-rc1 and later</strong> on systems using a <strong>4 KB page size</strong>.</p>



<h2 class="wp-block-heading"><strong>How the Vulnerability Works</strong></h2>



<p>The flaw is caused by improper validation of directory entry sizes before they are copied into the kernel page cache. When an oversized directory entry is processed, it can trigger a small memory overflow beyond the page boundary.</p>



<p>Researchers showed that this overflow can corrupt cached executable files, including <strong>SUID</strong> binaries such as <strong>/usr/bin/su</strong>. When the modified binary is executed, the injected code runs with root privileges before the normal authentication process begins, allowing attackers to gain full control of the system.</p>



<p>To successfully exploit the vulnerability, an attacker must:</p>



<ul class="wp-block-list">
<li>Have local access to the system.</li>



<li>Be able to mount a FUSE filesystem.</li>



<li>Create a specially crafted directory entry.</li>



<li>Trigger the vulnerable code path through FUSE operations.</li>
</ul>



<h2 class="wp-block-heading"><strong>Affected Systems and Mitigation</strong></h2>



<p>The vulnerability becomes practically exploitable on <strong>Linux kernel v6.16-rc1 and later</strong>, after changes that increased the FUSE directory read buffer size. Systems using a <strong>4 KB page size</strong> are affected, while systems with larger page sizes are not vulnerable to this specific overflow.</p>



<p>The Linux kernel developers have released a patch that prevents oversized directory entries from being cached, eliminating the overflow condition.</p>



<p>Organizations should take the following steps to reduce risk:</p>



<ul class="wp-block-list">
<li>Update affected Linux systems with the latest kernel patches.</li>



<li>Restrict or disable unprivileged FUSE mounts where possible.</li>



<li>Disable unprivileged user namespaces if they are not required.</li>



<li>Remove the <strong>setuid</strong> permission from <strong>fusermount3</strong> when it is not needed.</li>



<li>Monitor systems for unauthorized local privilege escalation attempts.</li>



<li>Review systems for unusual activity involving FUSE filesystems and SUID binaries.</li>
</ul>



<p>Although this vulnerability requires local access, it highlights how a small flaw in a kernel subsystem can lead to complete system compromise. Prompt patching, restricting unnecessary FUSE access, and limiting local privileges are the most effective ways to reduce the risk of exploitation.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/linux-fuse-vulnerability-root-access/">Linux FUSE Vulnerability Allows Root Access</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/linux-fuse-vulnerability-root-access/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Lazarus Delivers “Mach-O Man” macOS Malware via ClickFix</title>
		<link>https://firsthackersnews.com/lazarus-macos-malware/</link>
					<comments>https://firsthackersnews.com/lazarus-macos-malware/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Thu, 30 Apr 2026 07:17:56 +0000</pubDate>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[Linux Malware]]></category>
		<category><![CDATA[MacOS]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[#BlueTeam]]></category>
		<category><![CDATA[#ClickFix]]></category>
		<category><![CDATA[#CodesignBypass]]></category>
		<category><![CDATA[#EDR]]></category>
		<category><![CDATA[#Infostealer]]></category>
		<category><![CDATA[#KeychainAttack]]></category>
		<category><![CDATA[#LaunchAgent]]></category>
		<category><![CDATA[#MachOMan]]></category>
		<category><![CDATA[#macOSSecurity]]></category>
		<category><![CDATA[#SOC]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11667</guid>

					<description><![CDATA[<p>The Lazarus Group is actively using ClickFix-style social engineering to deploy a new macOS malware framework called “Mach-O</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/lazarus-macos-malware/">Lazarus Delivers “Mach-O Man” macOS Malware via ClickFix</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>The Lazarus Group is actively using ClickFix-style social engineering to deploy a new macOS malware framework called “Mach-O Man.” Instead of exploiting vulnerabilities, the attack relies on user interaction, making it highly effective against modern defenses.</p>



<p>This activity has been closely analyzed by Mauro Eldritch, who has documented how this campaign is impacting high-value macOS users, especially in fintech and crypto sectors.</p>



<h2 class="wp-block-heading"><strong>Initial Access and Social Engineering Flow</strong></h2>



<p>The attack typically begins with targeted outreach on Telegram, where threat actors impersonate trusted contacts such as colleagues or business partners. Victims—often executives or developers—receive urgent meeting requests designed to trigger quick action.</p>



<p>They are then redirected to phishing pages that closely resemble platforms like Zoom, Microsoft Teams, or Google Meet. These pages claim a technical issue and instruct the user to fix it manually.</p>



<p>Instead of a traditional exploit, the victim is guided to copy and execute a Terminal command. Because this action is user-initiated, many security tools interpret it as legitimate behavior.</p>



<h2 class="wp-block-heading"><strong>Execution Chain and Malware Behavior</strong></h2>



<p>Once the command is executed, the infection chain unfolds in multiple stages designed to blend in with normal macOS activity.</p>



<figure class="wp-block-image size-full is-resized"><img fetchpriority="high" decoding="async" width="1024" height="527" src="https://firsthackersnews.com/wp-content/uploads/2026/04/image-4.png" alt="" class="wp-image-11668" style="aspect-ratio:1.943129509320623;width:823px;height:auto" srcset="https://firsthackersnews.com/wp-content/uploads/2026/04/image-4-300x154.png 300w, https://firsthackersnews.com/wp-content/uploads/2026/04/image-4-768x395.png 768w, https://firsthackersnews.com/wp-content/uploads/2026/04/image-4.png 1024w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Complete malware kit showing all components and variants (Source: ANY.RUN).<br></figcaption></figure>



<ul class="wp-block-list">
<li>The first-stage binary (commonly seen as <em>teamsSDK.bin</em>) acts as a downloader that retrieves additional components</li>



<li>Fake macOS applications are dropped, mimicking meeting tools or system prompts to appear legitimate</li>



<li>These apps repeatedly request user passwords, often using poorly written prompts to trick the victim</li>



<li>A secondary module (such as <em>D1YrHRTg.bin</em>) performs deep system profiling using native tools like sysctl</li>
</ul>



<p>The profiling stage gathers extensive system intelligence, including host identifiers, operating system details, running processes, network configuration, and browser-related data from Chrome, Safari, Brave, and similar applications.</p>



<p>Interestingly, researchers observed flaws in parts of the malware. Some profiling components enter continuous loops, repeatedly sending the same data to command-and-control infrastructure, which can cause noticeable performance issues on infected machines.</p>



<p>To avoid execution barriers, the malware leverages macOS utilities like codesign to apply ad-hoc signatures, helping malicious binaries run under standard policies without raising immediate suspicion.</p>



<h2 class="wp-block-heading">Credential Theft and Data Exfiltration</h2>



<p>The final stage of the attack is handled by a stealer component referred to as <em>macrasv2</em>. This module focuses on extracting high-value data from the compromised system.</p>



<p>Targets include:</p>



<ul class="wp-block-list">
<li>Browser-stored credentials and active session cookies</li>



<li>macOS Keychain entries containing saved secrets</li>



<li>Files that can grant access to SaaS platforms, internal systems, or crypto wallets</li>
</ul>



<p>All collected data is compressed into archive files (for example, <em>user_ext.zip</em>) and exfiltrated to attacker-controlled servers.</p>



<h2 class="wp-block-heading">Persistence Mechanism</h2>



<p>To maintain long-term access, additional components like <em>minst2.bin</em> are deployed. These create persistence by placing disguised binaries—often pretending to be legitimate services like OneDrive—inside directories labeled as security-related (such as an “Antivirus Service” folder).</p>



<p>The malware then registers itself as a LaunchAgent, ensuring execution every time the user logs in.</p>



<h2 class="wp-block-heading">Why This Campaign Is Effective</h2>



<p>This attack stands out because it avoids traditional exploitation techniques. By relying on user-executed commands and built-in macOS tools, the activity appears normal to many EDR solutions until after credentials and access tokens are already compromised.</p>



<p>For organizations where macOS devices are widely used—especially among developers and leadership—this creates a serious risk. A single compromised system can lead to broader access across internal infrastructure and financial assets.</p>



<h2 class="wp-block-heading">Detection and Defensive Considerations</h2>



<p>To counter this type of campaign, defenders need to shift focus toward behavior rather than just exploits.</p>



<ul class="wp-block-list">
<li>Monitor unusual Terminal activity and command execution patterns</li>



<li>Identify and block ClickFix-style phishing workflows</li>



<li>Regularly audit LaunchAgents for suspicious or disguised entries</li>



<li>Track outbound connections to uncommon ports or Telegram-related infrastructure</li>



<li>Use sandbox environments like ANY.RUN to safely analyze suspicious files, URLs, and execution chains</li>
</ul>



<p>Interactive sandboxing plays a key role in understanding how these multi-stage attacks operate, allowing defenders to reconstruct the full infection path and extract indicators for detection.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/lazarus-macos-malware/">Lazarus Delivers “Mach-O Man” macOS Malware via ClickFix</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/lazarus-macos-malware/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Hackers Hide GoGra Backdoor in Outlook Mailboxes</title>
		<link>https://firsthackersnews.com/outlook-mailbox-malware/</link>
					<comments>https://firsthackersnews.com/outlook-mailbox-malware/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Thu, 23 Apr 2026 20:32:55 +0000</pubDate>
				<category><![CDATA[Backdoor]]></category>
		<category><![CDATA[Email Security]]></category>
		<category><![CDATA[Linux Malware]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[#APT]]></category>
		<category><![CDATA[#Backdoor]]></category>
		<category><![CDATA[#CloudSecurity]]></category>
		<category><![CDATA[#CyberAttack]]></category>
		<category><![CDATA[#CyberSecurity]]></category>
		<category><![CDATA[#CyberThreats]]></category>
		<category><![CDATA[#datasecurity]]></category>
		<category><![CDATA[#EmailSecurity]]></category>
		<category><![CDATA[#GoGra]]></category>
		<category><![CDATA[#infosec]]></category>
		<category><![CDATA[#MalwareAnalysis]]></category>
		<category><![CDATA[#MicrosoftSecurity]]></category>
		<category><![CDATA[#NetworkSecurity]]></category>
		<category><![CDATA[#OutlookMalware]]></category>
		<category><![CDATA[#SecurityResearch]]></category>
		<category><![CDATA[#ThreatIntelligence]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11637</guid>

					<description><![CDATA[<p>A nation-state–linked threat group known as Harvester has developed a more advanced way to hide its malicious activity</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/outlook-mailbox-malware/">Hackers Hide GoGra Backdoor in Outlook Mailboxes</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>A nation-state–linked threat group known as Harvester has developed a more advanced way to hide its malicious activity by using Microsoft Outlook as part of its attack infrastructure. Instead of relying on traditional command-and-control servers, the attackers are now sending instructions through real Outlook mailboxes, making the activity appear legitimate and much harder to detect.</p>



<p>This campaign involves a Linux version of the GoGra backdoor, showing that the group is expanding beyond its earlier Windows-based operations. By using trusted cloud services, the malware blends into normal network traffic, allowing it to bypass many standard security tools that typically look for suspicious external connections.</p>



<p>The attack appears to focus on espionage rather than financial gain. Evidence suggests that targets are mainly located in South Asia, with attackers using region-specific document names to make their phishing attempts more convincing. This level of targeting shows a carefully planned and strategic operation.</p>



<h2 class="wp-block-heading">Outlook Mailbox Malware Explained</h2>



<p>The attackers gain access through social engineering, tricking users into opening files that appear harmless. These files are often disguised as official documents, but they actually contain hidden malicious code.</p>



<p>Once the file is opened, the malware quietly installs itself in the background. It avoids drawing attention while setting up persistence, ensuring it can continue running even after the system is restarted.</p>



<p>Some key characteristics of the infection process include:</p>



<ul class="wp-block-list">
<li>Disguised files that look like PDFs or official documents</li>



<li>Malware hidden inside Linux executable files</li>



<li>Silent installation without visible signs</li>



<li>Persistence mechanisms that allow it to survive reboots</li>
</ul>



<p>This approach makes it difficult for users to realize they have been infected until much later.</p>



<h2 class="wp-block-heading">How the Backdoor Uses Microsoft Infrastructure</h2>



<p>What makes this attack particularly sophisticated is how it uses Microsoft’s own services as a communication channel. Instead of connecting to suspicious servers, the malware interacts with legitimate cloud infrastructure, which helps it stay hidden.</p>



<p>After installation, the backdoor uses Microsoft APIs to communicate with a real Outlook mailbox. It regularly checks for new messages that contain instructions from the attacker. These commands are processed on the infected system, and the results are sent back through email responses.</p>



<p>The malware is designed to clean up after itself, deleting messages once they are used. This reduces traces of the attack and makes forensic investigation more difficult.</p>



<p>The main capabilities of the backdoor include:</p>



<ul class="wp-block-list">
<li>Receiving commands through Outlook mailbox messages</li>



<li>Executing those commands on the infected machine</li>



<li>Sending results back via email</li>



<li>Removing evidence after communication</li>
</ul>



<p>Because all of this happens through trusted services, the activity can easily go unnoticed in normal network monitoring.</p>



<h2 class="wp-block-heading">Why This Attack Is Concerning</h2>



<p>This campaign highlights a growing trend where attackers abuse legitimate platforms to hide their operations. By using trusted services like Microsoft’s cloud, they can bypass many traditional defenses that rely on detecting suspicious traffic.</p>



<p>The impact of such an attack can be serious. Attackers may gain long-term access to systems, collect sensitive data, and monitor user activity without being detected. Since the malware operates quietly and removes traces of its actions, it can remain active for extended periods.</p>



<p>This also shows how threat actors are evolving their techniques, moving toward more stealthy and persistent methods. Organizations can no longer rely only on basic perimeter defenses and must adopt more advanced monitoring strategies.</p>



<p>To reduce risk, security teams should pay close attention to unusual system behavior, unexpected background services, and abnormal use of cloud APIs. Monitoring activity from endpoints that do not typically interact with such services can help identify potential threats early.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p><strong>&#x200d;Follow Us on:<strong><a href="https://www.linkedin.com/in/firsthackers-news/" target="_blank" rel="noopener">Linkedin</a>,<a href="https://www.instagram.com/firsthackersnews/" target="_blank" rel="noreferrer noopener"> Instagram</a>, <a href="https://www.facebook.com/FirsthackerNews" target="_blank" rel="noreferrer noopener">Facebook</a></strong> to get the latest security news!</strong></p>
</blockquote>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/outlook-mailbox-malware/">Hackers Hide GoGra Backdoor in Outlook Mailboxes</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/outlook-mailbox-malware/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>xz Backdoor Vulnerability Exposes Linux Systems to Remote Access</title>
		<link>https://firsthackersnews.com/xz-backdoor-vulnerability-linux/</link>
					<comments>https://firsthackersnews.com/xz-backdoor-vulnerability-linux/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Fri, 27 Mar 2026 19:14:56 +0000</pubDate>
				<category><![CDATA[Backdoor]]></category>
		<category><![CDATA[Linux Malware]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[#Backdoor]]></category>
		<category><![CDATA[#CVE20243094]]></category>
		<category><![CDATA[#CyberSecurity]]></category>
		<category><![CDATA[#CyberThreat]]></category>
		<category><![CDATA[#infosec]]></category>
		<category><![CDATA[#LinuxSecurity]]></category>
		<category><![CDATA[#LinuxVulnerability]]></category>
		<category><![CDATA[#Malware]]></category>
		<category><![CDATA[#OpenSourceSecurity]]></category>
		<category><![CDATA[#PatchNow]]></category>
		<category><![CDATA[#SecurityAlert]]></category>
		<category><![CDATA[#ssh]]></category>
		<category><![CDATA[#SupplyChainAttack]]></category>
		<category><![CDATA[#ThreatIntelligence]]></category>
		<category><![CDATA[#xz]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11512</guid>

					<description><![CDATA[<p>Red Hat has raised a critical alert after a supply chain attack was discovered in the widely used</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/xz-backdoor-vulnerability-linux/">xz Backdoor Vulnerability Exposes Linux Systems to Remote Access</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Red Hat has raised a critical alert after a supply chain attack was discovered in the widely used xz compression tool. Security researchers found that certain recent versions of the library were tampered with, introducing hidden malicious functionality.</p>



<p>This issue, identified as <strong>CVE-2024-3094</strong>, impacts versions 5.6.0 and 5.6.1. The injected code is designed to stay hidden during normal review processes and only becomes active during the software build stage. Once active, it can interfere with SSH authentication, potentially allowing attackers to gain unauthorized access to affected systems.</p>



<h2 class="wp-block-heading">Technical Impact and Mitigation</h2>



<p>The attack is highly sophisticated, as the malicious components are not fully visible in the main source code. Instead, they rely on additional build-time elements to assemble and execute the payload. This makes detection difficult using standard code inspection methods.</p>



<p>Once deployed, the compromised library can alter how SSH authentication behaves, creating an opportunity for attackers to bypass normal security checks and access systems remotely.</p>



<p>Key highlights:</p>



<ul class="wp-block-list">
<li>CVE-2024-3094 affects xz and xz-libs versions 5.6.0 and 5.6.1</li>



<li>Malicious code is triggered during the build process</li>



<li>Targets SSH authentication mechanisms</li>



<li>Impacts Fedora Rawhide, Fedora 40 Beta, Debian unstable, and openSUSE</li>



<li>Red Hat Enterprise Linux (RHEL) remains unaffected</li>
</ul>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p><strong>&#x200d;Follow Us on:<strong><a href="https://www.linkedin.com/in/firsthackers-news/" target="_blank" rel="noopener">Linkedin</a>,<a href="https://www.instagram.com/firsthackersnews/" target="_blank" rel="noreferrer noopener"> Instagram</a>, <a href="https://www.facebook.com/FirsthackerNews" target="_blank" rel="noreferrer noopener">Facebook</a></strong> to get the latest security news!</strong></p>
</blockquote>



<h3 class="wp-block-heading">Immediate Actions</h3>



<ul class="wp-block-list">
<li>Downgrade to trusted xz version 5.4.x</li>



<li>Stop using Fedora Rawhide until systems are secured</li>



<li>Apply official patches and updates from Red Hat</li>



<li>Monitor systems for unusual SSH behavior</li>
</ul>



<p>Even though active exploitation has not been widely reported, the nature of this compromise makes it a high-risk issue. Prompt action is necessary to protect systems from potential unauthorized access.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/xz-backdoor-vulnerability-linux/">xz Backdoor Vulnerability Exposes Linux Systems to Remote Access</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/xz-backdoor-vulnerability-linux/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>ShadowHS Linux Malware Spreading Quietly</title>
		<link>https://firsthackersnews.com/shadowhs-linux-malware-spreading-quietly/</link>
					<comments>https://firsthackersnews.com/shadowhs-linux-malware-spreading-quietly/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Mon, 02 Feb 2026 17:28:17 +0000</pubDate>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[Linux Malware]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[behavioral detection]]></category>
		<category><![CDATA[blue team]]></category>
		<category><![CDATA[cyber threat intelligence]]></category>
		<category><![CDATA[edr]]></category>
		<category><![CDATA[endpoint detection]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[fileless malware]]></category>
		<category><![CDATA[in-memory attacks]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[kernel security]]></category>
		<category><![CDATA[Linux malware]]></category>
		<category><![CDATA[Linux security]]></category>
		<category><![CDATA[malware analysis]]></category>
		<category><![CDATA[post exploitation]]></category>
		<category><![CDATA[process monitoring]]></category>
		<category><![CDATA[SOC]]></category>
		<category><![CDATA[system hardening]]></category>
		<category><![CDATA[threat hunting]]></category>
		<category><![CDATA[XDR]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11079</guid>

					<description><![CDATA[<p>A newly observed Linux threat called ShadowHS is showing how modern attackers are moving beyond traditional malware. Instead</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/shadowhs-linux-malware-spreading-quietly/">ShadowHS Linux Malware Spreading Quietly</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>A newly observed Linux threat called ShadowHS is showing how modern attackers are moving beyond traditional malware. Instead of dropping files on a system, this framework runs completely in memory, making it much harder for standard security tools to detect.</p>



<p>ShadowHS is built from a modified version of a legitimate utility and turned into a full post-exploitation toolkit. It avoids writing anything to disk, hides its process identity, and executes through memory-based techniques that bypass many antivirus and file-monitoring defenses. The infection chain uses encrypted loaders and carefully rebuilds the payload directly in memory before running it.</p>



<p>The final program is launched directly from memory and often imitates trusted processes, such as Python-related services, to reduce suspicion.</p>



<h2 class="wp-block-heading"><strong>Human-Controlled and Stealth Focused</strong></h2>



<p>ShadowHS stands out because it does not behave like typical automated malware. Instead of launching noisy actions right away, it stays quiet at first. The framework focuses on studying the system, identifying security defenses, and ensuring the environment is safe for continued access. This careful, low-profile behavior suggests direct human control rather than a fully automated attack.</p>



<figure class="wp-block-image size-large"><img decoding="async" width="1024" height="466" src="https://firsthackersnews.com/wp-content/uploads/2026/02/image-1024x466.png" alt="" class="wp-image-11080" srcset="https://firsthackersnews.com/wp-content/uploads/2026/02/image-200x91.png 200w, https://firsthackersnews.com/wp-content/uploads/2026/02/image-300x136.png 300w, https://firsthackersnews.com/wp-content/uploads/2026/02/image-400x182.png 400w, https://firsthackersnews.com/wp-content/uploads/2026/02/image-600x273.png 600w, https://firsthackersnews.com/wp-content/uploads/2026/02/image-768x349.png 768w, https://firsthackersnews.com/wp-content/uploads/2026/02/image-800x364.png 800w, https://firsthackersnews.com/wp-content/uploads/2026/02/image-1024x466.png 1024w, https://firsthackersnews.com/wp-content/uploads/2026/02/image-1200x546.png 1200w, https://firsthackersnews.com/wp-content/uploads/2026/02/image.png 1321w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Memory-Based Payload Execution (Source: CRIL)</figcaption></figure>



<p>The tool gathers detailed information about installed security products by checking system paths, running services, and protection components. The findings help operators understand what defenses are active before deciding on the next step.</p>



<p>It also includes logic to remove other malicious programs that may already be present. By scanning for known malware, cryptominers, hidden kernel components, and suspicious in-memory programs, it tries to take exclusive control of the system.</p>



<p>Beyond that, the framework examines the system’s overall defense posture, reviewing kernel protections, loaded modules, and process activity to detect monitoring or security instrumentation.</p>



<p>For data theft, ShadowHS uses less common communication methods instead of standard tools like SSH or file transfer utilities. It creates hidden channels using user-space tunneling techniques, allowing files to be moved without triggering typical network monitoring alerts. Because of how these tunnels work, the traffic can appear local while actually being redirected externally, helping the activity remain unnoticed.</p>



<h2 class="wp-block-heading"><strong>Security Measures</strong></h2>



<p>When fully activated, ShadowHS can start hidden crypto mining, scan networks to move sideways, and try to collect credentials from systems, cloud services, and virtual platforms.</p>



<p>Since it runs in memory and avoids writing files, regular antivirus tools may not detect it. Protection depends more on watching system behavior than scanning files.</p>



<p>To lower the risk:</p>



<ul class="wp-block-list">
<li>Monitor unusual process and memory activity</li>



<li>Track suspicious command-line behavior</li>



<li>Use deeper system and kernel-level monitoring</li>



<li>Limit what applications can do at runtime</li>



<li>Watch for strange or hidden network connections</li>
</ul>



<p>This threat shows that modern Linux attacks are becoming quieter and more controlled, making behavior-based detection more important than ever.</p>



<h2 class="wp-block-heading" id="h-indicators-of-compromise-iocs"><strong>Indicators of Compromise (IOCs)</strong></h2>



<figure class="wp-block-table"><table><thead><tr><th>Indicator</th><th>Indicator Type</th><th>Description</th></tr></thead><tbody><tr><td>91.92.242[.]200</td><td>IPv4</td><td>Primary payload staging infrastructure</td></tr><tr><td>62.171.153[.]47</td><td>IPv4</td><td>Operator-controlled relay for exfiltration and post-compromise operations</td></tr><tr><td>20c1819c2fb886375d9504b0e7e5debb87ec9d1a53073b1f3f36dd6a6ac3f427</td><td>SHA-256</td><td>Main obfuscated shell loader script</td></tr><tr><td>9f2cfc65b480695aa2fd847db901e6b1135b5ed982d9942c61b629243d6830dd</td><td>SHA-256</td><td>Custom weaponized hackshell payload</td></tr><tr><td>148f199591b9a696197ec72f8edb0cf4f90c5dcad0805cfab4a660f65bf27ef3</td><td>SHA-256</td><td>RustScan port scanner</td></tr><tr><td>574a17028b28fdf860e23754d16ede622e4e27bac11d33dbf5c39db501dfccdc</td><td>SHA-256</td><td>spirit-x86_64.tgz archive</td></tr><tr><td>3f014aa3e339d33760934f180915045daf922ca8ae07531c8e716608e683d92d</td><td>SHA-256</td><td>spirit/-bash (UPX-packed binary)</td></tr><tr><td>847846a0f0c76cf5699342a066378774f1101d2fb74850e3731dc9b74e12a69d</td><td>SHA-256</td><td>spirit/-bash (unpacked Golang binary)</td></tr><tr><td>5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6</td><td>SHA-256</td><td>gpu1/screen miner wrapper</td></tr><tr><td>e11bcba19ac628ae1d0b56e43646ae1b5da2ccc1da5162e6719d4b7d68d37096</td><td>SHA-256</td><td>gpu1/lol miner component</td></tr><tr><td>0bb7d4d8a9c8f6b3622d07ae9892aa34dc2d0171209e2829d7d39d5024fd79ef</td><td>SHA-256</td><td>xmr/xmrigremove.sh</td></tr><tr><td>9fdaf64180b7d02b399d2a92f1cdd062af2e6584852ea597c50194b62cca3c0b</td><td>SHA-256</td><td>gpustak/-bash binary</td></tr><tr><td>b3ee445675fce1fccf365a7b681b316124b1a5f0a7e87042136e91776b187f39</td><td>SHA-256</td><td>gpustak/libxmrstak_cuda_backend.so CUDA backend</td></tr><tr><td>5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6</td><td>SHA-256</td><td>gpustak/screen miner wrapper</td></tr><tr><td>5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6</td><td>SHA-256</td><td>gpuecho/screen miner wrapper</td></tr><tr><td>3ba88f92a87c0bb01b13754190c36d8af7cd047f738ebb3d6f975960fe7614d6</td><td>SHA-256</td><td>gpuecho/lol miner component</td></tr><tr><td>5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6</td><td>SHA-256</td><td>gpu/screen miner wrapper</td></tr><tr><td>e11bcba19ac628ae1d0b56e43646ae1b5da2ccc1da5162e6719d4b7d68d37096</td><td>SHA-256</td><td>gpu/lol miner component</td></tr><tr><td>4069eaadc94efb5be43b768c47d526e4c080b7d35b4c9e7eeb63b8dcf0038d7d</td><td>SHA-256</td><td>ex/dirtycredz.x86_64 credential exploitation tool</td></tr><tr><td>72023e9829b0de93cf9f057858cac1bcd4a0499b018fb81406e08cd3053ae55b</td><td>SHA-256</td><td>ex/payload.so shared object payload</td></tr><tr><td>662d4e58e95b7b27eb961f3d81d299af961892c74bc7a1f2bb7a8f2442030d0e</td><td>SHA-256</td><td>ex/overlay helper component</td></tr><tr><td>e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</td><td>SHA-256</td><td>ex/GCONV_PATH=./lol empty placeholder file</td></tr><tr><td>c679b408275f9624602702f5601954f3b51efbb1acc505950ee88175854e783f</td><td>SHA-256</td><td>ex/payload.c payload source code</td></tr><tr><td>666122c39b2fd4499678105420e21b938f0f62defdbc85275e14156ae69539d6</td><td>SHA-256</td><td>ex/blast exploitation utility</td></tr><tr><td>8007b94d367b7dbacaac4c1da0305b489f0f3f7a38770dcdb68d5824fe33d041</td><td>SHA-256</td><td>ex/dp Dirty Pipe exploit</td></tr><tr><td>072e08b38a18a00d75b139a5bbb18ac4aa891f4fd013b55bfd3d6747e1ba0a27</td><td>SHA-256</td><td>ex/ubu privilege escalation helper</td></tr><tr><td>6c50fcf14af7f984a152016498bf4096dd1f71e9d35000301b8319bd50f7f6d0</td><td>SHA-256</td><td>ex/cve-2025-21756 exploit binary</td></tr><tr><td>04a072481ebda2aa8f9e0dac371847f210199a503bf31950d796901d5dbe9d58</td><td>SHA-256</td><td>ex/traitor-x86_64 privilege escalation tool</td></tr><tr><td>19df5436972b330910f7cb9856ef5fb17320f50b6ced68a76faecddcafa7dcd7</td><td>SHA-256</td><td>ex/autoroot.sh automated root escalation script</td></tr><tr><td>7fbab71fcc454401f6c3db91ed0afb0027266d5681c23900894f1002ceca389a</td><td>SHA-256</td><td>ex/dirtypipe.x86_64 Dirty Pipe exploit variant</td></tr><tr><td>e5a6deec56095d0ae702655ea2899c752f4a0735f9077605d933a04d45cd7e24</td><td>SHA-256</td><td>ex/dirtypagetable.x86_64 kernel exploitation tool</td></tr><tr><td>7361c6861fdb08cab819b13bf2327bc82eebdd70651c7de1aed18515c1700d97</td><td>SHA-256</td><td>ex/lol/gconv-modules GCONV-based exploitation component</td></tr></tbody></table></figure>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p><strong>&#x200d;Follow Us on:<strong> <a href="https://www.linkedin.com/in/firsthackers-news/" target="_blank" rel="noopener">Linkedin</a>,<a href="https://www.instagram.com/firsthackersnews/" target="_blank" rel="noreferrer noopener"> Instagram</a>, <a href="https://www.facebook.com/FirsthackerNews" target="_blank" rel="noreferrer noopener">Facebook</a></strong> to get the latest security news!</strong></p>
</blockquote>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/shadowhs-linux-malware-spreading-quietly/">ShadowHS Linux Malware Spreading Quietly</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/shadowhs-linux-malware-spreading-quietly/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Critical Linux Vulnerabilities Expose Systems to Root Access Exploits</title>
		<link>https://firsthackersnews.com/critical-linux-vulnerabilities-root-access-exploits/</link>
					<comments>https://firsthackersnews.com/critical-linux-vulnerabilities-root-access-exploits/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Thu, 19 Jun 2025 05:44:19 +0000</pubDate>
				<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Linux Malware]]></category>
		<category><![CDATA[#CVE-2025-6018]]></category>
		<category><![CDATA[#CVE-2025-6019]]></category>
		<category><![CDATA[#Fedora cybersecurity]]></category>
		<category><![CDATA[#Linux vulnerabilities]]></category>
		<category><![CDATA[#openSUSE Leap 15]]></category>
		<category><![CDATA[#PAM vulnerability]]></category>
		<category><![CDATA[#Qualys TRU]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=10324</guid>

					<description><![CDATA[<p>Newly discovered Linux vulnerabilities, identified as CVE-2025-6018, CVE-2025-6019, and CVE-2025-6020, threaten major distributions like Ubuntu, Debian, Fedora, and</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/critical-linux-vulnerabilities-root-access-exploits/">Critical Linux Vulnerabilities Expose Systems to Root Access Exploits</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Newly discovered <strong>Linux vulnerabilities</strong>, identified as <strong>CVE-2025-6018</strong>, <strong>CVE-2025-6019</strong>, and <strong>CVE-2025-6020</strong>, threaten major distributions like <strong>Ubuntu</strong>, <strong>Debian</strong>, <strong>Fedora</strong>, and <strong>openSUSE Leap 15</strong>. Uncovered by the <strong>Qualys Threat Research Unit (TRU)</strong>, these <strong>local privilege escalation (LPE)</strong> flaws allow attackers to gain <strong>full root access</strong>, risking <strong>data breaches</strong> and <strong>system compromise</strong>.</p>



<h1 class="wp-block-heading"><strong>What Are These Linux Vulnerabilities?</strong></h1>



<h2 class="wp-block-heading"><strong>CVE-2025-6018: PAM Misconfiguration</strong></h2>



<p>This flaw in <strong>openSUSE Leap 15</strong>’s <strong>Pluggable Authentication Modules (PAM)</strong> lets unprivileged users gain “<strong>allow_active</strong>” status, granting unauthorized <strong>Polkit actions</strong>. By treating <strong>SSH sessions</strong> as local, attackers can escalate privileges, paving the way for deeper exploits.</p>



<h2 class="wp-block-heading"><strong>CVE-2025-6019: Udisks Daemon Flaw</strong></h2>



<p>Exploiting <strong>libblockdev</strong> via the <strong>udisks daemon</strong>—a default component in most Linux distributions—this vulnerability allows attackers with “allow_active” status to achieve <strong>root privileges</strong>. Qualys TRU’s <strong>proof-of-concept exploits</strong> confirmed rapid root access on <strong>Ubuntu</strong>, <strong>Debian</strong>, and <strong>Fedora</strong>.</p>



<h2 class="wp-block-heading"><strong>CVE-2025-6020: PAM Namespace Issue</strong></h2>



<p>A <strong>path traversal vulnerability</strong> (CVSS: 7.8) in <strong>Linux PAM</strong> (up to 1.7.0) enables <strong>symlink attacks</strong> and <strong>race conditions</strong> in <strong>pam_namespace</strong>. Fixed in <strong>Linux PAM 1.7.1</strong>, it poses a <strong>root escalation</strong> risk if unpatched.</p>



<p>Chained together, these flaws create a dangerous “<strong>local-to-root</strong>” path, enabling <strong>data theft</strong>, <strong>ransomware</strong>, and <strong>backdoor implantation</strong>.</p>



<h2 class="wp-block-heading"><strong>Why These Flaws Matter</strong></h2>



<p>With <strong>udisks</strong> installed by default, most Linux systems are vulnerable. As Qualys TRU’s <strong>Saeed Abbasi</strong> noted, “The exploit’s simplicity and udisks’ ubiquity make this a universal threat.” Root access allows attackers to cause <strong>operational downtime</strong> or <strong>lateral movement</strong> in networks, threatening enterprises and individuals.</p>



<h3 class="wp-block-heading"><strong>Protect against these Linux security flaws with these steps:</strong></h3>



<ul class="wp-block-list">
<li><strong>Patch Immediately</strong>: Update to <strong>Linux PAM 1.7.1</strong>, patched <strong>libblockdev</strong>, and <strong>udisks</strong>. Check Ubuntu’s Security Notices or Fedora’s Updates.</li>



<li><strong>Disable PAM Namespace</strong>: Mitigate CVE-2025-6020 by disabling <strong>pam_namespace</strong> or securing <strong>namespace.init</strong>.</li>



<li><strong>Monitor Systems</strong>: Use <strong>threat intelligence</strong> tools to detect exploit attempts.</li>



<li><strong>Limit Access</strong>: Restrict privileges to minimize <strong>lateral movement</strong> risks.</li>
</ul>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/critical-linux-vulnerabilities-root-access-exploits/">Critical Linux Vulnerabilities Expose Systems to Root Access Exploits</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/critical-linux-vulnerabilities-root-access-exploits/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>New Rust Code in Linux Kernel Addresses Memory Bugs</title>
		<link>https://firsthackersnews.com/rust-code/</link>
					<comments>https://firsthackersnews.com/rust-code/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Tue, 11 Mar 2025 01:26:03 +0000</pubDate>
				<category><![CDATA[Linux Malware]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Security Update]]></category>
		<category><![CDATA[Tips]]></category>
		<category><![CDATA[linux kernel]]></category>
		<category><![CDATA[Memory Bugs]]></category>
		<category><![CDATA[rust code]]></category>
		<category><![CDATA[security advisory]]></category>
		<category><![CDATA[security fix]]></category>
		<category><![CDATA[security flaw]]></category>
		<category><![CDATA[security update]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=9761</guid>

					<description><![CDATA[<p>Rust in the Linux kernel enhances memory safety, a key focus in development. Launched in 2021 by Miguel</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/rust-code/">New Rust Code in Linux Kernel Addresses Memory Bugs</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Rust in the Linux kernel enhances memory safety, a key focus in development. Launched in 2021 by Miguel Ojeda, Rust for Linux aims to reduce vulnerabilities in new drivers and modules, not replace the entire kernel.</p>



<h2 class="wp-block-heading"><strong>New Rust Code in Linux Kernel </strong></h2>



<p>Rust reduces memory safety bugs, data races, and logic errors, making it ideal for kernel development.</p>



<p>It simplifies writing drivers and modules with modern abstractions and enforces documentation for APIs, safety checks, and ‘unsafe’ blocks.</p>



<p>Rust was officially merged into the Linux kernel in October 2022, with companies now dedicating engineers to its development.</p>



<p>Rust integration in Linux is expanding across subsystems, with drivers like PHY, Null Block, and Apple AGX GPU in development.</p>



<p>The Linux 6.13 merge added Rust misc driver bindings, paving the way for more Rust drivers. Greg Kroah-Hartman sees this as a turning point for adoption.</p>



<p>The next merge window may bring PCI and platform drivers, further strengthening Rust’s role in Linux.</p>



<p>With increased security benefits, support from Miguel Ojeda, and backing from the Alpha-Omega project, Rust for Linux is shaping a safer kernel future.</p>



<p>Kernel maintainer Jonathan Corbet confirmed Rust’s viability, highlighting its importance for Linux’s future.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/rust-code/">New Rust Code in Linux Kernel Addresses Memory Bugs</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/rust-code/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>GRUB2 Vulnerabilities Put Millions of Linux Devices at Risk</title>
		<link>https://firsthackersnews.com/grub2-vulnerabilities/</link>
					<comments>https://firsthackersnews.com/grub2-vulnerabilities/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Wed, 26 Feb 2025 18:07:19 +0000</pubDate>
				<category><![CDATA[Security Update]]></category>
		<category><![CDATA[Exploitation]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[Linux Malware]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Regulation]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Tips]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[CVE]]></category>
		<category><![CDATA[GRUB2 Vulnerability]]></category>
		<category><![CDATA[Linux devices]]></category>
		<category><![CDATA[remote code execution]]></category>
		<category><![CDATA[security advisory]]></category>
		<category><![CDATA[security fix]]></category>
		<category><![CDATA[security flaw]]></category>
		<category><![CDATA[security patch]]></category>
		<category><![CDATA[security update]]></category>
		<category><![CDATA[security vulnerability]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=9693</guid>

					<description><![CDATA[<p>GRUB2 vulnerabilities expose millions of Linux devices to secure boot bypass and remote code execution. Discovered during a</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/grub2-vulnerabilities/">GRUB2 Vulnerabilities Put Millions of Linux Devices at Risk</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>GRUB2 vulnerabilities expose millions of Linux devices to secure boot bypass and remote code execution. Discovered during a security audit, these flaws impact filesystem parsing, memory management, and network settings. Patches released on February 18, 2025, address issues like heap overflows and memory corruption in UEFI environments.</p>



<h2 class="wp-block-heading"><strong>GRUB2 Vulnerability</strong></h2>



<p>GRUB2’s critical role in booting operating systems makes it a prime target for attackers. Researchers found multiple flaws in filesystem drivers, including integer overflows in UFS, HFS+, and ReiserFS.</p>



<ul class="wp-block-list">
<li><strong>CVE-2025-0677</strong>: Crafted symlinks in UFS partitions can cause buffer overflows.</li>



<li><strong>CVE-2024-45782</strong>: Unvalidated HFS volume names can overwrite heap metadata.</li>



<li><strong>CVE-2025-0624</strong>: Malicious DHCP servers can exploit GRUB2’s network stack, leading to remote code execution before the OS loads.</li>
</ul>



<p>“These flaws allow attackers to compromise systems before security protections activate,” said Red Hat engineer Marco A Benatto.</p>



<p>Seven vulnerabilities arise from insufficient bounds checking in filesystem drivers:</p>



<ul class="wp-block-list">
<li><strong>CVE-2025-0678 (Squash4) &amp; CVE-2025-0685 (JFS)</strong>: Malicious size values trigger out-of-bounds writes during file reads.</li>



<li><strong>CVE-2025-0686 (ROMFS)</strong>: Integer overflow in symlink resolution corrupts heap structures.</li>



<li><strong>CVE-2024-45774</strong>: Crafted JPEGs in boot themes or EFI partitions can overwrite memory via duplicate SOF0 markers, enabling persistence.</li>



<li><strong>CVE-2025-0622</strong>: Use-after-free in the GPG module allows execution of rogue payloads, threatening UEFI Secure Boot.</li>



<li><strong>CVE-2025-1118</strong>: Unsecured memory dumps risk exposing cryptographic secrets under Secure Boot.</li>
</ul>



<p>“These flaws bypass integrity checks by exploiting legitimate filesystem operations,” said Oracle’s Jan Setje-Eilers.</p>



<p>To address GRUB2 security flaws, updates must be applied to <strong>GRUB2, shim, and SBAT metadata</strong>, as traditional UEFI revocation lists (dbx) won’t be used.</p>



<ul class="wp-block-list">
<li><strong>Update Requirements</strong>: Vendors must rebuild boot artifacts using SBAT generation 5 or higher to ensure component-level revocation.</li>



<li><strong>Patch Deployment</strong>: Major Linux distributions like Red Hat, SUSE, and Oracle Linux began releasing updates on February 25, 2025.</li>



<li><strong>Residual Risks</strong>: Legacy systems and embedded devices remain vulnerable due to infrequent update cycles.</li>



<li><strong>Security Implications</strong>: Unpatched systems could compromise network-wide Secure Boot integrity.</li>
</ul>



<h3 class="wp-block-heading">Key Takeaways for Administrators</h3>



<ul class="wp-block-list">
<li>Prioritize Bootloader Updates: Ensure GRUB2 and related components are patched.</li>



<li>Verify SBAT Status: Use tools like mokutil to check compliance.</li>



<li>Enhance Security Practices: Developers should adopt memory-safe coding to prevent future vulnerabilities.</li>
</ul>



<p>As attackers target low-level components, cross-industry collaboration remains vital in securing firmware and maintaining system integrity.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p><strong>&#x200d;Follow Us on:<strong> <a href="https://twitter.com/Info_FHNews" target="_blank" rel="noreferrer noopener">Twitter</a>,<a href="https://www.instagram.com/first_hackers_news/" target="_blank" rel="noreferrer noopener"> Instagram</a>, <a href="https://www.linkedin.com/in/firsthackers-news/" target="_blank" rel="noreferrer noopener">Facebook</a></strong> to get the latest security news!</strong></p>
</blockquote>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/grub2-vulnerabilities/">GRUB2 Vulnerabilities Put Millions of Linux Devices at Risk</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/grub2-vulnerabilities/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Linux Systems Under Attack: New Auto-Color Malware Grants Remote Access</title>
		<link>https://firsthackersnews.com/linux-malware-2/</link>
					<comments>https://firsthackersnews.com/linux-malware-2/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Tue, 25 Feb 2025 17:11:00 +0000</pubDate>
				<category><![CDATA[Linux Malware]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Security Update]]></category>
		<category><![CDATA[infected systems]]></category>
		<category><![CDATA[Linux malware]]></category>
		<category><![CDATA[Linux systems]]></category>
		<category><![CDATA[Root Privilege Exploitation]]></category>
		<category><![CDATA[security advisory]]></category>
		<category><![CDATA[security fix]]></category>
		<category><![CDATA[security flaw]]></category>
		<category><![CDATA[security update]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=9685</guid>

					<description><![CDATA[<p>Palo Alto Networks researchers have discovered a new Linux malware, &#8220;Auto-Color,&#8221; which poses a serious threat due to</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/linux-malware-2/">Linux Systems Under Attack: New Auto-Color Malware Grants Remote Access</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p><span style="font-size: revert; color: initial;">Palo Alto Networks researchers have discovered a new Linux malware, &#8220;Auto-Color,&#8221; which poses a serious threat due to its advanced evasion methods and ability to give attackers full remote access to infected systems.</span></p>



<p>Found between November and December 2024, the malware targets Linux systems, mainly in universities and government offices in North America and Asia. </p>



<p>It uses advanced techniques to remain undetected, including disguising itself with harmless file names like &#8220;door&#8221; or &#8220;egg&#8221; and employing a malicious library, libcext.so.2, to mimic legitimate system files.</p>



<h2 class="wp-block-heading"><strong>Installation and Root Privilege Exploitation</strong></h2>



<p>When executed, Auto-Color checks if its file name is &#8220;Auto-color.&#8221; If not, it renames itself and installs a hidden library implant. The installation requires the user to have root privileges.</p>



<p>Without root access, the malware is limited in its actions but still remains a threat in later stages. With root access, it installs the libcext.so.2 library in the system’s base directory and alters files like /etc/ld.preload for persistence. This change lets the malware load its library first, overriding key system functions.</p>



<figure class="wp-block-image size-large"><img decoding="async" width="1024" height="644" src="https://firsthackersnews.com/wp-content/uploads/2025/02/image-11-1024x644.png" alt="" class="wp-image-9686" srcset="https://firsthackersnews.com/wp-content/uploads/2025/02/image-11-200x126.png 200w, https://firsthackersnews.com/wp-content/uploads/2025/02/image-11-300x189.png 300w, https://firsthackersnews.com/wp-content/uploads/2025/02/image-11-320x202.png 320w, https://firsthackersnews.com/wp-content/uploads/2025/02/image-11-400x252.png 400w, https://firsthackersnews.com/wp-content/uploads/2025/02/image-11-600x378.png 600w, https://firsthackersnews.com/wp-content/uploads/2025/02/image-11-700x441.png 700w, https://firsthackersnews.com/wp-content/uploads/2025/02/image-11-768x483.png 768w, https://firsthackersnews.com/wp-content/uploads/2025/02/image-11-800x503.png 800w, https://firsthackersnews.com/wp-content/uploads/2025/02/image-11-1024x644.png 1024w, https://firsthackersnews.com/wp-content/uploads/2025/02/image-11-1200x755.png 1200w, https://firsthackersnews.com/wp-content/uploads/2025/02/image-11-1536x967.png 1536w, https://firsthackersnews.com/wp-content/uploads/2025/02/image-11.png 1748w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Initial installation of Auto-color.<br></figcaption></figure>



<p>Auto-Color uses custom encryption to hide its configuration and C2 server communication, making it hard to detect. It encrypts payloads with a stream cipher and manipulates system files, like /proc/net/tcp, to conceal network activity.</p>



<p> The malware also hides C2 connections by removing traces of specific IPs or ports, making its operations difficult to track, similar to techniques used by Symbiote but more advanced.</p>



<p>Once installed, Auto-Color gives attackers full remote access, including:</p>



<ul class="wp-block-list">
<li>Establishing reverse shell connections</li>



<li>Acting as a proxy for further attacks</li>



<li>Manipulating files and running programs</li>



<li>Sending and changing global configuration data</li>
</ul>



<p>It communicates with C2 servers using a custom encrypted protocol. Commands trigger actions like gathering system data or uninstalling itself.</p>



<p>Indicators of compromise include files with names like “log,” “edu,” or “door,” each with the same size (229,160 bytes) but different hashes due to encrypted payloads. Suspicious changes to /etc/ld.preload or unusual network activity could also indicate infection.</p>



<p>Palo Alto Networks recommends using Cortex XDR and Advanced WildFire to detect and block Auto-Color. Organizations should monitor for IoCs and use strong endpoint protection. In case of infection, consult incident response teams like Unit 42 for remediation.</p>



<p>This highlights the need for proactive threat detection and response against increasingly advanced Linux malware.</p>



<h2 class="wp-block-heading" id="section-9-title">Indicators of Compromise</h2>



<p><strong>Malicious files from Auto-Color:</strong></p>



<p>SHA256 hash:&nbsp;270fc72074c697ba5921f7b61a6128b968ca6ccbf8906645e796cfc3072d4c43</p>



<ul class="wp-block-list">
<li>File size: 229,160 bytes</li>



<li>File name:&nbsp;log</li>



<li>File type: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked</li>



<li>File description: Sample 1 malware from Auto-color</li>
</ul>



<p>SHA256 hash:&nbsp;65a84f6a9b4ccddcdae812ab8783938e3f4c12cfba670131b1a80395710c6fb4</p>



<ul class="wp-block-list">
<li>File size: 229,160 bytes</li>



<li>File name:&nbsp;edus</li>



<li>File type: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked</li>



<li>File description: Sample 2 malware from Auto-color</li>
</ul>



<p>SHA256 hash:&nbsp;83d50fcf97b0c1ec3de25b11684ca8db6f159c212f7ff50c92083ec5fbd3a633</p>



<ul class="wp-block-list">
<li>File size: 229,160 bytes</li>



<li>File name:&nbsp;egg</li>



<li>File type: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked</li>



<li>File description: Sample 3 malware from Auto-color</li>
</ul>



<p>SHA256 hash:&nbsp;a1b09720edcab4d396a53ec568fe6f4ab2851ad00c954255bf1a0c04a9d53d0a</p>



<ul class="wp-block-list">
<li>File size: 229,160 bytes</li>



<li>File name:&nbsp;edu</li>



<li>File type: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked</li>



<li>File description: Sample 4 malware from Auto-color</li>
</ul>



<p>SHA256 hash:&nbsp;bace40f886aac1bab03bf26f2f463ac418616bacc956ed97045b7c3072f02d6b</p>



<ul class="wp-block-list">
<li>File size: 229,160 bytes</li>



<li>File name:&nbsp;door</li>



<li>File type: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked</li>



<li>File description: Sample 5 malware from Auto-color</li>
</ul>



<p>SHA256 hash:&nbsp;e1c86a578e8d0b272e2df2d6dd9033c842c7ab5b09cda72c588e0410dc3048f7</p>



<ul class="wp-block-list">
<li>File size: 229,160 bytes</li>



<li>File name:&nbsp;exup</li>



<li>File type: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked</li>



<li>File description: Sample 6 malware from Auto-color</li>
</ul>



<p>SHA256 hash:&nbsp;85a77f08fd66aeabc887cb7d4eb8362259afa9c3699a70e3b81efac9042bb255</p>



<ul class="wp-block-list">
<li>File size: 229,160 bytes</li>



<li>File name:&nbsp;law</li>



<li>File type: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked</li>



<li>File description: Sample 7 malware from Auto-color</li>
</ul>



<p>SHA256 hash:&nbsp;bf503b5eb456f74187a17bb8c08bccc9b3d91a7f0f6fd50110540b051510d1ca</p>



<ul class="wp-block-list">
<li>File size: 35,160 bytes</li>



<li>File name:&nbsp;libcext.so.2</li>



<li>File type: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked</li>



<li>File description: Library Implant from Auto-color</li>
</ul>



<p><strong>Malicious C2 IP Addresses from Auto-Color:</strong></p>



<ul class="wp-block-list">
<li>146[.]70[.]41[.]178:443 &#8211; log sample</li>



<li>216[.]245[.]184[.]214:443 &#8211; edus/egg sample</li>



<li>146[.]70[.]87[.]67:443 &#8211; edu/door sample</li>



<li>65[.]38[.]121[.]64:443 &#8211; exup sample</li>



<li>206[.]189[.]149[.]191:443 &#8211; law sample</li>
</ul>



<p><span class="" data-state="closed"><span class="flex h-[30px] w-[30px] items-center justify-center"><path fill-rule="evenodd" clip-rule="evenodd" d="M12.1318 2.50389C12.3321 2.15338 12.7235 1.95768 13.124 2.00775L13.5778 2.06447C16.0449 2.37286 17.636 4.83353 16.9048 7.20993L16.354 8.99999H17.0722C19.7097 8.99999 21.6253 11.5079 20.9313 14.0525L19.5677 19.0525C19.0931 20.7927 17.5124 22 15.7086 22H6C4.34315 22 3 20.6568 3 19V12C3 10.3431 4.34315 8.99999 6 8.99999H8C8.25952 8.99999 8.49914 8.86094 8.6279 8.63561L12.1318 2.50389ZM10 20H15.7086C16.6105 20 17.4008 19.3964 17.6381 18.5262L19.0018 13.5262C19.3488 12.2539 18.391 11 17.0722 11H15C14.6827 11 14.3841 10.8494 14.1956 10.5941C14.0071 10.3388 13.9509 10.0092 14.0442 9.70591L14.9932 6.62175C15.3384 5.49984 14.6484 4.34036 13.5319 4.08468L10.3644 9.62789C10.0522 10.1742 9.56691 10.5859 9 10.8098V19C9 19.5523 9.44772 20 10 20ZM7 11V19C7 19.3506 7.06015 19.6872 7.17071 20H6C5.44772 20 5 19.5523 5 19V12C5 11.4477 5.44772 11 6 11H7Z" fill="currentColor"></path><path fill-rule="evenodd" clip-rule="evenodd" d="M11.8727 21.4961C11.6725 21.8466 11.2811 22.0423 10.8805 21.9922L10.4267 21.9355C7.95958 21.6271 6.36855 19.1665 7.09975 16.7901L7.65054 15H6.93226C4.29476 15 2.37923 12.4921 3.0732 9.94753L4.43684 4.94753C4.91145 3.20728 6.49209 2 8.29589 2H18.0045C19.6614 2 21.0045 3.34315 21.0045 5V12C21.0045 13.6569 19.6614 15 18.0045 15H16.0045C15.745 15 15.5054 15.1391 15.3766 15.3644L11.8727 21.4961ZM14.0045 4H8.29589C7.39399 4 6.60367 4.60364 6.36637 5.47376L5.00273 10.4738C4.65574 11.746 5.61351 13 6.93226 13H9.00451C9.32185 13 9.62036 13.1506 9.8089 13.4059C9.99743 13.6612 10.0536 13.9908 9.96028 14.2941L9.01131 17.3782C8.6661 18.5002 9.35608 19.6596 10.4726 19.9153L13.6401 14.3721C13.9523 13.8258 14.4376 13.4141 15.0045 13.1902V5C15.0045 4.44772 14.5568 4 14.0045 4ZM17.0045 13V5C17.0045 4.64937 16.9444 4.31278 16.8338 4H18.0045C18.5568 4 19.0045 4.44772 19.0045 5V12C19.0045 12.5523 18.5568 13 18.0045 13H17.0045Z" fill="currentColor"></path><path fill-rule="evenodd" clip-rule="evenodd" d="M11 4.9099C11 4.47485 10.4828 4.24734 10.1621 4.54132L6.67572 7.7372C6.49129 7.90626 6.25019 8.00005 6 8.00005H4C3.44772 8.00005 3 8.44776 3 9.00005V15C3 15.5523 3.44772 16 4 16H6C6.25019 16 6.49129 16.0938 6.67572 16.2629L10.1621 19.4588C10.4828 19.7527 11 19.5252 11 19.0902V4.9099ZM8.81069 3.06701C10.4142 1.59714 13 2.73463 13 4.9099V19.0902C13 21.2655 10.4142 22.403 8.81069 20.9331L5.61102 18H4C2.34315 18 1 16.6569 1 15V9.00005C1 7.34319 2.34315 6.00005 4 6.00005H5.61102L8.81069 3.06701ZM20.3166 6.35665C20.8019 6.09313 21.409 6.27296 21.6725 6.75833C22.5191 8.3176 22.9996 10.1042 22.9996 12.0001C22.9996 13.8507 22.5418 15.5974 21.7323 17.1302C21.4744 17.6185 20.8695 17.8054 20.3811 17.5475C19.8927 17.2896 19.7059 16.6846 19.9638 16.1962C20.6249 14.9444 20.9996 13.5175 20.9996 12.0001C20.9996 10.4458 20.6064 8.98627 19.9149 7.71262C19.6514 7.22726 19.8312 6.62017 20.3166 6.35665ZM15.7994 7.90049C16.241 7.5688 16.8679 7.65789 17.1995 8.09947C18.0156 9.18593 18.4996 10.5379 18.4996 12.0001C18.4996 13.3127 18.1094 14.5372 17.4385 15.5604C17.1357 16.0222 16.5158 16.1511 16.0539 15.8483C15.5921 15.5455 15.4632 14.9255 15.766 14.4637C16.2298 13.7564 16.4996 12.9113 16.4996 12.0001C16.4996 10.9859 16.1653 10.0526 15.6004 9.30063C15.2687 8.85905 15.3578 8.23218 15.7994 7.90049Z" fill="currentColor"></path><path d="M2.5 5.5C4.3 5.2 5.2 4 5.5 2.5C5.8 4 6.7 5.2 8.5 5.5C6.7 5.8 5.8 7 5.5 8.5C5.2 7 4.3 5.8 2.5 5.5Z" fill="currentColor" stroke="currentColor" stroke-linecap="round" stroke-linejoin="round"></path><path d="M5.66282 16.5231L5.18413 19.3952C5.12203 19.7678 5.09098 19.9541 5.14876 20.0888C5.19933 20.2067 5.29328 20.3007 5.41118 20.3512C5.54589 20.409 5.73218 20.378 6.10476 20.3159L8.97693 19.8372C9.72813 19.712 10.1037 19.6494 10.4542 19.521C10.7652 19.407 11.0608 19.2549 11.3343 19.068C11.6425 18.8575 11.9118 18.5882 12.4503 18.0497L20 10.5C21.3807 9.11929 21.3807 6.88071 20 5.5C18.6193 4.11929 16.3807 4.11929 15 5.5L7.45026 13.0497C6.91175 13.5882 6.6425 13.8575 6.43197 14.1657C6.24513 14.4392 6.09299 14.7348 5.97903 15.0458C5.85062 15.3963 5.78802 15.7719 5.66282 16.5231Z" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path><path d="M14.5 7L18.5 11" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path></span></span><span class="hidden"></span><span class="" data-state="closed"><path d="M3.06957 10.8763C3.62331 6.43564 7.40967 3 12 3C14.2824 3 16.4028 3.85067 18.0118 5.25439V4C18.0118 3.44772 18.4595 3 19.0118 3C19.5641 3 20.0118 3.44772 20.0118 4V8C20.0118 8.55228 19.5641 9 19.0118 9H15C14.4477 9 14 8.55228 14 8C14 7.44772 14.4477 7 15 7H16.9571C15.6757 5.76379 13.9101 5 12 5C8.43108 5 5.48466 7.67174 5.0542 11.1237C4.98586 11.6718 4.48619 12.0607 3.93815 11.9923C3.39011 11.924 3.00123 11.4243 3.06957 10.8763ZM20.0618 12.0077C20.6099 12.076 20.9988 12.5757 20.9304 13.1237C20.3767 17.5644 16.5903 21 12 21C9.72322 21 7.60762 20.1535 5.99999 18.7559V20C5.99999 20.5523 5.55228 21 4.99999 21C4.44771 21 3.99999 20.5523 3.99999 20V16C3.99999 15.4477 4.44771 15 4.99999 15H8.99999C9.55228 15 9.99999 15.4477 9.99999 16C9.99999 16.5523 9.55228 17 8.99999 17H7.04285C8.32433 18.2362 10.0899 19 12 19C15.5689 19 18.5153 16.3283 18.9458 12.8763C19.0141 12.3282 19.5138 11.9393 20.0618 12.0077Z" fill="currentColor"></path><span class="overflow-hidden text-clip whitespace-nowrap text-sm"></span></span></p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p><strong>&#x200d;Follow Us on:<strong> <a href="https://twitter.com/Info_FHNews" target="_blank" rel="noreferrer noopener">Twitter</a>,<a href="https://www.instagram.com/first_hackers_news/" target="_blank" rel="noreferrer noopener"> Instagram</a>, <a href="https://www.linkedin.com/in/firsthackers-news/" target="_blank" rel="noreferrer noopener">Facebook</a></strong> to get the latest security news!</strong></p>
</blockquote>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/linux-malware-2/">Linux Systems Under Attack: New Auto-Color Malware Grants Remote Access</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/linux-malware-2/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>RansomHub Now Targets Windows, ESXi, Linux, and FreeBSD</title>
		<link>https://firsthackersnews.com/ransomhub-2/</link>
					<comments>https://firsthackersnews.com/ransomhub-2/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Mon, 17 Feb 2025 17:06:00 +0000</pubDate>
				<category><![CDATA[BOTNET]]></category>
		<category><![CDATA[Exploitation]]></category>
		<category><![CDATA[Linux Malware]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Ransomware]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[#security]]></category>
		<category><![CDATA[ESXi]]></category>
		<category><![CDATA[freebsd]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[RansomHub]]></category>
		<category><![CDATA[security advisory]]></category>
		<category><![CDATA[security fix]]></category>
		<category><![CDATA[security update]]></category>
		<category><![CDATA[Windows]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=9635</guid>

					<description><![CDATA[<p>RansomHub has rapidly emerged as a major cybercrime syndicate in 2024–2025, expanding its arsenal to target Windows, VMware</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/ransomhub-2/">RansomHub Now Targets Windows, ESXi, Linux, and FreeBSD</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>RansomHub has rapidly emerged as a major cybercrime syndicate in 2024–2025, expanding its arsenal to target Windows, VMware ESXi, Linux, and FreeBSD in global attacks. </p>



<p>The group employs advanced evasion techniques, cross-platform encryption, and exploits vulnerabilities in enterprise infrastructure. Group-IB analysts report that RansomHub has compromised over 600 organizations, including those in healthcare, finance, and critical infrastructure.</p>



<h3 class="wp-block-heading">Multi-OS Encryption Capabilities</h3>



<p>RansomHub’s ransomware adapts to different platforms, using specific commands and encryption methods for each.</p>



<p>For Windows, a PowerShell command runs the ransomware with options to set a password, disable networking, and skip certain virtual machines:<br><strong><code>powershell RansomHub.exe -pass &lt;SHA256&gt; -fast -disable-net -skip-vm "VM1"</code></strong></p>



<p>A JSON file, decrypted at runtime, controls whitelisted directories, process termination lists, and credentials for spreading within networks.</p>



<p>The ESXi encryptor, written in C++, shuts down virtual machines with <strong>vim-cmd</strong> and encrypts files like <strong>.vmdk</strong> and <strong>.vmx</strong> using <strong>ChaCha20</strong> and <strong>Curve25519</strong> encryption. A flaw in the <strong>/tmp/app.pid</strong> check lets defenders stop encryption by writing <strong>-1</strong> to the file, forcing an infinite loop.</p>



<p>Example ESXi code:</p>



<p>if (access(&#8220;/tmp/app.pid&#8221;, F_OK) == 0) {<br>pid_t pid = read_pid();<br>if (kill(pid, 0) == 0) {<br>kill(pid, SIGKILL);<br>exit(0);<br>}<br>}</p>



<p>The Linux version encrypts files in 1 MB chunks and disables <strong>syslog</strong> to avoid detection.</p>



<p>On FreeBSD, the ransomware, detected as <strong>Ransom.FreeBSD.INTERLOCK.THJBBBD</strong>, skips important system folders (<strong>/boot, /etc</strong>) and adds <strong>.interlock</strong> to encrypted files.</p>



<p>RansomHub spreads by exploiting known vulnerabilities like <strong>CVE-2024-3400</strong> (Palo Alto firewalls) and <strong>CVE-2021-42278/CVE-2020-1472</strong> (Active Directory).</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="1008" height="322" src="https://firsthackersnews.com/wp-content/uploads/2025/02/image-7.png" alt="" class="wp-image-9636" srcset="https://firsthackersnews.com/wp-content/uploads/2025/02/image-7-200x64.png 200w, https://firsthackersnews.com/wp-content/uploads/2025/02/image-7-300x96.png 300w, https://firsthackersnews.com/wp-content/uploads/2025/02/image-7-400x128.png 400w, https://firsthackersnews.com/wp-content/uploads/2025/02/image-7-600x192.png 600w, https://firsthackersnews.com/wp-content/uploads/2025/02/image-7-768x245.png 768w, https://firsthackersnews.com/wp-content/uploads/2025/02/image-7-800x256.png 800w, https://firsthackersnews.com/wp-content/uploads/2025/02/image-7.png 1008w" sizes="auto, (max-width: 1008px) 100vw, 1008px" /><figcaption class="wp-element-caption">Excerpt from Palo Alto&#8217;s security advisory (Source: Group-IB)<br><br>The group pressures victims by threatening regulatory reporting for PDPL violations.<br><br>json // Decrypted configuration snippet { &#8220;master_public_key&#8221;: &#8220;a1b2c3&#8230;&#8221;, &#8220;extension&#8221;: &#8220;.6706c3&#8221;, &#8220;note_file_name&#8221;: &#8220;README.txt&#8221;, &#8220;kill_processes&#8221;: [&#8220;MsMpEng.exe&#8221;, &#8220;TaniumCX.exe&#8221;] }<br><br>CISA urges organizations to patch <strong>CVE-2024-3400</strong> and audit remote services to counter RansomHub. Detection includes YARA rules, monitoring suspicious PowerShell commands, and blocking known IoCs. With RansomHub exploiting zero-days and recruiting ex-ALPHV/LockBit affiliates, strong endpoint security and backup isolation are critical.<br><br><strong>&#x200d;Follow Us on:<strong> <a href="https://twitter.com/Info_FHNews" target="_blank" rel="noreferrer noopener">Twitter</a>,<a href="https://www.instagram.com/first_hackers_news/" target="_blank" rel="noreferrer noopener"> Instagram</a>, <a href="https://www.linkedin.com/in/firsthackers-news/" target="_blank" rel="noreferrer noopener">Facebook</a></strong> to get the latest security news!</strong><br><br></figcaption></figure>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/ransomhub-2/">RansomHub Now Targets Windows, ESXi, Linux, and FreeBSD</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/ransomhub-2/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
