#Diamorphine rootkit deploys crypto miner on #Linux
A forked script is used to stealthily deploy a cryptocurrency #miner, disguised as a Python file. Diamorphine intercepts system calls and hides its presence. Let’s take a closer look at this threat’s behavior using #ANYRUN’s Linux VM, which provides full visibility into process activity and persistence mechanisms.

The attack #script capabilities:
Propagating from the compromised host to other systems, including stealing SSH keys to move laterally
Privilege escalation
Installing required dependencies
Establishing persistence via #systemd
Terminating rival cryptocurrency miners
Establishing a three‑layer self‑defense stack:
– Replacing the ps utility
– Installing the Diamorphine #rootkit
– Loading a library that intercepts system calls

️ Both the rootkit and the miner are built from open‑source code obtained on #GitHub, highlighting the ongoing abuse of publicly available tooling in Linux threats.

See Linux analysis session and collect #IOCs: https://app.any.run/tasks/a750fe79-9565-449d-afa3-7e523f84c6ad/?utm_source=mastodon&utm_medium=post&utm_campaign=diamorphine&utm_term=070525&utm_content=linktoservice

Use this TI Lookup query to find fresh samples and enhance your organization's security response: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=diamorphine&utm_content=linktotilookup&utm_term=070525#%7B%2522query%2522:%2522commandLine:%255C%2522Diamorphine.ko%255C%2522%2522,%2522dateRange%2522:180%7D%20

Analyze and investigate the latest #malware and phishing threats with #ANYRUN

Earth Kurma Uses Rootkits and Cloud Services to Target Southeast Asia

Pulse ID: 6818f66e1b135d244073e509
Pulse Link: https://otx.alienvault.com/pulse/6818f66e1b135d244073e509
Pulse Author: cryptocti
Created: 2025-05-05 17:33:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

"#Malware maker sponsors a #shitpost by a #TechIlliterate #Windows n0ob to sell their #Rootkit to #TechIlliterates" would'nt be as clickbaity but a #HonestVideoTitle instead...

https://www.youtube.com/watch?v=UKLTGoftJi8

Nice how site refers to the application features "monitor employee productivity" back in my day this was called spying using a rootkit.

RE: https://sfba.social/@twrling/114419685349438823

Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors

An APT group named Earth Kurma is actively targeting government and telecommunications organizations in Southeast Asia, particularly in the Philippines, Vietnam, Thailand, and Malaysia. The campaign, which dates back to November 2020, employs advanced custom malware, rootkits, and cloud storage services for data exfiltration. Earth Kurma utilizes sophisticated tools like TESDAT, SIMPOBOXSPY, KRNRAT, and MORIYA, demonstrating adaptive malware toolsets and complex evasion techniques. The attackers focus on lateral movement, persistence, and data collection, using various utilities to scan infrastructures and deploy malware. They also employ rootkits to maintain stealth and bypass detection. The group's primary objective appears to be cyberespionage, with a high risk of sensitive data compromise and prolonged, undetected network access.

Pulse ID: 6813dda8c5c2a896eb350730
Pulse Link: https://otx.alienvault.com/pulse/6813dda8c5c2a896eb350730
Pulse Author: AlienVault
Created: 2025-05-01 20:46:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

PoC #rootkit #Curing evades traditional #Linux detection systems
https://securityaffairs.com/177098/hacking/poc-rootkit-curing-evades-traditional-linux-detection-systems.html
#securityaffairs #hacking

Sicherheitsforscher haben ein #Linux-#Rootkit entwickelt, das die #Kernel-#API io_uring ausnutzt, um unentdeckt zu bleiben. Überwachungstools erkennen etwaige Angriffe darüber nicht. https://winfuture.de/news,150557.html?utm_source=Mastodon&utm_medium=ManualStatus&utm_campaign=SocialMedia

#Hackers can now bypass #Linux #security thanks to terrifying new Curing #rootkit

https://betanews.com/2025/04/24/hackers-bypass-linux-security-with-armo-curing-rootkit/

#Linux '#io_uring' security blindspot allows stealthy #rootkit attacks

https://www.bleepingcomputer.com/news/security/linux-io-uring-security-blindspot-allows-stealthy-rootkit-attacks/

The Rise of 'Curing': A New Linux Rootkit Exploiting io_uring

A newly unveiled rootkit named 'Curing' is pushing the boundaries of cybersecurity by leveraging the Linux kernel's io_uring feature, allowing attackers to execute malicious activities undetected. Thi...

https://news.lavx.hu/article/the-rise-of-curing-a-new-linux-rootkit-exploiting-io-uring

Whoa, hold up! There's a new Linux rootkit dubbed "Curing" out in the wild, and it's got a nasty trick: leveraging `io_uring` to slip right past traditional security tools. Why? Because most of those tools are laser-focused on system calls... which `io_uring` can bypass.

So, what's the deal with `io_uring`? Picture an application chatting directly with the kernel, essentially skipping the front desk where system calls usually check-in. "Curing" exploits this direct line for its command-and-control communication, leaving *none* of the usual suspicious system call footprints. Talk about stealth mode! And heads up – Google has actually been warning about the potential risks here for some time.

Speaking from a pentester's perspective, this is yet another stark reminder: just relying on "basic" security isn't going to cut it. We really need to dive deeper, get our hands dirty with kernel-level analysis and understanding. Let's be clear: running automated scans is *not* the same as a thorough penetration test!

What about you? Are you utilizing `io_uring` in your environment? What kind of security measures have you put in place around it? Seriously curious – how do you see kernel security evolving from here? Let's discuss!

Fortinet advierte que atacantes pueden conservar el acceso incluso después de la aplicación de parches https://blog.elhacker.net/2025/04/fortinet-advierte-atacantes-mantienen-acceso-tras-aplicacion-parche-seguridad.html #vulnerabilidad #persistencia #fortinet #Rootkit #bug #cve

OBSCURE#BAT #Malware Highlights Risks of API Hooking. Researchers discovered an attack chain that uses several layers of obfuscated #batch files and #PowerShell scripts to deliver an advanced and persistent #rootkit.
https://www.darkreading.com/vulnerabilities-threats/obscurebat-malware-highlights-api-hooking
#security

"Passwort" Folge 25: Staatlich sanktionierte Schnüffelsoftware

Dieses Mal nehmen sich die Podcast-Hosts eines kontroversen Themas an: Unternehmen installieren über Sicherheitslücken Malware - und das in staatlichem Auftrag.

https://www.heise.de/news/Passwort-Folge-25-Staatlich-sanktionierte-Schnueffelsoftware-10271855.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

The Art of Linux Kernel Rootkits

An advanced and deep introduction about Linux kernel mode rookits, how to detect, what are hooks and how it works.

https://inferi.club/post/the-art-of-linux-kernel-rootkits

"Passwort" Folge 23: Schnitzeljagd um ein Linux-Bootkit

Sicherheitsforscher finden zufällig die Malware "Bootkitty" und analysieren sie. Was kann sie und wer steckt dahinter? Christopher und Sylvester rätseln mit.

https://www.heise.de/news/Passwort-Folge-23-Schnitzeljagd-um-ein-Linux-Bootkit-10236522.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

Pumakit – Sophisticated Linux Rootkit That Persist Even After Reboots https://gbhackers.com/pumakit-linux-rootkit-persistence/ #CyberSecurityNews #IncidentResponse #cybersecurity #Linuxmalware #LinuxMalware #Rootkit

"Passwort" Folge 23: Schnitzeljagd um ein Linux-Bootkit

Sicherheitsforscher finden zufällig die Malware "Bootkitty" und analysieren sie. Was kann sie und wer steckt dahinter? Christopher und Sylvester rätseln mit.

https://www.heise.de/news/Passwort-Folge-23-Schnitzeljagd-um-ein-Linux-Bootkit-10236522.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

BlackPill is a stealthy Linux rootkit made in Rust.

https://github.com/DualHorizon/blackpill