Malware analysis

Advanced eBPF Rootkit LinkPro Evades Detection on Linux Systems via Magic TCP Packets

Overview: LinkPro is a newly discovered rootkit targeting GNU/Linux systems that uses eBPF (extended Berkeley Packet Filter) to hide its presence on infected hosts. Synacktiv's CSIRT uncovered it while investigating a compromised AWS environment.

The rootkit was deployed after attackers exploited a vulnerable Jenkins server and used it to distribute a malicious Docker image containing a Rust downloader, which in turn fetched a memory-resident vShell backdoor. Because eBPF is a legitimate kernel feature, LinkPro's hooks run inside the Linux kernel, below the user-space tooling defenders normally rely on, which makes detection difficult.

Using eBPF, the LinkPro backdoor hides its processes and network activity and can be activated remotely by a "magic packet".

Source: www.synacktiv.com 

Issue Details: The attack, which began at a vulnerable Jenkins server, deployed a malicious Docker image across AWS EKS clusters, enabling credential theft and lateral movement. It illustrates how eBPF can be abused by advanced persistent threats (APTs) in cloud environments.

LinkPro targets GNU/Linux systems and relies on eBPF kernel capabilities for both stealth and remote activation.

It embeds several ELF modules, including two eBPF programs (referred to below as the Hide and Knock modules). The Hide module hooks kernel system calls such as getdents and sys_bpf so that files, processes and the rootkit's own eBPF programs and maps are filtered out of what detection tools can see.

If the running kernel does not support these hooks, LinkPro falls back to user-space concealment by loading a malicious shared library through /etc/ld.so.preload. The Knock module is a network packet filter that stays dormant until it receives a specific "magic packet" (a TCP SYN with a window size of 54321); the sender is then treated as an authorized address, allowing the attacker to reach and control the implant covertly.

For persistence, LinkPro installs a systemd unit that masquerades as the legitimate systemd-resolved service. It supports several command-and-control transports (HTTP, DNS tunneling, and raw TCP/UDP) with encrypted traffic, and lets operators execute arbitrary commands, perform file operations and establish proxy tunnels, making it a flexible, stealthy tool for long-term intrusions into cloud-native Linux systems.
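To make the trigger concrete, the following is an added example (not Synacktiv's tooling and not the rootkit's code) that scans raw Ethernet frames for LinkPro's magic packet, a bare TCP SYN whose window field is 54321, and prints the equivalent tcpdump capture filter. Only the trigger condition comes from the analysis; the frame parsing, helper names and the sample frames are constructed for this example.

```python
"""Offline scan of raw Ethernet frames for LinkPro's magic packet.

Added example, not Synacktiv's tooling or the rootkit's code. The only
fact taken from the write-up is the trigger condition (a TCP SYN whose
window field is 54321); the frame layout code and the sample frames are
constructed for this example.
"""
import struct

MAGIC_WINDOW = 54321
SYN, ACK = 0x02, 0x10

# Equivalent libpcap capture filter for tcpdump/Wireshark: the TCP window
# occupies bytes 14-15 of the TCP header, and we want SYN without ACK.
PCAP_FILTER = "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and tcp[14:2] == 54321"


def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, flags, window) for an
    Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 14 + 20 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:  # EtherType is not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6:  # not IPv4 / protocol is not TCP
        return None
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    return src, dst, sport, dport, off_flags & 0x01FF, window


def is_magic_packet(frame):
    """True for a bare SYN (no ACK) whose window is 54321, on any port."""
    parsed = parse_tcp(frame)
    if parsed is None:
        return False
    flags, window = parsed[4], parsed[5]
    return bool(flags & SYN) and not (flags & ACK) and window == MAGIC_WINDOW


def scan_frames(frames):
    """Return (src_ip, dst_ip, dst_port) for every frame that matches."""
    hits = []
    for frame in frames:
        if is_magic_packet(frame):
            src, dst, _sport, dport, _flags, _window = parse_tcp(frame)
            hits.append((src, dst, dport))
    return hits


def build_frame(src, dst, sport, dport, flags, window):
    """Constructed Ethernet/IPv4/TCP frame with zeroed checksums: enough
    for offline parsing, not something to put on the wire as-is."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


# Constructed traffic: a normal SYN, the magic SYN, a SYN/ACK that happens
# to carry window 54321 (must not match), and a non-IPv4 frame.
SAMPLE_FRAMES = [
    build_frame("203.0.113.5", "198.51.100.10", 40000, 443, SYN, 65535),
    build_frame("203.0.113.5", "198.51.100.10", 40001, 8080, SYN, MAGIC_WINDOW),
    build_frame("198.51.100.10", "203.0.113.5", 443, 40000, SYN | ACK, MAGIC_WINDOW),
    b"\x00" * 12 + b"\x86\xdd" + b"\x00" * 40,
]

if __name__ == "__main__":
    for src, dst, dport in scan_frames(SAMPLE_FRAMES):
        print(f"magic packet from {src} to {dst}:{dport}")
    print("tcpdump filter:", PCAP_FILTER)
```

Capture from a mirror port or tap rather than on the suspect host: the rootkit hooks the kernel specifically to hide its network activity, so a host-side capture may already be filtered. The same two conditions (SYN without ACK, window 54321) are cheap to alert on in any IDS that exposes TCP flags and window size, and because the Knock module accepts the packet on any port, the rule should not be restricted to a destination port.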

Attack Flow 

IOCs

IOC Type / Indicator / Description

Network
  /api/client/file/download?Path=…
      URL used to download tools/payloads onto the compromised host.
  /reverse/handshake, /reverse/heartbeat, /reverse/operation
      Endpoints the implant calls in reverse mode to receive operator commands.
  18.199.101.111
      Destination IP used by LinkPro in forward (active) mode.

File
  /etc/systemd/system/systemd-resolveld.service
      Malicious systemd service file named to look like systemd-resolved.
  /root/.tmp~data.ok
      Location/name of the LinkPro binary, disguised as a system file.
  /usr/lib/.system/.tmp~data.resolveld
      Alternate disguised location for the LinkPro binary.
  /etc/libld.so
      Malicious library loaded via /etc/ld.so.preload as a fallback concealment method.

Host (service name and eBPF map names)
  systemd-resolveld
      Fake service name intended to be mistaken for systemd-resolved.
  conf_map
      eBPF map holding the internal port used by the Knock module.
  knock_map
      eBPF map containing authorized IP addresses for the Knock module.
  main_ebpf_progs
      eBPF map listing the programs that the Hide module manages.
  pids_to_hide_map
      eBPF map listing the process IDs the rootkit hides.

Hashes (SHA-256)
  d5b2202b7308b25bda8e106552dafb8b6e739ca62287ee33ec77abe4016e698b   Passive LinkPro backdoor
  1368f3a8a8254feea14af7dc928af6847cab8fcceec4f21e0166843a75e81964   Active LinkPro backdoor
  b11a1aa2809708101b0e2067bd40549fac4880522f7086eb15b71bfb322ff5e7   ld.so.preload module (libld.so)
  b8c8f9888a8764df73442ea78393fe12464e160d840c0e7e573f5d9ea226e164   Hide eBPF module
  364c680f0cab651bb119aa1cd82fefda9384853b1e8f467bcad91c9bdef097d3   Knock eBPF module
  0da5a7d302ca5bc15341f9350a130ce46e18b7f06ca0ecf4a1c37b4029667dbb   vGet downloader

Recommendations

  • Patch Jenkins against CVE-2024-23897, the vulnerability used for initial access in this intrusion. 
  • Keep CI/CD tools off the public internet and enforce strict network segmentation between build infrastructure and production workloads. 
  • Monitor for unexpected container deployments and for containers that mount the host filesystem. 
  • Audit eBPF activity with kernel tooling: record bpf() syscalls with auditd and review loaded programs and maps with bpftool, bearing in mind that LinkPro hooks sys_bpf to hide its own programs, so an empty listing is not proof of a clean host. Also check for /etc/ld.so.preload, which normally should not exist. 
  • Hunt for the magic packet on the network (a TCP SYN with window size 54321, on any port), capturing from a tap or mirror port rather than on the suspect host. 
  • Keep Linux kernels and distribution packages up to date. 
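The host-side checks above can be scripted. The following is an added example (not Synacktiv's tooling or the rootkit's code) that triages a live host or a mounted disk image against the IOC table: it reads /etc/ld.so.preload, looks for the listed file paths, compares SHA-256 hashes of anything found, and, when run against the live root with bpftool installed, lists loaded eBPF maps whose names match LinkPro's. The indicator values are copied from the IOC table; the function names, the auditd rule and the constructed test tree are this example's own assumptions.

```python
"""Host triage for the LinkPro indicators in the IOC table.

Added example, not Synacktiv's tooling or the rootkit's code. Indicator
values (paths, eBPF map names, SHA-256 hashes) come from the IOC table;
function names, the audit rule and the constructed test tree are
assumptions made for this example.
"""
import hashlib
import json
import os
import shutil
import subprocess
import tempfile

LINKPRO_PATHS = [
    "/etc/systemd/system/systemd-resolveld.service",
    "/root/.tmp~data.ok",
    "/usr/lib/.system/.tmp~data.resolveld",
    "/etc/libld.so",
]
LINKPRO_MAPS = {"conf_map", "knock_map", "main_ebpf_progs", "pids_to_hide_map"}
LINKPRO_SHA256 = {
    "d5b2202b7308b25bda8e106552dafb8b6e739ca62287ee33ec77abe4016e698b": "passive LinkPro backdoor",
    "1368f3a8a8254feea14af7dc928af6847cab8fcceec4f21e0166843a75e81964": "active LinkPro backdoor",
    "b11a1aa2809708101b0e2067bd40549fac4880522f7086eb15b71bfb322ff5e7": "ld.so.preload module (libld.so)",
    "b8c8f9888a8764df73442ea78393fe12464e160d840c0e7e573f5d9ea226e164": "Hide eBPF module",
    "364c680f0cab651bb119aa1cd82fefda9384853b1e8f467bcad91c9bdef097d3": "Knock eBPF module",
    "0da5a7d302ca5bc15341f9350a130ce46e18b7f06ca0ecf4a1c37b4029667dbb": "vGet downloader",
}
# auditd rule (x86_64) that logs every bpf() syscall; load it with auditctl
# or drop it into /etc/audit/rules.d/. The kernel audit subsystem records
# the call regardless of what bpftool is later allowed to see.
AUDIT_RULE = "-a always,exit -F arch=b64 -S bpf -k bpf_activity"


def read_ld_preload(root="/"):
    """Libraries listed in <root>/etc/ld.so.preload. The file is absent or
    empty on a healthy host, so any entry deserves a look."""
    path = os.path.join(root, "etc/ld.so.preload")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.lstrip().startswith("#")]


def present_paths(root="/"):
    """IOC paths that exist under root (root may be a mounted image)."""
    return [p for p in LINKPRO_PATHS if os.path.lexists(os.path.join(root, p.lstrip("/")))]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_hits(paths, known=LINKPRO_SHA256):
    """(path, label) for every regular file whose SHA-256 is a known sample."""
    hits = []
    for p in paths:
        if os.path.isfile(p):
            digest = sha256_of(p)
            if digest in known:
                hits.append((p, known[digest]))
    return hits


def loaded_linkpro_maps():
    """Loaded eBPF map names matching LinkPro's, via bpftool's JSON output.
    Caveat: the Hide module hooks sys_bpf precisely to filter this view, so
    an empty result is not a clean bill of health; compare with audit
    records or with a check from a trusted boot medium. Returns None when
    bpftool is unavailable or fails."""
    if shutil.which("bpftool") is None:
        return None
    try:
        out = subprocess.run(["bpftool", "-j", "map", "list"],
                             capture_output=True, text=True, check=True).stdout
        maps = json.loads(out or "[]")
    except (subprocess.CalledProcessError, OSError, ValueError):
        return None
    return sorted(m.get("name", "") for m in maps if m.get("name") in LINKPRO_MAPS)


def triage(root="/"):
    found = present_paths(root)
    return {
        "ld_preload": read_ld_preload(root),
        "paths": found,
        "hash_hits": hash_hits([os.path.join(root, p.lstrip("/")) for p in found]),
        # bpftool only makes sense against the live kernel, not an image
        "bpf_maps": loaded_linkpro_maps() if root == "/" else None,
    }


def make_constructed_root():
    """Throwaway tree mimicking an infected host (constructed data, not real
    samples) so the checks can be exercised without touching /."""
    root = tempfile.mkdtemp(prefix="linkpro-triage-")
    os.makedirs(os.path.join(root, "etc/systemd/system"))
    with open(os.path.join(root, "etc/ld.so.preload"), "w") as fh:
        fh.write("/etc/libld.so\n")
    open(os.path.join(root, "etc/systemd/system/systemd-resolveld.service"), "w").close()
    return root


if __name__ == "__main__":
    print(json.dumps(triage(make_constructed_root()), indent=2))
    print("suggested auditd rule:", AUDIT_RULE)
```

Run `triage("/")` as root on a suspect host, or `triage("/mnt/image")` on a disk image mounted read-only; the latter sidesteps the Hide module entirely, since a kernel that is not running the rootkit has nothing filtering getdents. Treat the hash list as a floor, not a ceiling: new builds will not match, while the service name, the ld.so.preload entry and the map names are cheaper for an attacker to keep than to change.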

Conclusion: 
The LinkPro rootkit is an advanced Linux malware that uses eBPF at the kernel level to stay hidden and persist on compromised systems.

In the observed intrusion it was delivered through a Jenkins vulnerability and container escapes, and it is activated remotely by a magic packet, which underlines the continuous monitoring organizations must maintain over their build and cloud environments.

To protect against it, organizations should focus on timely patching, restricting exposure of CI/CD infrastructure, and monitoring for the host and network indicators listed above. 
