“A True Nightmare”: Leaked Archive Reveals a Highly Sophisticated Linux Rootkit
In the latest issue of the hacker magazine Phrack, a vast leaked archive has been published detailing the operations of a North Korean state-sponsored group. The leak includes exploitation techniques, information on compromised systems, and a Linux rootkit showing a remarkable degree of stealth and sophistication.
The authors of the publication note that some of the material points to a Chinese group targeting government agencies and private companies in South Korea and Taiwan. However, numerous overlaps were found with operations attributed to the well-known North Korean collective Kimsuky.
The archive contains certificates granting access to restricted networks, as well as screenshots documenting the development of active backdoors. Particularly concerning is the presence of executable malware for multiple platforms, which, if launched, could cause significant damage.
The rootkit, analyzed in its 2025 variant, is implemented as a loadable Linux kernel module built on the khook function-hooking library. Hooking kernel functions, including system-call handlers, lets it feed falsified results to every user-space tool that asks the kernel what is running, so the standard detection mechanisms on the host see nothing.
The malware hides itself from lsmod and conceals its processes, its network activity, and its autostart files under /etc/init.d and /etc/rc.d. It is activated by a specially crafted packet that can arrive on any port; it then opens an encrypted channel over which the operator can launch a command shell, transfer files, configure proxies, or chain several compromised hosts together.
To make analysis harder, the shell's command history is redirected to /dev/null, shell session timeouts are disabled, and all network communication is encrypted.
According to the analysts, the implant installs itself under the guise of a tracker-fs component in /usr/lib64, while the kernel module itself (named vmwfxs by default) is unsigned, so on most distribution kernels loading it leaves a module-verification warning in the kernel log and taints the kernel. The components communicate through a fake procfs entry, /proc/acpi/pcicard, rather than an ordinary socket. Its weakness is a rigid dependence on specific kernel versions: a module compiled against one kernel will not load after a kernel update unless it is rebuilt. Nevertheless, the rootkit blends its traffic into legitimate services such as SSH or web ports, which helps it past firewall rules.
Detecting such threats is difficult but possible. Automated tools can surface hidden files, invisible processes, and traces of kernel modification. Manual inspection involves reviewing dmesg output or /var/log/kern.log for messages about unsigned or out-of-tree modules tainting the kernel, probing suspicious paths with direct system calls instead of trusting directory listings, and auditing systemd services, particularly tracker-fs.service. At the binary level, suspicious strings appear in /usr/include/tracker-fs/tracker-efs, pointing to the program's malicious intent. Although it evades standard utilities such as ps and ss, specialized tools can still identify active processes. Bear in mind that a module hooking kernel functions can lie to any user-space tool, so findings made on the live host should be confirmed by examining the disk offline from trusted boot media.
The rootkit's capabilities extend to multi-stage connections, SOCKS5 proxy support, and delayed packet transmission to evade monitoring. If a compromise is confirmed, the experts recommend isolating the system and rebuilding it from scratch, since an attacker with root and kernel-level access leaves nothing on the host that can be trusted. They also advise focusing on generic, behaviour-based detection rather than static indicators such as file and module names, which an attacker can change trivially.
This leaked archive once again highlights that state-sponsored toolkits achieve an extraordinary level of stealth and effectiveness. Against the backdrop of escalating nation-state cyberattacks, Linux administrators must prioritize vigilant monitoring to identify anomalies and prevent long-term intrusions.