The infection began with the exploitation of a vulnerable Jenkins server (CVE-2024-238976), which enabled lateral movement into AWS EKS clusters. The threat actor deployed a malicious Docker image (kvlnt/vv) containing a Rust-based downloader (vGet) that retrieved an encrypted vShell backdoor payload from an Amazon S3 bucket. The attackers gained persistence and system access through container escapes enabled by host filesystem mounts and privilege escalation.
Subsequently, the LinkPro rootkit, written in Golang, was installed on multiple GNU/Linux hosts. It embeds four ELF binaries, including two eBPF modules (“Hide” and “Knock”), a shared library (libld.so), and an unused kernel module (arp_diag.ko).
The Hide module leverages tracepoint and kretprobe hooks on getdents and sys_bpf to conceal files, processes, and its own BPF maps from tools like bpftool.
The Knock module watches for TCP “magic packets” (a SYN with window size 54321) that activate its C2 listener. Matching traffic is redirected internally to the hidden port (2233), which lets the backdoor bypass firewall rules and obfuscates what appears in connection logs.
If kernel restrictions prevent eBPF use, LinkPro falls back to the LD_PRELOAD technique, installing /etc/libld.so to hook libc functions and hide artifacts in user space.
Persistence is achieved by masquerading as systemd-resolved, creating /usr/lib/.system/.tmp~data.resolveld and a fake unit file /etc/systemd/system/systemd-resolveld.service. Once active, LinkPro enables full remote shell access, file operations, SOCKS5 proxy tunneling, and DNS/HTTP C2 communications.
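The host and network indicators in the preceding paragraphs (the LD_PRELOAD fallback library, the fake systemd-resolved persistence files, and the SYN/54321 knock) can be turned into a small audit. The script below is an added example and is not code from the original report or from the malware; it assumes that the LD_PRELOAD fallback is registered through /etc/ld.so.preload (the write-up names only /etc/libld.so), that the unit-name lookalike check should compare against a short, constructed list of legitimate systemd units, and that the knock is a bare SYN (no ACK) with the reported window value. All sample inputs in the test are constructed.

```python
"""Audit helpers for the LinkPro indicators described above (added example).

Every check is a pure function that takes its input as an argument, so the
logic can be exercised offline against constructed samples; audit_host()
wires the same functions to the live filesystem.
"""
import os
import struct

# File-system indicators quoted in the write-up.
FILE_INDICATORS = (
    "/etc/libld.so",
    "/usr/lib/.system/.tmp~data.resolveld",
    "/etc/systemd/system/systemd-resolveld.service",
)

# Legitimate unit names a lookalike would imitate (assumed list for this example).
KNOWN_UNITS = (
    "systemd-resolved.service",
    "systemd-networkd.service",
    "systemd-logind.service",
)

TCP_SYN = 0x02
TCP_ACK = 0x10
KNOCK_WINDOW = 54321  # window value reported for the Knock module's magic packet


def present_indicators(paths_on_host):
    """Return the known file indicators that appear in the given set of paths."""
    return [p for p in FILE_INDICATORS if p in paths_on_host]


def parse_ld_preload(text):
    """Entries of /etc/ld.so.preload: whitespace separated, '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.split())
    return entries


def suspicious_preload(entries):
    """Preload entries outside the usual library directories deserve a look."""
    return [e for e in entries if not e.startswith(("/lib", "/usr/lib"))]


def edit_distance(a, b):
    """Levenshtein distance, used to spot unit names that imitate real ones."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_units(unit_names, known=KNOWN_UNITS):
    """(candidate, imitated) pairs within edit distance 2 of a known unit."""
    hits = []
    for name in unit_names:
        for legit in known:
            if name != legit and edit_distance(name, legit) <= 2:
                hits.append((name, legit))
    return hits


def build_tcp_header(src, dst, flags, window):
    """Constructed 20-byte TCP header (offset 5, zero checksum) for offline tests."""
    return struct.pack("!HHIIHHHH", src, dst, 0, 0, (5 << 12) | flags, window, 0, 0)


def parse_tcp_header(raw):
    """Parse the fixed part of a TCP header: (src_port, dst_port, flags, window)."""
    src, dst, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", raw[:16])
    return src, dst, off_flags & 0x1FF, window


def is_knock_packet(flags, window):
    """True for a bare SYN (no ACK) carrying the reported knock window value."""
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK) and window == KNOCK_WINDOW


def audit_host():
    """Run the file, preload and unit-name checks against the live host."""
    existing = {p for p in FILE_INDICATORS if os.path.exists(p)}
    findings = {"files": present_indicators(existing)}
    try:
        with open("/etc/ld.so.preload") as fh:
            findings["preload"] = suspicious_preload(parse_ld_preload(fh.read()))
    except FileNotFoundError:
        findings["preload"] = []
    unit_dir = "/etc/systemd/system"
    units = os.listdir(unit_dir) if os.path.isdir(unit_dir) else []
    findings["lookalike_units"] = lookalike_units(units)
    return findings


if __name__ == "__main__":
    for key, value in audit_host().items():
        print(f"{key}: {value or 'none'}")
```

Because the Hide module hooks getdents, a directory listing taken on an infected host can omit the very files this script looks for; the reliable way to use the filesystem checks is against a mounted disk image or from a boot environment the rootkit does not control, while the knock classifier is meant to run over packet captures taken at the network edge rather than on the host.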
No definitive attribution has been made, but the activity appears financially motivated, demonstrating advanced operational design and adaptability across diverse kernel configurations.