eBPF-Based “LinkPro” Linux Rootkit Deployed via Jenkins Exploitation and Malicious Docker Image
October 31st, 2025
Critical
Our Cyber Threat Intelligence Unit is monitoring LinkPro, a new GNU/Linux rootkit discovered by Synacktiv following a compromise of an AWS environment. The intrusion originated from an exposed Jenkins server vulnerable to CVE-2024-23897, which was exploited to deploy a malicious Docker image (kvlnt/vv) across several Kubernetes clusters. This image deployed multiple coordinated components: a VPN/proxy tool (vnt/link), a downloader (vGet/app), a backdoor (vShell), and the LinkPro rootkit, written in Go and equipped with two eBPF modules for stealth and network control. LinkPro can be remotely activated via a TCP “magic packet” (window size 54321) and supports both active (forward) and passive (reverse) control modes. This campaign highlights the growing misuse of eBPF for rootkit concealment and supply-chain attacks in containerized environments, emphasizing the importance of robust CI/CD and Kubernetes security practices.
Technical Details
Attack Type: Linux rootkit leveraging eBPF and ld.so.preload for concealment.
Severity: Critical.
Affected Platforms: GNU/Linux, containerized, and Kubernetes workloads.
Initial Vector and Delivery Method:
Exploitation of Jenkins (CVE-2024-23897): Attackers exploited an exposed Jenkins instance to execute arbitrary commands.
Malicious Docker image (kvlnt/vv): Hosted on Docker Hub (now removed). The image dropped:
start.sh: Initiates SSH and launches secondary payloads.
link (vnt): Connects to vnt.wherewego[.]top:29872 to provide proxy/VPN tunneling.
app (vGet): Downloads an encrypted vShell payload from an Amazon S3 bucket and connects to 56.155.98[.]37 via WebSocket for remote control.
LinkPro Rootkit: Establishes stealth and persistence using kernel- and user-space mechanisms.
Persistence and Concealment:
Kernel-space: Two eBPF programs (“Hide” and “Knock”) loaded via XDP and TC interfaces to conceal processes, files, and network ports.
User-space fallback: Deploys /etc/libld.so and modifies /etc/ld.so.preload to hook libc calls when eBPF is unavailable.
Systemd persistence: Installs disguised services such as /etc/systemd/system/systemd-resolveld.service and hides artifacts from /proc listings.
Operation Modes:
Passive / Reverse Mode: Activated when the “Knock” eBPF program detects a TCP SYN packet with window size 54321. The packet itself is dropped, but its source IP is recorded, opening a one-hour window during which that operator address can reach the internal listener on port 2233.
Active / Forward Mode: The rootkit directly contacts its C2 using one of five protocols (HTTP, WebSocket, TCP, UDP, or DNS) to issue commands or exfiltrate data.
Network Manipulation: The Knock XDP module rewrites incoming TCP destination ports to 2233, while the TC egress module restores the original source port on outbound packets. This dual-rewriting technique bypasses firewall monitoring and decouples host and network logs, hindering correlation and forensic reconstruction.
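A defender-side way to surface the activation sequence described above, written here as an added example (not code from the advisory or from Synacktiv): parse raw IPv4/TCP headers, flag a pure SYN whose window size is 54321, and then correlate any later packet from the same source within the one-hour window, since the Knock module rewrites that source's subsequent traffic to the internal listener regardless of the destination port it used. The sample capture, its timestamps and its 203.0.113.x / 198.51.100.x addresses are constructed for the example; packets are assumed to start at the IP header (no Ethernet frame).

```python
"""Flag LinkPro-style TCP "magic packets" (pure SYN, window size 54321) in raw IPv4 traffic
and correlate follow-up connections from the knocking host within the one-hour window."""
import struct

MAGIC_WINDOW = 54321        # window size reported for LinkPro's "Knock" trigger
ACTIVATION_WINDOW_S = 3600  # one-hour access window opened by a successful knock
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_ipv4_tcp(packet: bytes):
    """Parse a raw IPv4 packet (no link-layer header). Returns a dict, or None if not TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", packet[ihl:ihl + 16])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": off_flags & 0x1FF, "window": window}


def is_magic_packet(pkt) -> bool:
    """A pure SYN (no ACK) carrying the LinkPro activation window size."""
    syn_only = bool(pkt["flags"] & TCP_SYN) and not (pkt["flags"] & TCP_ACK)
    return syn_only and pkt["window"] == MAGIC_WINDOW


def build_packet(src, dst, sport, dport, flags, window) -> bytes:
    """Constructed IPv4+TCP headers for testing (checksums left at zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)
    return ip_hdr + tcp_hdr


def analyze(events):
    """events: iterable of (timestamp, packet). Returns (knocks, followups):
    knocks    - (ts, src, dst) for every magic packet seen
    followups - (ts, src, dport) for later packets from a knocking source within the window
    """
    knocks, followups, knocked = [], [], {}  # knocked: src -> time of its knock
    for ts, raw in sorted(events, key=lambda e: e[0]):
        pkt = parse_ipv4_tcp(raw)
        if pkt is None:
            continue
        if is_magic_packet(pkt):
            knocks.append((ts, pkt["src"], pkt["dst"]))
            knocked[pkt["src"]] = ts
            continue
        t0 = knocked.get(pkt["src"])
        if t0 is not None and ts - t0 <= ACTIVATION_WINDOW_S:
            followups.append((ts, pkt["src"], pkt["dport"]))
    return knocks, followups


# Constructed sample capture: documentation-range addresses, not real indicators
SAMPLE_EVENTS = [
    (100, build_packet("203.0.113.10", "10.0.0.5", 40000, 22, TCP_SYN, 64240)),                # benign SSH
    (200, build_packet("203.0.113.77", "10.0.0.5", 51000, 443, TCP_SYN, MAGIC_WINDOW)),        # knock
    (260, build_packet("203.0.113.77", "10.0.0.5", 51001, 443, TCP_SYN, 65535)),               # follow-up
    (300, build_packet("198.51.100.9", "10.0.0.5", 52000, 80, TCP_SYN | TCP_ACK, MAGIC_WINDOW)),  # SYN-ACK, ignored
    (4000, build_packet("203.0.113.77", "10.0.0.5", 51002, 443, TCP_SYN, 65535)),              # outside window
]

if __name__ == "__main__":
    knocks, followups = analyze(SAMPLE_EVENTS)
    print("knocks:", knocks)
    print("follow-ups within window:", followups)
```

In production the same `analyze()` would be fed (timestamp, payload) tuples from a pcap reader or a sensor's raw-socket capture; the follow-up list is what to join against host telemetry, because the TC egress rewrite means the host's own view of those connections will not match the edge firewall's.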

Impact
Stealthy persistence: Kernel-level hiding enables long-term access to compromised hosts and Kubernetes nodes.
Remote activation: Command and control can be covertly triggered via a TCP magic packet, leaving minimal traces.
Proxy and pivoting: The vnt proxy facilitates internal reconnaissance and lateral movement across cloud workloads.
Cloud supply-chain exposure: Compromise of containerized environments through malicious images and CI/CD abuse.
Forensic evasion: eBPF-based filtering and TCP header rewriting distort network telemetry and host visibility.
Post-exploitation potential: Enables credential theft, data exfiltration, and further implant deployment.
Detection Method
File integrity: Monitor for the creation or modification of /etc/libld.so, or for changes to /etc/ld.so.preload.
Systemd analysis: Identify any unusual or newly created services that mimic legitimate daemons.
eBPF telemetry: Alert on unexpected XDP, TC, tracepoint, or kretprobe programs loaded at runtime.
Network anomalies:
Detect inbound TCP SYN packets with window size 54321 followed by unusual connection sequences.
Correlate firewall logs with host activity to identify port rewriting or desynchronized connections.
Container and registry scans: Search for or block Docker images named kvlnt/vv.
C2 monitoring: Flag outbound HTTP/WebSocket traffic to 56.155.98[.]37, 18.199.101[.]111, or vnt.wherewego[.]top:29872.
Anomaly correlation: Compare the listening sockets reported by /proc/net with those reported by ss; a mismatch between the two views is a known symptom of LinkPro hiding sockets.
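Two of the host-side checks listed above, the /etc/ld.so.preload file-integrity check and the /proc/net versus ss comparison, as an added example (not tooling from the advisory or from Synacktiv). The preload content and both socket listings are constructed samples; the sample puts the extra listener in the ss view and not in /proc/net/tcp purely to illustrate a mismatch, and the code reports a difference in either direction. It assumes a little-endian host when decoding the hex addresses in /proc/net/tcp.

```python
"""Host-side checks for the LinkPro user-space fallback and hidden sockets:
 - flag entries in /etc/ld.so.preload that are not on an allowlist
 - diff listening sockets seen in /proc/net/tcp against those reported by `ss -ltn`
A socket present in one view but missing from the other is the mismatch the advisory describes."""
import subprocess

# Constructed /etc/ld.so.preload content as the user-space fallback would leave it
SAMPLE_PRELOAD = "/etc/libld.so\n"

# Constructed /proc/net/tcp: sshd on 22 and a resolver on 127.0.0.1:53 (st 0A == LISTEN)
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 34567 1 0000000000000000 100 0 0 10 0
"""

# Constructed `ss -ltn` output (netlink sock_diag view) for the same host, with an extra 2233 listener
SAMPLE_SS_LTN = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096       127.0.0.1:53         0.0.0.0:*
LISTEN 0      128          0.0.0.0:2233       0.0.0.0:*
"""


def preload_entries(content: str):
    """Non-empty, non-comment lines of an ld.so.preload file."""
    return [ln.strip() for ln in content.splitlines() if ln.strip() and not ln.strip().startswith("#")]


def check_preload(content: str, allowlist=frozenset()):
    """Return preload entries not on the allowlist (an empty file is the normal state)."""
    return [e for e in preload_entries(content) if e not in allowlist]


def _hex_ipv4(addr_hex: str) -> str:
    # /proc/net/tcp prints the address as a host-order 32-bit value; assumes a little-endian host
    return ".".join(str(int(addr_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))


def proc_listeners(content: str):
    """(ip, port) pairs in LISTEN state (st == 0A) from /proc/net/tcp text."""
    found = set()
    for line in content.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 4 or parts[3] != "0A":
            continue
        addr_hex, port_hex = parts[1].split(":")
        found.add((_hex_ipv4(addr_hex), int(port_hex, 16)))
    return found


def ss_listeners(content: str):
    """(ip, port) pairs from `ss -ltn` output."""
    found = set()
    for line in content.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        ip, port = parts[3].rsplit(":", 1)
        found.add((ip, int(port)))
    return found


def socket_view_mismatch(proc_text: str, ss_text: str):
    """Listening sockets visible in only one of the two views, in either direction."""
    proc_view, ss_view = proc_listeners(proc_text), ss_listeners(ss_text)
    return {"proc_only": sorted(proc_view - ss_view), "ss_only": sorted(ss_view - proc_view)}


def live_check():
    """Run both checks against the running host (Linux only; needs `ss` on PATH)."""
    with open("/etc/ld.so.preload") as f:
        preload = f.read()
    with open("/proc/net/tcp") as f:
        proc_text = f.read()
    ss_text = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return {"preload": check_preload(preload), "sockets": socket_view_mismatch(proc_text, ss_text)}


if __name__ == "__main__":
    print("preload entries not allowlisted:", check_preload(SAMPLE_PRELOAD))
    print("socket view mismatch:", socket_view_mismatch(SAMPLE_PROC_NET_TCP, SAMPLE_SS_LTN))
```

`live_check()` is the same logic pointed at the real files; it will raise if /etc/ld.so.preload does not exist, which on most hosts is itself the expected, healthy state. IPv6 listeners (/proc/net/tcp6) would need the same treatment with 128-bit addresses.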
Indicators of Compromise
| Type | Indicator | Description |
| --- | --- | --- |
| IP | 56.155.98[.]37 | vShell C2 (WebSocket) |
| IP | 18.199.101[.]111 | Forward-mode C2 server |
| Domain | vnt.wherewego[.]top:29872 | vnt proxy endpoint |
| Docker Image | kvlnt/vv | Malicious image removed from Docker Hub |
| File | /etc/libld.so, /etc/ld.so.preload | LD_PRELOAD persistence |
| Port | 2233 | Internal LinkPro listener port |
| Magic Packet Signature | TCP SYN + Window Size = 54321 | Remote activation trigger |

Recommendations
Patch and harden Jenkins: Apply updates for CVE-2024-23897, remove unauthorized jobs, and isolate exposed instances.
Container hygiene: Identify and delete all containers derived from kvlnt/vv, and rescan internal registries.
Host recovery: Prefer full node re-imaging over in-place cleaning for confirmed infections.
Credential rotation: Replace SSH keys, API tokens, and Kubernetes service account tokens.
eBPF inspection: Audit active programs with bpftool prog show; remove unrecognized entries.
Network containment: Block or closely monitor outbound traffic to known C2s and proxy endpoints.
Firewall hardening: Apply least-privilege ingress rules and enable correlation logging between network edge and host events.
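The eBPF inspection step above, turned into a repeatable audit as an added example (not tooling from the advisory or from Synacktiv): parse the JSON listing that `bpftool prog show -j` prints, flag programs of the hook types LinkPro uses (XDP, TC classifier) or that the detection section says to alert on (tracepoint, kprobe/kretprobe) unless their name or tag is on an allowlist, and report flagged programs that share a map, since those are likely loaded by the same component. The sample listing is constructed in the shape bpftool emits; its program names, tags and IDs are made up and are not LinkPro's real program names.

```python
"""Audit loaded eBPF programs from `bpftool prog show -j` output and flag hook types of interest."""
import json
import subprocess

# Program types as bpftool names them; kretprobes are listed under the "kprobe" type
NETWORK_HOOK_TYPES = {"xdp", "sched_cls", "sched_act"}
TRACING_TYPES = {"tracepoint", "raw_tracepoint", "kprobe", "tracing"}

# Constructed listing: a cgroup filter of the kind systemd loads, plus an XDP program and a
# tracepoint program with made-up names (not LinkPro's real names) that share map 7
SAMPLE_BPFTOOL_JSON = json.dumps([
    {"id": 3, "type": "cgroup_skb", "tag": "6deef7357e7b4530", "gpl_compatible": True,
     "loaded_at": 1730000000, "uid": 0, "bytes_xlated": 64, "jited": True, "map_ids": []},
    {"id": 41, "type": "xdp", "name": "xdp_filter", "tag": "0123456789abcdef", "gpl_compatible": True,
     "loaded_at": 1730003600, "uid": 0, "bytes_xlated": 2048, "jited": True, "map_ids": [7, 8]},
    {"id": 42, "type": "tracepoint", "name": "tp_getdents", "tag": "fedcba9876543210", "gpl_compatible": True,
     "loaded_at": 1730003601, "uid": 0, "bytes_xlated": 4096, "jited": True, "map_ids": [7]},
])


def audit_programs(bpftool_json: str, known_names=frozenset(), known_tags=frozenset()):
    """Findings for programs of a hook type of interest that are not allowlisted by name or tag."""
    findings = []
    for prog in json.loads(bpftool_json):
        ptype, name, tag = prog.get("type", ""), prog.get("name", ""), prog.get("tag", "")
        if name in known_names or tag in known_tags:
            continue
        if ptype in NETWORK_HOOK_TYPES:
            reason = "network hook: can rewrite or drop packets before the host sees them"
        elif ptype in TRACING_TYPES:
            reason = "tracing hook: can filter syscall results such as directory listings"
        else:
            continue
        findings.append({"id": prog.get("id"), "type": ptype, "name": name, "tag": tag,
                         "loaded_at": prog.get("loaded_at"), "map_ids": list(prog.get("map_ids", [])),
                         "reason": reason})
    return findings


def shared_maps(findings):
    """map_id -> program ids, for maps used by more than one flagged program."""
    by_map = {}
    for f in findings:
        for m in f["map_ids"]:
            by_map.setdefault(m, []).append(f["id"])
    return {m: ids for m, ids in by_map.items() if len(ids) > 1}


def live_listing() -> str:
    """Fetch the real listing from the host (Linux only; needs bpftool and CAP_BPF/root)."""
    return subprocess.run(["bpftool", "prog", "show", "-j"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    found = audit_programs(SAMPLE_BPFTOOL_JSON)
    for f in found:
        print(f"prog {f['id']} type={f['type']} name={f['name'] or '-'} tag={f['tag']}: {f['reason']}")
    print("maps shared by flagged programs:", shared_maps(found))
```

Seed the allowlist from a known-good node image (tags are content hashes, so they are the more robust key), and treat a non-empty finding on a node as a reason to capture `bpftool prog dump xlated id <ID>` for analysis before re-imaging rather than a reason to unload the program in place.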
Conclusion
LinkPro represents a new era of Linux rootkits that use eBPF for dynamic concealment and covert activation. By combining kernel-level stealth, CI/CD exploitation, and container-based delivery, it maintains a persistent presence across cloud workloads while avoiding detection by standard host- and network-level telemetry. We urge organizations using Jenkins or Kubernetes to promptly check for exposure to CVE-2024-23897, remove unverified images, and enforce eBPF telemetry collection in host monitoring systems. Regularly checking /etc/ld.so.preload, loaded eBPF programs, and outbound proxy connections is crucial for early detection and containment.