eBPF Rootkit Targeting AWS and Linux Environments (Campaign)
ID: 0e85f419-dfdc-5b27-8fe9-fb0866618d42
STIX ID: report--0e85f419-dfdc-5b27-8fe9-fb0866618d42
Feed Name: Wiz Cloud Threat Landscape
Date Published: 2025-10-14
Date Updated: 2026-05-01
Author: [email protected] (Wiz Threat Research)
This report describes a sophisticated intrusion in which attackers exploited CVE-2024-23897 on a Jenkins server, pivoted into AWS EKS clusters, and deployed a malicious Docker image (kvlnt/vv) that installed a Rust downloader and an encrypted vShell backdoor. They then installed the LinkPro rootkit, written in Go, on Linux hosts. LinkPro loads two eBPF modules, Hide and Knock: Hide conceals the rootkit's artifacts, and Knock activates the implant when it observes a TCP "magic packet". Where eBPF is unavailable it falls back to LD_PRELOAD hooking. It persists by impersonating systemd-resolved and provides a remote shell, SOCKS5 proxying, and command and control over DNS or HTTP. The tradecraft indicates a highly adaptive, operationally mature, financially motivated campaign.
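As an added host-triage example (not code from the report, from Wiz, or from the LinkPro authors), the following Python script checks a Linux host for three of the behaviours summarised above: artifacts hidden from directory listings, the LD_PRELOAD fallback, and a process posing as systemd-resolved. It assumes that the Hide module filters entries out of /proc directory listings but does not also hide them from a direct stat of /proc/<pid> (the classic cross-view check); the report does not state which syscalls are hooked, so that is an assumption. The paths in EXPECTED_RESOLVED_PATHS are assumptions for common distributions, and every function name is the example's own.

```python
"""Host triage for the LinkPro behaviours described above.
Added example, not code from the report. The hiding model and the
paths below are assumptions noted inline."""
import os

# Assumption: where the genuine systemd-resolved binary lives on common
# distributions. Extend this set for the fleet being checked.
EXPECTED_RESOLVED_PATHS = {
    "/usr/lib/systemd/systemd-resolved",
    "/lib/systemd/systemd-resolved",
}


def find_hidden_pids(listed_pids, probe_pid, max_pid):
    """Cross-view check. `listed_pids` is what a readdir of /proc returned;
    `probe_pid(pid)` must answer whether /proc/<pid> exists via a direct
    stat. Assumption: a rootkit that filters directory listings does not
    also hide the entry from a direct stat, so a PID that probes true but
    is missing from the listing is a candidate hidden process."""
    listed = set(listed_pids)
    return sorted(p for p in range(1, max_pid + 1)
                  if p not in listed and probe_pid(p))


def preload_findings(ld_so_preload_text, environ_by_pid):
    """LD_PRELOAD fallback: libraries named in /etc/ld.so.preload (applied
    to every dynamically linked program) and LD_PRELOAD set in any process
    environment. Returns (where, value) pairs."""
    findings = []
    for line in ld_so_preload_text.splitlines():
        lib = line.split("#", 1)[0].strip()
        if lib:
            findings.append(("ld.so.preload", lib))
    for pid in sorted(environ_by_pid):
        value = environ_by_pid[pid].get("LD_PRELOAD")
        if value:
            findings.append((f"pid {pid} LD_PRELOAD", value))
    return findings


def resolved_impostors(procs):
    """`procs` is an iterable of (pid, comm, exe). Flags processes that
    present as systemd-resolved, by comm or by executable name, but whose
    executable is not one of the expected binaries. Note that the kernel
    truncates comm to 15 characters, so the real daemon shows as
    "systemd-resolve"."""
    out = []
    for pid, comm, exe in procs:
        claims_resolved = (comm in ("systemd-resolved", "systemd-resolve")
                           or os.path.basename(exe) == "systemd-resolved")
        if claims_resolved and exe not in EXPECTED_RESOLVED_PATHS:
            out.append((pid, comm, exe))
    return out


def collect_procs(listed_pids):
    """Read comm and exe for each listed PID; skips kernel threads and
    processes we cannot read (both raise OSError on /proc/<pid>/exe)."""
    procs = []
    for pid in listed_pids:
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue
        procs.append((pid, comm, exe))
    return procs


def collect_environs(listed_pids):
    """Parse /proc/<pid>/environ (NUL-separated KEY=VALUE) into dicts."""
    envs = {}
    for pid in listed_pids:
        try:
            with open(f"/proc/{pid}/environ", "rb") as f:
                raw = f.read()
        except OSError:
            continue
        pairs = (kv.decode(errors="replace").split("=", 1)
                 for kv in raw.split(b"\0") if b"=" in kv)
        envs[pid] = dict(pairs)
    return envs


if __name__ == "__main__":
    listed = [int(n) for n in os.listdir("/proc") if n.isdigit()]
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    # Probes every PID up to pid_max (slow but syscall-cheap). A process that
    # starts between the listing and the probe also appears here, so treat a
    # PID as suspicious only if it survives a re-run.
    hidden = find_hidden_pids(listed, lambda p: os.path.exists(f"/proc/{p}"), pid_max)
    try:
        with open("/etc/ld.so.preload") as f:
            preload_text = f.read()
    except OSError:
        preload_text = ""
    preload = preload_findings(preload_text, collect_environs(listed))
    impostors = resolved_impostors(collect_procs(listed))
    print("hidden PIDs:", hidden or "none")
    print("LD_PRELOAD findings:", preload or "none")
    print("systemd-resolved impostors:", impostors or "none")
```

Run it as root so that /proc/<pid>/exe and /proc/<pid>/environ are readable for every process. The script covers only the user-visible side effects named in the summary; pair it with `bpftool prog show` and `bpftool map show` to enumerate loaded eBPF programs and maps directly, and treat any of the three findings as a reason to image the host rather than to remediate in place, since the Knock module means the implant may be dormant until a magic packet arrives.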
