Malware trends: eBPF exploitation, malware configurations stored in unexpected places, and increased use of custom post-exploitation tools
ID: 5be13c9f-5c6e-5664-b193-4e7ff755599e
STIX ID: report--5be13c9f-5c6e-5664-b193-4e7ff755599e
Feed Name: Dr.Web News
**Doctor Web investigators identified an active Southeast Asia-focused campaign that leverages malicious eBPF programs to hide a kernel-module rootkit and install a remote access trojan; the trojan supports traffic-tunneling and retrieves configuration from public platforms (GitHub, blogs), enabling stealthy C2 communications and post-exploitation use.**
