EvilBit Threat Digest - Kernel Rootkits Get a Cloud-Native Upgrade
VoidLink malware compiles custom kernel rootkits on-demand, plus critical n8n and WordPress vulnerabilities, DLL side-loading campaigns, and more threats analyzed.
KryptoKat: It's Wednesday, and time for the midweek mayhem! This week felt like a return to fundamentals, but with a terrifying twist. We have the usual parade of critical web vulnerabilities serving as reminders to patch our internet-facing everything, a fresh look at phishing campaigns getting clever with redirection, and threat actors continuing to abuse legitimate software to hide their malware. It's all very… familiar.
UncleSp1d3r: And then there's VoidLink. Just when you think you've seen it all, someone creates a malware framework that builds its own kernel rootkits on the fly, customized for whatever poor Linux box it hits. It's either a masterpiece or a sign of the end times. Maybe it's both.
KryptoKat: Let's just say it's evidence that defenders can't afford to get complacent. From cloud-native rootkits to CVSS 10.0 bugs in popular tools, there was plenty to keep us busy. Buckle up, Buttercup, and read on.
The New King of Kernel Malware: VoidLink
UncleSp1d3r: I've been at this for a while, and it takes a lot to wow me. VoidLink does. I shared a rundown of this new malware framework last Friday on my ZeroDay Field Notes, so check that out for a refresher. The story keeps evolving. Researchers at Sysdig and Check Point have documented a new Linux malware framework, reportedly from Chinese-affiliated developers, that solves a classic problem for rootkit authors: kernel version dependency. Writing a Linux Kernel Module (LKM) that works smoothly across various kernel versions is a huge hassle. So, the VoidLink authors just skipped it. Instead, they created a C2 server to handle it.
When the first fileless dropper (made in Zig and using memfd_create to stay off-disk) hits a host, it checks the kernel version and sends that info back to the C2. The C2 then builds a custom kernel module just for that target and sends it over. This "Server-Side Rootkit Compilation" is a real game-changer for stealth and persistence in cloud environments. Every infected host gets its own unique, perfectly compatible rootkit. No more buggy LKMs causing kernel panics and blowing the cover.
The framework is a powerhouse. It takes a hybrid approach, using either the custom LKM or eBPF to hook syscalls, based on the kernel version. It features backup C2 channels (HTTP, ICMP, DNS tunneling, and even a P2P mesh), profiles for installed EDR products to manage their activity, and over 30 plugins for tasks such as credential harvesting, container escapes, and ransomware deployment. There's no sign of widespread use yet, but this thing is ready for heavy-duty work.
KryptoKat: For defenders, signature-based detection for kernel threats is insufficient. The unique-per-host compilation renders file hashes useless. This is purely the domain of behavioral detection. You need runtime tools like Falco or Sysdig Secure that can spot the patterns of compromise: the memfd_create and execveat syscall combination from the initial loader, anomalous finit_module calls, and suspicious eBPF program loading. Hardening your cloud and container environments is key, but detecting the initial execution chain is your best shot at catching this before it goes deep.
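Added example, not code from the Sysdig or Check Point research and not part of this digest's original text: a small Python detector that applies the behavioral rules described above (memfd_create followed by execveat on the same anonymous file, module loads from outside the normal module tree or by an unexpected binary, and eBPF program loads by an unexpected binary) to a syscall event stream. The record format, the allow-lists of legitimate module and eBPF loaders, and the sample events are all constructed for illustration; they are not real auditd or Falco output.

```python
import json

# Binaries assumed to legitimately load kernel modules or eBPF programs.
# These allow-lists are an assumption for this example; tune them per host.
MODULE_LOADERS = {"/usr/sbin/modprobe", "/usr/sbin/insmod",
                  "/usr/lib/systemd/systemd-modules-load"}
BPF_LOADERS = {"/usr/bin/bpftrace", "/usr/sbin/bpftool", "/usr/bin/falco"}
MODULE_DIRS = ("/lib/modules/", "/usr/lib/modules/")

# Constructed, simplified syscall records (one JSON object per line).
# "exe" is what /proc/<pid>/exe would resolve to; a memfd-backed process
# shows up as "/memfd:<name> (deleted)".
SAMPLE_EVENTS = """
{"pid": 4101, "comm": "bash", "exe": "/usr/bin/bash", "syscall": "execve", "path": "/usr/bin/curl"}
{"pid": 4102, "comm": "curl", "exe": "/usr/bin/curl", "syscall": "memfd_create", "name": "stage", "fd": 5}
{"pid": 4102, "comm": "curl", "exe": "/usr/bin/curl", "syscall": "execveat", "fd": 5, "path": ""}
{"pid": 4102, "comm": "3", "exe": "/memfd:stage (deleted)", "syscall": "finit_module", "fd": 7, "path": "/memfd:vl_mod (deleted)"}
{"pid": 4102, "comm": "3", "exe": "/memfd:stage (deleted)", "syscall": "bpf", "cmd": "BPF_PROG_LOAD", "prog_type": "BPF_PROG_TYPE_KPROBE"}
{"pid": 900, "comm": "modprobe", "exe": "/usr/sbin/modprobe", "syscall": "finit_module", "fd": 3, "path": "/usr/lib/modules/6.1.0/kernel/fs/fuse/fuse.ko"}
{"pid": 901, "comm": "bpftrace", "exe": "/usr/bin/bpftrace", "syscall": "bpf", "cmd": "BPF_PROG_LOAD", "prog_type": "BPF_PROG_TYPE_KPROBE"}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line into an ordered list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (rule_name, pid) alerts for the behavioral patterns, in event order."""
    alerts = []
    memfds = {}  # pid -> set of fds handed back by memfd_create
    for ev in events:
        pid, call, exe = ev["pid"], ev["syscall"], ev.get("exe", "")
        if call == "memfd_create":
            memfds.setdefault(pid, set()).add(ev["fd"])
        elif call == "execveat":
            # Dropper pattern: execute the anonymous file this process just created.
            if ev.get("fd") in memfds.get(pid, set()):
                alerts.append(("fileless_exec_memfd", pid))
        elif call in ("finit_module", "init_module"):
            # Module load by a non-standard loader or from outside the module tree.
            path = ev.get("path", "")
            if exe not in MODULE_LOADERS or not path.startswith(MODULE_DIRS):
                alerts.append(("anomalous_module_load", pid))
        elif call == "bpf" and ev.get("cmd") == "BPF_PROG_LOAD":
            # eBPF program load by a binary that is not a known tracing tool.
            if exe not in BPF_LOADERS:
                alerts.append(("suspicious_bpf_prog_load", pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {rule} pid={pid}")
```

The three rules fire on the constructed pid 4102 chain only; the modprobe and bpftrace records pass because both the binary and the module path are allow-listed. In practice the memfd rule is the least noisy of the three, since legitimate software rarely executes an anonymous file it just created, while the module and eBPF rules need per-host tuning.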
Unauthenticated, Unforgiving, and Under Active Attack
KryptoKat: Nothing gets the blood pumping quite like a CVSS 10.0 vulnerability. For this week, we have two demanding items that require immediate attention.
First, a critical unauthenticated remote code execution vulnerability was found in the popular open-source automation platform n8n. Dubbed "Ni8mare" (CVE-2026-21858), the flaw resides in how n8n's webhook handler processes multipart form data. By manipulating the content-type, an attacker can trick the server into treating an uploaded file as a workflow, leading to arbitrary file reads and, ultimately, RCE. This could allow attackers to steal credentials, API keys, and other secrets stored in n8n. If you're running a self-hosted instance, you need to upgrade to version 1.121.0 or later immediately.
Second, the WordPress ecosystem took a hit with a critical privilege escalation bug in the "Modular DS" plugin (CVE-2026-23550), which has over 40,000 active installations. The vulnerability allows an entirely unauthenticated attacker to gain administrator privileges, effectively handing the keys to the entire site over. Making matters worse, this isn't theoretical — it is being actively exploited in the wild. Attackers have been observed creating rogue administrator accounts with usernames such as "backup" to maintain persistence. If you use this plugin, patch to version 2.6.0 or higher, like yesterday, and then hunt for any suspicious admin accounts on your user list.
Hiding in Plain Sight: The DLL Side-Loading Playbook
UncleSp1d3r: DLL side-loading is like the cockroach of evasion tricks: it's been around forever, it's ugly, and it just won't go away. This week, we saw a bunch of campaigns using it effectively.
The idea is simple: find a legit, signed executable that loads a DLL from its current directory before checking system paths. Then, package your malicious DLL with the same name, drop it next to the trusted executable, and let the Windows loader do its thing. It's a smart way to dodge application allow-listing and get your code running in a process that security tools already trust.
- PDFSIDER: Researchers at Resecurity found a new backdoor that drops a legitimate executable from the PDF24 Creator suite (Pdf24.exe) along with a malicious cryptbase.dll. When the user runs the PDF tool, it loads the malicious DLL, which then establishes an AES-encrypted C2 channel.
- Malwarebytes Impersonation: In a classic brand impersonation scheme, threat actors have been distributing ZIP files pretending to be Malwarebytes installers. According to a VirusTotal analysis, the package contains a legit EXE and a malicious CoreMessaging.dll component that, when loaded, deploys an infostealer to harvest browser credentials and crypto wallet data.
- Turla's New Toy: Even sophisticated state actors aren't above the classics. Turla's new Kazuar v3 loader was observed using a signed HP printer utility to side-load its initial payload. This loader is something else. It leverages COM objects for persistence and uses hardware breakpoints to disable ETW and AMSI without modifying any code in memory—more details in the 16 January 2026 edition of ZeroDay Field Notes.
KryptoKat: The defensive advice here is consistent: monitor for anomalous DLL loads. Your EDR should be able to flag when a signed process loads an unsigned DLL from a strange location, like a user's Downloads folder or %APPDATA%. It's a noisy signal to tune, but it's one of the most reliable ways to catch this technique in action.
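Added example, not tooling from any of the vendors cited above and not part of this digest's original text: a Python hunt over image-load records that flags the pattern KryptoKat describes, a signed process loading an unsigned DLL that sits beside it in a user-writable directory, plus a DLL whose name normally belongs to System32 turning up elsewhere. The record shape (Sysmon Event ID 7 fields plus an assumed ProcessSigned enrichment), the directory markers, and the sample loads are constructed for illustration; the two DLL names come from the campaigns above.

```python
import ntpath

# Directory fragments treated as user-writable (assumption for this example).
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\", "\\temp\\",
                         "\\public\\", "\\programdata\\")
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# DLL names side-loaded in this week's campaigns; both normally live under System32.
KNOWN_SYSTEM_DLLS = {"cryptbase.dll", "coremessaging.dll"}

# Constructed image-load records. "Signed" describes the loaded DLL (as in
# Sysmon Event ID 7); "ProcessSigned" is an assumed enrichment of the loading
# process's signature status, which Event ID 7 does not carry on its own.
SAMPLE_LOADS = [
    {"ProcessId": 5120, "ProcessSigned": True, "Signed": False,
     "Image": r"C:\Users\alice\Downloads\PDF24\Pdf24.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\PDF24\cryptbase.dll"},
    {"ProcessId": 5121, "ProcessSigned": True, "Signed": True,
     "Image": r"C:\Program Files\PDF24\pdf24.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll"},
    {"ProcessId": 6040, "ProcessSigned": True, "Signed": False,
     "Image": r"C:\Users\bob\AppData\Local\Temp\mb-setup\installer.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\mb-setup\CoreMessaging.dll"},
    {"ProcessId": 1200, "ProcessSigned": True, "Signed": True,
     "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\CoreMessaging.dll"},
]


def score_image_load(ev):
    """Return the list of reasons this load looks like side-loading (empty if clean)."""
    proc = ev["Image"].lower()
    dll = ev["ImageLoaded"].lower()
    proc_dir, dll_dir = ntpath.dirname(proc), ntpath.dirname(dll)
    dll_name = ntpath.basename(dll)
    reasons = []
    # A trusted, signed host process pulling in code nobody vouched for.
    if ev["ProcessSigned"] and not ev["Signed"]:
        reasons.append("signed_process_unsigned_dll")
    # The DLL was dropped next to the EXE somewhere a user can write.
    if proc_dir == dll_dir and any(m in dll_dir + "\\" for m in USER_WRITABLE_MARKERS):
        reasons.append("dll_beside_exe_in_user_writable_dir")
    # A system DLL name resolved from outside the system directories.
    if dll_name in KNOWN_SYSTEM_DLLS and not dll.startswith(SYSTEM_DLL_DIRS):
        reasons.append("system_dll_name_outside_system32")
    return reasons


def hunt(events):
    """Return (ProcessId, reasons) for every record that triggers at least one reason."""
    hits = []
    for ev in events:
        reasons = score_image_load(ev)
        if reasons:
            hits.append((ev["ProcessId"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_LOADS):
        print(f"pid={pid}: {', '.join(reasons)}")
```

The first reason alone is the noisy one KryptoKat warns about (plenty of legitimate software ships unsigned helper DLLs); requiring it together with the second or third reason is how you tune it down without losing the PDF24 and Malwarebytes-lookalike cases, which each trip all three.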
Quick Hits
- Konni APT Abuses Ad Redirects: In "Operation Poseidon," the Konni APT group is hiding its malicious download links inside legitimate advertising redirection chains. A report from Genians shows how spear-phishing emails use URLs for Google's DoubleClick or NAVER's ad platform. The redirects eventually lead to a compromised server hosting a ZIP file with the EndRAT malware. This effectively outsources the initial URL reputation check to trusted domains, bypassing many email filters.
- GreyNoise Sees Widespread Scanning: The weekly OAST report from GreyNoise shows heavy scanning for known vulnerabilities, primarily using ProjectDiscovery's Interactsh for out-of-band confirmation. Top targets include Next.js (CVE-2024-46982) and an old Supervisord bug (CVE-2017-11610). A valuable reminder of what the internet's background radiation is looking for.
- LNK Files Target Argentina's Judiciary: A targeted campaign is using weaponized LNK files in ZIP archives to deploy a Rust-based RAT against judicial sector entities in Argentina, as documented by Seqrite Labs. The payload is pulled from GitHub via a PowerShell loader. The LNK-in-a-ZIP delivery method continues to prove effective.
- Credential Theft 101: Proving that the simplest attacks still work, a man pleaded guilty to hacking the U.S. Supreme Court's filing system, AmeriCorps, and the VA. His method? Using stolen credentials, then posting said stolen PII to an Instagram account. Enable MFA, people.
KryptoKat: It's a week that perfectly captures the dual reality of our field. We have to prepare for incredibly sophisticated, bespoke threats such as VoidLink while still making sure our users (and our systems) are protected from a nine-year-old Office bug and weak passwords.
UncleSp1d3r: The basics are basics for a reason. They work. For us and for them. Stay patched, stay alert, and keep an eye on those DLL loads.
KryptoKat & UncleSp1d3r