Authorities have dismantled SocksEscort, a service that sold access to a large proxy network built from compromised residential routers. Investigators say much of the infrastructure sat on infected SOHO networking devices, many running embedded Linux firmware.
We’ve been telling ourselves that Snap apps are sandboxed, signed, and therefore low-risk. Not perfect, but good enough. That assumption has been holding for years, mostly because it hasn’t been tested in a way that mattered to day-to-day operations.
UNC2891 has been working its way through gaps in ATM security and broader banking security by slipping small hardware implants into places most teams assume are locked down. Investigators found Raspberry Pi systems sitting near ATM transaction switches, quietly feeding access back to the operators while Linux tooling handled the heavier work inside the network. The group paired that access with cloned cards and a mule network that turned compromised infrastructure into predictable cashouts.
If you’ve tried pulling files from Arch’s main site, hit the AUR, or popped into their forums recently, then you’ve probably noticed things are off. Maybe you hit a dead end. Maybe you’re still cursing at your terminal trying to get a package. That’s because the Arch Linux project is under an ongoing DDoS (Distributed Denial of Service) attack, and it has been two weeks of intermittent outages. For an ecosystem as lightweight and DIY-friendly as Arch, these disruptions hit users and admins hard.
Over the past few years, ransomware has evolved into a highly advanced type of malicious software, targeting individual systems and entire enterprises with increasingly sophisticated attacks. However, the most recent and worrying trend in this evolution is the advent of cloud-native ransomware.
Alright, let’s talk Plague. If you’re a Linux admin or someone knee-deep in securing systems, this little beast of a backdoor should have your full attention. It’s not like the typical brute-force, ransomware-type malware that makes headlines. This one’s subtle — it creeps into the very thing that defines user authentication on Linux machines: PAM (Pluggable Authentication Modules). And, to add insult to injury, it does so while keeping its tracks covered so well that no major antivirus solutions have been able to flag it.
If you’re an admin managing Linux machines, you’ve got a couple of things on your radar right now. One is CVE-2025-31324, a vulnerability that’s got the potential to turn your well-behaved servers into someone else’s playground. The other is Auto-Color, a backdoor that’s sneaky, persistent, and ruthless when it gets into your systems.
You and I know Linux environments have always been the sturdy, reliable workhorses of IT ecosystems. For decades, they’ve been hailed as these relentless guardians of security—lean, stable, and, for a long time, not really worth the headache for ransomware groups. But that bubble is shrinking quickly. The Gunra ransomware group has changed the rules with its new Linux variant, and this one's got features designed to make Linux admins sweat. So, let’s dive into why this is more than just a footnote in the ransom-game evolution—and why you might need to rethink what you call “secure.”
Let’s talk straight: if you’re running Apache HTTP Server and you haven’t checked your version in a while, you might have a problem. An issue that’s now pretty ancient — CVE-2021-41773 — is still out there getting exploited by hackers, and they’re using it to deploy Linuxsys, a sneaky cryptocurrency miner. This isn’t your typical flash-in-the-pan malware campaign. It’s persistent, it’s clever, and honestly, it’s making a lot of admins look foolish for not locking down their setups.
Linux admins and infosec professionals, let’s talk about a sophisticated attack campaign targeting South Korean web servers. Threat actors are leveraging file upload vulnerabilities to deploy web shells and advanced malware, such as MeshAgent and SuperShell, in a coordinated, multi-stage process.
As a Linux admin, you're no stranger to juggling servers, permissions, and late-night emergencies. Let me introduce you to Qilin ransomware—a crafty, cross-platform adversary designed to unsettle even the most hardened infosec professional. If you haven’t yet encountered it, let me warn you—it’s not just another piece of malware floating around the threat landscape. This ransomware-as-a-service (RaaS) operation is polished, adaptable, and engineered with just the right mix of technical sophistication to demand your attention.
You know how it goes—Linux admins have long prided themselves on running systems that ransomware gangs mostly ignored. Sure, the occasional attack would trickle through, but if you were managing Linux environments, you weren’t waking up every other day wondering if your servers had been locked down by some cryptoware. Well, that sense of security is eroding. The BERT ransomware group just changed the game, targeting Linux systems and proving that ransomware gangs have their sights set on servers—and not just the Windows ones. If you’re running Linux setups for web hosting, cloud platforms, or pretty much any enterprise infrastructure, you need to pay attention to what’s happening here.
Alright, sysadmins and infosec pros, let’s talk about Chaos RAT. If you haven’t already crossed paths with this rather persistent piece of malware, it’s time you get familiar. This thing didn’t just pop up yesterday; it’s been lurking since 2017, originally as a legitimate remote access tool. But, like many open-source projects, it didn’t take long for someone to weaponize it. Fast forward to late 2022, and we’re seeing Chaos RAT meddling with Linux boxes, largely to mine cryptocurrency or snoop around for other nastiness. And now? Windows systems are in their crosshairs, too. Thanks, Golang.
The world of open-source development offers boundless creativity, but it also comes with inherent risks, especially when trust is prioritized over security. Recently, Socket’s Threat Research Team uncovered a chilling supply-chain attack targeting developers who rely on Go modules—a popular tool in software engineering.
As security-minded Linux admins, we take pride in the reliability, flexibility, and security of our systems. The recent emergence of the Curing rootkit has brought attention to a gap that many security tools have overlooked, leaving our systems vulnerable to persistent infections that may go undetected for long periods.
Recently, the infamous China-linked threat actor UNC5174 has launched a sophisticated campaign targeting Linux systems, employing an evolved variant of the SNOWLIGHT malware and a new tool called VShell. This campaign's sophistication lies in its use of advanced techniques and an open-source Remote Access Trojan (RAT) notorious for its stealth and efficiency.
In an alarming development for the cybersecurity community, the ransomware group Hunters International, suspected to be a rebrand of the notorious Hive ransomware, has been linked to extensive attacks on Windows, Linux, FreeBSD, SunOS, and ESXi systems. This discovery underscores the urgent need for robust defenses across all platforms.
As a Linux security administrator, staying ahead of the latest threats is crucial to maintaining the safety, integrity, and performance of your systems. Recently, Elastic Security identified a persistent piece of malware known as Outlaw that employs effective yet straightforward tactics.
Recent discoveries by Socket have exposed an elaborate typosquatting campaign targeting Linux and macOS developers through similar-sounding names for Go packages. This strategy dupes developers into downloading malicious packages that install malware loaders silently onto systems, potentially endangering entire networks.
The Anubis ransomware group has emerged as a growing threat, targeting Linux environments, NAS devices, and ESXi systems. What sets Anubis apart is its novel ransomware-as-a-service (RaaS) model, with a lucrative affiliate program that offers a high revenue share to encourage affiliates to carry out attacks and spread the ransomware.