WolfsBane, the latest Linux variant of the Gelsevirine backdoor, marks a historic turning point in cybersecurity. Attributed to the Gelsemium advanced persistent threat (APT) group, whose sophisticated cyber espionage campaigns date back to 2014, this Linux-based threat broadens a focus that had until now been exclusively Windows-centric. The shift to targeting Linux systems is alarming given Linux's widespread deployment across critical infrastructure environments and enterprises. WolfsBane's discovery illustrates Gelsemium's evolving tactics and indicates a trend of threat actors expanding their operational capabilities to exploit various operating systems. As organizations increasingly rely on Linux servers for robustness and stability, this presents cybersecurity defenses with an overwhelming challenge—they must now adapt by improving detection and mitigation strategies against multi-platform APTs. In this article, I'll explore this emerging threat, compare WolfsBane to its Windows-focused counterpart, and offer practical advice for securing your systems against these evolving attacks.

Understanding the Significance of This Discovery

WolfsBane, a new Linux backdoor associated with the Gelsemium APT group, marks a significant new development in cybersecurity threats. Gelsemium was previously best known for its Windows malware, including the Gelsevirine backdoor, which has been active since 2014. WolfsBane represents an evident shift by China-affiliated threat actors towards targeting Linux environments, and it highlights several key points. WolfsBane indicates that, as endpoint protection and detection tools improve on Windows systems, threat actors have increasingly focused on exploiting vulnerabilities on Linux systems. This change broadens the attack surface, requiring organizations with multi-platform environments to strengthen security measures across different operating systems.
Furthermore, WolfsBane's sophisticated mimicry of Windows functions and persistence mechanisms shows the commitment of threat actors to maintaining access to compromised systems over an extended period.

Gelsemium's Tactics and Tools for Success

WolfsBane employs a multi-stage infection chain composed of a dropper, launcher, and backdoor. The dropper, disguised as a "cron" file, impersonates legitimate command-scheduling tools to facilitate the injection of malicious components into the target system. Once executed as root, it places its launcher and backdoor in the hidden directory $HOME/.Xl1, establishes persistence by configuring systemd services or changing SELinux configuration files, and ensures the backdoor runs at system startup by manipulating system service files. The backdoor then communicates with command-and-control (C&C) servers, which enables remote command execution and system manipulation. Researchers also identified FireWood, another Linux backdoor that is not directly associated with Gelsemium tools; the connection has not been established, but its presence suggests possible cross-APT-group collaboration or "digital quartermastering." Web shells found during the analysis give attackers remote control over compromised web servers, providing initial access and a foothold for further exploitation.

Comparative Analysis: WolfsBane vs. Gelsevirine

Despite being tailored for distinct operating systems, WolfsBane and its Windows counterpart, Gelsevirine, share many similarities in structure and functionality. Both variants embed custom libraries for network communication, one specific to each protocol. Command execution in both versions relies on hashed command names mapped to handler functions. Configuration structures remain consistent across both versions, with some fields specific to either operating system.
At the same time, domains previously flagged as indicators of compromise (IoCs) tie WolfsBane back to the infrastructure used by Gelsevirine. While the core functionalities remain similar, differences arise primarily from the operating systems they target. Persistence techniques vary because Linux and Windows differ in how services and security features operate. Likewise, the specifics of payload delivery and execution depend on the system directories and execution contexts of Linux versus Windows.

Who Is at Risk?

WolfsBane targets East and Southeast Asian entities, particularly those operating critical infrastructure or possessing valuable information. Any organization running Linux servers exposed to the Internet could be at risk of WolfsBane attacks, including government institutions and agencies, financial services, healthcare providers, educational institutions, and technology/telecommunications firms.

Practical Mitigation Advice for Administrators

WolfsBane poses a severe threat to Linux system security, so administrators should take a range of measures to mitigate its risks and fortify their defenses. To strengthen endpoint security, implement comprehensive Endpoint Detection and Response (EDR) solutions capable of detecting abnormal activity on Linux-based systems and alerting on suspicious or anomalous behavior. Periodic security audits and continuous monitoring are effective ways of quickly detecting unauthorized changes or other suspicious activity. As part of a secure system configuration, hardening Linux servers by following best practices such as disabling unnecessary services and restricting root access is crucial.
Furthermore, regularly reviewing and securing systemd service configurations helps protect against their malicious use by attackers, ensuring that only legitimate services start automatically at boot. One effective network security measure is network segmentation to shield critical systems from potential compromise. Network- and host-based intrusion detection systems (IDSs) are essential for monitoring traffic for malicious activity, and tracking lists of known malicious domains on network security appliances for proactive blocking is another crucial measure. Regularly revising incident response plans is essential to minimizing damage should an attack occur. This should include training staff members to respond effectively to potential breaches and conducting regular backups so that systems can be recovered after a compromise. Advanced authentication practices, such as mandating multi-factor authentication for all remote access points and administrative accounts, add another layer of protection. Implement strong SSH key management practices, including regular key rotation and restricting SSH access to authorized users only. Applying the latest security patches is crucial for vulnerability management, and periodic vulnerability scans help identify and address weaknesses within a Linux infrastructure.

Our Final Thoughts on the WolfsBane Backdoor & Its Implications for Linux Security

WolfsBane highlights the ever-evolving tactics of advanced persistent threat actors like Gelsemium, which continually adapt to a changing security landscape. Organizations must remain vigilant and proactive with their security practices across all operating systems to counter the risks posed by these sophisticated attacks and protect critical infrastructure against compromise.
Implementing the practical measures we've discussed will go a long way in securing your Linux systems against WolfsBane attacks.

Keywords: WolfsBane Backdoor, Gelsemium APT, Linux Malware, Cyber Threats, System Security
By Anthony Pell
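The article's advice to review systemd service configurations can be turned into a concrete check. The script below is an added example written for this page (it is not code from the article, from ESET, or from any vendor tool): it parses the Exec* directives of systemd unit files and flags any service that launches an executable from the hidden $HOME/.Xl1 directory the article attributes to the WolfsBane dropper, or more generally from a dot-directory directly under /root or a user's home. The unit file contents used for the offline run are constructed samples, and the heuristic itself is an assumption about what a reviewer would want flagged, not a published WolfsBane signature.

```python
"""Audit systemd unit files for Exec* directives that launch programs from
hidden home-directory locations (the persistence pattern described for the
WolfsBane dropper, which stages its launcher and backdoor in $HOME/.Xl1).
Example code added for this page; not from the article or any vendor tool."""
import re
from pathlib import Path

# Hidden directory the article reports the WolfsBane dropper uses. Extend this
# set as new intelligence arrives; it is the only page-sourced indicator here.
KNOWN_BAD_COMPONENTS = {".Xl1"}

# Directives that launch a program. systemd permits prefix characters
# (-, @, :, +, !) between "=" and the executable path, so they are skipped.
# Longer names come first so the alternation does not stop at "ExecStart".
EXEC_RE = re.compile(
    r"^\s*(ExecStartPre|ExecStartPost|ExecStart|ExecReload|ExecStop)"
    r"\s*=\s*[-@:+!]*\s*(\S+)",
    re.M,
)

# An executable whose first directory below /root or /home/<user> is a
# dot-directory (heuristic assumption: legitimate daemons rarely live there).
HIDDEN_HOME_RE = re.compile(r"^/(?:root|home/[^/]+)/\.[^/]+/")


def check_path(path):
    """Return a reason string if `path` looks like a hiding spot, else None."""
    bad = KNOWN_BAD_COMPONENTS.intersection(Path(path).parts)
    if bad:
        return f"known WolfsBane directory {sorted(bad)[0]}"
    if HIDDEN_HOME_RE.match(path):
        return "executable launched from a hidden directory under a home directory"
    return None


def audit_unit_text(unit_name, text):
    """Scan one unit file's text; return (unit, directive, path, reason) tuples."""
    findings = []
    for directive, path in EXEC_RE.findall(text):
        reason = check_path(path)
        if reason:
            findings.append((unit_name, directive, path, reason))
    return findings


def audit_unit_dirs(dirs=("/etc/systemd/system",
                          "/usr/lib/systemd/system",
                          "/lib/systemd/system")):
    """Scan the usual unit directories on a live host (read-only)."""
    findings = []
    for d in dirs:
        for unit in Path(d).glob("*.service"):
            try:
                findings.extend(audit_unit_text(unit.name,
                                                unit.read_text(errors="replace")))
            except OSError:
                continue  # unreadable unit: skip rather than abort the audit
    return findings


# Constructed sample units for an offline run (not real files from the article).
SAMPLE_UNITS = {
    "sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D $SSHD_OPTS\n",
    "display-manager.service": "[Service]\nExecStart=-/root/.Xl1/launcher\nRestart=always\n",
    "backup.service": "[Service]\nExecStartPre=/usr/bin/true\n"
                      "ExecStart=/home/ops/.local/bin/run-backup\n",
    "cups.service": "[Service]\nExecStart=/usr/sbin/cupsd -l\n",
}


def audit_samples():
    """Run the audit over the constructed samples; returns the findings list."""
    findings = []
    for name, text in SAMPLE_UNITS.items():
        findings.extend(audit_unit_text(name, text))
    return findings


if __name__ == "__main__":
    for unit, directive, path, reason in audit_samples():
        print(f"{unit}: {directive}={path}  <- {reason}")
```

On the samples, the unit pointing at /root/.Xl1/launcher is reported against the page's indicator, and backup.service is reported by the broader dot-directory heuristic; the latter is a review item rather than a verdict, since ~/.local/bin is a common location for user-installed tools, so an operator would typically allowlist such paths after checking them. Run audit_unit_dirs() as an unprivileged user for a read-only sweep of a real host, and pair it with a review of cron entries and SELinux configuration changes, the other persistence channels the article names.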
APT36 is a highly sophisticated APT (Advanced Persistent Threat) group known for conducting targeted espionage in South Asia and is strongly linked to Pakistan. Active since 2013, the group is known for targeting the following Indian sectors:

- Government
- Defense
- Education

To conduct cyber espionage, it uses the following methods:

- Credential harvesting
- Malware distribution

The resources used by APT36 include:

- Custom-built remote administration tools targeting Windows
- Lightweight Python-compiled cyber espionage tools serving specific purposes, targeting Windows and Linux
- Weaponized open-source C2 frameworks like Mythic
- Trojanized installers of Indian government applications like the KAVACH multi-factor authentication app
- Trojanized Android apps
- Credential phishing sites targeting Indian government officials

Zscaler analysts dubbed the Windows backdoor used by APT36 'ElizaRAT' because of unique strings in observed C2 commands. The link for this article located at CyberSecurity News is no longer available.

Keywords: APT36, Cyber Espionage, Government Malware, Education Security, Defense Attacks
By Brittany Day
Hackers are deploying new Linux malware variants in cyberespionage attacks, such as a new PingPull variant and a previously undocumented backdoor tracked as 'Sword2033.'

PingPull is a RAT (remote access trojan) first documented by Unit 42 last summer in espionage attacks conducted by the Chinese state-sponsored group Gallium, also known as Alloy Taurus. The attacks targeted government and financial organizations in Australia, Russia, Belgium, Malaysia, Vietnam, and the Philippines. Unit 42 continued to monitor these espionage campaigns and today reports that the Chinese threat actor uses new malware variants against targets in South Africa and Nepal. The Linux variant of PingPull is an ELF file that only 3 out of 62 anti-virus vendors currently flag as malicious.

Keywords: Linux Malware, Cyber Espionage, Remote Access Trojan, Chinese Hackers, PingPull
By LinuxSecurity.com Team
An infamous Chinese cyber-hacking team has extended its SysUpdate malware framework to target Linux systems.

A pervasive cyber-espionage group known as Iron Tiger, believed to operate out of China, has updated one of its malware frameworks to attack Linux-based systems. Researchers at Trend Micro recently discovered that Iron Tiger (aka Emissary Panda or APT27) had added new features to its so-called SysUpdate malware family, allowing it to infect Linux platforms in addition to Windows. SysUpdate abuses system services, grabs screenshots, browses and terminates processes, retrieves drive information, executes commands, and can find, delete, rename, upload, and download files as well as peruse a victim's file directory.

Keywords: Iron Tiger Cyber Attack, SysUpdate Malware, Linux Exploits
By LinuxSecurity.com Team
The stealthy LightBasin hacking group (also known as UNC1945) is infiltrating telecommunications companies around the world in a campaign that researchers have linked to intelligence gathering and cyber espionage. LightBasin's primary focus is on Linux and Solaris servers that are critical for running telecommunications infrastructure – and are likely to have fewer security measures in place than Windows systems.

The campaign, which has been active since at least 2016, has been detailed by cybersecurity researchers at CrowdStrike, who've attributed the activity to a group they call LightBasin – also known as UNC1945. It's believed that, since 2019, the offensive hacking group has compromised at least 13 telecommunication companies with the aim of stealing information about mobile communications infrastructure, including subscriber information and call metadata – and in some cases, direct information about what data smartphone users are sending and receiving via their devices.

Keywords: LightBasin Hackers, Cyber Espionage Techniques, Linux Threats, Telecommunications Security
By LinuxSecurity.com Team
A newly discovered Windows trojan linked to the AridViper threat group, dubbed PyMICROPSIA, shows signs that it might be used to infect computers running Linux and macOS as well.

The new trojan, dubbed PyMICROPSIA by Unit 42, was discovered while investigating AridViper activity (also tracked as Desert Falcon and APT-C-23), a group of Arabic-speaking cyberspies focusing their attacks on Middle Eastern targets since at least 2011. AridViper operates mainly out of Palestine, Egypt, and Turkey, and the number of victims they compromised exceeded 3,000 in 2015 [PDF], according to the Global Research and Analysis Team (GReAT) at Kaspersky Lab.

Keywords: PyMICROPSIA Trojan, Linux Threat, macOS Malware, Cybersecurity Alerts
By LinuxSecurity.com Team
Drovorub - yet another strain of malware targeting Linux systems - is being used by malicious Russian hackers to spy on users, steal files and hijack devices.

The revelation from the FBI and National Security Agency that Russian military intelligence has built malware to target Linux systems is the latest dramatic twist in the unrelenting cybersecurity battle. The two agencies have revealed that Russian hackers have been using the previously undisclosed malware for Linux systems, called Drovorub, as part of their cyber-espionage operations. The malware allows hackers to steal files and take over devices.

Keywords: Drovorub Malware, Linux Security Threat, Russian Cyber Attacks, Malware Surveillance
By LinuxSecurity.com Team
Have you heard about the newly uncovered hacking campaign which has been operating successfully against unpatched Linux servers for almost a decade?

Hacking campaigns linked to China have been exploiting vulnerabilities in Linux servers in an operation that successfully stayed under the radar for almost a decade. Detailed by researchers at BlackBerry, the operation, linked to the interests of the Chinese government, is conducting hacking and cyber espionage against a wide array of industries for the purposes of intellectual property theft and data collection. While the overall campaign is multi-platform, a newly uncovered part of it has been exploiting vulnerabilities in Linux since at least 2012 – without the attackers having to update their offensive capabilities in that time.

Keywords: Linux exploitation, cyber espionage, hacking threats, security vulnerabilities, data theft
By LinuxSecurity.com Team