Linux Threat Landscape

To get up to speed on advanced Linux threats quickly, we recommend reviewing the external articles below. They describe the current threat landscape, the characteristics of real attacks, the areas that get exploited, and the post-exploitation steps attackers take. Reading them first gives you the context that makes the rest of this material much easier to follow.

Analysis reports:

  • The Silent, Fileless Threat of VShell

    • https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/

  • Leaked North Korean Linux Stealth Rootkit Analysis:

    • https://sandflysecurity.com/blog/leaked-north-korean-linux-stealth-rootkit-analysis

  • Sindoor Dropper: New Phishing Campaign:

    • https://www.nextron-systems.com/2025/08/29/sindoor-dropper-new-phishing-campaign/

  • Plague: A Newly Discovered PAM-Based Backdoor for Linux

    • https://www.nextron-systems.com/2025/08/01/plague-a-newly-discovered-pam-based-backdoor-for-linux/

  • UNC2891 Bank Heist: Physical ATM Backdoor & Linux Forensic Evasion:

    • https://www.group-ib.com/blog/unc2891-bank-heist/

  • LD_PRELOAD still alive - The Evolution of Linux Binaries in Targeted Cloud Operations:

    • https://unit42.paloaltonetworks.com/elf-based-malware-targets-cloud/

  • Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets:

    • https://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/

  • UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell:

    • https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/

  • Outlaw Linux Malware:

    • https://www.elastic.co/security-labs/outlaw-linux-malware

  • Likely Chinese Threat Actor Uses Low-Detection Linux Backdoor and NHAS Reverse SSH:

    • https://dmpdump.github.io/posts/Low_Detection_backdoor_NHAS_RSSH/

  • BPFDoor’s Hidden Controller Used Against Asia, Middle East Targets:

    • https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html

  • IngressNightmare: 9.8 Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX:

    • https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities

  • Auto-Color: An Emerging and Evasive Linux Backdoor:

    • https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/

  • Spinning YARN - A New Linux Malware Campaign Targets Docker, Apache Hadoop, Redis and Confluence:

    • https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence

  • Helldown Ransomware: an overview of this emerging threat:

    • https://blog.sekoia.io/helldown-ransomware-an-overview-of-this-emerging-threat/

  • Puma - a sophisticated loadable kernel module (LKM) rootkit:

    • https://www.elastic.co/security-labs/declawing-pumakit

  • Bootkitty - the first UEFI bootkit for Linux:

    • https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/

  • How BPF-Enabled Malware Works - Bracing for Emerging Threats:

    • https://www.trendmicro.com/vinfo/us/security/news/threat-landscape/how-bpf-enabled-malware-works-bracing-for-emerging-threats

  • The Elusive GoblinRAT – The Story Behind the Most Secretive and Mysterious Linux Backdoor Found in Government Infrastructures [TRANSLATE TO EN]:

    • https://rt-solar.ru/solar-4rays/blog/4861/

    • https://vk.com/video-172362100_456239172

  • New Zero-Detection Variant of Melofee Backdoor from Winnti Strikes RHEL 7.9:

    • https://blog.xlab.qianxin.com/analysis_of_new_melofee_variant_en/

    • https://x.com/CraigHRowland/status/1856637908658405881

  • perfctl: A Stealthy Malware Targeting Millions of Linux Servers:

    • https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/

  • IcePeony with the '996' work culture:

    • https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html

  • Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA:

    • https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa

  • Bulbature, beneath the waves of GobRAT:

    • https://blog.sekoia.io/bulbature-beneath-the-waves-of-gobrat/

  • New SkidMap Linux Malware Variant Targeting Vulnerable Redis Servers:

    • https://thehackernews.com/2023/08/new-skidmap-redis-malware-variant.html

  • Sysrv - a botnet written in Golang:

    • https://ultimacybr.co.uk/2023-10-04-Sysrv/

  • Breaking Down Linux.Gomir: Understanding this Backdoor’s TTPs:

    • https://www.splunk.com/en_us/blog/security/breaking-down-linux-gomir-understanding-this-backdoors-ttps.html

  • Reptile and MEDUSA in UNC3886:

    • https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations

  • Ebury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain:

    • https://web-assets.esetstatic.com/wls/en/papers/white-papers/ebury-is-alive-but-unseen.pdf

  • Springtail: New Linux Backdoor Added to Toolkit:

    • https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage

  • Frog4Shell — FritzFrog Botnet Adds One-Days to Its Arsenal:

    • https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell

  • Ivanti Connect Secure: Journey to the core of the DSLog backdoor:

    • https://www.orangecyberdefense.com/global/blog/research/ivanti-connect-secure-journey-to-the-core-of-the-dslog-backdoor

  • COATHANGER FortiGate RAT:

    • https://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear/TLP-CLEAR+MIVD+AIVD+Advisory+COATHANGER.pdf

  • New Linux Remote Access Trojan targets Thailand:

    • https://www.group-ib.com/blog/krasue-rat/

  • Free Download Manager backdoored – a possible supply chain attack on Linux machines:

    • https://securelist.com/backdoored-free-download-manager-linux-malware/110465/

  • Tracking interesting Linux malware:

    • https://github.com/timb-machine/linux-malware

  • eBPF Linux Malware:

    • https://redcanary.com/blog/ebpf-malware/

  • XorDDoS 

  • Symbiote:

    • https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat

  • Syslogk:

    • https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/

  • Facefish Linux Rootkit

  • Panchan

  • Tsunami Botnet Malware:

    • https://asec.ahnlab.com/en/54647/

  • IceFire Ransomware Returns | Now Targeting Linux Enterprise Networks:

    • https://www.sentinelone.com/labs/icefire-ransomware-returns-now-targeting-linux-enterprise-networks/

  • VMware ESXi servers subjected to Akira for Linux ransomware attacks:

    • https://blog.cyble.com/2023/06/28/akira-ransomware-extends-reach-to-linux-platform/

    • https://blog.cyble.com/2023/05/10/unraveling-akira-ransomware/

  • Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel:

    • https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html

  • Python-based fileless malware targets cloud workloads to deliver crypto-miner:

    • https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads

  • Trendmicro Linux Threat Report 2021 1H:

    • https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations
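A handful of mechanisms keep recurring across the reports above: hooking through ld.so.preload (the LD_PRELOAD family, Symbiote), loadable kernel modules (Puma, Reptile, Syslogk), and PAM modules (Plague). The script below is an added example for triaging a host for exactly those three; it is not code from EDRmetry or from any of the linked reports. It assumes standard Debian/RHEL-family library and PAM paths, that dpkg or rpm is available for package-ownership checks, and that library paths contain no whitespace. The ld.so.preload functions take the file and the trusted directories as arguments so they can also be run against a copy collected from a suspect machine.

```bash
#!/bin/sh
# Host triage for persistence/evasion mechanisms that recur in the reports above:
# ld.so.preload (LD_PRELOAD) hooking, out-of-tree kernel modules, unowned PAM modules.
# Added example, not code from EDRmetry or from any linked report.
# ASSUMPTIONS: Debian/RHEL-family paths; dpkg or rpm present; no whitespace in paths.
PATH="$PATH:/sbin:/usr/sbin"   # modinfo lives in /sbin on some distributions

# Print every real entry (non-blank, non-comment) of an ld.so.preload file.
# On a healthy host the file is usually absent or empty, so any entry deserves a look.
# Returns non-zero when the file has no entries (grep found nothing).
ld_preload_entries() {
    local f="${1:-/etc/ld.so.preload}"
    [ -r "$f" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$f"
}

# Flag ld.so.preload entries that are outside the trusted library directories or
# that no longer exist on disk (a dangling entry is a classic leftover of a removed
# or partially cleaned userland rootkit).
# Usage: suspicious_preload_entries [FILE] [TRUSTED_DIR...]
suspicious_preload_entries() {
    local f="${1:-/etc/ld.so.preload}"
    if [ $# -gt 0 ]; then shift; fi
    local trusted="${*:-/lib /usr/lib /lib64 /usr/lib64}"
    ld_preload_entries "$f" | while read -r lib; do
        ok=0
        for t in $trusted; do
            case "$lib" in "$t"/*) ok=1; break ;; esac
        done
        if [ "$ok" -eq 0 ]; then
            echo "outside trusted dirs: $lib"
        elif [ ! -e "$lib" ]; then
            echo "dangling entry: $lib"
        fi
    done
}

# Loaded kernel modules whose file is not under the running kernel's module tree.
# A module insmod'ed from /tmp or /dev/shm shows up here; a rootkit that unlinks
# itself from the module list does NOT, so confirm with a memory image when in doubt.
loaded_modules_outside_tree() {
    [ -r /proc/modules ] || return 0
    local tree="/lib/modules/$(uname -r)"
    awk '{print $1}' /proc/modules | while read -r m; do
        if ! path=$(modinfo -n "$m" 2>/dev/null); then
            echo "$m: not found under $tree"
            continue
        fi
        case "$path" in "$tree"/*) ;; *) echo "$m -> $path" ;; esac
    done
}

# PAM modules (*.so in the PAM module directories) that no installed package owns.
# A PAM backdoor is exactly such a file, so this list should normally be empty.
unowned_pam_modules() {
    local d f
    {
        for d in /lib/security /lib64/security /usr/lib/security /usr/lib64/security \
                 /lib/x86_64-linux-gnu/security /usr/lib/x86_64-linux-gnu/security; do
            [ -d "$d" ] || continue
            for f in "$d"/*.so; do
                [ -e "$f" ] || continue
                if command -v dpkg >/dev/null 2>&1; then
                    dpkg -S "$f" >/dev/null 2>&1 || echo "$f"
                elif command -v rpm >/dev/null 2>&1; then
                    rpm -qf "$f" >/dev/null 2>&1 || echo "$f"
                fi
            done
        done
    } | sort -u   # usrmerge symlinks (/lib -> /usr/lib) would otherwise double entries
}

# Run all checks against the live host. Source this file, then call: triage_host
triage_host() {
    echo "== suspicious /etc/ld.so.preload entries"
    suspicious_preload_entries
    echo "== loaded kernel modules outside /lib/modules/$(uname -r)"
    loaded_modules_outside_tree
    echo "== PAM modules not owned by any package"
    unowned_pam_modules
}
```

Two caveats a practitioner should keep in mind. First, everything here runs on top of the possibly compromised kernel and libc, so a userland rootkit that hooks readdir/open, or a kernel rootkit that hides its module, can make these checks come back clean; treat a clean result as "nothing found", not "nothing there", and compare against an offline disk or memory image for a high-value host. Second, BPF-resident implants of the BPFDoor kind leave no file in any of these locations; enumerating loaded programs with bpftool (`bpftool prog list`) is the corresponding starting point for that class.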
