{"id":55558,"date":"2024-03-12T15:36:43","date_gmt":"2024-03-12T15:36:43","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/35641\/Never-Before-Seen-Linux-Malware-Gets-Installed-Using-1-Day-Exploits.html"},"modified":"2024-03-12T15:36:43","modified_gmt":"2024-03-12T15:36:43","slug":"never-before-seen-linux-malware-gets-installed-using-1-day-exploits","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\/","title":{"rendered":"Never Before Seen Linux Malware Gets Installed Using 1-Day Exploits"},"content":{"rendered":"<figure class=\"intro-image intro-left\"> <img decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2023\/06\/malware-800x451.jpg\" alt=\"Never-before-seen Linux malware gets installed using 1-day exploits\"><figcaption class=\"caption\">\n<div class=\"caption-credit\">Getty Images<\/div>\n<\/figcaption><\/figure>\n<aside id=\"social-left\" class=\"social-left\" aria-label=\"Read the comments or share this article\"> <a class=\"comment-count icon-comment-bubble-down\" href=\"https:\/\/arstechnica.com\/security\/2024\/03\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\/?comments=1\"> <\/p>\n<h4 class=\"comment-count-before\">reader comments<\/h4>\n<p> <span class=\"comment-count-number\">41<\/span> <\/a> <\/aside>\n<p> <!-- cache hit 208:single\/related:18ad7d7f64bec6abd56fc99807b13151 --><!-- empty --><\/p>\n<p>Researchers have unearthed Linux malware that circulated in the wild for at least two years before being identified as a credential stealer that\u2019s installed by the exploitation of recently patched vulnerabilities.<\/p>\n<p>The newly identified malware is a Linux variant of NerbianRAT, a remote access Trojan <a href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/nerbian-rat-using-covid-19-themes-features-sophisticated-evasion-techniques\">first described<\/a> in 2022 by researchers at security firm Proofpoint. Last Friday, Checkpoint Research revealed that the Linux version has existed since at least the same year, when it was uploaded to the VirusTotal malware identification site. Checkpoint went on to conclude that Magnet Goblin\u2014the name the security firm uses to track the financially motivated threat actor using the malware\u2014has installed it by exploiting \u201c1-days,\u201d which are recently patched vulnerabilities. Attackers in this scenario reverse engineer security updates, or copy associated proof-of-concept exploits, for use against devices that have yet to install the patches.<\/p>\n<p>Checkpoint also identified MiniNerbian, a smaller version of NerbianRAT for Linux that\u2019s used to backdoor servers running the Magento ecommerce server, primarily for use as command-and-control servers that devices infected by NerbianRAT connect to. Researchers elsewhere have reported encountering servers that appear to have been compromised with MiniNerbian, but Checkpoint Research appears to have been the first to identify the underlying binary.<\/p>\n<aside class=\"ad_wrapper\" aria-label=\"In Content advertisement\"> <span class=\"ad_notice\">Advertisement <\/span> <\/aside>\n<p>\u201cMagnet Goblin, whose campaigns appear to be financially motivated, has been quick to adopt 1-day vulnerabilities to deliver their custom Linux malware, NerbianRAT and MiniNerbian,\u201d Checkpoint researchers <a href=\"https:\/\/research.checkpoint.com\/2024\/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities\/\">wrote<\/a>. \u201cThose tools have operated under the radar as they mostly reside on edge-devices. This is part of an ongoing trend for threat actors to target areas which until now have been left unprotected.\u201d<\/p>\n<p>Checkpoint discovered the Linux malware while researching recent attacks that exploit <a href=\"https:\/\/arstechnica.com\/security\/2024\/02\/as-if-two-ivanti-vulnerabilities-under-explot-wasnt-bad-enough-now-there-are-3\/\">critical vulnerabilities<\/a> in Ivanti Secure Connect, which have been under mass exploitation since early January. In the past, Magnet Goblin has installed the malware by exploiting one-day vulnerabilities in Magento, Qlink Sense, and possibly Apache ActiveMQ.<\/p>\n<p>In the course of its investigation into the Ivanti exploitation, Checkpoint found the Linux version of NerbianRAT on compromised servers that were under the control of Magnet Goblin. URLs included:<\/p>\n<p><a href=\"http:\/\/94.156.71%5B.%5D115\/lxrthttp:\/\/91.92.240%5B.%5D113\/aparche2http:\/\/45.9.149%5B.%5D215\/aparche2\">http:\/\/94.156.71[.]115\/lxrt<\/a><br \/><a href=\"http:\/\/94.156.71%5B.%5D115\/lxrthttp:\/\/91.92.240%5B.%5D113\/aparche2http:\/\/45.9.149%5B.%5D215\/aparche2\">http:\/\/91.92.240[.]113\/aparche2<\/a><br \/><a href=\"http:\/\/94.156.71%5B.%5D115\/lxrthttp:\/\/91.92.240%5B.%5D113\/aparche2http:\/\/45.9.149%5B.%5D215\/aparche2\">http:\/\/45.9.149[.]215\/aparche2<\/a><\/p>\n<p>The Linux variants connect back to the attacker-controlled IP 172.86.66[.]165.<\/p>\n<p>Besides deploying NerbianRAT, Magnet Goblin also installed a custom variant of malware tracked as WarpWire, a piece of stealer malware <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/investigating-ivanti-zero-day-exploitation\">recently reported<\/a> by security firm Mandiant. The variant Checkpoint encountered stole VPN credentials and sent them to a server at the domain miltonhouse[.]nl.<\/p>\n<figure class=\"image shortcode-img center large\"><a href=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/03\/figure2.jpg\" class=\"enlarge\" data-height=\"146\" data-width=\"646\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/03\/figure2-640x145.jpg\" width=\"640\" height=\"145\" srcset=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/03\/figure2.jpg 2x\"><\/a><figcaption class=\"caption\">\n<div class=\"caption-credit\">Checkpoint Research<\/div>\n<\/figcaption><\/figure>\n<p>NerbianRAT Windows featured robust code that took pains to hide itself and to prevent reverse engineering by rivals or researchers.<\/p>\n<p>\u201cUnlike its Windows equivalent, the Linux version barely has any protective measures,\u201d Checkpoint said. \u201cIt is sloppily compiled with DWARF debugging information, which allows researchers to view, among other things, function names and global variable names.\u201d<\/p>\n<p> READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/35641\/Never-Before-Seen-Linux-Malware-Gets-Installed-Using-1-Day-Exploits.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":55559,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[60],"tags":[10878],"class_list":["post-55558","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-packet-storm","tag-headlinehackermalwarelinuxbackdoor"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Never Before Seen Linux Malware Gets Installed Using 1-Day Exploits 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Never Before Seen Linux Malware Gets Installed Using 1-Day Exploits 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-03-12T15:36:43+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2023\/06\/malware-800x451.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Never Before Seen Linux Malware Gets Installed Using 1-Day Exploits\",\"datePublished\":\"2024-03-12T15:36:43+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\\\/\"},\"wordCount\":477,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits.jpg\",\"keywords\":[\"headline,hacker,malware,linux,backdoor\"],\"articleSection\":[\"Packet Storm\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\\\/\",\"name\":\"Never Before Seen Linux Malware Gets Installed Using 1-Day Exploits 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits.jpg\",\"datePublished\":\"2024-03-12T15:36:43+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits.jpg\",\"width\":800,\"height\":451},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"headline,hacker,malware,linux,backdoor\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlinehackermalwarelinuxbackdoor\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Never Before Seen Linux Malware Gets Installed Using 1-Day Exploits\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Never Before Seen Linux Malware Gets Installed Using 1-Day Exploits 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\/","og_locale":"en_US","og_type":"article","og_title":"Never Before Seen Linux Malware Gets Installed Using 1-Day Exploits 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-03-12T15:36:43+00:00","og_image":[{"url":"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2023\/06\/malware-800x451.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Never Before Seen Linux Malware Gets Installed Using 1-Day Exploits","datePublished":"2024-03-12T15:36:43+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\/"},"wordCount":477,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/03\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits.jpg","keywords":["headline,hacker,malware,linux,backdoor"],"articleSection":["Packet Storm"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\/","url":"https:\/\/www.threatshub.org\/blog\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\/","name":"Never Before Seen Linux Malware Gets Installed Using 1-Day Exploits 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/03\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits.jpg","datePublished":"2024-03-12T15:36:43+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/03\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/03\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits.jpg","width":800,"height":451},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/never-before-seen-linux-malware-gets-installed-using-1-day-exploits\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"headline,hacker,malware,linux,backdoor","item":"https:\/\/www.threatshub.org\/blog\/tag\/headlinehackermalwarelinuxbackdoor\/"},{"@type":"ListItem","position":3,"name":"Never Before Seen Linux Malware Gets Installed Using 1-Day Exploits"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/55558","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=55558"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/55558\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/55559"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=55558"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=55558"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=55558"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}