Overview
This week's ThreatsDay threat intelligence bulletin opens with a familiar but unsettling observation: attackers are not always breaking in — they are using the parts we already trust.
A token leaks. A bad package slips into a trusted registry. A login trick exploits a legitimate auth flow. An old tool reappears in a new campaign. Individually, each looks like routine noise. Together, they reveal a deliberate pattern: the erosion of implicit trust in the components that make modern infrastructure work.
The bulletin covers Linux rootkits, a router zero-day under active exploitation, AI-assisted intrusions, new scam kit platforms, and 25 additional threat stories from the past week.
This Week's Headline Threats
1. Linux Rootkits — Persistence Through the Kernel
New Linux rootkit campaigns were detected this week, with threat actors deploying kernel-level persistence mechanisms to survive reboots, hide malicious processes, and evade detection on compromised servers. Rootkits represent the highest tier of Linux persistence — once loaded into the kernel, they can:
- Hide malicious processes from ps, top, and /proc
- Intercept system calls to mask file and network activity
- Survive standard forensic investigation and log analysis
- Persist across reboots via loadable kernel module (LKM) injection
Organizations running Linux servers, particularly in cloud, container, and DevOps environments, should audit kernel module loads and review dmesg output for unexpected module events. Bear in mind what dmesg can and cannot show: a successful load of a signed in-tree module logs nothing, whereas an out-of-tree module tainting the kernel or a failed signature verification does leave a line. A rootkit with kernel privileges can also clear the ring buffer, so an empty dmesg is not evidence of a clean host.
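The two cross-checks that this advice implies, hidden processes and hidden modules, can be automated. The script that follows is an added example and is not code from the bulletin or from any tool it cites. It assumes a Linux host with /proc and /sys mounted, and it relies on the kernel creating /sys/module/<name>/initstate only for loadable modules, which is how it tells loaded modules apart from the parameter entries that built-in code also gets under /sys/module. It compares a directory listing of /proc (the view ps and top share) against a direct stat() of every PID up to pid_max, and compares the names in /proc/modules against the loadable modules sysfs knows about.

```python
#!/usr/bin/env python3
"""Cross-check what the kernel lists against what it admits to.

Added example, not code from the bulletin. Two comparisons:

  * processes: PIDs returned by listing /proc (readdir, the view ps and top
    share) versus PIDs that answer a direct stat() of /proc/<pid> for every
    PID up to pid_max. Rootkits commonly filter directory entries; a direct
    path lookup does not pass through that filter.
  * modules:   names in /proc/modules (what lsmod prints) versus loadable
    modules under /sys/module. A module unlinked from the kernel's module
    list vanishes from lsmod but usually keeps its sysfs directory, and the
    kernel gives loaded modules an "initstate" file that built-in code lacks.

Both are view comparisons: a rootkit that hooks every view, or that also
deletes its sysfs kobject, passes them and needs memory forensics instead.
"""
import os
from typing import Callable, Set


def listed_pids(proc_dir: str = "/proc") -> Set[int]:
    """PIDs visible through readdir on /proc."""
    return {int(n) for n in os.listdir(proc_dir) if n.isdigit()}


def probe_pid(pid: int, proc_dir: str = "/proc") -> bool:
    """True if /proc/<pid> exists when looked up by name rather than listed."""
    try:
        os.stat(os.path.join(proc_dir, str(pid)))
        return True
    except FileNotFoundError:
        return False
    except PermissionError:
        return True  # it exists, it is just not ours to inspect


def read_pid_max(path: str = "/proc/sys/kernel/pid_max") -> int:
    """Upper bound for the brute-force probe; 32768 is the kernel default."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 32768


def hidden_pids(list_fn: Callable[[], Set[int]],
                probe: Callable[[int], bool],
                pid_max: int) -> Set[int]:
    """PIDs that answer a direct probe but are absent from the listing.

    The listing is taken twice so a process that starts or exits between
    the two views is not reported: a genuinely hidden PID is missing from
    both listings and still answers the second probe.
    """
    first = list_fn()
    candidates = {pid for pid in range(1, pid_max + 1)
                  if pid not in first and probe(pid)}
    second = list_fn()
    return {pid for pid in candidates if pid not in second and probe(pid)}


def parse_proc_modules(text: str) -> Set[str]:
    """Module names from /proc/modules text (first field of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def listed_modules(path: str = "/proc/modules") -> Set[str]:
    with open(path) as f:
        return parse_proc_modules(f.read())


def sysfs_modules(sys_dir: str = "/sys/module") -> Set[str]:
    """Loadable modules known to sysfs: entries that carry an initstate file."""
    return {name for name in os.listdir(sys_dir)
            if os.path.exists(os.path.join(sys_dir, name, "initstate"))}


def hidden_modules(listed: Set[str], in_sysfs: Set[str]) -> Set[str]:
    """Modules sysfs knows about that the module list does not show."""
    return in_sysfs - listed


if __name__ == "__main__":
    pids = hidden_pids(listed_pids, probe_pid, read_pid_max())
    mods = hidden_modules(listed_modules(), sysfs_modules())
    print("hidden PIDs   :", sorted(pids) or "none")
    print("hidden modules:", sorted(mods) or "none")
```

Run it as root so every /proc/<pid> answers the stat; the PID loop takes a few seconds on hosts with a large pid_max. A PID reported as hidden should then be examined through /proc/<pid>/status and /proc/<pid>/exe, and a module reported as hidden through /sys/module/<name>/sections, since the script only says that two kernel views disagree, not what is hiding.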
Detection commands:
# List currently loaded kernel modules; the trailing flags in /proc/modules
# mark out-of-tree (O) and unsigned (E) modules, which is where to look first
cat /proc/modules
# Check for hidden processes: ps, top and ls all read the /proc directory
# listing, so compare that listing against a direct probe of every possible
# PID (a path lookup bypasses the readdir filter most rootkits install).
# The loop is slow when pid_max is large; re-run to rule out short-lived PIDs
ls /proc | grep '^[0-9]' | sort -n > /tmp/proc_pids.txt
max=$(cat /proc/sys/kernel/pid_max); p=1
while [ "$p" -le "$max" ]; do [ -d "/proc/$p" ] && echo "$p"; p=$((p+1)); done | sort -n > /tmp/probe_pids.txt
diff /tmp/proc_pids.txt /tmp/probe_pids.txt   # PIDs only in probe_pids.txt are hidden
# Review module loads that left a trace: out-of-tree or unsigned modules
# taint the kernel and say so here (a normal signed load logs nothing)
dmesg | grep -iE "module|taint" | tail -50

2. Router Zero-Day — Active Exploitation
A router zero-day vulnerability is under active exploitation this week, with threat actors targeting consumer and small business routers to establish persistent network access. Router compromises are particularly dangerous because:
| Risk Factor | Impact |
|---|---|
| Traffic interception | All LAN traffic passes through the router — full MITM capability |
| DNS manipulation | Redirecting DNS to attacker-controlled servers enables phishing and credential theft |
| Botnet recruitment | Compromised routers join DDoS infrastructure |
| Persistence | Router firmware often lacks EDR — persistence survives host-level remediation |
| Lateral movement gateway | Router access enables attacks against all connected LAN devices |
Affected router models have not been fully disclosed pending vendor patch coordination. Users should:
- Apply any available firmware updates immediately
- Change default admin credentials
- Disable remote management interfaces if not actively required
- Monitor router DNS settings for unauthorized changes
3. AI-Assisted Intrusions — The Trust Erosion Pattern
This week's bulletin highlights a growing class of AI-assisted intrusion techniques where attackers leverage legitimate AI tools, APIs, and model outputs as intrusion vectors or post-exploitation tools:
- Prompt injection via AI-processed documents — malicious content in PDFs/emails that manipulates AI assistant behavior when summarized
- AI-generated phishing content — higher quality, personalized lures that bypass traditional signature detection
- Automated vulnerability exploitation — AI-accelerated reconnaissance and exploit generation
- Trusted AI tool abuse — using legitimate corporate AI deployments as data exfiltration channels
The pattern this week specifically involves threat actors exploiting the implicit trust organizations place in AI-generated content and AI tool outputs — the same pattern observed across token leaks and supply chain compromises.
4. Scam Kit Infrastructure
New scam kit platforms were identified in underground forums this week, offering turnkey infrastructure for:
- Fake CAPTCHA pages (ClickFix-style delivery)
- SMS fraud and OTP interception services
- Cryptocurrency investment fraud sites
- Voice phishing (vishing) script automation
The commoditization of scam infrastructure means threat actors with minimal technical skill can now launch sophisticated fraud campaigns by purchasing ready-made kits — lowering the barrier to entry for financial cybercrime.
The Week in Numbers
| Category | Count |
|---|---|
| Total stories in this bulletin | 25+ |
| Zero-day vulnerabilities highlighted | 2 |
| Active exploitation confirmed | 3 threats |
| Threat actor groups tracked | 4+ |
| Sectors targeted | Government, Finance, Telecom, Healthcare |
Key Themes This Week
Trust Erosion as a Primary Attack Vector
The common thread across this week's threats is not the sophistication of individual techniques — it is the systematic targeting of trusted components:
- Trusted kernel space → Linux rootkits exploit the implicit trust OS places in kernel modules
- Trusted network infrastructure → Router zero-days exploit the implicit trust LAN devices place in the gateway
- Trusted AI tools → AI-assisted intrusions exploit the implicit trust users place in AI-generated content
- Trusted development tools → Supply chain attacks exploit the implicit trust developers place in package registries
This pattern suggests defenders should adopt a zero-trust posture across all component layers — not just at the perimeter.
Monitoring Priorities for the Week
Priority 1: Linux kernel module audit — unexpected LKMs indicate rootkit activity
Priority 2: Router firmware — apply updates, verify DNS settings
Priority 3: AI tool access review — audit which AI services have access to sensitive data
Priority 4: Package registry monitoring — verify integrity of dependencies before deployment
Priority 5: EDR telemetry review — look for process injection, LOLBIN abuse, and unusual network connections
Detection Guidance
Linux Rootkit Indicators
# Check for hidden network connections: ss queries the kernel over netlink,
# netstat parses /proc/net/tcp, so a rootkit that hooks only the /proc read
# path leaves an entry in ss that netstat does not show (IPv4 only, to keep
# the two address formats comparable; re-run to rule out transient sockets)
ss -4Htan | awk '{print $4, $5}' | sort > /tmp/ss_conns.txt
netstat -4tan | awk 'NR>2 {print $4, $5}' | sort > /tmp/netstat_conns.txt
diff /tmp/ss_conns.txt /tmp/netstat_conns.txt
# Verify /proc/modules against sysfs (lsmod itself reads /proc/modules, so
# comparing the two proves nothing); a module unlinked from the module list
# usually still has a /sys/module/<name>/initstate entry
awk '{print $1}' /proc/modules | sort > /tmp/proc_mods.txt
for d in /sys/module/*/; do [ -f "$d/initstate" ] && basename "$d"; done | sort > /tmp/sysfs_mods.txt
diff /tmp/proc_mods.txt /tmp/sysfs_mods.txt   # names only in sysfs_mods.txt are hidden
# Check for file hiding: ls -la adds a "total" line plus . and .., find adds
# /etc/ itself, so the ls count minus 2 should equal the find count
ls -la /etc/ | wc -l
find /etc/ -maxdepth 1 | wc -l
# Any other discrepancy suggests a rootkit filtering one of the two listings

Router Compromise Indicators
- Unexpected DNS server changes in router config
- Unknown admin accounts added to router management
- Unusual outbound traffic from router management IP
- Firmware version rollback or unexpected firmware changes
- Remote management enabled when previously disabled
Sources
- The Hacker News — ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories