BBLabs NewsBBLabs News
NewsAll articlesTopics
ES
BBLabs NewsBBLabs News

BBLabs News

Una historia al día. Cero ruido.

Newsletter técnica de ciberseguridad. Una historia al día sobre CVEs críticos, brechas, bug bounty e IA. Filtrado por IA, escrito para humanos.

Producto

  • Hemeroteca
  • Ediciones
  • Temas
  • Glosario
  • RSS
  • Atom
  • JSON Feed

Editorial

  • Acerca de
  • Suscribirse
  • Cuenta
  • English

Legal

  • Privacidad
  • Términos
  • Contacto: team@bblabs.es

Conectar

  • YouTube · @0xGorka
  • Instagram · @bblabs.es
  • Discord BBLabs
  • Discord Bug Bounty ES
31 artículos·10 ediciones·Desde 2026·Hecho en España
© 2026 BBLabs News·Por Gorka El Bochi
BBLabs NewsBBLabs News
NewsAll articlesTopics
ES
Linux rootkits, router 0-day, AI intrusions: 25 attacks
Back to homeCiberataques

Linux rootkits, router 0-day, AI intrusions: 25 attacks

Attackers exploit trusted tokens, packages, and accounts across 25 incidents reported this week.

  1. Home
  2. ›
  3. Ciberataques
  4. ›
  5. Linux rootkits, router 0-day, AI intrusions: 25 attacks
by Gorka El Bochi Morillo
·
2 min read
·May 26, 2026

What happened

The Hacker News weekly bulletin logs 25 new active incidents in a single reporting window. No single event is catastrophic on its own. The aggregate pattern is the story.

Four headline categories:

Linux rootkits — A rootkit (malware that embeds in the OS kernel to evade antivirus and forensic tools) is active in compromised enterprise Linux environments. The technique isn't new; its reappearance signals defenders have dropped their guard on Linux endpoints.

Router 0-day — An unpatched vulnerability affects widely deployed network hardware. No confirmed CVE at press time, which hampers automated detection across most security tooling.

AI-assisted intrusions — Attackers are using generative AI tools to accelerate recon, craft targeted phishing, and evade detection. This isn't AI hacking autonomously — it's humans hacking faster and cheaper.

Scam kits — Pre-packaged fraud bundles circulating on underground markets. They include phishing pages, fake support scripts, and complete social engineering flows.

The common thread across every incident: attackers aren't forcing entry — they're using keys they already hold. A leaked token. A poisoned package via a supply chain attack (an attack that compromises the software supply chain — libraries, updates, and tools your code already trusts). A reused credential. A legitimate support account taken over.

Why it matters

25 incidents in one week isn't the alarming number. The alarming part is the normalization of the vector. When the attack path runs through a trusted package or an internal tool update, perimeter controls detect nothing. Traffic looks legitimate because it originates from a legitimate source.

Linux rootkits are especially painful for SOC (Security Operations Center — the team that monitors and responds to threats) teams. A well-implemented rootkit can run for weeks without triggering a single alert. EDR (endpoint detection and response — security software that monitors endpoint behavior) coverage on Linux still lags significantly behind Windows equivalents.

The router 0-day adds another critical angle: network infrastructure that most organizations patch far less rigorously than their application servers.

What to do

  • Audit third-party packages updated in the last 7 days. Compare checksums against officially published hashes.
  • Review active access tokens — especially CI/CD, repo, and cloud tool tokens. Rotate anything older than 90 days.
  • Check your perimeter router firmware version and monitor the vendor's advisory feed until a CVE or patch is published.
  • Deploy file integrity monitoring on critical Linux hosts. `auditd` or a Linux-capable EDR will catch anomalous kernel module modifications.
  • Train support staff on social engineering. Scam kits target people, not systems.

The perimeter model has been dead for years — many teams just haven't updated their playbook. When the attack arrives via a trusted channel, behavioral anomaly detection is the only control that holds. Origin-based detection won't catch it.

What to do

  • Rotate access tokens older than 90 days immediately.
  • Audit third-party packages updated in the past 7 days.
  • Check perimeter router firmware against the active 0-day.

Share this story

Help more people discover BBLabs News.

Linux rootkits, router 0-day, AI intrusions: 25 attacks
VerticalDownload image
LinkedInXWhatsApp

Interested in Ciberataques?

Subscribe to this stream and get the most relevant news every day — no spam, no noise.

Subscribe

Related articles

Destacado
Ciberataques4 jun 2026·2 min

Megalodon malware hits 5,500+ GitHub repos in 6 hours

Megalodon malware pushed malicious commits to 5,500+ GitHub repos in six hours, stealing developer credentials and secrets.

  • Audit recent GitHub commits for unauthorized changes or unknown accounts
  • Rotate all tokens and API keys with write access immediately
  • Enable GitHub secret scanning with push protection across your org
Gorka El Bochi Morillo
Leer artículo
Ciberataques3 jun 2026·2 min

JINX-0164 hits crypto firms with fake recruiter macOS malware

JINX-0164 uses fake recruiter lures to deploy custom macOS malware against crypto firms and steal digital assets.

Leer artículo
Ciberataques1 jun 2026·2 min

Dutch police arrest admins of bulletproof hosting used by Russian hackers

Dutch authorities arrested two admins of a bulletproof hosting service — infrastructure that ignores legal takedown requests — used by Russia-aligned threat actors.

Leer artículo

Want to get news like this every day?

Browse all articles
BBLabs NewsBBLabs News

BBLabs News

Una historia al día. Cero ruido.

Newsletter técnica de ciberseguridad. Una historia al día sobre CVEs críticos, brechas, bug bounty e IA. Filtrado por IA, escrito para humanos.

Producto

  • Hemeroteca
  • Ediciones
  • Temas
  • Glosario
  • RSS
  • Atom
  • JSON Feed

Editorial

  • Acerca de
  • Suscribirse
  • Cuenta
  • English

Legal

  • Privacidad
  • Términos
  • Contacto: team@bblabs.es

Conectar

  • YouTube · @0xGorka
  • Instagram · @bblabs.es
  • Discord BBLabs
  • Discord Bug Bounty ES
31 artículos·10 ediciones·Desde 2026·Hecho en España
© 2026 BBLabs News·Por Gorka El Bochi