
Linux rootkits, router 0-day, AI intrusions: 25 attacks
Attackers exploit trusted tokens, packages, and accounts across 25 incidents reported this week.
What happened
The Hacker News weekly bulletin logs 25 new active incidents in a single reporting window. No single event is catastrophic on its own. The aggregate pattern is the story.
Four headline categories:
- Linux rootkits — A rootkit (malware that embeds in the OS kernel to evade antivirus and forensic tools) is active in compromised enterprise Linux environments. The technique isn't new; its reappearance signals defenders have dropped their guard on Linux endpoints.
- Router 0-day — An unpatched vulnerability affects widely deployed network hardware. No confirmed CVE at press time, which hampers automated detection across most security tooling.
- AI-assisted intrusions — Attackers are using generative AI tools to accelerate recon, craft targeted phishing, and evade detection. This isn't AI hacking autonomously — it's humans hacking faster and cheaper.
- Scam kits — Pre-packaged fraud bundles circulating on underground markets. They include phishing pages, fake support scripts, and complete social engineering flows.
The common thread across every incident: attackers aren't forcing entry — they're using keys they already hold. A leaked token. A poisoned package via a supply chain attack (an attack that compromises the software supply chain — libraries, updates, and tools your code already trusts). A reused credential. A legitimate support account taken over.
Why it matters
25 incidents in one week isn't the alarming number. The alarming part is the normalization of the vector. When the attack path runs through a trusted package or an internal tool update, perimeter controls detect nothing. Traffic looks legitimate because it originates from a legitimate source.
Linux rootkits are especially painful for SOC (Security Operations Center — the team that monitors and responds to threats) teams. A well-implemented rootkit can run for weeks without triggering a single alert. EDR (endpoint detection and response — security software that monitors endpoint behavior) coverage on Linux still lags significantly behind Windows equivalents.
The router 0-day adds another critical angle: network infrastructure that most organizations patch far less rigorously than their application servers.
What to do
- Audit third-party packages updated in the last 7 days. Compare checksums against officially published hashes.
- Review active access tokens — especially CI/CD, repo, and cloud tool tokens. Rotate anything older than 90 days.
- Check your perimeter router firmware version and monitor the vendor's advisory feed until a CVE or patch is published.
- Deploy file integrity monitoring on critical Linux hosts. `auditd` or a Linux-capable EDR will catch anomalous kernel module modifications.
- Train support staff on social engineering. Scam kits target people, not systems.
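Three of the checks above (the package checksum audit, the 90-day token rotation review, and spotting kernel module activity in `auditd` output) as one runnable Python script. This is an added example, not code from the bulletin or from The Hacker News; the artifact names, "published" hashes, token inventory, dates and audit log lines are all constructed for the demo, and the audit rule key "modules" is an assumed rule name. The x86_64 syscall numbers for init_module, finit_module and delete_module, and the raw auditd record layout, are real.

```python
"""Added example (not from the bulletin): three "What to do" checks run
against constructed sample data so the script works offline.

  1. compare_checksums - verify recently updated package artifacts against
                         a published hash manifest
  2. stale_tokens      - flag access tokens older than 90 days
  3. scan_audit_log    - pick kernel-module load/unload events out of raw
                         auditd SYSCALL records
"""
import hashlib
import re
from datetime import date, timedelta

# --- 1. checksum audit ----------------------------------------------------
# Constructed "downloaded" artifacts and the hashes the vendor "published".
ARTIFACTS = {
    "libfoo-1.4.2.tar.gz": b"libfoo 1.4.2 release tarball (constructed)",
    "bar-cli-2.0.1.whl":   b"bar-cli 2.0.1 wheel (constructed)",
}
PUBLISHED_SHA256 = {
    "libfoo-1.4.2.tar.gz": hashlib.sha256(ARTIFACTS["libfoo-1.4.2.tar.gz"]).hexdigest(),
    # Deliberately wrong: simulates a substituted or tampered package.
    "bar-cli-2.0.1.whl":   "0" * 64,
}

def compare_checksums(artifacts, published):
    """Return artifact names whose SHA-256 does not match the published hash.
    Artifacts with no published hash are reported too: a package you cannot
    verify is as much a finding as one that fails verification."""
    bad = []
    for name, data in artifacts.items():
        digest = hashlib.sha256(data).hexdigest()
        expected = published.get(name)
        if expected is None or digest.lower() != expected.lower():
            bad.append(name)
    return bad

# --- 2. token rotation audit ---------------------------------------------
# Constructed inventory: token label -> creation date. A real run would pull
# this from the CI, repo and cloud providers' token listings.
TOKENS = {
    "ci-deploy-token": date(2024, 1, 10),
    "repo-read-token": date(2024, 5, 20),
    "cloud-admin-key": date(2023, 11, 2),
}
TODAY = date(2024, 6, 1)  # constructed "today" so the demo is reproducible

def stale_tokens(tokens, today, max_age_days=90):
    """Return the tokens created more than max_age_days before `today`."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(name for name, created in tokens.items() if created < cutoff)

# --- 3. kernel-module activity in auditd output --------------------------
# Assumes a rule such as (key name "modules" is an assumption):
#   -a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules
# x86_64 (arch=c000003e) syscall numbers for the three module syscalls.
MODULE_SYSCALLS = {175: "init_module", 176: "delete_module", 313: "finit_module"}

# Constructed sample records in raw auditd SYSCALL format (fields trimmed).
AUDIT_LINES = """\
type=SYSCALL msg=audit(1717240000.101:501): arch=c000003e syscall=257 success=yes exit=3 comm="bash" exe="/usr/bin/bash" key=(null)
type=SYSCALL msg=audit(1717240000.102:502): arch=c000003e syscall=313 success=yes exit=0 comm="insmod" exe="/usr/bin/kmod" key="modules"
type=SYSCALL msg=audit(1717240000.103:503): arch=c000003e syscall=175 success=no exit=-1 comm="loader" exe="/tmp/loader" key="modules"
type=SYSCALL msg=audit(1717240000.104:504): arch=c000003e syscall=176 success=yes exit=0 comm="rmmod" exe="/usr/bin/kmod" key="modules"
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_line(line):
    """Turn one raw auditd record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def scan_audit_log(lines):
    """Return (event id, syscall name, comm, exe, success) for every module
    load/unload. Failed attempts are kept on purpose: a process in /tmp that
    tries init_module and fails is more interesting than a routine insmod."""
    hits = []
    for line in lines.splitlines():
        rec = parse_audit_line(line)
        if rec.get("type") != "SYSCALL":
            continue
        name = MODULE_SYSCALLS.get(int(rec.get("syscall", -1)))
        if name is None:
            continue
        event = rec["msg"].split(":")[1].rstrip(")")  # audit(ts:serial):
        hits.append((event, name, rec.get("comm"), rec.get("exe"),
                     rec.get("success") == "yes"))
    return hits

if __name__ == "__main__":
    print("checksum mismatches:", compare_checksums(ARTIFACTS, PUBLISHED_SHA256))
    print("tokens past 90 days:", stale_tokens(TOKENS, TODAY))
    for hit in scan_audit_log(AUDIT_LINES):
        print("module event:", hit)
```

The checksum function treats a missing published hash as a failure rather than skipping it, which is the behaviour you want when a vendor page has been tampered with or a package was sourced from a mirror. The audit scanner works on raw `audit.log` records (numeric syscall ids) rather than the interpreted output of `ausearch -i`, so it can be pointed at a log shipped off the host.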
The perimeter model has been dead for years — many teams just haven't updated their playbook. When the attack arrives via a trusted channel, behavioral anomaly detection is the only control that holds. Origin-based detection won't catch it.

