LinkPro eBPF Rootkit Exploitation via Jenkins (CVE-2024-23897)

Published on: November 7, 2025

Overview

LinkPro is a newly identified GNU/Linux rootkit discovered by Synacktiv following the compromise of an AWS environment. The intrusion originated from an exposed Jenkins server vulnerable to CVE-2024-23897, which was exploited to deploy a malicious Docker image (kvlnt/vv) across multiple Kubernetes clusters.

This malicious image deployed a coordinated toolkit:

  • vnt/link – a VPN and proxy utility for internal pivoting
  • vGet/app – a downloader that retrieves encrypted payloads
  • vShell – an interactive backdoor for remote command execution
  • LinkPro Rootkit – a stealthy Go-based implant with two eBPF modules for concealment and network manipulation

The LinkPro rootkit can be remotely activated using a TCP “magic packet” (window size 54321) and operates in both active (forward) and passive (reverse) control modes.
The campaign highlights the rising use of eBPF-based rootkits for stealth, persistence, and supply-chain exploitation in containerized and CI/CD environments.

Who It Impacts

  • Organizations running Jenkins servers exposed to the internet or not patched against CVE-2024-23897
  • Kubernetes clusters integrated with CI/CD pipelines pulling unverified container images
  • Cloud workloads (AWS, GCP, Azure) that reuse images or share container registries
  • Linux hosts permitting privileged containers or unmonitored eBPF loading

How It Impacts

Attack Type: Linux rootkit leveraging eBPF and ld.so.preload for concealment

Initial Vector & Delivery:

  • Exploitation of Jenkins CVE-2024-23897 for remote code execution
  • Deployment of malicious Docker image kvlnt/vv (previously hosted on Docker Hub)

Payload Components:

  • start.sh – Launches SSH and secondary payloads
  • link (vnt) – Connects to vnt.wherewego[.]top:29872, providing VPN/proxy tunneling
  • app (vGet) – Downloads the encrypted vShell payload from S3 and connects to 56.155.98[.]37 via WebSocket
  • LinkPro – Rootkit with kernel/user persistence, eBPF stealth, and C2 connectivity

Persistence and Concealment:

  • Kernel-space: Two eBPF programs — “Hide” and “Knock” — loaded via XDP and TC interfaces conceal processes, files, and network ports.
  • User-space fallback: Creates /etc/libld.so and modifies /etc/ld.so.preload to hook libc calls if eBPF is unavailable.
  • Systemd persistence: Deploys disguised services (e.g., /etc/systemd/system/systemd-resolveld.service) and hides entries from /proc.

Operation Modes:

  • Passive/Reverse: Triggered by TCP SYN with window size 54321. Records source IP and opens port 2233 for one hour.
  • Active/Forward: Periodically contacts C2s via HTTP, WebSocket, TCP, UDP, or DNS for commands and exfiltration.

Network Manipulation:
The “Knock” XDP module rewrites inbound TCP destination ports to 2233, while the TC egress module restores the original source port, evading firewall correlation and host-level telemetry.
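The window-size trigger described above, as an added detection example that is not part of the original advisory or of Synacktiv's analysis: a standard-library Python parser that reads raw IPv4/TCP packets (for instance frames read from a pcap or an AF_PACKET socket with the link layer stripped) and reports a bare SYN whose TCP window is 54321. The packet builder and the three sample packets are constructed for this example; the parser assumes IPv4 with no link-layer header in front of it.

```python
"""Flag TCP SYN packets carrying the LinkPro activation window size (54321).

Added example for this advisory, not code from the original report. Parses raw
IPv4/TCP packets with the standard library only; the sample packets at the
bottom are constructed here and were not captured from any real incident.
"""
import struct

MAGIC_WINDOW = 54321   # window size the advisory names as the activation trigger
TCP_SYN = 0x02
TCP_ACK = 0x10


def parse_ipv4_tcp(pkt: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port, flags, window) or None if not IPv4/TCP."""
    if len(pkt) < 20:
        return None
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4           # IP header length in bytes (handles options)
    if pkt[9] != 6 or len(pkt) < ihl + 20:   # protocol 6 = TCP, need a full TCP header
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    flags = off_flags & 0x01FF           # low 9 bits are the TCP flags
    return src, dst, sport, dport, flags, window


def is_magic_syn(pkt: bytes) -> bool:
    """True when the packet is a bare SYN (no ACK) whose window equals 54321."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return False
    _, _, _, _, flags, window = parsed
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK) and window == MAGIC_WINDOW


def scan(packets):
    """Return one alert dict per candidate magic packet in the iterable."""
    alerts = []
    for pkt in packets:
        if is_magic_syn(pkt):
            src, dst, sport, dport, _, window = parse_ipv4_tcp(pkt)
            alerts.append({"src": src, "dst": dst, "sport": sport,
                           "dport": dport, "window": window})
    return alerts


def build_ipv4_tcp(src, dst, sport, dport, flags, window) -> bytes:
    """Build a minimal IPv4+TCP packet (no options, zero checksums) for testing."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE_PACKETS = [
    build_ipv4_tcp("203.0.113.10", "10.0.0.5", 40000, 22, TCP_SYN, 65535),              # ordinary SYN
    build_ipv4_tcp("203.0.113.10", "10.0.0.5", 40001, 443, TCP_SYN, MAGIC_WINDOW),      # trigger
    build_ipv4_tcp("10.0.0.5", "203.0.113.10", 443, 40001, TCP_SYN | TCP_ACK, MAGIC_WINDOW),  # SYN/ACK, ignored
]

if __name__ == "__main__":
    for a in scan(SAMPLE_PACKETS):
        print(f"ALERT magic SYN {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']} window={a['window']}")
```

A legitimate client can advertise a 54321-byte window by coincidence, so treat a hit as a lead to correlate with what follows (a connection to port 2233 from the same source within the hour the advisory describes) rather than as proof on its own.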

Targeted Products

  • Jenkins CI/CD (vulnerable to CVE-2024-23897)
  • Docker Engine / Docker Hub – used to host and distribute kvlnt/vv image
  • Kubernetes clusters consuming compromised container images
  • GNU/Linux systems supporting eBPF (kernel 4.9+)

Recommendations

  1. Patch and harden Jenkins:
    • Apply all security updates addressing CVE-2024-23897.
    • Remove unauthorized jobs and plugins.
    • Restrict public access to Jenkins web interfaces and agent ports.
  2. Container hygiene:
    • Identify and remove all containers/images derived from kvlnt/vv.
    • Rescan internal registries for similar images or tags.
  3. Host recovery:
    • Perform full node re-imaging or rebuilds from trusted sources (avoid in-place cleanup).
    • Validate integrity of /etc/ld.so.preload and remove malicious /etc/libld.so.
  4. Credential rotation:
    • Replace SSH keys, Jenkins credentials, API tokens, and Kubernetes service account tokens.
  5. eBPF inspection:
    • Audit active programs and maps:
      sudo bpftool prog show
      sudo bpftool map show
      sudo ls -al /sys/fs/bpf
    • Investigate unrecognized or recently loaded programs.
  6. Network containment:
    • Block or monitor outbound connections to known C2s and proxy endpoints.
    • Detect TCP SYN packets with window size 54321.
  7. Firewall hardening:
    • Implement least-privilege ingress/egress rules.
    • Enable and correlate firewall and host network logs to detect port rewriting anomalies.
  8. Long-term hardening:
    • Enforce signed and scanned container images.
    • Enable kernel lockdown and restrict eBPF loading to privileged, monitored processes.
    • Apply least privilege to CI/CD runners and disable --privileged containers.
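The eBPF inspection and ld.so.preload checks in the recommendations above, as an added triage example that is not code from the advisory or from Synacktiv: it parses the text that `bpftool prog show` prints, flags programs of the network-attached types (xdp, and sched_cls/sched_act for TC) whose names are not on a locally maintained expected list, and reports /etc/ld.so.preload entries that are either the known LinkPro fallback library or not on an allow-list. The bpftool output, program names, timestamps and preload entries below are constructed samples, and the expected name cilium_xdp is a hypothetical site value.

```python
"""Host triage helpers for the LinkPro findings in this advisory.

Added example, not code from the original report or from Synacktiv. Feed it the
output of `sudo bpftool prog show` and the contents of /etc/ld.so.preload; the
samples at the bottom are constructed.
"""
import re
from typing import Dict, List

# Program types that sit on the packet path; the advisory places the
# "Hide"/"Knock" modules on XDP and TC.
NETWORK_PROG_TYPES = {"xdp", "sched_cls", "sched_act"}

# File the advisory names as the user-space fallback hook.
KNOWN_BAD_PRELOAD = {"/etc/libld.so"}

# "17: xdp  name knock  tag ...  gpl" -> id, type, optional name
PROG_LINE = re.compile(r"^(?P<id>\d+):\s+(?P<type>\S+)(?:\s+name\s+(?P<name>\S+))?")
LOADED_AT = re.compile(r"loaded_at\s+(?P<ts>\S+)")


def parse_bpftool_prog_show(text: str) -> List[Dict[str, str]]:
    """Turn `bpftool prog show` text into one dict per program."""
    progs: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = PROG_LINE.match(line)
        if m:
            progs.append({"id": m["id"], "type": m["type"],
                          "name": m["name"] or "", "loaded_at": ""})
        elif progs:                       # indented detail line of the previous program
            ts = LOADED_AT.search(line)
            if ts:
                progs[-1]["loaded_at"] = ts["ts"]
    return progs


def suspicious_programs(progs, expected_names=frozenset()):
    """Network-attached programs whose name is not on the site's expected list."""
    return [p for p in progs
            if p["type"] in NETWORK_PROG_TYPES and p["name"] not in expected_names]


def check_ld_preload(contents: str, allowed=frozenset()):
    """Return (entry, reason) for preload entries that are known-bad or not allowed.

    /etc/ld.so.preload is a whitespace-separated list of shared objects.
    """
    findings = []
    for entry in contents.split():
        if entry in KNOWN_BAD_PRELOAD:
            findings.append((entry, "known LinkPro fallback hook"))
        elif entry not in allowed:
            findings.append((entry, "not on allow-list"))
    return findings


# Constructed sample in the layout bpftool prints; ids, names, tags and dates are made up.
SAMPLE_BPFTOOL = """\
4: cgroup_skb  name egress  tag 0000000000000000  gpl
\tloaded_at 2025-11-01T10:00:00+0000  uid 0
\txlated 64B  jited 54B  memlock 4096B
17: xdp  name knock  tag 1111111111111111  gpl
\tloaded_at 2025-11-06T23:41:02+0000  uid 0
\txlated 1024B  jited 700B  memlock 8192B
18: sched_cls  name hide  tag 2222222222222222  gpl
\tloaded_at 2025-11-06T23:41:02+0000  uid 0
\txlated 2048B  jited 1500B  memlock 8192B
"""

# Constructed preload file: the advisory's hook plus a hypothetical site library.
SAMPLE_PRELOAD = "/etc/libld.so /usr/lib/libfakeroot.so\n"

if __name__ == "__main__":
    progs = parse_bpftool_prog_show(SAMPLE_BPFTOOL)
    for p in suspicious_programs(progs, expected_names={"cilium_xdp"}):
        print(f"REVIEW bpf prog id={p['id']} type={p['type']} "
              f"name={p['name']!r} loaded_at={p['loaded_at']}")
    for entry, why in check_ld_preload(SAMPLE_PRELOAD, allowed={"/usr/lib/libfakeroot.so"}):
        print(f"REVIEW ld.so.preload entry {entry}: {why}")
```

On a host where the eBPF "Hide" module is active, bpftool itself may be fed a filtered view; compare its list with `bpftool -j prog show` taken from a trusted rescue boot or from the cluster's expected-program inventory, and treat an empty list on a node that should run a CNI's XDP/TC programs as its own finding.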

Indicators of Compromise (IOCs)

  • IP: 56.155.98[.]37 – vShell C2 (WebSocket)
  • IP: 18.199.101[.]111 – Forward-mode C2 server
  • Domain: vnt.wherewego[.]top:29872 – vnt proxy endpoint
  • Docker Image: kvlnt/vv – Malicious image (removed from Docker Hub)
  • File: /etc/libld.so, /etc/ld.so.preload – LD_PRELOAD persistence hooks
  • Port: 2233 – Internal LinkPro listener
  • Magic Packet Signature: TCP SYN + Window Size 54321 – Remote activation trigger

Additional Behavioral IOCs:

  • New or disguised systemd services (e.g., systemd-resolveld.service)
  • Hidden entries in /proc or mismatched process/network listings (ss vs /proc/net)
  • Unexpected XDP/TC programs visible in bpftool output
  • Unusual outbound HTTP or WebSocket sessions to C2 addresses
  • Inbound packets triggering connection sequences to hidden port 2233
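The ss-versus-/proc/net mismatch listed above, as an added example that is not code from the advisory or from Synacktiv: `ss` reads sockets over netlink while /proc/net/tcp is procfs, so a hook that filters only one of the two leaves a discrepancy. The function parses both formats and returns the listening ports that appear in one source only. The /proc/net/tcp excerpt and `ss -ltn` output below are constructed samples in the real layouts; on a live host read /proc/net/tcp (and tcp6) and capture `ss -ltn` yourself.

```python
"""Cross-check listening TCP ports between /proc/net/tcp and `ss -ltn`.

Added example, not code from the original report. Both inputs at the bottom are
constructed; the /proc excerpt omits port 2233 to model a hidden /proc entry.
"""
from typing import Dict, Set


def listeners_from_proc_net_tcp(text: str) -> Set[int]:
    """Ports in LISTEN state (st == 0A) from /proc/net/tcp or /proc/net/tcp6 text."""
    ports = set()
    for line in text.splitlines()[1:]:      # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]  # local address is hexIP:hexPort
        if state == "0A":                    # TCP_LISTEN
            ports.add(int(local.rsplit(":", 1)[1], 16))
    return ports


def listeners_from_ss(text: str) -> Set[int]:
    """Ports from `ss -ltn` output (one LISTEN row per socket)."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))   # works for 0.0.0.0:22 and [::]:22
    return ports


def compare_listeners(proc_text: str, ss_text: str) -> Dict[str, Set[int]]:
    """Ports seen by one source only; a non-empty set is worth a closer look."""
    proc_ports = listeners_from_proc_net_tcp(proc_text)
    ss_ports = listeners_from_ss(ss_text)
    return {"only_in_proc": proc_ports - ss_ports, "only_in_ss": ss_ports - proc_ports}


# Constructed /proc/net/tcp excerpt: only sshd on port 22 (0x0016) is visible.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
"""

# Constructed `ss -ltn` output: netlink still reports the 2233 listener.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:2233        0.0.0.0:*
"""

if __name__ == "__main__":
    diff = compare_listeners(SAMPLE_PROC_NET_TCP, SAMPLE_SS)
    for source, ports in diff.items():
        for port in sorted(ports):
            print(f"REVIEW port {port} listed {source.replace('_', ' ')}")
```

Run both collections within the same second where possible; a short-lived listener that closes between the two reads produces the same kind of difference and should be ruled out before escalating.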
