TRENDING TOPICS AUG 20, 2025

RingReaper Malware Exploits Linux Kernel to Evade Security Controls 

A newly discovered malware strain, dubbed RingReaper, is raising alarms among security researchers due to its ability to exploit the Linux kernel’s io_uring framework and bypass modern detection systems. Unlike traditional malware that relies on standard system calls, RingReaper leverages asynchronous I/O primitives (io_uring_prep_* functions) to execute operations without triggering the hooks used by most EDR tools. This represents a fundamental shift in Linux-based threats: io_uring enables high-performance operations while effectively hiding the malware’s activity from security software. Analysts at PICUS Security describe the strain as a post-exploitation agent designed for stealthy reconnaissance, data collection, privilege escalation, and ultimately persistence within compromised environments. By embedding itself at such a low level, RingReaper highlights how attackers are adapting to bypass the very defenses that organizations rely on to detect advanced intrusions.

The malware’s tactics extend across multiple phases of operation, demonstrating its sophistication and adaptability. For process discovery, RingReaper executes hidden payloads that asynchronously query the /proc filesystem to harvest process IDs, names, and owners, all without triggering conventional process monitoring. Its network enumeration is equally advanced, replicating netstat functionality through asynchronous access to kernel socket tables, enabling the mapping of active connections while remaining invisible to traditional logging. Beyond discovery, RingReaper includes a self-destruct payload that uses io_uring for asynchronous file deletion, removing its binaries without leaving behind the artifacts that forensic tools typically flag. This not only complicates incident response but also reduces the evidence trail available to defenders.
The emergence of RingReaper underscores the evolving threat landscape in Linux environments, where the adoption of cutting-edge kernel features has inadvertently provided adversaries with new avenues to outpace defensive technologies.
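A defender-side check tied to the io_uring evasion described above, added here as an example and not code from the PICUS write-up: it walks /proc and lists every process currently holding an io_uring ring, so unexpected users can be compared against the host's known legitimate ones. It assumes a Linux /proc; the proc_root parameter exists only so the scan can be pointed at a constructed tree.

```python
"""Inventory processes holding io_uring rings by walking /proc/<pid>/fd.

Added example, not from the PICUS analysis: every io_uring instance a process
sets up is an anonymous inode whose fd link reads "anon_inode:[io_uring]", so
listing the processes that hold one gives a baseline to compare against the
few legitimate io_uring users (databases, high-performance servers) on a host.
"""
import os
from typing import Dict

IO_URING_LINK = "anon_inode:[io_uring]"


def _cmdline(proc_root: str, pid: str) -> str:
    """Return the NUL-separated command line as one string, or '?' if unreadable."""
    try:
        with open(os.path.join(proc_root, pid, "cmdline"), "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode(errors="replace").strip() or "?"
    except OSError:
        return "?"


def find_io_uring_users(proc_root: str = "/proc") -> Dict[str, dict]:
    """Map pid -> {'cmdline', 'rings'} for each process holding an io_uring fd.
    proc_root can point at a constructed /proc-like tree for offline testing."""
    found: Dict[str, dict] = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():            # skip 'self', 'sys', ...
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                  # process gone, or not readable (run as root)
            continue
        rings = 0
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == IO_URING_LINK:
                    rings += 1
            except OSError:              # fd closed between listdir and readlink
                continue
        if rings:
            found[pid] = {"cmdline": _cmdline(proc_root, pid), "rings": rings}
    return found


if __name__ == "__main__":
    for pid, info in sorted(find_io_uring_users().items(), key=lambda kv: int(kv[0])):
        print(f"pid {pid:>7}  rings={info['rings']}  {info['cmdline']}")
```

Run it as root to see every process; unprivileged runs silently skip fd directories they cannot read.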

DripDropper Malware Exploits Apache ActiveMQ Vulnerability

Threat actors are actively exploiting a critical Apache ActiveMQ vulnerability (CVE-2023-46604) to gain persistent access to cloud-based Linux environments, deploying a newly identified malware strain dubbed DripDropper. What makes this campaign particularly unusual is that, after establishing access, the attackers patch the very flaw they used to break in, preventing rival adversaries from exploiting the same vector and reducing the chance of detection.

Once inside, they modify SSH configurations to allow root login, then deliver DripDropper, a PyInstaller-based ELF downloader protected by a password to resist analysis. DripDropper communicates with attacker-controlled Dropbox accounts, exemplifying the increasing abuse of legitimate cloud services to blend malicious traffic into normal enterprise operations. Its payload delivery chain includes files capable of process monitoring, configuration tampering, and persistence via modifications to cron job files, ensuring continued control of the environment even if administrators perform basic remediation. The attackers also employ diverse tools to establish long-term access, including the Sliver C2 framework and Cloudflare Tunnels for covert communication, making them resilient against takedowns.

By the final stage, they download official Apache Maven patches for CVE-2023-46604, effectively closing the door behind them. This ensures defenders cannot easily trace the intrusion method while attackers maintain access through implanted persistence mechanisms. The strategy mirrors prior reports of Chinese-nexus threat groups employing the same “patch-after-exploit” approach to maintain exclusive access to compromised systems. The DripDropper campaign highlights the risks posed by delayed patch management, particularly when adversaries use weaponized exploits for both intrusion and evasion.
Organizations relying on Apache ActiveMQ are strongly advised to apply patches promptly, restrict external access to services, enforce VPN or trusted IP restrictions, and closely monitor cloud logs for anomalous activity to detect hidden persistence and unauthorized SSH modifications.
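One way to operationalise the advice on catching unauthorized SSH modifications, added as an example and not code from the report: it audits an sshd_config for PermitRootLogin, reports the effective global value under sshd's first-value-wins rule, and lists the Include paths and Match-block overrides an analyst should also inspect. The path in the main block is the standard OpenSSH location; the function itself takes text so it can run on any captured config.

```python
"""Audit an sshd_config for PermitRootLogin tampering (added example, not from
the DripDropper report). sshd applies the first value it reads for a keyword,
so the effective global setting is the first PermitRootLogin outside any Match
block; re-enabling root login means editing that line or dropping a file into a
directory an early Include pulls in, hence Include paths are reported too.
Only the text passed in is examined; included files are not resolved.
"""
import re
from typing import Dict, List, Tuple

OPENSSH_DEFAULT = "prohibit-password"   # sshd's value when the keyword is absent
SAFE_VALUES = {"no"}


def audit_sshd_config(text: str) -> Dict[str, object]:
    """Return the effective value, every occurrence, the risky ones and Include paths."""
    effective = None
    occurrences: List[Tuple[int, str, bool]] = []   # (line, value, inside a Match block)
    includes: List[str] = []
    in_match = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        # drop comments: '#' at line start or at the start of a word
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                 # everything below applies conditionally
            in_match = True
        elif key == "include":
            includes.append(value)
        elif key == "permitrootlogin":
            occurrences.append((lineno, value, in_match))
            if not in_match and effective is None:
                effective = value.lower()   # first global value wins
    risky = [occ for occ in occurrences if occ[1].lower() not in SAFE_VALUES]
    return {
        "effective": effective if effective is not None else OPENSSH_DEFAULT,
        "occurrences": occurrences,
        "risky": risky,
        "includes": includes,
    }


if __name__ == "__main__":
    with open("/etc/ssh/sshd_config") as fh:
        print(audit_sshd_config(fh.read()))
```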

Salty 2FA Emerges as a Sophisticated Phishing-as-a-Service Threat 

Phishing remains the dominant cyberattack vector globally, fueled by the rapid growth of Phishing-as-a-Service (PhaaS) platforms that lower the barrier to entry for attackers. Established services, including EvilProxy and Tycoon2FA, are already widely abused, but researchers at ANY[.]RUN recently discovered a new entrant called Salty 2FA. This framework is primarily designed to harvest Microsoft 365 credentials and intercept two-factor authentication codes through a multi-stage execution chain that complicates detection. Salty 2FA employs unusual infrastructure patterns, pairing compound [.]com subdomains with [.]ru domains, and cloaks its scripts with obfuscation methods that include Base64 encoding, session-based XOR keys, and “salted” filler text, such as motivational quotes, inserted to frustrate static analysis.

The infection chain begins with a trampoline script that launches Cloudflare Turnstile bot protection before pulling in obfuscated payloads from [.]ru domains, which ultimately render a convincing Microsoft login portal with dynamic IDs, keyboard shortcut blocking, and anti-debugging checks. Salty 2FA excels at bypassing multi-factor defenses by capturing push notifications, SMS, OTPs, and voice codes in real time, allowing adversaries to move beyond one-time credential theft and establish persistent access. The framework is highly adaptive, using JSON-driven responses to create seamless phishing flows that mimic legitimate login stages, making the fake login more convincing to the victim.

Campaigns leveraging Salty 2FA have targeted organizations across various industries, including finance, energy, telecom, consulting, logistics, and education, with a strong presence in both the U.S. and Europe. Activity surged in mid-2025, and campaigns remain active; the constant mutation of domains and code complicates detection.
Researchers advise defenders to move beyond static IOCs and instead focus on behavioral markers, including suspicious [.]com + [.]ru domain chains, Cloudflare resource patterns, and consistent CDN loading behaviors. While Salty 2FA rivals top-tier phishing kits in terms of stealth and flexibility, its reliance on hardcoded elements and lack of deeper JavaScript exploitation may present defensive opportunities for proactive security teams.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.