New FlipSwitch Hooking Method Overcomes Linux Kernel Defenses
A newly discovered rootkit technique known as FlipSwitch has reintroduced stealthy syscall hooking on Linux systems by targeting the compiled syscall dispatcher in kernel 6.9. Unlike earlier rootkits that modified the sys_call_table, FlipSwitch scans the machine code of x64_sys_call for the unique call instruction linked to functions such as sys_kill, then patches the offset to reroute execution to malicious handlers. The method involves four steps: retrieving the original syscall function pointer from sys_call_table, abusing kprobes to access kallsyms_lookup_name, scanning for the opcode sequence representing the dispatcher call, and finally disabling CPU write protection in CR0 to overwrite the relative offset. Once its fake handler is in place, FlipSwitch can intercept calls, including kill and getdents64, to hide malicious processes or conceal files. When the rootkit is removed, the dispatcher is restored, the re-enabled write protection conceals evidence of tampering, and forensic artifacts are minimized. This development highlights the evolving cat-and-mouse game between kernel hardening and adversary innovation, as attackers adapt by modifying compiled logic rather than data structures. The stealth and precision of FlipSwitch make it highly effective for long-term persistence, data exfiltration, or disabling system visibility tools without raising immediate alarms. Defenses may include hashing and validating x64_sys_call’s machine code at runtime, auditing kprobe usage, and adopting control-flow integrity enforcement to restrict indirect call redirection. Elastic Security has released a YARA rule capable of flagging FlipSwitch’s patched dispatcher code, enabling defenders to identify intrusions even in memory. Organizations should prioritize layered defenses, runtime monitoring, and proactive threat hunting to detect rootkits such as FlipSwitch before they gain full kernel-level control.
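The "hash and validate x64_sys_call's machine code at runtime" defense, as an added example that is not Elastic's YARA rule or any kernel code: a user-space model of an integrity monitor that keeps a boot-time SHA-256 of the dispatcher bytes and additionally resolves every `call rel32` (opcode E8) in them to a known syscall handler address. The dispatcher bytes, addresses and symbol names are constructed for the example; a real monitor would read the bytes from kernel text and the addresses from kallsyms.

```python
"""Validate a copy of a syscall dispatcher's machine code against a baseline.

Added example (not Elastic's rule or kernel code). Two checks a runtime
integrity monitor would run over the bytes of x64_sys_call: (1) SHA-256 against
a hash recorded at boot, and (2) every `call rel32` (opcode E8) must resolve to
the address of a known syscall handler. All bytes, addresses and symbol names
below are constructed for the example.
"""
import hashlib
import struct

# Constructed symbol map (name -> address), as a monitor could build from kallsyms.
SYMBOLS = {
    "x64_sys_call": 0xFFFFFFFF81000000,
    "__x64_sys_kill": 0xFFFFFFFF81001000,
    "__x64_sys_getdents64": 0xFFFFFFFF81002000,
    "evil_handler": 0xFFFFFFFF81500000,  # constructed: where a rootkit's hook would live
}
DISPATCHER_BASE = SYMBOLS["x64_sys_call"]


def call_rel32(from_addr, to_addr):
    """Encode a 5-byte `call rel32` located at from_addr that targets to_addr."""
    rel = to_addr - (from_addr + 5)
    return b"\xe8" + struct.pack("<i", rel)


def build_dispatcher(targets):
    """Constructed stand-in for compiled dispatcher code: a sequence of calls,
    each preceded by a NOP so the instruction boundaries are unambiguous."""
    code = b""
    for name in targets:
        code += b"\x90"
        code += call_rel32(DISPATCHER_BASE + len(code), SYMBOLS[name])
    return code


def scan_calls(code, base):
    """Yield (instruction_addr, target_addr) for each E8 call in the blob.
    A linear byte scan is enough for the constructed blob; real kernel text needs
    a length-decoding disassembler so immediates are not mistaken for opcodes."""
    i = 0
    while i < len(code):
        if code[i] == 0xE8 and i + 5 <= len(code):
            rel = struct.unpack_from("<i", code, i + 1)[0]
            yield base + i, base + i + 5 + rel
            i += 5
        else:
            i += 1


def verify_dispatcher(code, base, baseline_sha256, allowed):
    """Return a list of findings; an empty list means the dispatcher looks intact."""
    findings = []
    digest = hashlib.sha256(code).hexdigest()
    if digest != baseline_sha256:
        findings.append(f"hash mismatch: {digest[:16]}... != {baseline_sha256[:16]}...")
    for insn, target in scan_calls(code, base):
        if target not in allowed:
            findings.append(f"call at {insn:#x} -> {target:#x} is not a known syscall handler")
    return findings


ALLOWED = {SYMBOLS["__x64_sys_kill"], SYMBOLS["__x64_sys_getdents64"]}
CLEAN = build_dispatcher(["__x64_sys_kill", "__x64_sys_getdents64"])
BASELINE = hashlib.sha256(CLEAN).hexdigest()  # what the monitor would record at boot


def patched_copy():
    """Constructed tampered copy: the first call's rel32 rewritten to evil_handler,
    modelling the kind of change the validator is meant to catch."""
    code = bytearray(CLEAN)
    insn = 1  # NOP at offset 0, first call at offset 1
    rel = SYMBOLS["evil_handler"] - (DISPATCHER_BASE + insn + 5)
    code[insn + 1:insn + 5] = struct.pack("<i", rel)
    return bytes(code)


if __name__ == "__main__":
    print("clean:  ", verify_dispatcher(CLEAN, DISPATCHER_BASE, BASELINE, ALLOWED))
    print("patched:", verify_dispatcher(patched_copy(), DISPATCHER_BASE, BASELINE, ALLOWED))
```

The second check matters because a hash alone says only that something changed; resolving call targets against the handler list says what changed and where, which is the evidence a responder wants before the rootkit restores the bytes on unload.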
Novel DNS Malware ‘Detour Dog’ Uses TXT Records to Deliver Strela Stealer
Researchers have uncovered an evolving malware campaign known as Detour Dog, which has advanced from simple traffic redirection into a DNS-based C2 system capable of delivering Strela Stealer. The campaign hijacks tens of thousands of compromised websites that issue server-side DNS requests invisible to end users, enabling covert redirections and remote code execution. Initially, these sites funneled traffic to monetization schemes through Los Pollos and Help TDS; however, by mid-2025, the infrastructure had pivoted to active malware delivery. Detour Dog’s name servers now respond to carefully formatted DNS TXT queries with Base64-encoded commands, instructing servers to fetch and execute PHP scripts. These scripts deploy the StarFish backdoor, which subsequently drops Strela Stealer to harvest sensitive data from infected systems. Analysis confirmed that nearly 70% of StarFish staging servers were directly controlled by Detour Dog, marking its full transition into a malware delivery platform. The scale and resilience of the operation are striking, with Shadowserver sinkholing one of its main C2 domains in August 2025 only for Detour Dog to reconstitute infrastructure within hours. Passive DNS telemetry recorded over 39 million TXT queries in 48 hours from more than 30,000 infected hosts across 584 TLDs, spanning 89 countries and including traffic from U.S. Department of Defense IP ranges. Detour Dog also integrates affiliate-driven traffic flows and botnets such as REM Proxy, further complicating attribution and takedown efforts. By combining long-standing monetization techniques with DNS-based malware orchestration, the group has developed a robust and deceptive distribution model that seamlessly integrates into legitimate network activity. This evolution demonstrates how DNS TXT channels can be exploited as covert pathways for malware delivery, thereby bypassing conventional detection systems.
To mitigate this threat, organizations should deploy DNS TXT record monitoring, analyze passive DNS telemetry for anomalies, enforce strict egress filtering, and actively sinkhole or block Detour Dog-linked domains to disrupt command delivery chains.
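The "DNS TXT record monitoring" and "passive DNS telemetry" mitigations, as an added example that is not code from the research cited above: a detector run over passive-DNS style log lines that flags TXT answers which decode as Base64 text (legitimate TXT records such as SPF and DMARC do not) and hosts that query several distinct, random-looking labels under one zone, the beaconing shape the telemetry above describes. The log format, hosts and domains are constructed; real telemetry from a resolver or sensor needs its own parser in place of `parse_line()`.

```python
"""Flag suspicious DNS TXT traffic in passive-DNS style log lines.

Added example (not the cited researchers' tooling). The log format, hosts and
domains are constructed for the example.
"""
import base64
import binascii
import re
from collections import defaultdict

# Constructed Base64 payload standing in for a TXT-delivered command.
CMD_B64 = base64.b64encode(b"fetch stage.php from staging.example and run it").decode()

# Constructed log lines: timestamp, querying host, qname, qtype, answer (TXT data quoted).
SAMPLE_LOG = f"""\
2025-08-12T10:00:01Z 203.0.113.10 www.example.test A 198.51.100.5
2025-08-12T10:00:02Z 203.0.113.10 _dmarc.example.test TXT "v=DMARC1; p=reject"
2025-08-12T10:00:03Z 203.0.113.20 a7f3c1.c2-ns.example TXT "{CMD_B64}"
2025-08-12T10:00:04Z 203.0.113.20 b81e90.c2-ns.example TXT "{CMD_B64}"
2025-08-12T10:00:05Z 203.0.113.20 9c44aa.c2-ns.example TXT "{CMD_B64}"
2025-08-12T10:00:06Z 203.0.113.30 mail.example.test MX mx.example.test
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (?:"(.*)"|(\S+))$')


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype, quoted, bare = m.groups()
    return {"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype,
            "answer": quoted if quoted is not None else bare}


def looks_base64_text(s, min_len=24):
    """True if s is valid Base64 of at least min_len chars that decodes to printable text."""
    if len(s) < min_len or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return False
    try:
        decoded = base64.b64decode(s, validate=True)
    except binascii.Error:
        return False
    return all(32 <= b < 127 for b in decoded)


def zone_of(qname, labels=2):
    """Registrable-zone approximation: the last `labels` labels of the name."""
    return ".".join(qname.rstrip(".").split(".")[-labels:])


def analyze(log_text, distinct_threshold=3):
    """Return {client: [findings]} for Base64-looking TXT answers and for clients
    that queried at least distinct_threshold different TXT names under one zone."""
    per_client_zone = defaultdict(set)
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["qtype"] != "TXT":
            continue
        if looks_base64_text(rec["answer"]):
            findings[rec["client"]].append(f"base64 TXT payload from {rec['qname']}")
        per_client_zone[(rec["client"], zone_of(rec["qname"]))].add(rec["qname"])
    for (client, zone), names in per_client_zone.items():
        if len(names) >= distinct_threshold:
            findings[client].append(f"{len(names)} distinct TXT qnames under {zone}")
    return dict(findings)


if __name__ == "__main__":
    for client, notes in analyze(SAMPLE_LOG).items():
        print(client)
        for note in notes:
            print("  -", note)
```

On real telemetry the distinct-label threshold should be set per zone from a baseline, since CDNs and some verification services also produce many TXT lookups; the Base64 check is the stronger signal, because ordinary TXT data (SPF, DMARC, domain-verification tokens) rarely decodes to clean printable text.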
Ukraine Warns of CABINETRAT Backdoor + XLL Add-ins Spread via Signal ZIPs
The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert regarding a new wave of targeted attacks deploying the CABINETRAT backdoor, attributed to the UAC-0245 threat cluster. First observed in September 2025, the campaign distributes malicious ZIP archives via the Signal messaging platform, disguised as sensitive documents about the detention of individuals attempting to cross Ukraine’s borders. These archives contain weaponized Microsoft Excel add-ins (XLL files), which, once executed, deploy several components, including an EXE file in the Startup folder, a secondary XLL file in the Excel XLSTART directory, and a PNG image named Office[.]png. Registry changes are made to ensure persistence, while Excel is launched in hidden mode to execute the add-in covertly. The PNG file conceals shellcode that, once parsed, activates CABINETRAT, with additional anti-analysis checks verifying processor count, available memory, and the absence of virtualization tools, including VMware, VirtualBox, and Hyper-V. CABINETRAT itself is a full-featured C-based backdoor capable of gathering system information, enumerating installed applications, capturing screenshots, manipulating files and directories, and exfiltrating or uploading data via TCP connections. Its stealth-oriented design, including anti-VM techniques and hidden execution paths, allows attackers to maintain long-term access while evading common detection methods. This campaign highlights a broader trend of Ukrainian infrastructure being repeatedly targeted with custom backdoors and stealers, complementing recent activity involving Amatera Stealer and PureMiner. The use of Signal for delivery, combined with the persistence of an Excel add-in and covert PNG-based payload extraction, demonstrates a layered and deceptive tradecraft.
To defend against such threats, organizations should disable or restrict untrusted XLL execution, monitor for registry and Excel XLSTART modifications, enforce strict endpoint monitoring for hidden process launches, and scrutinize anomalous TCP communications indicative of covert backdoor traffic.
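The "monitor for registry and Excel XLSTART modifications" and "hidden process launches" guidance, as an added example that is not CERT-UA's detection content: a correlation over endpoint events that ties together the persistence chain described above (an XLL written to XLSTART, an EXE written to the Startup folder, Excel started with a hidden window, and an Excel registry value that references an add-in). The event records and their field names are constructed and assumed, not any particular EDR's schema.

```python
"""Correlate endpoint events for the Excel add-in persistence chain described above.

Added example (not CERT-UA's detection content). The event records are
constructed and the field names ("type", "path", "window", ...) are assumptions,
not a real EDR schema. Four signals are checked and counted as distinct families.
"""
import ntpath
import re

EVENTS = [  # constructed sample telemetry
    {"type": "file_create", "proc": "EXCEL.EXE",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Excel\XLSTART\update.xll"},
    {"type": "file_create", "proc": "EXCEL.EXE",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe"},
    {"type": "file_create", "proc": "EXCEL.EXE",
     "path": r"C:\Users\u\AppData\Roaming\Office.png"},
    {"type": "process_create", "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "window": "hidden", "parent": "svc.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Office\16.0\Excel\Options",
     "value": "OPEN", "data": "/R update.xll"},
    {"type": "file_create", "proc": "EXCEL.EXE",
     "path": r"C:\Users\u\Documents\report.xlsx"},
]

XLSTART_RE = re.compile(r"\\XLSTART\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
EXCEL_KEY_RE = re.compile(r"\\Microsoft\\Office\\[^\\]+\\Excel\\", re.I)


def classify_file_event(ev):
    """Return a signal tag for a file-create event in a persistence location, else None."""
    path = ev["path"]
    ext = ntpath.splitext(path)[1].lower()
    if XLSTART_RE.search(path) and ext == ".xll":
        return "xll dropped in XLSTART"
    if STARTUP_RE.search(path) and ext in (".exe", ".xll"):
        return f"{ext} dropped in Startup folder"
    return None


def correlate(events):
    """Return (tag, detail) pairs for every event that matches one of the signals."""
    findings = []
    for ev in events:
        t = ev["type"]
        if t == "file_create":
            tag = classify_file_event(ev)
            if tag:
                findings.append((tag, ev["path"]))
        elif t == "process_create":
            if ntpath.basename(ev["image"]).lower() == "excel.exe" and ev.get("window") == "hidden":
                findings.append(("Excel launched with hidden window", f"parent={ev.get('parent', '?')}"))
        elif t == "registry_set":
            if EXCEL_KEY_RE.search(ev["key"]) and ".xll" in ev.get("data", "").lower():
                findings.append(("Excel registry value references an add-in", ev["key"]))
    return findings


def chain_matched(findings, threshold=3):
    """True when at least `threshold` distinct signal families fire, so that a
    single legitimate add-in install does not trigger the whole chain."""
    return len({tag for tag, _ in findings}) >= threshold


if __name__ == "__main__":
    found = correlate(EVENTS)
    for tag, detail in found:
        print(f"{tag}: {detail}")
    print("persistence chain matched:", chain_matched(found))
```

Requiring several distinct families is the design choice that keeps this usable: one XLL in XLSTART is routine in finance teams, but an XLL in XLSTART plus an EXE in Startup plus a hidden Excel launch is the combination this campaign needs.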
New MatrixPDF Toolkit Turns PDFs into Phishing and Malware Lures
Researchers at Varonis have uncovered MatrixPDF, a phishing and malware toolkit that converts legitimate PDF files into interactive lures capable of bypassing email security. First seen on cybercrime forums and advertised via Telegram, the toolkit is marketed as both a phishing simulation and “blackteaming” tool, although its real-world use has centered on credential theft and malware delivery. Attackers can upload a clean PDF and apply deceptive elements, including blurred content, fake “Secure Document” overlays, and clickable prompts that redirect to phishing pages or malicious payloads. MatrixPDF also supports embedded JavaScript actions that execute when the file is opened or when a user interacts with the overlay, allowing for stealthy redirections or the automated retrieval of remote resources. Its drag-and-drop interface, real-time preview, and customization features significantly reduce the technical barrier for attackers, while pricing plans ranging from $400 per month to $1,500 annually make it accessible to a wide range of threat actors. What makes MatrixPDF particularly dangerous is its use of external payload delivery, meaning the PDF itself contains no embedded malware and can slip past most email filters. Varonis demonstrated that malicious PDFs built with the toolkit bypassed Gmail’s filters because links were treated as legitimate user-initiated actions when clicked. By hosting phishing portals or malware downloads externally, adversaries ensure that detection occurs only after the victim interacts, a technique that makes automated scanning less effective. Additionally, the blurred content and “secure access” prompts create a false sense of legitimacy, capitalizing on the inherent trust in PDFs as business documents. While some modern viewers warn of outbound connection attempts, the sophistication and realistic design of these lures raise the likelihood of user compliance.
To counter these risks, organizations should implement AI-driven email security that inspects PDF structure, identifies visual overlays and fake prompts, and detonates linked content in sandbox environments before delivery to users.
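The "inspects PDF structure" part of that defense, as an added example that is not Varonis's tooling: a structural scanner that looks in the raw PDF for the dictionary names behind the behaviours described above (JavaScript, actions that fire on open or on interaction, Launch actions, outbound URI links) and reports a verdict. It also normalizes PDF name escapes (`/Java#53cript` is the same name as `/JavaScript`), because a scanner that only matches the plain spelling misses that trick. The sample PDF is constructed and minimal; the URLs in it are placeholders.

```python
"""Structural scan of a PDF for JavaScript, auto-run actions and outbound links.

Added example (not Varonis's tooling). The sample PDF and its URLs are
constructed. Names are matched on the raw bytes after decoding #xx escapes;
objects inside compressed object streams (/ObjStm) are not inflated here, so
their presence is itself reported as a reason for deeper review.
"""
import re

# Constructed minimal PDF: an OpenAction running JavaScript and a link annotation.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
4 0 obj << /S /Java#53cript /JS (app.launchURL\\("http://phish.example/login", true\\)) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://phish.example/secure-document) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

# Name -> (description, severity). "block" names execute or auto-run; "review" names need a look.
RISKY = {
    b"/JavaScript": ("embedded JavaScript", "block"),
    b"/JS": ("JavaScript action", "block"),
    b"/OpenAction": ("action runs when the file is opened", "block"),
    b"/AA": ("additional actions triggered by user interaction", "block"),
    b"/Launch": ("launch action (runs an external program)", "block"),
    b"/SubmitForm": ("form submission to a remote host", "review"),
    b"/URI": ("outbound link", "review"),
    b"/ObjStm": ("compressed object stream; names inside it are not visible to this scan", "review"),
}

NAME_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data):
    """Decode #xx escapes inside PDF names so /Java#53cript becomes /JavaScript."""
    return NAME_HEX.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inspect_pdf(data):
    """Return ({name: (description, severity, count)}, [uris]) for the raw PDF bytes."""
    data = normalize_names(data)
    findings = {}
    for token, (desc, severity) in RISKY.items():
        # Negative lookahead keeps /JS from matching the start of a longer name.
        count = len(re.findall(re.escape(token) + rb"(?![A-Za-z])", data))
        if count:
            findings[token.decode()] = (desc, severity, count)
    uris = [u.decode("latin-1") for u in re.findall(rb"/URI\s*\((.*?)\)", data)]
    return findings, uris


def verdict(findings):
    """'quarantine' if any block-severity name is present, 'review' for links or
    hidden object streams only, else 'clean'."""
    severities = {sev for _, sev, _ in findings.values()}
    if "block" in severities:
        return "quarantine"
    if "review" in severities:
        return "review"
    return "clean"


if __name__ == "__main__":
    for label, pdf in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        found, uris = inspect_pdf(pdf)
        print(label, "->", verdict(found))
        for name, (desc, sev, n) in found.items():
            print(f"  {name} x{n}: {desc} [{sev}]")
        for u in uris:
            print("  link:", u)
```

Because the page notes that the lure's payload lives off-document, a "review" verdict on a PDF whose only finding is `/URI` is where the second half of the defense applies: the extracted links are what gets detonated in a sandbox before the message is delivered.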