Security Affairs
U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|GodDamn Ransomware Uses PoisonX to Blind Security Software|AssuranceAmerica Breach Exposes 7 Million Driver’s Licenses After Employee Account Hack|Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656)|Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes|U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|GodDamn Ransomware Uses PoisonX to Blind Security Software|AssuranceAmerica Breach Exposes 7 Million Driver’s Licenses After Employee Account Hack|Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656)|Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Experts spotted a new stealthy Linux malware dubbed Shikitega

A new Linux malware dubbed Shikitega leverages a multi-stage infection chain to target endpoints and IoT devices. Researchers from AT&T Alien Labs discovered a new piece of stealthy Linux malware, dubbed Shikitega, that targets endpoints and IoT devices. The malware stands out for its multistage infection chain, threat actors use it to gain full control of the system […]

Shikitega

A new Linux malware dubbed Shikitega leverages a multi-stage infection chain to target endpoints and IoT devices.

Researchers from AT&T Alien Labs discovered a new piece of stealthy Linux malware, dubbed Shikitega, that targets endpoints and IoT devices. The malware stands out for its multistage infection chain, threat actors use it to gain full control of the system and carry out other malicious activities, including cryptocurrency mining.

Shikitega can download next-stage payloads from a C2 server and execute them directly in memory, making it highly evasive.

The experts reported that the malware downloads and executes Metasploit’s “Mettle” meterpreter to take over infected machines.

Shikitega exploits vulnerabilities to elevate privileges and maintain persistence. The researchers observed that it uses a polymorphic encoder to avoid detection by anti-virus engines.

Shikitega

The main dropper of the malware is a small ELF file (370 bytes in size), while the size of the actual code is around 300 bytes.

“The malware uses the “Shikata Ga Nai” polymorphic XOR additive feedback encoder, which is one of the most popular encoders used in Metasploit. Using the encoder, the malware runs through several decode loops, where one loop decodes the next layer, until the final shellcode payload is decoded and executed.” reads the analysis published by AT&T Alien Labs. “After several decryption loops, the final payload shellcode will be decrypted and executed.”

Once the malware was installed on a targeted host, it downloaded and executed the Metasploit “Mettle” meterpreter to maximize control over the system and perform multiple operations.

This adds to a growing list of Linux malware observed in the wild in recent months, including BPFDoor, Symbiote, Syslogk, OrBit, and Lightning Framework.

The malware achieves privilege escalation by exploiting CVE-2021-4034 (aka PwnKit) and CVE-2021-3493. The malware leverages the exploit to download and execute the final stage with root privileges, persistence and the payload of the malware.

“Threat actors continue to search for ways to deliver malware in new ways to stay under the radar and avoid detection. Shiketega malware is delivered in a sophisticated way, it uses a polymorphic encoder, and it gradually delivers its payload where each step reveals only part of the total payload. In addition, the malware abuses known hosting services to host its command and control servers. Stay safe!” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Log4Shell)