AI Tools Reveal the Stealthy GhostPenguin Backdoor Targeting Linux Systems
The threat was identified using Trend’s AI-driven automated threat hunting pipeline, which collected and analyzed zero-detection samples from VirusTotal.
The pipeline leveraged artificial intelligence to extract artifacts, build structured profiles, and surface undetected threats using custom YARA rules and hunting queries.
The malware sample masquerading as systemd was first uploaded to VirusTotal on July 7, 2025, and remained undetected by all scanners for over 4 months.
Trend’s toolchain, including IDA Pro, CAPA, FLOSS, and YARA-X, was instrumental in decompiling the file, mapping its capabilities, and correlating behaviors with the MITRE ATT&CK framework.
GhostPenguin’s design and multiple debug artifacts indicate that it is still in active development. Researchers also found unused persistence functions and misspelled code identifiers such as ImpPersistence and Username, suggesting the malware is undergoing refinement.
GhostPenguin operates as a remote backdoor giving attackers full command-line access to infected Linux machines.
It communicates via UDP port 53, which is typically used for DNS traffic, helping it blend into legitimate network traffic. All command-and-control (C&C) data is encrypted using the RC5 cipher, protecting communication from inspection.
Upon execution, the malware collects system information (IP address, gateway, OS version, hostname, and username) and registers with its C&C server.
During initialization, it creates a “.temp” file in the user’s home directory to store its process ID and prevent multiple instances from running simultaneously.
After registration, GhostPenguin starts several threads to handle heartbeat signaling, packet transmission, and data reception.
The heartbeat mechanism sends small encrypted packets every 500 milliseconds to maintain connection stability.
To ensure reliability despite the unreliable UDP protocol, it keeps an internal list of unsent packets and retransmits them until the server acknowledges receipt.
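As an added illustration, not code from the original report or from Trend's tooling, the following Python sketch shows one way a defender could flag the traffic pattern described above: UDP/53 datagrams that do not parse as DNS and arrive at a steady cadence of roughly 500 ms. The sample datagrams, addresses, and thresholds are constructed for the example.

```python
import statistics
from collections import defaultdict

def dns_query(qname: str, txid: int) -> bytes:
    """Build a minimal RFC 1035 A query (used only to construct benign samples)."""
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + b"\x00\x01\x00\x01"  # QTYPE=A, QCLASS=IN

# Constructed sample: (timestamp_s, src, dst, payload) for datagrams seen on UDP/53.
# Two benign resolver queries, then an 8-packet stream of opaque bytes every 500 ms.
SAMPLE = [
    (0.00, "10.0.0.5", "10.0.0.2", dns_query("example.com", 0x1234)),
    (0.30, "10.0.0.5", "10.0.0.2", dns_query("example.net", 0x1235)),
] + [
    (i * 0.5, "10.0.0.7", "198.51.100.9",
     b"\x9a\x3c\xf1\x80" + bytes([i]) + b"\x77\xe1\x05\x44\x2b\x90\x0c\x5d\x66\xa8\x13")
    for i in range(8)
]

def looks_like_dns(payload: bytes) -> bool:
    """Cheap structural check of a DNS header: size, opcode, question count, Z bit."""
    if len(payload) < 12:
        return False
    flags = int.from_bytes(payload[2:4], "big")
    opcode = (flags >> 11) & 0xF          # QUERY=0, IQUERY=1, STATUS=2
    z_bit = flags & 0x0040                # reserved, must be zero
    qdcount = int.from_bytes(payload[4:6], "big")
    return opcode <= 2 and z_bit == 0 and 0 < qdcount <= 4

def find_beacons(datagrams, period=0.5, tolerance=0.1, min_packets=5):
    """Return (src, dst) pairs emitting non-DNS UDP/53 payloads at a fixed interval."""
    times = defaultdict(list)
    for ts, src, dst, payload in datagrams:
        if not looks_like_dns(payload):
            times[(src, dst)].append(ts)
    hits = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_packets:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        median_gap, jitter = statistics.median(gaps), statistics.pstdev(gaps)
        if abs(median_gap - period) <= tolerance and jitter <= tolerance:
            hits[pair] = {"packets": len(ts_list), "median_gap": median_gap, "jitter": jitter}
    return hits

if __name__ == "__main__":
    for pair, info in find_beacons(SAMPLE).items():
        print(f"possible non-DNS beacon on UDP/53: {pair} {info}")
```

The structural check is deliberately loose (legitimate DNS would pass, encrypted blobs generally fail); in production the cadence test would run over a sliding window of real capture or flow data rather than an in-memory list.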
The backdoor supports more than 30 commands, enabling complete file system manipulation, from reading, writing, renaming, and deleting files to executing shell commands via /bin/sh.
It can even search for files by extension and modify file timestamps or directory attributes. Once the “Client Offline” command is received, it initiates self-deletion to remove traces from the system.
This discovery highlights how AI-powered automation and structured threat intelligence can uncover advanced, stealthy malware that would otherwise remain invisible to traditional detection systems.
The post AI Tools Reveal the Stealthy GhostPenguin Backdoor Targeting Linux Systems appeared first on Cyber Security News.