
A previously undocumented Linux backdoor named GhostPenguin has been discovered evading detection for over four months.
This multi-threaded C++ malware establishes remote shell access and file-system operations via encrypted UDP, making it exceptionally difficult to detect with traditional security tools.
The malware was identified through an advanced threat-hunting pipeline that leverages artificial intelligence to analyze zero-detection samples. GhostPenguin remained undetected on VirusTotal from July 7, 2025, until recently.
The finding highlights how sophisticated threat actors carefully craft code and network communications to remain inconspicuous, avoiding publicly available libraries and GitHub code that could trigger security alerts.
GhostPenguin’s emergence demonstrates the challenges defenders face when tracking low-detection malware written from scratch.
The backdoor uses minimal data transfers between infected hosts and command-and-control servers, further complicating detection efforts.
Trend Micro security analysts identified that the malware’s multi-stage architecture and secure communication channels do not reveal subsequent stages unless the communication sequence unfolds exactly as expected.
Detection Evasion and Infection Mechanism
GhostPenguin employs RC5 encryption with a 16-byte session ID obtained during the initial handshake with the command-and-control server.
The malware transmits its initial session request using an unencrypted UDP packet containing a placeholder ID, which the server replaces with an actual encryption key.
This session ID serves as the RC5 encryption key for all subsequent communications over UDP port 53.
Upon execution, the malware resolves its execution context by obtaining the current user’s home directory and executable path.
It creates a file named .temp in the user’s home directory containing its process ID, preventing multiple instances from running simultaneously.
It validates whether another instance exists by checking if the stored PID corresponds to an active process using kill(pid, 0).
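The single-instance check described above leaves a host artifact a defender can hunt for: a .temp file in a home directory whose only content is a PID. The following is an added example, not code from the article or from Trend Micro, of a hunting script that applies the same kill(pid, 0) probe in reverse, classifying each such file as a live or stale lock and resolving the owning executable from /proc. The file name .temp and the PID-only content come from the article; the scan_home_directories helper, its output fields and the example inputs in the tests are assumptions of this example.

```python
"""Hunt for the GhostPenguin-style single-instance lock file (added example).

The article describes a file named .temp in the user's home directory that
holds the backdoor's PID and is validated with kill(pid, 0). This script walks
home directories, parses any such file and reports whether the PID is alive.
"""
import os
from typing import Callable, List, Optional


def parse_pid_file(contents: str) -> Optional[int]:
    """Return the PID if the file holds nothing but a positive decimal integer."""
    text = contents.strip()
    if not text.isdigit():          # rejects empty, negative, and non-numeric content
        return None
    pid = int(text)
    return pid if pid > 0 else None


def pid_is_alive(pid: int) -> bool:
    """Same probe the malware uses: kill(pid, 0) tests existence without signalling."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True                 # exists, but belongs to another user
    return True


def classify_lock_file(contents: str,
                       is_alive: Callable[[int], bool] = pid_is_alive) -> str:
    """Classify file contents as 'not-a-pid-file', 'live-pid' or 'stale-pid'.

    is_alive is injectable so the logic can be exercised without real processes.
    """
    pid = parse_pid_file(contents)
    if pid is None:
        return "not-a-pid-file"
    return "live-pid" if is_alive(pid) else "stale-pid"


def scan_home_directories(homes: Optional[List[str]] = None) -> List[dict]:
    """Report every <home>/.temp file that holds a PID (hypothetical helper).

    By default all home directories from the passwd database are checked.
    """
    if homes is None:
        import pwd                  # Unix-only; imported lazily on purpose
        homes = [p.pw_dir for p in pwd.getpwall() if os.path.isdir(p.pw_dir)]
    findings = []
    for home in homes:
        path = os.path.join(home, ".temp")
        try:
            with open(path, "r", errors="replace") as fh:
                contents = fh.read(64)   # a PID never needs more than this
        except OSError:
            continue                     # no such file or unreadable: nothing to report
        verdict = classify_lock_file(contents)
        if verdict == "not-a-pid-file":
            continue
        pid = parse_pid_file(contents)
        exe = None
        if verdict == "live-pid":
            try:
                exe = os.readlink(f"/proc/{pid}/exe")   # resolve the owning binary
            except OSError:
                pass                     # e.g. another user's process
        findings.append({"path": path, "pid": pid, "status": verdict, "exe": exe})
    return findings


if __name__ == "__main__":
    for finding in scan_home_directories():
        print(finding)
```

A stale-pid result is still worth recording: the article notes the lock file is created on execution, so a leftover .temp with a dead PID can mark a host where the backdoor ran earlier and was killed or rebooted away.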
The malware establishes communication through a four-phase workflow: initialization, in which it requests a session ID; registration, in which it transmits system information (IP address, hostname, OS version, and architecture); a listening state, in which it maintains the connection via heartbeat signals every 500 milliseconds; and task execution, in which it processes commands.
The backdoor supports approximately 40 different commands on the infected system, ranging from remote shell operations to comprehensive file and directory manipulation.
All data transfers are segmented into multiple packets to accommodate UDP payload limitations, and unacknowledged packets are automatically retransmitted until the server confirms receipt.
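Two network properties in the description above are detectable without breaking the RC5 encryption: the traffic runs over UDP port 53 but is not DNS (the first session request is even unencrypted, carrying a placeholder ID), and the listening state produces a heartbeat every 500 milliseconds. The following is an added example, not code from the article or from Trend Micro, of a flow-level heuristic that flags UDP/53 flows whose payloads do not parse as DNS and whose inter-packet gaps cluster around the heartbeat interval. The sample packets are constructed for the example; they are not GhostPenguin's real wire format, and the payload layout, the tolerance values and the analyze_flows helper are assumptions of this example.

```python
"""Flag non-DNS, regularly beaconing UDP/53 flows (added example).

Heuristic from the article: GhostPenguin talks over UDP/53 with RC5-encrypted
payloads and sends a heartbeat every 500 ms. Encrypted bytes will not parse as
a DNS message, and heartbeats give a near-constant inter-packet gap.
"""
import struct
from collections import defaultdict
from typing import Iterable, List, Tuple


def looks_like_dns(payload: bytes) -> bool:
    """Return True if payload is a minimally well-formed DNS message."""
    if len(payload) < 12:
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode > 2:                       # only QUERY, IQUERY, STATUS are in use
        return False
    if qdcount == 0 or qdcount > 4:      # real resolvers send one question
        return False
    pos = 12
    for _ in range(qdcount):             # walk QNAME labels, then QTYPE/QCLASS
        while True:
            if pos >= len(payload):
                return False
            length = payload[pos]
            pos += 1
            if length == 0:
                break
            if length & 0xC0 == 0xC0:    # compression pointer: 2 bytes, ends the name
                pos += 1
                break
            if length > 63 or pos + length > len(payload):
                return False
            pos += length
        if pos + 4 > len(payload):
            return False
        qclass = struct.unpack("!H", payload[pos + 2:pos + 4])[0]
        if qclass not in (1, 3, 4, 254, 255):   # IN, CH, HS, NONE, ANY
            return False
        pos += 4
    return True


def beacon_score(timestamps: Iterable[float], expected: float = 0.5,
                 tolerance: float = 0.05, min_count: int = 10) -> float:
    """Fraction of inter-packet gaps within tolerance of the expected interval."""
    ts = sorted(timestamps)
    if len(ts) < min_count:
        return 0.0
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    hits = sum(1 for g in gaps if abs(g - expected) <= tolerance)
    return hits / len(gaps)


Packet = Tuple[float, str, str, int, bytes]   # (timestamp, src, dst, dst_port, payload)


def analyze_flows(packets: Iterable[Packet], beacon_interval: float = 0.5) -> List[Tuple[tuple, str]]:
    """Group packets by (src, dst, dport) and report suspicious UDP/53 flows (hypothetical helper)."""
    flows = defaultdict(list)
    for ts, src, dst, dport, payload in packets:
        flows[(src, dst, dport)].append((ts, payload))
    findings = []
    for flow, items in flows.items():
        if flow[2] != 53:
            continue
        non_dns = sum(1 for _, p in items if not looks_like_dns(p))
        if not non_dns:
            continue                     # ordinary DNS traffic
        score = beacon_score([ts for ts, _ in items], expected=beacon_interval)
        reason = f"{non_dns}/{len(items)} non-DNS payloads on udp/53"
        if score >= 0.8:
            reason += f", beacon score {score:.2f} at {beacon_interval}s"
        findings.append((flow, reason))
    return findings


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard A/IN query, used here as benign sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


# Constructed sample traffic (not the real GhostPenguin format): a benign
# resolver flow, then a host sending a zero-filled placeholder request followed
# by opaque 16-byte "heartbeats" every 500 ms.
SESSION_REQUEST = bytes(16)                                   # placeholder ID, all zeros
HEARTBEAT = bytes.fromhex("c4f1a92b77e0135d8ab6e4092f1c7d3e")  # looks encrypted, not DNS
SAMPLE_PACKETS: List[Packet] = (
    [(0.3, "10.0.0.5", "10.0.0.53", 53, build_dns_query("example.com")),
     (4.7, "10.0.0.5", "10.0.0.53", 53, build_dns_query("updates.example.net")),
     (9.1, "10.0.0.5", "10.0.0.53", 53, build_dns_query("mail.example.org"))]
    + [(0.0, "10.0.0.7", "203.0.113.9", 53, SESSION_REQUEST)]
    + [((i + 1) * 0.5, "10.0.0.7", "203.0.113.9", 53, HEARTBEAT) for i in range(20)]
)

if __name__ == "__main__":
    for flow, reason in analyze_flows(SAMPLE_PACKETS):
        print(flow, reason)
```

The two signals are deliberately combined: non-DNS bytes on port 53 alone also catch misconfigured tunnels and some VPNs, while a 500 ms cadence alone matches plenty of keepalives, but a flow that shows both, from a host that should only be talking to the corporate resolver, is a short list worth pulling packet captures for.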
