Fraud suspects unmasked
The Dutch police said the identity of 74 of 100 suspects has been unmasked following the launch of an initiative called Game Over?! that displays blurred photos of 100 suspected fraudsters on billboards at various public places, as well as in television and online advertisements, giving the criminals two weeks to surrender before the images are unblurred. Of these, 34 suspects voluntarily reported to authorities, while the remaining suspects were identified through information provided by the public. The youngest suspect is only 14, and the oldest is 42 years old. Game Over?! was launched in March 2026.
Espionage admission
U.S. President Donald Trump said he and Chinese President Xi Jinping discussed cyber attacks and espionage activities carried out by both nations during the bilateral meetings last week. "They're talking about the spying. Well, we do it too," Trump said during his return flight to the U.S. "We spy like hell on them too," adding "I told him, 'we do a lot of stuff to you that you don't know about and you're doing things to us that we probably do know about.'" While Trump did not elaborate on the attacks carried out against China, the acknowledgement comes as China has been accused of conducting sweeping intrusions into U.S. networks.
Composer token leak
Composer, a dependency manager for the PHP programming language, has urged its users to update Composer to version 2.9.8 or 2.2.28 (LTS). "The new releases fix a vulnerability where Composer leaks the full contents of GitHub Actions issued GITHUB_TOKEN's or GitHub App installation tokens to the GitHub Actions logs," Composer said. The vulnerability has been assigned the CVE identifier CVE-2026-45793 (CVSS score: 7.5). The development came after GitHub introduced a new format for these tokens as of late last month. "The new format, including a - (hyphen) fails Composer's validation and leads to disclosure of the GITHUB_TOKEN in logs," Composer said. As workarounds, it's advised to disable any GitHub Actions workflow that runs Composer commands until Composer has been updated.
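As an added illustration, not Composer's own code, of the failure pattern the advisory describes: a validator that rejects the new hyphenated token format and echoes the rejected value in its error message (which CI then writes to the job log), next to a version that accepts the format and redacts. The token values and regexes are constructed assumptions, not Composer's actual checks.

```python
import re

# Constructed sample values, not real tokens: a legacy-style token and one in the
# newer format containing a hyphen, the character the advisory says failed validation.
LEGACY_TOKEN = "ghs_exampleLEGACYtoken0123456789abcdef"
HYPHENATED_TOKEN = "ghs_example-NEWFORMAT-token0123456789abcdef"

# Assumed, simplified patterns; Composer's real validation is not shown on the page.
LEGACY_PATTERN = re.compile(r"^[A-Za-z0-9_]+$")
UPDATED_PATTERN = re.compile(r"^[A-Za-z0-9_-]+$")


def redact(secret: str) -> str:
    """Keep only a short prefix so a log line cannot be used to recover the secret."""
    return secret[:4] + "***" if len(secret) > 4 else "***"


def validate_leaky(token: str) -> str:
    """Bug pattern: a token that fails the format check is echoed verbatim into the
    exception text, and that text ends up in the CI log."""
    if not LEGACY_PATTERN.match(token):
        raise ValueError(f"Invalid token value: {token}")
    return "ok"


def validate_hardened(token: str) -> str:
    """Fix: accept the new format, and never place the raw secret in any message."""
    if not UPDATED_PATTERN.match(token):
        raise ValueError(f"Invalid token value: {redact(token)}")
    return "ok"


def error_message(validator, token: str) -> str:
    """Run a validator and return the text a log would capture ('' if it passed)."""
    try:
        validator(token)
        return ""
    except ValueError as exc:
        return str(exc)


def leaks_secret(message: str, secret: str) -> bool:
    """Log-review check: does the captured text contain the full secret value?"""
    return secret in message
```

Running `leaks_secret` over captured workflow output is also a quick way to confirm whether a token has already been exposed before rotating it.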
Linux rootkit persists
In July 2022, cybersecurity firm Intezer detailed a Linux malware named OrBit that implements advanced evasion techniques, gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands. Nearly four years later, several new artifacts of the userland rootkit have been identified, indicating that the malware is being actively refined and maintained by its operators. "We discovered two parallel lineages: a full-featured 'Lineage A' build that tracks closely with the 2022 original, and a lite 'Lineage B' fork that drops entire capability domains (PAM, pcap, TCP-port hiding) in exchange for a smaller footprint," researcher Nicole Fishbein said. "Along the way, the operators rotate XOR keys, shuffle install paths, swap backdoor credentials, add auditd-evasion hooks, and eventually bolt on a service-side PAM impersonation primitive." OrBit has been put to use by Blockade Spider, a cybercrime group running Embargo ransomware campaigns. It's assessed that OrBit is a fork of an open-source rootkit called Medusa, which first publicly surfaced in December 2022. "Based on this information, there are two options: either the Medusa author published a privately-circulated rootkit source that had already been deployed operationally, or the earliest OrBit sample was built from a pre-publication snapshot of the same tree," Intezer said. "Either way, the 2022 OrBit sample and the December 2022 Medusa source tree are the same codebase. This suggests that the backdoor was created before its public release and has since been selectively forked, configured, and redeployed by multiple operators over four years."
AI-driven intrusions surge
Two emerging campaigns, dubbed SHADOW-AETHER-040 and SHADOW-AETHER-064, have independently deployed agentic AI with "strikingly similar tactics" to facilitate intrusion operations against governments and financial organizations in Latin America. "Both campaigns established traffic tunnels to victim systems, enabling AI agents to conduct malicious attacks directly into victim internal network environments via ProxyChains and SSH," Trend Micro said. "The AI agents dynamically generated multiple hacking tools and scripts, rather than relying on pre-built hacking tools. This reduced the likelihood of detection by traditional security solutions that rely on known tool signatures." The two activity clusters are said to be the work of separate entities. The attackers bypassed AI safety controls by framing their requests as authorized penetration testing and red teaming exercises. Undertaken by a Spanish-speaking threat actor, SHADOW-AETHER-040 has compromised six government entities in Mexico between December 27, 2025, and January 4, 2026. This activity is consistent with Gambit Security's report about large-scale compromise of multiple Mexican government organizations between December 2025 and February 2026 by an unknown adversary using Anthropic's Claude and OpenAI's GPT AI models to carry out the intrusion activities. According to Dragos, which is tracking the activity as TAT26-12, one of these attacks targeted a municipal water and drainage utility in January 2026, leading to an unsuccessful attempt to breach its operational technology environment. "Claude acted as the primary technical executor and independently identified the OT environment's relevance to critical infrastructure, assessed its potential as a crown jewel asset, and investigated possible access pathways to breach the IT-OT boundary," Dragos said.
The second campaign, linked to a Portuguese-speaking hacking crew named SHADOW-AETHER-064, has been active since April and has singled out financial organizations in Brazil. The findings show how commercial AI tools are compressing the traditional attack kill chain, accelerating tasks like reconnaissance and exploit development that historically required significant time and operator expertise. Like in the case of VoidLink, while the tools assembled for these attacks may not be particularly sophisticated or novel, the speed at which AI models generate and improve upon them is operationally significant, essentially collapsing what would have taken days or weeks of manual development effort into hours.
Mythos intel sharing expands
According to the Wall Street Journal, Anthropic has begun letting users of its Mythos AI model share cybersecurity threats with others who may face similar vulnerabilities. "Last week, Anthropic began telling the companies they could share information about cyber threats and Mythos findings with other entities as long as it was done responsibly," a spokesperson for the company was quoted as saying. "As the program has matured, we've adapted them to ensure key information can be shared broadly - including outside the program - for maximum defensive impact." The development comes as Cloudflare said Mythos is a "real step forward" and is capable of chaining "small attack primitives together into a working exploit." It's also equipped to find vulnerabilities and prove they are exploitable. The web infrastructure and security company also said it has designed a multi-stage vulnerability discovery harness to scan codebases across "runtime, edge data path, protocol stack, control plane, and the open-source projects we depend on." Just like Microsoft's MDASH, different agents handle different responsibilities: "hunter" agents identify candidate vulnerabilities, others argue for or against their exploitability, while a deduplication stage collapses findings that share the same root cause. A tracer agent checks whether attacker-controlled input actually reaches the bug from outside the system, while a final "reporting" agent writes a structured report.
Calls now encrypted
Discord has announced that all voice and video