Researchers uncover stealthy GhostPenguin backdoor targeting Linux

Cybersecurity experts at Trend Micro have discovered a previously undetected Linux backdoor called GhostPenguin, which evaded detection for over four months. The multi-threaded C++ malware provides remote access via encrypted UDP communications. It was identified through an AI-driven threat-hunting pipeline analyzing samples from VirusTotal.

The GhostPenguin backdoor was first uploaded to VirusTotal on July 7, 2025, masquerading as a systemd file, and went unnoticed by all scanners until Trend Micro's automated tools flagged it in late 2025. Researchers used a pipeline incorporating AI to extract artifacts and apply custom YARA rules, alongside tools like IDA Pro, CAPA, FLOSS, and YARA-X, to dissect the malware and map its behaviors to the MITRE ATT&CK framework.

GhostPenguin establishes remote command-line access on infected Linux machines by communicating over UDP to port 53, so that its traffic blends in with DNS lookups. All payload data is encrypted with the RC5 cipher, using a 16-byte session ID obtained during an initial handshake. Upon execution, it collects system details including IP address, gateway, OS version, hostname, and username, then registers with its command-and-control server.
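Because the backdoor talks to its server on UDP/53, port-based filtering alone will not separate it from real DNS traffic; the practical host-side check is to list UDP sockets whose remote peer is port 53 and then ask which process owns each one. The following script is an added example, not Trend Micro's tooling or the malware's code: it parses the kernel's /proc/net/udp table (IPv4 only; /proc/net/udp6 has the same layout with 32 hex digits per address) from a constructed excerpt, decodes the little-endian hex addresses, and returns the sockets connected to a port-53 peer together with their inode, which `pids_for_inode` can resolve on a live host. The sample rows, UIDs and the C2 address placed in them are constructed for illustration.

```python
"""Added example: find UDP sockets whose remote peer is port 53.

Not code from the GhostPenguin sample or from Trend Micro; the /proc/net/udp
excerpt below is constructed so the script runs offline.
"""
import os

# Constructed /proc/net/udp excerpt. Columns: sl, local_address, rem_address,
# st, tx/rx queue, tr/tm->when, retrnsmt, uid, timeout, inode, ref, pointer, drops.
# Addresses are little-endian hex IPv4 followed by a hex port. st 01 means the
# UDP socket was connect()ed to its peer, st 07 means it is unconnected.
SAMPLE_PROC_NET_UDP = """\
   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
 1234: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 24689 2 0000000000000000 0
 2048: 0F00A8C0:B2E3 65481441:0035 01 00000000:00000000 00:00000000 00000000  1000        0 31337 2 0000000000000000 0
 2049: 0F00A8C0:C1D2 0101A8C0:0035 01 00000000:00000000 00:00000000 00000000   101        0 31400 2 0000000000000000 0
"""


def hex_to_ipv4(h):
    """'65481441' -> '65.20.72.101': the kernel prints the address little-endian."""
    return ".".join(str(int(h[i:i + 2], 16)) for i in (6, 4, 2, 0))


def parse_proc_net_udp(text):
    """Turn /proc/net/udp text into a list of socket dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "sl":  # skip blank lines and the header
            continue
        lip, lport = parts[1].split(":")
        rip, rport = parts[2].split(":")
        rows.append({
            "local": (hex_to_ipv4(lip), int(lport, 16)),
            "remote": (hex_to_ipv4(rip), int(rport, 16)),
            "state": int(parts[3], 16),
            "uid": int(parts[7]),
            "inode": int(parts[9]),
        })
    return rows


def udp_peers_on_port(rows, port=53):
    """Sockets with a concrete remote peer on `port`.

    Legitimate resolvers (systemd-resolved, a local cache, libc during a lookup)
    also appear here, so the result is a candidate list to join with the owning
    process, not a verdict on its own.
    """
    return [r for r in rows
            if r["remote"][1] == port and r["remote"][0] != "0.0.0.0"]


def pids_for_inode(inode):
    """Live-host helper: PIDs whose fd table references socket:[inode].

    Walks /proc; needs root to see other users' fds. Returns [] offline.
    """
    pids = []
    target = f"socket:[{inode}]"
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        fd_dir = f"/proc/{pid}/fd"
        try:
            for fd in os.listdir(fd_dir):
                try:
                    if os.readlink(f"{fd_dir}/{fd}") == target:
                        pids.append(int(pid))
                        break
                except OSError:
                    continue
        except OSError:
            continue
    return pids


if __name__ == "__main__":
    # Offline demonstration on the constructed table; swap in
    # open("/proc/net/udp").read() to run against the live host.
    for sock in udp_peers_on_port(parse_proc_net_udp(SAMPLE_PROC_NET_UDP)):
        print(f"inode {sock['inode']} uid {sock['uid']} "
              f"{sock['local'][0]}:{sock['local'][1]} -> "
              f"{sock['remote'][0]}:{sock['remote'][1]}")
```

On a real host, pair each hit with `pids_for_inode` and compare the owning binary and its UID against the resolvers you expect; a process that is not a resolver, keeps a connected UDP socket to a single port-53 peer, and does not produce well-formed DNS messages is the shape of traffic this backdoor generates.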

To avoid running more than one copy of itself, the malware writes its process ID to a ".temp" file in the user's home directory and checks whether that PID still belongs to a running process with kill(pid, 0). It starts separate threads for a heartbeat sent every 500 milliseconds, for packet transmission, and for reception. To compensate for UDP's lack of delivery guarantees, it keeps a list of unacknowledged packets and retransmits them until the server confirms receipt. The backdoor supports more than 30 commands, enabling file system operations such as reading, writing, renaming, deleting, and searching by extension, as well as executing shell commands via /bin/sh and modifying file timestamps.

Debug artifacts, unused persistence functions, and code misspellings such as "ImpPersistence" and "Username" suggest ongoing development. On receiving a "Client Offline" command, it deletes its own binary to erase traces, so responders should image the host or copy the sample before any action that could trigger that command. Trend Vision One now detects it as Backdoor.Linux.GHOSTPENGUIN.A and blocks the associated indicators 65.20.72.101:53 and 124.221.109.147:5679.

This case underscores the value of AI in surfacing stealthy threats that traditional methods miss, as the malware avoids public libraries and uses minimal, segmented data transfers.
