Linux Rootkits and macOS Crypto Stealers Surge in Supply Chain Attacks
- [01] Malicious actors are successfully poisoning software supply chains and exploiting legacy vulnerabilities to deploy Linux rootkits and macOS crypto stealers.
- [02] Impacted systems include cloud environments with misconfigured public access and developer machines targeted via compromised third-party software downloads.
- [03] Defenders must implement rigorous software bill of materials verification and audit cloud permissions to prevent unauthorized public server exposure.
Recent intelligence indicates a troubling resurgence in highly effective, stealth-oriented threats targeting both server-side infrastructure and high-value macOS endpoints. According to The Hacker News, threat actors have successfully compromised trusted download channels to distribute malicious payloads, marking a significant escalation in Supply Chain Attack methodologies. This week’s findings highlight a combination of novel techniques and the exploitation of legacy CVE entries that organizations have failed to remediate over several years.
How to Detect Linux Rootkit Persistence and Mitigate Supply Chain Risks
Linux rootkits remain a primary tool for advanced actors who want long-term, covert access to a host once they are inside. They typically work by hooking system calls or loading a malicious loadable kernel module (LKM) so that chosen files, network connections and processes are hidden from standard monitoring tools; a capable APT group can hold access for months behind such hooks. Countering them means looking beyond process monitoring run from inside the compromised OS, because that view is exactly what the rootkit controls: detection requires memory forensics and EDR tooling that can verify kernel integrity (module lists, the syscall table and loaded code) rather than trusting the kernel's own reporting.
When investigating Linux rootkit persistence, analysts should look for anomalies in the /proc filesystem, such as PIDs that can be opened directly but never appear in a directory listing, or a loadable module that has a /sys/module entry but no line in /proc/modules, and for unexpected changes to the system call table, which can only be checked from outside the running kernel's view (a trusted module, a memory image, or a live-response tool). Many of these rootkits are now delivered as poisoned binaries in repositories that developers trust, so signature and checksum verification of every fetched artifact is a mandatory step in any secure CI/CD pipeline.
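The two /proc-side checks described above, as an added example that is not part of the original article or of any named tool: the core functions take their inputs as arguments (a PID listing, a probe callback, two module sets) so they can be exercised on constructed data, and the thin wrappers at the bottom read the live /proc and /sys on a Linux host. The syscall-table check is deliberately absent, since it cannot be done from user space.

```python
"""Hidden-process and hidden-module checks (user-space side of rootkit triage).

Added example. The pure functions take their inputs explicitly; the
underscore helpers read the real /proc and /sys and only work on Linux.
"""
import os
from pathlib import Path


def hidden_pids(listed_pids, tgid_of, pid_max):
    """PIDs that answer a direct probe but are absent from the /proc listing.

    listed_pids: set of PIDs from listing /proc (what `ps` sees).
    tgid_of:     callable(pid) -> thread-group id from /proc/<pid>/status,
                 or None if the PID does not exist.
    Threads are reachable as /proc/<tid> but never listed in /proc, so only
    PIDs whose Tgid equals the PID itself (thread-group leaders) count.
    """
    return sorted(
        pid for pid in range(1, pid_max + 1)
        if pid not in listed_pids and tgid_of(pid) == pid
    )


def hidden_modules(proc_modules, sysfs_loadable):
    """Loadable modules with a sysfs entry but no line in /proc/modules.

    An LKM rootkit commonly unlinks itself from the kernel's module list,
    which feeds /proc/modules and lsmod; its /sys/module/<name> directory
    usually survives, so the difference between the two views is a strong
    indicator.
    """
    return sorted(set(sysfs_loadable) - set(proc_modules))


# --- live-host readers (Linux only) -----------------------------------------

def _proc_tgid(pid):
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (FileNotFoundError, ProcessLookupError, PermissionError):
        return None
    return None


def _listed_pids():
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def _pid_max():
    with open("/proc/sys/kernel/pid_max") as fh:
        return int(fh.read())


def _proc_modules():
    with open("/proc/modules") as fh:
        return {line.split()[0] for line in fh if line.strip()}


def _sysfs_loadable_modules():
    # Built-in modules also get /sys/module entries; only loadable ones
    # carry an 'initstate' file, so that is the filter.
    return {p.name for p in Path("/sys/module").iterdir()
            if (p / "initstate").exists()}


def scan_host():
    """Run both checks on the live system; returns (hidden_pids, hidden_modules)."""
    pids = hidden_pids(_listed_pids(), _proc_tgid, _pid_max())
    # A process that started after the listing is not hidden; re-list to drop it.
    pids = [p for p in pids if p not in _listed_pids()]
    mods = hidden_modules(_proc_modules(), _sysfs_loadable_modules())
    return pids, mods


if __name__ == "__main__":
    hidden, mods = scan_host()
    print("PIDs reachable but not listed in /proc:", hidden or "none")
    print("loadable modules missing from /proc/modules:", mods or "none")
```

Run it as root for full coverage; with a large pid_max (4194304 on 64-bit defaults) the PID sweep takes several seconds. A hit from either check is not proof on its own, but it is the point at which the host should be imaged for memory forensics rather than investigated further from within.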
macOS Crypto Stealer Evolution and Deployment
The macOS ecosystem is increasingly targeted by specialized malware built to exfiltrate cryptocurrency wallet keys and browser-stored credentials. Threat actors typically use phishing to trick users into installing what appear to be legitimate productivity tools or updates. Once running, the stealer harvests wallet files, browser profiles and Keychain items, and where it needs more reach it escalates privileges or bypasses the Transparency, Consent, and Control (TCC) framework by piggybacking on permissions already granted to trusted applications instead of requesting its own. Mitigation therefore has two sides: enforce notarization and code-signature checks on anything downloaded, and monitor both for unexpected Keychain access and for applications that hold broad TCC grants such as Full Disk Access, since those are the grants a stealer rides on.
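A check for the TCC side of that mitigation, as an added example that is not from the original article: it reads a TCC.db and reports every application granted a broad service that is not on an expected allow-list. The real databases live at /Library/Application Support/com.apple.TCC/TCC.db (system-wide, root only) and ~/Library/Application Support/com.apple.TCC/TCC.db (per user), and reading them needs Full Disk Access; the in-memory database built here is constructed sample data with only the subset of `access` table columns the audit uses.

```python
"""Audit macOS TCC grants that a stealer could ride on (added example).

The 'access' table columns used here (service, client, client_type,
auth_value, last_modified) exist on macOS 11 and later; auth_value 2 means
'allowed'. The sample database below is constructed, not a real capture.
"""
import sqlite3
import sys
from datetime import datetime, timezone

# Services whose holders can read wallet files, keystrokes or other apps' data.
BROAD_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceAccessibility": "Accessibility (input control)",
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceAppleEvents": "Automation (AppleEvents)",
}
ALLOWED = 2


def audit_tcc(conn, expected_clients):
    """Grants of broad services to clients outside the expected allow-list.

    conn:             sqlite3 connection to a TCC.db
    expected_clients: bundle IDs or paths that are meant to hold these rights
    Returns sorted (client, service name, last_modified as ISO-8601 UTC).
    """
    placeholders = ",".join("?" * len(BROAD_SERVICES))
    rows = conn.execute(
        "SELECT client, service, last_modified FROM access "
        f"WHERE auth_value = ? AND service IN ({placeholders})",
        (ALLOWED, *BROAD_SERVICES),
    )
    findings = []
    for client, service, modified in rows:
        if client in expected_clients:
            continue
        when = datetime.fromtimestamp(modified, tz=timezone.utc).isoformat()
        findings.append((client, BROAD_SERVICES[service], when))
    return sorted(findings)


def build_sample_db():
    """Constructed in-memory TCC.db; client_type 0 = bundle ID, 1 = absolute path."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, last_modified INTEGER)"
    )
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?, ?)",
        [
            # Expected: an admin gave Terminal Full Disk Access.
            ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 1700000000),
            # Suspicious: an 'updater' dropped in /tmp holds Full Disk Access.
            ("kTCCServiceSystemPolicyAllFiles",
             "/tmp/Updater.app/Contents/MacOS/Updater", 1, 2, 1700500000),
            # Denied grant (auth_value 0) is not reported.
            ("kTCCServiceAccessibility", "com.example.hotkeys", 0, 0, 1700000100),
            # Camera is not in the broad-service list.
            ("kTCCServiceCamera", "us.zoom.xos", 0, 2, 1700000200),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    # Usage: python tcc_audit.py [/path/to/TCC.db]; no argument runs the sample.
    if len(sys.argv) > 1:
        conn = sqlite3.connect(f"file:{sys.argv[1]}?mode=ro", uri=True)
    else:
        conn = build_sample_db()
    for client, service, when in audit_tcc(conn, {"com.apple.Terminal"}):
        print(f"{when}  {service:<30} {client}")
```

Paths under /tmp, /Users/Shared or ~/Downloads that hold Full Disk Access or Accessibility are the pattern to pull first; a grant whose last_modified is close to a suspicious install is the next. Note that Terminal and other developer tools with Full Disk Access are exactly what a stealer launched from a shell inherits, so the allow-list should be short and reviewed.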
WebSocket Skimmers: Bypassing Legacy Detection
Another significant development is the WebSocket-based skimmer. Traditional web skimmers exfiltrate captured card and login data with ordinary HTTP requests (a POST, or a GET or image beacon carrying encoded fields); these skimmers instead open a persistent WebSocket connection to the C2 server once the page loads and stream captured fields over it. That defeats legacy web application firewalls and proxies that inspect only the initial HTTP Upgrade handshake and not the frames that follow, and it produces no per-submission request for an analyst to notice. For network defenders, the handshake itself is the signal: a SIEM should flag HTTP 101 Switching Protocols responses initiated by a client that has just loaded a checkout or login page toward hosts that are not the site's own, along with unusually long-lived outbound connections from those sessions. On the prevention side, a Content Security Policy whose connect-src lists only first-party endpoints stops the browser from opening the socket in the first place.
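The correlation just described, as an added example that is not from the original article: it reads proxy or WAF log records, remembers when each client last loaded a checkout or login page on a first-party host, and flags WebSocket upgrades that client opens shortly afterwards, rating a non-first-party destination high and a long-lived first-party socket medium. The JSON-lines format and field names (ts, src, host, uri, status, upgrade, origin, duration_s) are this example's own and the log lines are constructed; map your SIEM's schema onto them.

```python
"""Flag WebSocket upgrades that follow checkout/login page loads (added example)."""
import json
import re
from datetime import datetime

SENSITIVE_PATH = re.compile(r"/(checkout|cart|payment|login|signin|account)", re.I)

# Constructed sample: one client loads /checkout, then opens two sockets,
# one to the site's own ws host and one to an unknown domain. A second client
# reaches the unknown domain without having visited a sensitive page.
SAMPLE_LOG = """\
{"ts":"2024-05-02T10:01:02+00:00","src":"10.0.0.12","host":"shop.example","uri":"/checkout","status":200,"upgrade":"","origin":"","duration_s":0.2}
{"ts":"2024-05-02T10:01:03+00:00","src":"10.0.0.12","host":"cdn.shop.example","uri":"/js/app.js","status":200,"upgrade":"","origin":"","duration_s":0.1}
{"ts":"2024-05-02T10:01:04+00:00","src":"10.0.0.12","host":"ws.shop.example","uri":"/live","status":101,"upgrade":"websocket","origin":"https://shop.example","duration_s":900.0}
{"ts":"2024-05-02T10:01:05+00:00","src":"10.0.0.12","host":"stat.cdn-metrics.xyz","uri":"/socket","status":101,"upgrade":"websocket","origin":"https://shop.example","duration_s":1840.5}
{"ts":"2024-05-02T10:02:05+00:00","src":"10.0.0.31","host":"stat.cdn-metrics.xyz","uri":"/socket","status":101,"upgrade":"websocket","origin":"https://shop.example","duration_s":30.0}
"""

FIRST_PARTY = {"shop.example", "cdn.shop.example", "ws.shop.example"}


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_ws_upgrade(rec):
    # Browsers send Upgrade: websocket and get 101 back; the frames after that
    # are invisible to a WAF that only parses HTTP, so this is the last hook.
    return rec["status"] == 101 and rec.get("upgrade", "").lower() == "websocket"


def find_skimmer_candidates(records, first_party, window_s=120, long_conn_s=600):
    """Return (severity, record) pairs worth an analyst's attention.

    high:   WebSocket to a non-first-party host within window_s of the same
            client loading a checkout/login page on a first-party host
    medium: WebSocket to a first-party host in that window that stays open
            longer than long_conn_s (live chat is normal; review, do not block)
    """
    last_sensitive = {}  # src -> time of most recent sensitive page load
    findings = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        ts = datetime.fromisoformat(rec["ts"])
        if (rec["status"] == 200 and rec["host"] in first_party
                and SENSITIVE_PATH.search(rec["uri"])):
            last_sensitive[rec["src"]] = ts
            continue
        if not is_ws_upgrade(rec):
            continue
        seen = last_sensitive.get(rec["src"])
        if seen is None or (ts - seen).total_seconds() > window_s:
            continue
        if rec["host"] not in first_party:
            findings.append(("high", rec))
        elif rec["duration_s"] >= long_conn_s:
            findings.append(("medium", rec))
    return findings


if __name__ == "__main__":
    for sev, rec in find_skimmer_candidates(parse_log(SAMPLE_LOG), FIRST_PARTY):
        print(f"{sev:<6} {rec['ts']} {rec['src']} -> wss://{rec['host']}{rec['uri']} "
              f"open {rec['duration_s']:.0f}s")
```

The second client's socket to the same unknown host is not flagged on its own, which is intentional: once a destination has been rated high, pivot on every connection to it regardless of page context, and check the page's JavaScript for the `new WebSocket(` call that creates it.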
Cloud Misconfigurations and Infrastructure Hygiene
Beyond specific TTPs, the report identifies a trend of cloud servers being turned into what it calls ‘public housing’ for malicious actors. This usually stems from misconfigured S3 buckets (public read, or worse, public write) or compute instances whose management ports are open to the whole internet without the authentication and segmentation a zero-trust model requires. In these scenarios attackers do not need an exploit: they find the exposed resource and use it to host malware or generate DDoS traffic, sometimes sitting quietly for months before using it. Organizations should continuously audit public-facing assets for bucket policies that grant access to any principal, security groups that allow 0.0.0.0/0 or ::/0 to SSH or RDP, and instances reachable without credentials, since recent incidents suggest attackers are stumbling onto such misconfigurations rather than hunting for them.
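An audit for the two exposures named above, as an added example that is not from the original article: one function classifies S3 bucket-policy statements that Allow any principal (a Condition such as aws:SourceVpce narrows the grant, so those are reported as conditional rather than public), and one walks security-group inbound rules for management ports open to the whole internet. Both take the JSON structures the AWS APIs return (get-bucket-policy and describe-security-groups) so they can run on exported data; the policy and groups below are constructed samples, including the account and VPC endpoint IDs.

```python
"""Find public bucket grants and world-open management ports (added example).

Inputs are the document shapes returned by `aws s3api get-bucket-policy`
(policy document) and `aws ec2 describe-security-groups` (SecurityGroups
list). The samples below are constructed.
"""
import ipaddress

MGMT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS"}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_is_anyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_bucket_statements(policy):
    """(Sid, 'public' | 'conditional', actions) for each Allow to any principal."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        kind = "conditional" if st.get("Condition") else "public"
        findings.append((st.get("Sid", "<no Sid>"), kind, _as_list(st.get("Action", []))))
    return findings


def _is_world(cidr):
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0  # 0.0.0.0/0 or ::/0


def open_mgmt_ports(security_groups):
    """(group id, port name, cidr) for inbound rules exposing a management port to the world."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
            if proto == "-1":          # all protocols, no port fields present
                lo, hi = 0, 65535
            elif proto != "tcp" or lo is None:
                continue
            cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            for cidr in cidrs:
                if not _is_world(cidr):
                    continue
                for port, name in MGMT_PORTS.items():
                    if lo <= port <= hi:
                        findings.append((sg["GroupId"], name, cidr))
    return sorted(findings)


# Constructed samples (IDs are made up).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::assets-bucket/*"},
        {"Sid": "AnyoneCanWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": "arn:aws:s3:::assets-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::assets-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "Admins", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/Admin"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::assets-bucket/*"},
    ],
}
SAMPLE_SGS = [
    {"GroupId": "sg-0a1b2c3d", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0e5f6a7b", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
]

if __name__ == "__main__":
    for sid, kind, actions in public_bucket_statements(SAMPLE_POLICY):
        print(f"{kind:<12} {sid:<16} {', '.join(actions)}")
    for gid, name, cidr in open_mgmt_ports(SAMPLE_SGS):
        print(f"world-open   {gid:<16} {name} from {cidr}")
```

The AnyoneCanWrite statement is the one that creates ‘public housing’: anyone can upload a payload and serve it from the bucket's own hostname. The IPv6 ::/0 all-protocols rule is easy to miss when an audit only greps for 0.0.0.0/0, which is why both address families are checked.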