🛡 Detect Medusa Rootkit on Linux – Test Guide
A new stealth rootkit called Medusa uses LD_PRELOAD to hijack dynamic libraries and hide files, processes, and ports from commands like ls, ps, and netstat.
Goal: Catch Medusa by bypassing its tricks.
⸻
How to Detect It (Step-by-Step)
1. Use a statically built BusyBox – it doesn't rely on dynamic libraries, so the loader never applies LD_PRELOAD to it.
2. Launch a clean shell:
    busybox ash
3. Run commands inside it:
    ls -la /lib
    ps aux
    netstat -tulpn
4. Compare the output with the same commands run in your normal shell.
If files, processes, or ports appear in BusyBox but not in bash → you're likely infected.
⸻
🔴 Don't install BusyBox via apt on a live compromised system.
Instead:
• Run it from a USB stick or from RAM (/dev/shm) to avoid overwriting evidence.
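The comparison from steps 2–4, written out as a shell script. This is an added example, not code from the original post or from the Medusa project. It assumes a statically linked busybox that was verified on a clean machine and is reachable via the BUSYBOX variable (a name chosen here). It calls BusyBox applets explicitly instead of relying on PATH lookup inside busybox ash, because a bare ls there can still resolve to the dynamic /bin/ls unless BusyBox was built with standalone applets; it filters the process comparison against /proc so the pipelines' own short-lived PIDs are not reported as hidden; and it additionally checks the LD_PRELOAD variable and /etc/ld.so.preload, the loader's standard preload mechanisms, which the post itself does not mention.

```shell
#!/bin/sh
# medusa_check.sh - added example, not code from the original post.
# Cross-checks what a static BusyBox sees against what the host's
# dynamic tools report. An LD_PRELOAD hook can only filter the output of
# dynamically linked programs, so anything BusyBox lists that the normal
# tools omit is the indicator the post describes.
#
# Assumption (not from the post): $BUSYBOX points at a statically linked
# busybox verified on a clean machine, e.g. a copy on a USB stick or in
# /dev/shm. Defaults to whatever 'busybox' is on PATH.
BUSYBOX="${BUSYBOX:-busybox}"

# hidden_entries STATIC_LIST DYNAMIC_LIST
# Prints lines that occur in the static view but not in the dynamic one.
# Uses the host's sort/comm; they only touch the two temp files.
hidden_entries() {
    _a=$(mktemp); _b=$(mktemp)
    sort -u "$1" > "$_a"
    sort -u "$2" > "$_b"
    comm -23 "$_a" "$_b"
    rm -f "$_a" "$_b"
}

# preload_indicators: LD_PRELOAD rootkits persist through the LD_PRELOAD
# variable or /etc/ld.so.preload (standard loader behaviour, not a claim
# of the post). Returns 1 if either is present. The file is read with
# BusyBox applets because a hooked libc may hide it from dynamic tools.
preload_indicators() {
    _found=0
    if [ -n "${LD_PRELOAD:-}" ]; then
        echo "LD_PRELOAD is set: $LD_PRELOAD"; _found=1
    fi
    if "$BUSYBOX" test -s /etc/ld.so.preload 2>/dev/null; then
        echo "/etc/ld.so.preload is non-empty:"
        "$BUSYBOX" cat /etc/ld.so.preload; _found=1
    fi
    return $_found
}

# compare_view LABEL STATIC_CMD DYNAMIC_CMD
# STATIC_CMD runs under BusyBox's own shell so the applets it names are
# the static ones; DYNAMIC_CMD runs under the host's /bin/sh. Prints the
# entries only the static side reports and returns 1 if there are any.
compare_view() {
    _s=$(mktemp); _d=$(mktemp)
    "$BUSYBOX" sh -c "$2" > "$_s" 2>/dev/null
    sh -c "$3" > "$_d" 2>/dev/null
    _hidden=$(hidden_entries "$_s" "$_d")
    rm -f "$_s" "$_d"
    if [ -n "$_hidden" ]; then
        echo "[$1] seen by BusyBox, missing from the dynamic tool:"
        printf '%s\n' "$_hidden" | sed 's/^/    /'
        return 1
    fi
    echo "[$1] no discrepancy"
    return 0
}

# compare_processes: the two ps snapshots are taken moments apart, so the
# pipelines' own short-lived PIDs appear on only one side. A PID is
# reported only if it still exists in /proc, checked with a BusyBox stat
# that does not go through a hooked directory listing.
compare_processes() {
    _s=$(mktemp); _d=$(mktemp)
    "$BUSYBOX" sh -c "$BUSYBOX ps | $BUSYBOX awk 'NR>1{print \$1}'" > "$_s"
    sh -c "ps aux | awk 'NR>1{print \$2}'" > "$_d"
    _bad=0
    for _pid in $(hidden_entries "$_s" "$_d"); do
        if "$BUSYBOX" test -d "/proc/$_pid"; then
            echo "[processes] PID $_pid exists but the dynamic ps omits it"
            _bad=1
        fi
    done
    rm -f "$_s" "$_d"
    return $_bad
}

run_live_check() {
    _rc=0
    preload_indicators || _rc=1
    compare_view "files in /lib" "$BUSYBOX ls -1a /lib" "ls -1a /lib" || _rc=1
    compare_processes || _rc=1
    # Local-address column is field 4 in both BusyBox and net-tools netstat.
    if command -v netstat >/dev/null 2>&1; then
        compare_view "listening sockets" \
            "$BUSYBOX netstat -tuln | $BUSYBOX awk '/^(tcp|udp)/{print \$1, \$4}'" \
            "netstat -tuln | awk '/^(tcp|udp)/{print \$1, \$4}'" || _rc=1
    fi
    if [ "$_rc" -eq 0 ]; then
        echo "RESULT: static and dynamic views agree"
    else
        echo "RESULT: discrepancies found; treat the host as likely compromised"
    fi
    return $_rc
}

# Run the live comparison only when asked (sh medusa_check.sh --run),
# so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    run_live_check
fi
```

Copy the script next to the static busybox on the USB stick or under /dev/shm and run it with BUSYBOX=/dev/shm/busybox sh medusa_check.sh --run. Any discrepancy it prints is exactly the "appears in BusyBox but not in bash" condition from step 4; an empty /etc/ld.so.preload and an unset LD_PRELOAD do not prove the host is clean, since the comparison is the real test.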
references:
github
blog
#Rootkit
@GoSecurity
The OWASP Smart Contract Top 10 (2025) is a standard awareness document providing Web3 developers and security teams with insights into the top 10 vulnerabilities found in smart contracts.
https://owasp.org/www-project-smart-contract-top-10/
Researchers cracked the encryption used by DarkBit ransomware
https://securityaffairs.com/181064/malware/researchers-cracked-the-encryption-used-by-darkbit-ransomware.html
Researchers at cybersecurity firm Profero cracked DarkBit ransomware encryption, allowing victims to recover files for free.
Chrome sandbox escape nets security researcher $250,000 reward
https://securityaffairs.com/181057/hacking/chrome-sandbox-escape-nets-security-researcher-250000-reward.html
Researcher earns Google Chrome's top $250K bounty for a sandbox escape vulnerability enabling remote code execution.