Breaking the Trust: Runtime Attacks in Modern Infrastructure

Research

Breaking the Trust: Runtime Attacks in Modern Infrastructure

From kernel rootkits to eBPF backdoors, attackers are targeting the deepest layers of your infrastructure to gain persistent, undetectable access. Once they control the runtime, every monitoring tool you trust can be lying to you.

Yakir KadkodaJune 3, 2026 • 10 min read

Breaking the Trust: Runtime Attacks in Modern Infrastructure

In our previous blog, we introduced the concept of runtime integrity and why it matters for modern AI infrastructure. In this blog, we take the next step and examine real-world runtime attack campaigns, their operational patterns, and the expanding arsenal attackers use to maintain persistent, undetectable access.

Runtime attack campaigns have evolved dramatically over the past few years and are accelerating even further at the edge of the AI era. Defense evasion and long-term persistence have become a central focus, with attackers investing significant time and resources into maintaining access and avoiding detection.

The rise of AI is further accelerating this trend. With access to powerful tools, shared malware frameworks, and AI-assisted development, attackers can quickly adapt existing techniques, copy and modify code, and significantly enhance their campaigns.

The Threat Landscape of Campaigns Against Runtime Environments

Modern attackers increasingly target large shared computing infrastructures such as cloud platforms, AI data centers, and research computing environments, where a single compromise can provide access to substantial compute power and internal network connectivity.

  • State-sponsored threat actors: skillful and goal-motivated groups seeking access for financial, espionage, disruption, or high-value information theft objectives.
  • Financially motivated cybercriminals: increasingly capable groups operating with corporate-like structure and seeking financial value from malicious activity.
  • Hacktivists: groups operating mainly around activism goals.

Once initial access is gained, these workloads provide scalable compute resources, shared-tenants for lateral movement, persistent infrastructure, and access to internal services and credentials. Attackers typically obtain this initial access through misconfigured cloud services, exposed management interfaces, vulnerable containers, or stolen credentials.

TeamTNT

TeamTNT is one of the most prolific threat groups targeting cloud-native environments. Active since around 2019, the group primarily targets misconfigured Docker APIs, Kubernetes clusters, and exposed cloud services.

  • Deploys user-space and kernel-level rootkits.
  • Installs persistence scripts.
  • Steals cloud credentials and tokens across AWS, GCP, and Azure.

WatchDog

WatchDog targets Docker hosts and Kubernetes nodes in cloud environments. Initial access often occurs through exposed Docker APIs, weak SSH credentials, and vulnerable container services.

WatchDog campaigns have been observed installing Diamorphine rootkits to hide processes associated with mining operations and evade monitoring tools in cloud workloads.

Kinsing

Kinsing is a Linux malware family frequently observed in attacks against cloud workloads and containerized infrastructure. Attackers exploit vulnerabilities in web applications or container environments to gain access, after which the malware downloads additional payloads.

BPFDoor Campaigns

The BPFDoor backdoor has been used in espionage operations targeting cloud-hosted Linux infrastructure, telecommunications providers, and government networks. Its use of BPF packet filters allows attackers to monitor network traffic inside the kernel while remaining hidden.

Focusing on Runtime Rootkits

Modern widespread runtime malware operates directly inside the execution environment - manipulating the kernel, intercepting system calls, or injecting logic into running processes.

  • Kernel-level manipulation, where attackers modify the operating system itself.
  • User-space manipulation, where attackers hide activity inside running applications.

Kernel Runtime Integrity Attacks

Kernel-level implants provide attackers with the highest possible control over a system. Because the kernel mediates interaction between hardware, processes, memory, and the network stack, compromising it allows malicious actors to manipulate almost any observable behavior of the machine.

  • Hiding processes, files, and network connections.
  • Intercepting or modifying system calls.
  • Injecting network backdoors.

Attackers have begun exploiting eBPF, a powerful kernel instrumentation technology originally designed for observability, networking, and security monitoring. Because eBPF programs run inside the kernel and can be dynamically loaded without traditional kernel modules, they provide an attractive platform for stealthy implants.

Diamorphine

Diamorphine is a widely known Linux loadable kernel module rootkit whose source code has been publicly available for years. Once installed, it hooks the sys_call_table to intercept system calls, hide processes, conceal files or directories, and grant root privileges to selected processes.

Drovorub

Drovorub is a modular Linux malware toolkit composed of a command-and-control server, a client implant, an optional relay agent, and a kernel module rootkit that provides stealth and persistence.

LinkPro

LinkPro is a kernel-space Linux rootkit first discovered in October 2025 during an incident response investigation. The rootkit leverages eBPF to execute malicious programs directly inside the kernel while being orchestrated from user space.

BPFDoor

BPFDoor is a stealthy Linux backdoor used in long-running cyber-espionage campaigns. Instead of opening a listening port, it injects BPF filters into the kernel networking stack so it can silently monitor packets and activate only when the correct trigger sequence is received.

User-Space Runtime Integrity Attacks

Not all runtime attacks require kernel modification. Many modern campaigns compromise runtime integrity by injecting malicious logic directly into user-space processes.

  • Shared library hijacking.
  • Process injection.
  • API interception.

One common mechanism is LD_PRELOAD, which allows attackers to override standard system library functions and hide malicious libraries, files, processes, and network connections from system utilities.

Hybrid Approach - Both Kernel-Level and User-Space Runtime Integrity Attacks

User-space rootkits are evolving to adopt kernel-level modules or become fully kernel-level rootkits, reflecting a broader trend where attackers combine user-space implants with kernel instrumentation technologies to evade modern monitoring systems.