Zero Disco rootkit
Zero Disco rootkit is a Linux rootkit deployed in the Operation Zero Disco campaign described by Trend Micro. The campaign exploited a recently disclosed security flaw affecting Cisco IOS Software and IOS XE Software, targeting older and unprotected systems and Cisco network devices. The malware is characterized in the source content as stealthy and highly sophisticated. High-confidence details available from the content indicate its role as a Linux rootkit installed after exploitation of the Cisco vulnerability; no additional capabilities, specific infection chain details, threat actor attribution, industries targeted, or indicators of compromise are provided in the supplied content.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A stealthy Linux rootkit/backdoor implanted on vulnerable Cisco switches via exploitation of SNMP and Telnet vulnerabilities. It provides persistent, nearly invisible access by hooking into IOSd memory, hiding configuration changes, disabling logs, and allowing remote command execution via UDP listeners.
A Linux rootkit/backdoor deployed on Cisco IOS/IOS XE devices via exploitation of SNMP and Telnet vulnerabilities. It provides persistent, covert access, sets a universal password, hides malicious activity, and enables lateral movement within segmented networks.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.