Hidden Malware, Expanding Access, and New Targets at Sea

  • Writer: Yisda Technical Team
  • Dec 18, 2025
  • 4 min read

From maritime systems to Linux servers, attackers are quietly expanding their reach using stealthy backdoors and malware-as-a-service models.


Figure: Maritime ship's digital video recorder system, the kind of onboard device targeted by the Broadside malware.

This week’s newsletter highlights the expanding risks posed by increasingly sophisticated malware operations across multiple sectors. A new strain of Mirai malware, known as Broadside, is being used to target maritime shipping by exploiting widely deployed onboard video systems. Researchers also uncovered GhostPenguin, a previously undetected Linux backdoor that remained hidden for months through tailored code and communication techniques designed to evade monitoring. In addition, analysts reported that four separate threat clusters are now leveraging the CastleLoader framework, indicating that its developer, known as GrayBravo, is broadening access to its tooling through a malware-as-a-service model. Together, these developments underscore how quickly adversaries are advancing their capabilities and expanding their operational reach.


New Mirai Variant Targets Maritime Security Systems


A new malware strain called Broadside, part of the long-running Mirai malware family, is being used in active attacks against maritime shipping companies. Mirai is a type of malware that infects internet-connected devices and then uses them to carry out large-scale attacks or other malicious activity. In this case, Broadside is exploiting a vulnerability in TBK digital video recorder (DVR) systems. These are security camera recorders commonly installed on cargo ships to monitor areas such as the bridge, engine room, and cargo holds.

Researchers say Broadside is far more advanced than typical Mirai variants. It includes custom communication methods, in-memory execution to avoid file-based detection, and built-in monitoring modes designed to evade security tools. Once running, the malware can harvest credentials, remove competing malware, and launch high-volume UDP traffic that can overwhelm satellite communication links and disrupt CCTV feeds. Analysts warn that on vessels with flat or poorly segmented networks, a compromised DVR system can also give attackers a foothold into other critical onboard systems. Access the full article here.


Researchers Identify GhostPenguin, a Stealthy Linux Backdoor Hidden for Months


A previously undocumented Linux backdoor called GhostPenguin has been found running undetected for more than four months. The malware, a multi-threaded program written in C++, provides remote shell access and file system operations, and communicates over encrypted UDP. It was discovered through an AI-assisted threat-hunting pipeline, after sitting undetected on VirusTotal since July 7, 2025. Analysts say the malware avoids detection by using custom code, minimal data transfer, and a layered, multi-stage design that only reveals later stages when communication occurs in a specific sequence.


GhostPenguin uses RC5 encryption, a symmetric block cipher, so the malware and its command server encrypt and decrypt traffic with the same shared key. The key is derived from a session ID exchanged during the initial handshake. The malware communicates over UDP port 53 and creates a .temp file to prevent duplicate execution. Analysts also observed a structured workflow that includes registration, system information transfer, heartbeat signals, and execution of about 40 commands, all sent in segmented UDP packets that are retransmitted until the server confirms receipt. Access the full article here.
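One defensive check suggested by the GhostPenguin description above (a custom protocol on UDP port 53, with segmented packets retransmitted until the server acknowledges them), written as an added example that is not from the original article or the researchers' tooling: flag UDP/53 packets whose payload does not parse as a DNS message, and count exact payload repeats from the same host pair as a retransmission tell. The flow records and the opaque payload are constructed for illustration; the page does not describe the malware's real wire format.

```python
import struct
from collections import Counter

def dns_query(name: str, txid: int) -> bytes:
    """Build a minimal, well-formed DNS A query (used only to construct samples)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

# Constructed sample records: (src_ip, dst_ip, dst_port, UDP payload).
# The first two are real DNS queries; the last three imitate an opaque
# custom protocol on port 53 whose packet is re-sent until acknowledged.
OPAQUE = b"\x03\x00\x10\x00" + b"\x00" * 28
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.2", 53, dns_query("example.com", 0x1A2B)),
    ("10.0.0.6", "10.0.0.2", 53, dns_query("updates.example.net", 0x9C01)),
    ("10.0.0.7", "203.0.113.9", 53, OPAQUE),
    ("10.0.0.7", "203.0.113.9", 53, OPAQUE),
    ("10.0.0.7", "203.0.113.9", 53, OPAQUE),
]

def looks_like_dns(payload: bytes) -> bool:
    """Return True if the payload parses as a plausible DNS message."""
    if len(payload) < 12:
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if qdcount == 0 or qdcount > 4:        # resolvers normally send one question
        return False
    if (flags >> 11) & 0xF > 2:            # opcode must be QUERY, IQUERY or STATUS
        return False
    pos = 12                               # walk the first question name
    while True:
        if pos >= len(payload):
            return False
        length = payload[pos]
        if length == 0:                    # root label ends the name
            pos += 1
            break
        if length & 0xC0 == 0xC0:          # compression pointer (2 bytes)
            pos += 2
            break
        if length > 63:                    # labels are at most 63 bytes
            return False
        pos += 1 + length
    return pos + 4 <= len(payload)         # QTYPE and QCLASS must follow

def find_suspicious_udp53(flows):
    """Per (src, dst): count of non-DNS UDP/53 packets and exact payload repeats."""
    packets, repeats, seen = Counter(), Counter(), set()
    for src, dst, dport, payload in flows:
        if dport != 53 or looks_like_dns(payload):
            continue
        packets[(src, dst)] += 1
        if (src, dst, payload) in seen:
            repeats[(src, dst)] += 1
        seen.add((src, dst, payload))
    return {pair: (packets[pair], repeats[pair]) for pair in packets}
```

Run over real packet captures, a hit means a host is speaking something other than DNS on port 53, which on a server fleet warrants a look regardless of which malware family is behind it.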


Researchers Track Four Threat Clusters Leveraging CastleLoader Framework


Researchers have identified four separate clusters of malicious activity that all rely on a loader known as CastleLoader, reinforcing the view that the tool is being made available to other operators through a malware-as-a-service model. Recorded Future’s Insikt Group refers to the developer of CastleLoader as GrayBravo, noting that the group moves quickly, produces technically capable tooling, and continues to expand its supporting infrastructure. GrayBravo’s ecosystem includes both CastleRAT and the CastleBot framework, which can pull down and run DLL, EXE, and PE payloads and has been used to distribute a wide range of malware families.

The four observed activity clusters deliver CastleLoader through different approaches, including phishing campaigns, ClickFix-based techniques, lures themed around Booking.com, online ads, and fake software update prompts, with each cluster active since early or mid-2025. Analysts also found that GrayBravo relies on a layered infrastructure in which outward-facing command servers are backed by additional VPS systems. In one case, operators used misleading or compromised accounts on freight-matching services to make their phishing attempts appear legitimate. Recorded Future assesses that CastleLoader is being adopted by a growing number of threat actors, enabling GrayBravo’s tooling to spread more broadly across the criminal ecosystem. Access the full article here.



Figure: Multi-tiered infrastructure linked to GrayBravo (Source: Recorded Future)

Yisda Takeaways


This week’s newsletter highlights how quickly malware operations are evolving and how threat actors are growing both their technical capabilities and their operational reach. The Broadside attacks against maritime shipping demonstrate that threat actors are increasingly targeting specialized industrial systems, exploiting devices that are often overlooked yet essential for safety and situational awareness onboard vessels. GhostPenguin’s months-long evasion demonstrates the growing sophistication of stealth-focused malware. At the same time, the adoption of CastleLoader by multiple threat clusters shows how the malware-as-a-service model continues to accelerate the spread of advanced tooling, enabling less mature actors to operate with far greater capability. Collectively, these developments point to the need for organizations to prioritize investments in network monitoring, threat hunting, and early-stage detection, while also strengthening microsegmentation and adopting zero trust access controls where pertinent to limit attacker movement.


