Thursday April 02, 2026

Advisory ID: NCC-CSIRT-2026-013

Summary: 

The COLDEYE backdoor is sophisticated kernel-level malware used in targeted cyber-espionage campaigns. It provides persistent root-level access to compromised systems and is associated with advanced threat actors such as UNC2814.
COLDEYE has been observed in telecom infrastructure, government systems, and cloud-hosted services, where it enables attackers to manipulate critical data, exfiltrate information, and maintain long-term stealth access.

Damage: Critical

Probability: High

Product(s): 

Linux-based enterprise servers

Version(s): 

No specific version; affects general Linux distros

Platform(s):

Linux (Ubuntu, Debian, CentOS, RHEL); virtualized cloud instances

Indicators of Compromise (IOCs): 

Organizations are advised to cross-check the following IOCs against their SIEM and endpoint monitoring tools. They are behavioural indicators rather than file hashes or network addresses, so each should be compared with a known-good baseline for the server role:

  • Unexpected kernel modules loaded on Linux servers (modules absent from the baseline, or reported by the kernel as unsigned or out-of-tree)
  • Unauthorized system services or startup scripts, including new systemd units and cron entries
  • Outbound connections from critical servers to cloud storage or collaboration APIs (for example Google Sheets endpoints) that those servers have no operational reason to reach
  • Unauthorized file changes in system directories (/etc, /usr/bin), including binaries that no longer match their package manifest
  • Anomalous processes running with root privileges, for example from /tmp or /dev/shm, from deleted binaries, or hidden from process listings
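The following script is an added example and is not part of the NCC-CSIRT advisory. It shows how the indicators above can be checked mechanically on a host or against collected snapshots: loaded modules against a baseline and the kernel taint flags, auditd records of module-load syscalls, root processes running from scratch directories or deleted binaries, and egress from critical servers to cloud APIs. It assumes x86_64 auditd records produced by an init_module/finit_module audit rule, a known-good module list captured from a clean server of the same role, and a per-host allowlist of expected cloud destinations. All module names, hostnames, paths and log lines are constructed for the demonstration and are not published COLDEYE indicators.

```python
"""Host triage for the COLDEYE indicators above: kernel modules outside a
baseline or tainting the kernel as unsigned, runtime module-load syscalls in
auditd, root processes from scratch dirs or deleted binaries, and egress from
critical servers to cloud APIs.  All sample data is constructed and fictitious."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class Finding:
    category: str
    detail: str


# 1. /proc/modules vs. a known-good list for this server role.  Line format:
# name size refcount deps state address [(taint)]; 'E' = unsigned, 'O' = out-of-tree.
def check_modules(proc_modules: str, baseline: set[str]) -> list[Finding]:
    findings = []
    for line in proc_modules.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        name = parts[0]
        taint = parts[6].strip("()") if len(parts) > 6 else ""
        if name not in baseline:
            findings.append(Finding("kernel_module", f"{name}: not in baseline"))
        if "E" in taint:
            findings.append(Finding("kernel_module", f"{name}: unsigned (taint {taint})"))
    return findings


# 2. auditd SYSCALL records for init_module/finit_module.  Syscall numbers are x86_64
# (arch=c000003e); assumed rule: -a always,exit -F arch=b64 -S init_module -S finit_module -k modules
MODULE_SYSCALLS_X86_64 = {"175": "init_module", "313": "finit_module"}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def check_audit(audit_log: str, trusted_loaders: frozenset[str] = frozenset({"systemd-udevd"})) -> list[Finding]:
    findings = []
    for line in audit_log.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue
        f = {k: v.strip('"') for k, v in KV.findall(line)}
        if f.get("arch") != "c000003e":
            continue  # the number-to-name table above only holds for x86_64
        name = MODULE_SYSCALLS_X86_64.get(f.get("syscall", ""))
        # udev hotplug loads are routine, but must still reconcile with check 1
        if name and f.get("success") == "yes" and f.get("comm") not in trusted_loaders:
            findings.append(Finding("module_load", f"{name} by comm={f.get('comm')} exe={f.get('exe')} uid={f.get('uid')}"))
    return findings


# 3. root processes executing from scratch dirs or from a binary deleted on disk
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/run/user/")


def check_processes(ps_snapshot: list[dict]) -> list[Finding]:
    findings = []
    for p in ps_snapshot:
        if p["uid"] == 0 and (p["exe"].startswith(SCRATCH_DIRS) or p["exe"].endswith("(deleted)")):
            findings.append(Finding("root_process", f"pid {p['pid']} {p['exe']} ({p['cmdline']})"))
    return findings


# 4. egress to cloud storage/collaboration APIs not expected for that host.
# The domain list is an assumption built around the Google Sheets abuse described above.
CLOUD_API_RE = re.compile(r"(^|\.)(googleapis\.com|docs\.google\.com|amazonaws\.com|"
                          r"blob\.core\.windows\.net|dropboxapi\.com)$")


def check_connections(conns: list[dict], expected: dict[str, set[str]]) -> list[Finding]:
    findings = []
    for c in conns:
        if CLOUD_API_RE.search(c["dst"]) and c["dst"] not in expected.get(c["host"], set()):
            findings.append(Finding("cloud_egress", f"{c['host']} pid {c['pid']} {c['exe']} -> {c['dst']}:{c['port']}"))
    return findings


# --- constructed sample inputs (fictitious; 'hidemod' is not a known COLDEYE name) ---
BASELINE_MODULES = {"ext4", "xfs", "nf_conntrack", "bonding"}
SAMPLE_PROC_MODULES = """\
ext4 983040 2 - Live 0x0000000000000000
xfs 1634304 1 - Live 0x0000000000000000
nf_conntrack 172032 1 nf_nat, Live 0x0000000000000000
bonding 196608 0 - Live 0x0000000000000000
hidemod 24576 0 - Live 0x0000000000000000 (OE)
"""
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1775124000.101:2231): arch=c000003e syscall=313 success=yes exit=0 ppid=1 pid=812 uid=0 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" key="modules"
type=SYSCALL msg=audit(1775124600.442:9077): arch=c000003e syscall=313 success=yes exit=0 ppid=4410 pid=4419 uid=0 comm="insmod" exe="/usr/bin/kmod" key="modules"
type=SYSCALL msg=audit(1775124601.001:9080): arch=c000003e syscall=59 success=yes exit=0 ppid=4410 pid=4420 uid=0 comm="bash" exe="/usr/bin/bash"
"""
SAMPLE_PS = [
    {"pid": 1188, "uid": 0, "exe": "/usr/sbin/sshd", "cmdline": "sshd: /usr/sbin/sshd -D"},
    {"pid": 4419, "uid": 0, "exe": "/dev/shm/.cache/upd (deleted)", "cmdline": "./upd -q"},
    {"pid": 5021, "uid": 1001, "exe": "/tmp/build/a.out", "cmdline": "./a.out"},
]
SAMPLE_CONNS = [
    {"host": "hlr-db01", "pid": 1188, "exe": "/usr/sbin/sshd", "dst": "10.20.0.15", "port": 22},
    {"host": "hlr-db01", "pid": 4419, "exe": "/dev/shm/.cache/upd", "dst": "sheets.googleapis.com", "port": 443},
    {"host": "backup02", "pid": 2200, "exe": "/usr/bin/rclone", "dst": "storage.googleapis.com", "port": 443},
]
EXPECTED_EGRESS = {"backup02": {"storage.googleapis.com"}}  # backup host legitimately uses GCS


def triage() -> list[Finding]:
    return (check_modules(SAMPLE_PROC_MODULES, BASELINE_MODULES) + check_audit(SAMPLE_AUDIT)
            + check_processes(SAMPLE_PS) + check_connections(SAMPLE_CONNS, EXPECTED_EGRESS))


if __name__ == "__main__":
    for finding in triage():
        print(f"[{finding.category}] {finding.detail}")
```

To run it against real data, substitute the contents of /proc/modules, the output of ausearch -k modules, a process snapshot and connection logs for the sample constants. Two caveats: the 'E' taint flag is only set on kernels built with module signing, so its absence does not vouch for a module; and a rootkit that unlinks itself from the kernel's module list will not appear in /proc/modules at all, which is why the audit trail of load syscalls is checked independently of the module snapshot.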

Description: 

COLDEYE is a highly sophisticated kernel-level backdoor that primarily targets Linux servers in telecom networks, government systems, and cloud-hosted platforms. It achieves persistent root-level access by installing as a kernel module or system-level rootkit, enabling it to remain active after system reboots and evade traditional endpoint detection mechanisms. The malware can escalate privileges on misconfigured or vulnerable servers, granting attackers unrestricted access to critical system files, administrative credentials, and network services.
COLDEYE communicates with remote command-and-control infrastructure, often leveraging legitimate cloud services such as Google Sheets via the GRIDTIDE backdoor framework. This allows attackers to execute scripts, upload or download files, and perform detailed system reconnaissance while blending with normal network traffic. The malware facilitates the exfiltration of sensitive information, including subscriber databases, call detail records, SMS data, and cloud service tokens. It uses stealth techniques, such as kernel-level hooks and process masking, to avoid detection by host-based intrusion detection systems.
After establishing a foothold, COLDEYE may move laterally within networks, exploiting SSH, VPN, or internal service credentials to compromise additional systems. Its operational impact is significant, potentially exposing subscriber privacy, critical intelligence, and core telecom operations, including lawful interception systems. By maintaining long-term access, attackers can monitor and manipulate sensitive communications over extended periods. Deployment typically occurs following an initial compromise through vulnerable services, phishing targeting administrative accounts, or other advanced persistent threat tools, forming part of a larger espionage campaign.

Impacts: 

  • Compromise of Sensitive Data
  • Unauthorized System Control
  • Lateral Network Compromise
  • Operational Disruption
  • Long-Term Surveillance
  • Reputational and Regulatory Impact
  • Financial Consequences

Threat Types: 

  • Advanced Persistent Threat (APT)
  • Kernel-Level Malware / Rootkit
  • Data Exfiltration / Espionage
  • Unauthorized Access / Privilege Escalation
  • Command-and-Control (C2) Abuse
  • Lateral Movement
  • Telecom / Infrastructure Disruption

Solutions/Mitigations:  

NCC-CSIRT recommends the following mitigation steps:

  • Isolate compromised systems from the network
  • Conduct full system integrity checks and memory forensics; because a kernel-level rootkit can hide files, processes and modules from tools run on the live host, acquire memory and disk images and analyse them offline
  • Monitor unusual outbound connections to cloud services
  • Apply the latest OS and kernel security updates and disable unused services and accounts
  • Restrict administrative and root access
  • Implement network and host-based anomaly detection
  • Monitor for abnormal process execution and kernel module loading
  • Review system logs for unauthorized access events
  • Enable UEFI Secure Boot where possible, and verify that the kernel actually enforces module signatures (module.sig_enforce=1, or kernel lockdown in integrity mode, which most distributions turn on automatically under Secure Boot); Secure Boot by itself only protects the boot chain, and without enforcement an unsigned module is still loaded and merely taints the kernel
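The following is an added example, not part of the advisory, for verifying the last recommendation on a host. It reads the standard sysfs and procfs files that expose Secure Boot state, module signature enforcement, kernel lockdown mode, the modules_disabled sysctl and the kernel taint mask, and builds two constructed fixture trees to show a host that would reject an unsigned module beside one that has Secure Boot enabled yet already carries an unsigned module. The file paths are the standard Linux ones; the fixture contents are constructed for the demonstration.

```python
"""Check whether a Linux host actually rejects unsigned kernel modules, rather
than assuming UEFI Secure Boot alone guarantees it.  Reads the sysfs/procfs
files an administrator would inspect by hand; `root` lets the same checks run
against a collected snapshot or, as in demo(), a constructed fixture tree."""
from __future__ import annotations
import re
import tempfile
from pathlib import Path

# SecureBoot efivar (EFI_GLOBAL_VARIABLE GUID): 4 attribute bytes, then 1 data byte
SECUREBOOT_VAR = "sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
SIG_ENFORCE = "sys/module/module/parameters/sig_enforce"  # Y when module.sig_enforce=1
LOCKDOWN = "sys/kernel/security/lockdown"                 # e.g. "none [integrity] confidentiality"
MODULES_DISABLED = "proc/sys/kernel/modules_disabled"     # 1 = no further module loads at all
TAINTED = "proc/sys/kernel/tainted"                       # kernel taint bitmask
TAINT_OOT_MODULE = 1 << 12       # 'O': out-of-tree module loaded
TAINT_UNSIGNED_MODULE = 1 << 13  # 'E': unsigned module loaded


def _read(root: Path, rel: str) -> bytes | None:
    p = root / rel
    return p.read_bytes() if p.is_file() else None


def assess(root: Path = Path("/")) -> dict[str, bool | None]:
    """None = not determinable (file absent: legacy BIOS boot, or a kernel built
    without CONFIG_MODULE_SIG / the lockdown LSM)."""
    sb = _read(root, SECUREBOOT_VAR)
    sig = _read(root, SIG_ENFORCE)
    lock = _read(root, LOCKDOWN)
    mdis = _read(root, MODULES_DISABLED)
    taint = _read(root, TAINTED)
    mode = re.search(rb"\[(\w+)\]", lock) if lock else None  # bracketed entry = active mode
    return {
        "secure_boot": sb[4] == 1 if sb is not None and len(sb) >= 5 else None,
        "module_sig_enforce": sig.strip() == b"Y" if sig is not None else None,
        "lockdown_integrity_or_higher": (mode.group(1) in (b"integrity", b"confidentiality")) if mode else None,
        "modules_disabled": mdis.strip() == b"1" if mdis is not None else None,
        "unsigned_module_loaded": bool(int(taint.strip()) & TAINT_UNSIGNED_MODULE) if taint is not None else None,
    }


def rejects_unsigned_modules(status: dict[str, bool | None]) -> bool:
    """Any one of these blocks an unsigned module.  Secure Boot is deliberately
    not in the list: it verifies the boot chain and only enables the others
    indirectly, through the distribution's shim and kernel defaults."""
    return any(status[k] for k in ("module_sig_enforce", "lockdown_integrity_or_higher", "modules_disabled"))


def write_fixture(root: Path, *, secure_boot: bool, sig_enforce: str, lockdown: str,
                  modules_disabled: str, tainted: int) -> None:
    """Constructed sysfs/procfs tree for the demo (not captured from a real host)."""
    files = {
        SECUREBOOT_VAR: b"\x06\x00\x00\x00" + bytes([1 if secure_boot else 0]),
        SIG_ENFORCE: sig_enforce.encode() + b"\n",
        LOCKDOWN: lockdown.encode() + b"\n",
        MODULES_DISABLED: modules_disabled.encode() + b"\n",
        TAINTED: f"{tainted}\n".encode(),
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)


def demo() -> dict[str, dict[str, bool | None]]:
    """Two constructed hosts: 'hardened' enforces signatures; 'weak' has Secure
    Boot on but a self-built kernel without CONFIG_MODULE_SIG_FORCE or EFI
    lockdown, and an unsigned out-of-tree module already loaded."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        write_fixture(root, secure_boot=True, sig_enforce="Y",
                      lockdown="none [integrity] confidentiality", modules_disabled="0", tainted=0)
        results["hardened"] = assess(root)
        write_fixture(root, secure_boot=True, sig_enforce="N",
                      lockdown="[none] integrity confidentiality", modules_disabled="0",
                      tainted=TAINT_OOT_MODULE | TAINT_UNSIGNED_MODULE)
        results["weak"] = assess(root)
    return results


if __name__ == "__main__":
    for host, status in demo().items():
        verdict = "rejects" if rejects_unsigned_modules(status) else "ACCEPTS"
        print(f"{host}: {verdict} unsigned modules; {status}")
```

On a live system call assess() with the default root of /; reading the efivars entry may require root. Treat secure_boot=True together with module_sig_enforce=False and lockdown below integrity as a finding in itself: the boot chain is verified, but the running kernel will still accept a malicious module, and an already-set 'E' taint bit means one has been loaded since boot.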

References: