TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Huntress

The Evolving Linux Threat Landscape

2026-03-03

ATT&CK techniques detected

9 predictions

T1486 Data Encrypted for Impact (97%)
“this year, which may open the floodgates to more zero-day vulnerabilities and, more importantly, faster weaponization. An example in 2025 was CVE-2025-37899 in the Linux kernel, discovered by a researcher using OpenAI’s o3 model. If the good guys are doing this, you know …”

T1195.001 Compromise Software Dependencies and Development Tools (95%)
“rules, effectively creating a "tunnel" through which unapproved code can run on a Windows host. Targeting endpoints in the software supply chain. Adversaries are increasingly targeting developer systems, which have become high-value endpoints for several reasons. Many develope…”

T1486 Data Encrypted for Impact (89%)
“need to bolster hypervisor protections. - Akira and Qilin: two types of ransomware Huntress sees pretty often. Both Akira v2 ransomware and Qilin have been designed to abuse VMware ESXi. There are reports that Qilin has added support for WSL abuse, too. - Gunra ransomware: a ne…”

T1486 Data Encrypted for Impact (83%)
“…points are usually running 24/7 on high-performance servers or cloud instances, making them ideal for cryptominer attacks. Linux endpoint targeted with a React2Shell exploit. Multi-OS and cross-OS attacks. Adversaries are increasingly using multi-operating system attack…”

T1588.001 Malware (65%)
“need to bolster hypervisor protections. - Akira and Qilin: two types of ransomware Huntress sees pretty often. Both Akira v2 ransomware and Qilin have been designed to abuse VMware ESXi. There are reports that Qilin has added support for WSL abuse, too. - Gunra ransomware: a ne…”

T1486 Data Encrypted for Impact (51%)
“ransomware, etc. So the threat gap between what we’ve seen happen on Windows happening on other OSs like macOS and Linux is narrowing. Ransomware is one example. It’s rare on Linux endpoints, but as threat actors evolve, we expect Linux ransomware to become more common, closi…”

T1190 Exploit Public-Facing Application (49%)
“ransomware, etc. So the threat gap between what we’ve seen happen on Windows happening on other OSs like macOS and Linux is narrowing. Ransomware is one example. It’s rare on Linux endpoints, but as threat actors evolve, we expect Linux ransomware to become more common, closi…”

T1195.001 Compromise Software Dependencies and Development Tools (31%)
“based network devices were compromised in order to obscure malicious activity within the IP space allocated to residential internet users. - Lazarus Group: a North Korean nation-state threat actor that’s been using the compromised package approach to target developers associ…”

T1588.002 Tool (31%)
“based network devices were compromised in order to obscure malicious activity within the IP space allocated to residential internet users. - Lazarus Group: a North Korean nation-state threat actor that’s been using the compromised package approach to target developers associ…”

Summary

Learn about the narrowing threat gap, the rise of cross-platform attacks (like WSL abuse), and the specific ransomware and nation-state actors targeting Linux endpoints in 2026.