Details of a new Linux rootkit turned up on SecLists.Org's Full Disclosure Mailing List last week: "linux rootkit in combination with nginx".

CrowdStrike has excellent analysis of it here: "HTTP iframe Injecting Linux Rootkit".

CrowdStrike's key findings:

• The rootkit is generally crime related rather than a specialized targeted attack. It drives traffic to exploit kits.
• It appears to be new rather than a modified version of known rootkits.
• It is probably Russian in origin.

Our analysts are investigating the sample now.