Attackers have exploited a remote code execution vulnerability (CVE-2025-20352) in Cisco networking devices to deploy rootkits that target unprotected Linux systems. In the campaign, tracked as 'Operation Zero Disco', the compromised Cisco devices were used to manipulate logs and network configurations; because the targeting is persistent, even newer switches face significant risk. No reliable tool currently detects these compromises, so a suspected breach calls for a low-level investigation of the device.
The UNC2891 hacking group, also known as LightBasin, used a 4G-equipped Raspberry Pi to infiltrate a bank's network with the aim of committing ATM fraud. Although its attempt to deploy a sophisticated rootkit named Caketap was thwarted, the attack showcased advanced techniques for maintaining stealth and for lateral movement within the bank's systems.