Ghost in the machine! Operation Zero Disco hijacks Cisco switches via a critical SNMP flaw, installing an undetectable rootkit for total, persistent control. Patch now

Continue reading
In one of the most significant cybersecurity disclosures of the year, Trend Micro has detailed "Operation Zero Disco," a highly sophisticated attack campaign leveraging a critical vulnerability in Cisco switches. The threat actors use a flaw in the Simple Network Management Protocol (SNMP) to install a stealthy Linux rootkit, granting them permanent, hidden control over the network infrastructure. This represents a fundamental shift in attacker methodology, moving from servers and workstations to the very backbone of the network itself.
The entire attack chain begins with a single point of failure: CVE-2025-20352.
This is a critical-rated vulnerability (CVSS score likely 9.8+) within the SNMP subsystem of specific Cisco IOS XE and IOS Software. SNMP, or Simple Network Management Protocol, is a ubiquitous service used for monitoring and managing network devices. The flaw allows an unauthenticated, remote attacker to execute arbitrary code with the highest level of privileges (root) by sending a specially crafted SNMP packet to a vulnerable device.
The most alarming aspect is that the exploitation requires no user interaction and leaves no immediate forensic trace, making the initial breach virtually silent.
The campaign has shown a deliberate focus on essential Cisco switching hardware, including:
These devices are not obscure; they are the foundational plumbing of enterprise networks worldwide, handling data for corporations, governments, and critical infrastructure. The attackers are strategically targeting older, unpatched, or internet-facing instances of this equipment.
Operation Zero Disco is not a simple smash-and-grab; it is a methodical, multi-stage operation designed for maximum stealth and persistence.
The attack initiates with broad scanning to identify vulnerable devices. Once a target is located, the attacker deploys the exploit for CVE-2025-20352. This malicious SNMP packet triggers the vulnerability, allowing the attacker to break out of the protocol's intended constraints and execute their own commands on the underlying operating system with root-level authority.
With a foothold established, the attacker installs their namesake payload: a custom Linux rootkit. This is where the operation's true sophistication is revealed. Unlike traditional malware that writes files to a disk, this rootkit is largely fileless. It operates by injecting malicious code directly into the memory of the key IOSd process—the core software that runs the switch's operating system.
Key capabilities of the rootkit include:
To maintain remote control, the rootkit establishes a covert communication channel. A separate UDP-based backdoor component listens for encrypted commands from the attacker's command-and-control (C2) server.
This backdoor controller grants the attacker god-like control over the device, enabling them to:
With full, invisible control over a network switch, the attacker gains a strategic vantage point. They can now:
Given the severity and stealth of this threat, a layered and immediate defensive strategy is non-negotiable.
The single most effective action is to apply the official patch. Organizations must immediately upgrade their Cisco switches to a fixed software release. The Cisco Software Checker should be used to identify the correct version for specific hardware models.
If patching cannot be performed instantly, a temporary mitigation is available. Administrators can disable the specific vulnerable Object ID (OID) using the SNMP view configuration:
`snmp-server view NO-DISCO iso excluded` `snmp-server community public view NO-DISCO RO`
Important Note: This is a temporary workaround, not a permanent solution. Patching remains critical.
Beyond immediate mitigation, organizations must reinforce their security posture:
It demonstrates that advanced threat actors are now systematically targeting the network infrastructure itself with tools designed to be invisible to conventional security controls.
The combination of a potent, remotely exploitable flaw and an advanced, persistent rootkit creates a perfect storm for enterprise security. This campaign serves as a stark reminder that network devices are not just plumbing—they are critical security endpoints that require the same level of scrutiny, patching, and monitoring as any server or desktop.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.