Leaked North Korean Linux Stealth Rootkit Analysis

2025-08-14 Sandfly Security

https://sandflysecurity.com/blog/leaked-north-korean-linux-stealth-rootkit-analysis


Sandfly analyzes a leaked Linux loadable kernel module rootkit from a suspected North Korean hacking-group data dump, noting that the broader Phrack material includes activity against South Korea and Taiwan with some overlap with Kimsuky tactics. The 2025 rootkit uses khook-style kernel hooking to hide its module, processes, backdoor traffic, and persistence files, and it accepts a magic packet on any port to activate encrypted backdoor communications. The backdoor can spawn shells, upload and download files, run proxy functions, and chain hosts for lateral movement; its persistence artifacts include /usr/lib64/tracker-fs, /usr/include/tracker-fs/tracker-efs, and tracker-fs init or rc scripts. The report provides practical detection guidance around hidden files, unsigned or tainted kernel modules, suspicious systemd services, and direct file checks, making it useful for responders investigating stealthy Linux compromise tied to the leaked DPRK-related tooling.
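The detection guidance summarized above (direct file checks for the named persistence paths, kernel taint flags, and listing-versus-stat comparisons for hidden files) can be turned into a small read-only triage script. The script below is an added example, not Sandfly's tooling and not code from the leaked dump; the two exact artifact paths come from the report, while the init/rc/systemd directories it searches for a "tracker-fs" script are assumed locations, and the taint bit meanings are the documented Linux kernel taint flags (bit 12 = out-of-tree module, bit 13 = unsigned module).

```shell
#!/bin/sh
# Added example (not Sandfly's tooling): read-only triage for the tracker-fs
# persistence artifacts and kernel-module tells described in the report.

# Persistence paths named in the report, relative to ROOT.
ARTIFACT_PATHS="usr/lib64/tracker-fs usr/include/tracker-fs/tracker-efs"

# Directories where a "tracker-fs" init, rc or unit file would plausibly live.
# Assumed locations: the report names the script family, not full paths.
SCRIPT_DIRS="etc/init.d etc/rc.d etc/systemd/system usr/lib/systemd/system lib/systemd/system"

# count_artifacts ROOT: print the number of report-named artifacts found under ROOT.
# Uses direct path checks (test -e) rather than a directory listing, so a hooked
# readdir() cannot hide them; each hit is reported on stderr.
count_artifacts() {
    root=${1:-/}
    n=0
    for p in $ARTIFACT_PATHS; do
        if [ -e "$root/$p" ]; then
            echo "ARTIFACT: $root/$p" >&2
            n=$((n + 1))
        fi
    done
    for d in $SCRIPT_DIRS; do
        [ -d "$root/$d" ] || continue
        for f in "$root/$d"/*tracker-fs*; do
            [ -e "$f" ] || continue   # glob matched nothing
            echo "SCRIPT: $f" >&2
            n=$((n + 1))
        done
    done
    echo "$n"
}

# taint_flags VALUE: decode the module-related bits of /proc/sys/kernel/tainted.
# Bit 12 (4096) = out-of-tree module (O), bit 13 (8192) = unsigned module (E).
# Prints the letters that are set, e.g. "OE", or "-" when neither is set.
taint_flags() {
    v=${1:-0}
    out=""
    [ $(( (v / 4096) % 2 )) -eq 1 ] && out="${out}O"
    [ $(( (v / 8192) % 2 )) -eq 1 ] && out="${out}E"
    [ -n "$out" ] && echo "$out" || echo "-"
}

# listing_hides DIR NAME: print "yes" if DIR/NAME exists by direct stat but is
# absent from the directory listing (the classic readdir-hook symptom), else "no".
listing_hides() {
    if [ -e "$1/$2" ] && ! ls -A "$1" | grep -qx -- "$2"; then
        echo yes
    else
        echo no
    fi
}

# run_triage ROOT: run all three checks against a live (or mounted) root.
run_triage() {
    root=$1
    echo "== tracker-fs persistence artifacts under $root =="
    echo "found: $(count_artifacts "$root")"
    echo "== kernel taint =="
    t=$(cat "$root/proc/sys/kernel/tainted" 2>/dev/null || echo 0)
    echo "tainted=$t module flags=$(taint_flags "$t")"
    echo "== hidden-entry check on $root/usr/lib64 =="
    echo "tracker-fs hidden from listing: $(listing_hides "$root/usr/lib64" tracker-fs)"
}

# Run the live checks only when a root is given, e.g.:  sh tracker_fs_triage.sh /
if [ "${1:-}" != "" ]; then
    run_triage "$1"
fi
```

A kernel-hooked stat() can still lie to `test -e`, so a "0 artifacts" result is not proof of absence; the report's advice to compare these results against an out-of-band view (an offline mount of the disk, or a forensic image) remains the stronger check.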
