Singularity Linux Kernel Rootkit with New Feature Prevents Detection


Singularity, a sophisticated Linux kernel rootkit designed for Linux kernel versions 6.x, has gained significant attention from the cybersecurity community for its advanced stealth mechanisms and powerful capabilities.

This kernel module represents a concerning evolution in rootkit technology, offering multiple attack vectors and comprehensive evasion techniques that challenge current detection systems.

The rootkit operates at the kernel level using Linux Kernel Module (LKM) architecture, making it exceptionally difficult to detect and remove.

Created by security researcher MatheuZSecurity, Singularity leverages ftrace infrastructure to hook system calls, effectively giving attackers complete control over Linux systems while remaining invisible to security tools and administrators.

Singularity combines process hiding, file concealment, and network stealth into a single unified platform. The malware can hide any running process, remove files from directory listings, mask network connections, and instantly escalate privileges to root.

Its kernel-level operation enables real-time log filtering, preventing traces of its presence from appearing in system journals or kernel debugging output.


GitHub analysts and researchers noted that Singularity introduces several unprecedented features specifically designed to bypass enterprise security tools, including endpoint detection and response (EDR) solutions.

The rootkit includes mechanisms to block eBPF-based security monitoring, disable io_uring protections, and prevent legitimate kernel module loading, creating multiple barriers to detection.

Offers sophisticated capabilities

The malware provides remote access via an ICMP-triggered reverse shell. Attackers can send specially crafted ICMP packets containing a magic sequence to establish hidden command and control connections that remain entirely invisible to network monitoring tools such as netstat, tcpdump, and packet analyzers.

All child processes spawned through this channel automatically inherit the hiding properties.

Singularity’s detection evasion goes beyond simple hiding. The rootkit actively intercepts and filters attempts to disable ftrace, essentially neutralizing one of Linux’s primary monitoring frameworks.

It monitors more than 15 sensitive syscalls related to file I/O, including write, splice, sendfile, and copy_file_range.

Any process attempting to access these functions receives immediate feedback indicating success, while the rootkit silently prevents actual execution.

Receive root shell (Source - GitHub)

The kernel taint mechanism, which marks suspicious kernel behavior, is continuously normalized by Singularity’s tainted_mask clearing thread. This prevents forensic analysts from detecting unauthorized kernel modifications.

Combined with aggressive log sanitization that filters keywords like taint, journal, and kallsyms_lookup_name, Singularity leaves almost no forensic evidence of its operation on compromised systems.

Testing reveals the rootkit successfully bypasses standard detection tools, including unhide, chkrootkit, and rkhunter.
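The three evasion mechanisms described above (ftrace callbacks on syscall entry points, the continuously cleared taint mask, and process hiding from /proc listings) each leave a consistency gap that can be tested from user space. The script below is an added example written for this page, not code from the Singularity project or its author. It reads only the standard procfs and tracefs files named in the comments, the sample /proc/modules and enabled_functions contents are constructed, and each heuristic assumes the rootkit has not also filtered the specific file it reads.

```python
"""Host consistency checks against taint clearing, ftrace syscall hooks and
process hiding. Added example; paths are the stock procfs/tracefs locations."""
import os
import re
from typing import Callable, Dict, Iterable, List, Optional, Set

# Kernel taint bits as documented in Documentation/admin-guide/tainted-kernels.rst
TAINT_BITS = {
    0: "P", 1: "F", 2: "S", 3: "R", 4: "M", 5: "B", 6: "U", 7: "D", 8: "A",
    9: "W", 10: "C", 11: "I", 12: "O", 13: "E", 14: "L", 15: "K", 16: "X",
    17: "T", 18: "N",
}

# /proc/modules line: name size refcount deps state address [(taint flags)]
_MOD_LINE = re.compile(r"^(\S+)\s.*?0x[0-9a-fA-F]+\s*(?:\(([A-Z+-]+)\))?\s*$")

# Syscall entry stubs on x86-64 and ia32; a callback attached here outside an
# active tracing session is the ftrace hooking pattern the article describes.
_SYSCALL_STUB = re.compile(r"^(__x64_sys_|__ia32_sys_|__se_sys_|__do_sys_)")

# Constructed sample inputs (not captured from a real host): an out-of-tree,
# unsigned module shows (OE) flags while the global taint mask reads 0.
SAMPLE_MODULES = """\
vboxdrv 655360 0 - Live 0xffffffffc0a00000 (OE)
xt_conntrack 16384 1 - Live 0xffffffffc0900000
nf_conntrack 180224 1 xt_conntrack, Live 0xffffffffc0800000
"""
SAMPLE_TAINT = 0
SAMPLE_ENABLED_FUNCTIONS = """\
__x64_sys_write (1) R  tramp: 0xffffffffc0b00000
__x64_sys_splice (1) R  tramp: 0xffffffffc0b00000
vfs_read (1) R  tramp: 0xffffffffc0b00000
"""


def decode_taint(mask: int) -> Set[str]:
    """Translate the integer in /proc/sys/kernel/tainted into letter flags."""
    return {letter for bit, letter in TAINT_BITS.items() if mask >> bit & 1}


def module_taint_flags(proc_modules: str) -> Dict[str, Set[str]]:
    """Per-module taint flags from /proc/modules ('+'/'-' mark load/unload state)."""
    flags = {}
    for line in proc_modules.splitlines():
        m = _MOD_LINE.match(line)
        if m:
            flags[m.group(1)] = set(m.group(2) or "") - {"+", "-"}
    return flags


def taint_inconsistencies(global_mask: int, proc_modules: str) -> List[str]:
    """Module taint is applied through add_taint_module(), which sets the global
    mask as well, so a per-module flag absent from the global mask means the
    global value was cleared after the module loaded."""
    global_flags = decode_taint(global_mask)
    findings = []
    for name, flags in module_taint_flags(proc_modules).items():
        missing = flags - global_flags
        if missing:
            findings.append(f"{name}: module carries {''.join(sorted(missing))} "
                            "but global taint lacks it")
    return findings


def ftrace_hooked_syscalls(enabled_functions: str) -> List[str]:
    """Syscall stubs listed in tracefs enabled_functions, i.e. with a callback attached."""
    names = [line.split()[0] for line in enabled_functions.splitlines()
             if line.strip() and not line.startswith("#")]
    return [n for n in names if _SYSCALL_STUB.match(n)]


def cross_view_pids(listed: Iterable[int], probe: Callable[[int], bool],
                    pid_max: int) -> Set[int]:
    """PIDs that answer a direct probe but are missing from the /proc listing."""
    listed = set(listed)
    return {pid for pid in range(1, pid_max + 1) if pid not in listed and probe(pid)}


def _read(path: str) -> Optional[str]:
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


def _pid_exists(pid: int) -> bool:
    """kill(pid, 0) delivers no signal; EPERM still proves the PID is alive."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    tainted, modules = _read("/proc/sys/kernel/tainted"), _read("/proc/modules")
    if tainted is not None and modules is not None:
        for finding in taint_inconsistencies(int(tainted), modules):
            print("TAINT:", finding)
    funcs = (_read("/sys/kernel/tracing/enabled_functions")
             or _read("/sys/kernel/debug/tracing/enabled_functions"))
    if funcs is not None:
        for name in ftrace_hooked_syscalls(funcs):
            print("FTRACE:", name, "has a callback attached")
    pid_max = int(_read("/proc/sys/kernel/pid_max") or 32768)
    listed = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    for pid in sorted(cross_view_pids(listed, _pid_exists, pid_max)):
        print("HIDDEN PID:", pid)
```

Run it as root so tracefs is readable. A PID that starts between the listing and the probe shows up as a false positive, so re-run and keep only PIDs that persist. Since the article reports that unhide, chkrootkit and rkhunter are all bypassed, a clean result from a live host proves nothing; treat any finding as a trigger for offline analysis (memory image, disk mounted from a trusted boot) rather than as the whole investigation.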

Its compatibility across multiple architectures (x64 and ia32) and support for various kernel versions make it a flexible threat across diverse Linux deployments.

Security teams should consider these findings critical when evaluating their Linux security posture.
