Linux rootkits have historically received less attention than their Windows counterparts, but the rapid adoption of Linux in cloud infrastructure, containers, and IoT devices has shifted the threat landscape.
Attackers are constantly innovating, and over the past two decades, Linux rootkits have evolved significantly.
While early threats relied on easily detectable userland shared object injections or Loadable Kernel Modules (LKMs), modern threat actors have found new ways to hide in plain sight.
Security researchers from Elastic have documented how the latest generation of Linux rootkits exploits legitimate, advanced kernel interfaces, specifically eBPF and io_uring.
To achieve unprecedented levels of stealth, persistence, and evasion against modern Endpoint Detection and Response (EDR) systems.
This evolution is a direct response to improved defensive measures. As enterprise environments increasingly deploy Secure Boot, module signing, and strict kernel lockdown policies, traditional kernel-space rootkits are frequently blocked or quickly discovered by standard security auditing tools.
To bypass these roadblocks, attackers have shifted their focus to built-in kernel features that are designed for performance and tracing, turning them into powerful weapons for subverting the operating system.
The Shift to eBPF for Undetectable Execution
The extended Berkeley Packet Filter (eBPF) was originally created for safe packet filtering and kernel tracing. Since Linux kernel version 4.8, it has grown into a highly programmable in-kernel virtual machine.
eBPF allows developers to safely execute bytecode within the kernel without needing to load custom modules or modify the kernel source code.
Unfortunately, malicious actors have realized that eBPF can also be used to attach hidden code to system call hooks, tracepoints, or Linux Security Module (LSM) events.
Because eBPF rootkits do not load traditional kernel modules, they are effectively invisible to standard LKM scanners like rkhunter or chkrootkit.
Furthermore, they seamlessly bypass Secure Boot restrictions since they do not require out-of-tree module loading.
Prominent examples of this technique include proof-of-concept tools like TripleCross, which injects eBPF programs to hook system calls such as execve, and Boopkit, which implements a covert command-and-control channel entirely through eBPF.
Here is a simplified example of how an attacker might use eBPF to hook a system call:
c// Attach this eBPF program to the tracepoint for sys_enter_execve
SEC("tp/syscalls/sys_enter_execve")
int tp_sys_enter_execve(struct sys_execve_enter_ctx *ctx) {
// Get the current process's PID and TID
__u64 pid_tgid = bpf_get_current_pid_tgid();
// Delegate handling logic to a malicious helper function
return handle_tp_sys_enter_execve(ctx, pid_tgid);
}
These programs run with high privileges and can manipulate process execution, hide files, and filter network traffic without leaving obvious footprints on the system.
Exploiting io_uring for Evasion
While eBPF is used for direct hooking, attackers are also leveraging io_uring to evade detection.
Introduced in Linux 5.1, io_uring is a high-performance asynchronous I/O interface that allows applications to batch multiple system operations through shared memory rings.
This was designed to dramatically reduce the performance overhead of system calls. However, threat actors have discovered that this batching capability is perfect for evasion.
By using the io_uring_enter function to process multiple file, network, and memory operations at once, a rootkit generates far fewer observable system call events.
Traditional EDR solutions and monitoring tools that rely on intercepting individual system calls are often blinded by this approach.
Experimental rootkits, such as RingReaper, demonstrate how attackers can use io_uring to stealthily replace common system calls like read, write, and connect.
This technique fundamentally changes the visibility surface for defenders. Because the malicious process submits a massive queue of operations directly into the kernel, the typical telemetry noise is practically silenced.
As Linux continues to dominate modern enterprise and cloud architecture, these highly advanced, living-off-the-land techniques highlight an urgent need for security teams to develop new low-level monitoring strategies.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
