New Linux EDR Evasion Tool Exploits io_uring Kernel Feature

A new tool named RingReaper is raising eyebrows among defenders and red teamers alike.

By leveraging the legitimate, high-performance Linux kernel feature known as io_uring, RingReaper demonstrates how advanced attackers can sidestep even modern Endpoint Detection and Response (EDR) systems.

The Rise of io_uring in Offensive Security

Introduced in Linux kernel 5.1, io_uring was designed to provide high-throughput, asynchronous I/O operations.

Instead of the traditional model—where each file or network operation triggers a separate, easily monitored syscall—io_uring enables a process to submit multiple I/O requests to a shared queue.

The kernel processes these requests as resources allow, returning results through a separate completion queue. This design eliminates the repetitive, blocking syscalls that most EDRs are built to monitor.

Key advantages of io_uring for attackers:

  • Multiple operations (open, read, write, send, connect) are handled in batches.
  • Fewer individual syscalls are visible to EDRs.
  • Asynchronous operations reduce the “noise” typically generated by malware.

RingReaper is a backdoor agent that, although it does not yet implement persistence, is designed for stealth and flexibility.

It connects to an attacker-controlled server (C2), accepting commands and performing a range of post-exploitation tasks—all while evading traditional monitoring.

Core features include:

  • Network communication via io_uring_prep_send and io_uring_prep_recv
  • File operations using io_uring_prep_openat and io_uring_prep_read
  • File upload/download without explicit read/write syscalls
  • Remote command execution: listing users, processes, and connections
  • Self-deletion using io_uring_prep_unlinkat

The agent’s C2 server, written in Python, allows operators to interactively send commands and receive responses, including file transfers.

How EDRs Are Bypassed

Traditional Linux EDR tools monitor syscalls like open, connect, read, and write—often using hooks or eBPF probes.

RingReaper sidesteps these by funneling all I/O through io_uring, which batches operations and exposes only minimal syscall activity (primarily io_uring_enter).

This drastically reduces the number of events visible to EDRs, making detection much harder.

Why this works:

  • Most EDRs do not yet deeply monitor io_uring-related syscalls.
  • Malicious traffic can be disguised as legitimate, especially over standard ports like 443.

While RingReaper currently enjoys a high degree of stealth, defenders are not powerless.

In theory, EDRs could hook io_uring_enter or use eBPF to trace io_uring operations, but few commercial products do so today.

As advanced attackers adopt these techniques, defenders must adapt—by updating detection logic and gaining familiarity with io_uring’s internals.
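One way to start on that detection logic, as an added example that is not part of the article or of any EDR product: given syscall-level records (here, constructed auditd-style SYSCALL lines with trimmed fields), tally per process how many io_uring syscalls versus classic open/read/write/connect/send/recv syscalls were seen, and flag processes whose observable I/O is io_uring-only. The syscall numbers are the real x86_64 ones; the process names and allowlist are assumptions for this host.

```python
"""Flag processes whose observable syscall footprint is io_uring-only: such a
process shows a syscall-level sensor little beyond io_uring_setup/io_uring_enter,
with none of the open/read/write/connect/send/recv calls ordinary programs make."""
import re
from collections import defaultdict

# x86_64 syscall numbers from the kernel syscall table.
IO_URING = {425, 426, 427}            # io_uring_setup, io_uring_enter, io_uring_register
CLASSIC_IO = {0, 1, 42, 44, 45, 257}  # read, write, connect, sendto, recvfrom, openat
# Hypothetical per-host allowlist of programs known to use io_uring legitimately.
KNOWN_IO_URING_USERS = frozenset({"postgres", "nginx"})
_FIELDS = re.compile(r'syscall=(\d+).*?\bpid=(\d+).*?comm="([^"]*)"')

# Constructed auditd-style SYSCALL records (fields trimmed for readability).
SAMPLE_AUDIT_LINES = """\
type=SYSCALL msg=audit(1700000000.001:1): syscall=425 success=yes exit=5 pid=4242 comm="agent"
type=SYSCALL msg=audit(1700000000.002:2): syscall=426 success=yes exit=2 pid=4242 comm="agent"
type=SYSCALL msg=audit(1700000000.003:3): syscall=426 success=yes exit=1 pid=4242 comm="agent"
type=SYSCALL msg=audit(1700000000.004:4): syscall=426 success=yes exit=8 pid=1001 comm="postgres"
type=SYSCALL msg=audit(1700000000.005:5): syscall=1 success=yes exit=64 pid=1001 comm="postgres"
type=SYSCALL msg=audit(1700000000.006:6): syscall=42 success=yes exit=0 pid=2002 comm="curl"
type=SYSCALL msg=audit(1700000000.007:7): syscall=44 success=yes exit=77 pid=2002 comm="curl"
""".splitlines()


def tally(lines):
    """Per-pid counts: {pid: {"comm": str, "io_uring": int, "classic": int}}."""
    stats = defaultdict(lambda: {"comm": "", "io_uring": 0, "classic": 0})
    for line in lines:
        m = _FIELDS.search(line)
        if not m:
            continue  # not a SYSCALL record in the shape we parse
        nr, pid, comm = int(m.group(1)), int(m.group(2)), m.group(3)
        stats[pid]["comm"] = comm
        if nr in IO_URING:
            stats[pid]["io_uring"] += 1
        elif nr in CLASSIC_IO:
            stats[pid]["classic"] += 1
    return dict(stats)


def find_io_uring_only(lines, allowlist=KNOWN_IO_URING_USERS):
    """Processes that used io_uring but never issued a classic I/O syscall."""
    return {pid: (s["comm"], s["io_uring"]) for pid, s in tally(lines).items()
            if s["io_uring"] and not s["classic"] and s["comm"] not in allowlist}

if __name__ == "__main__":
    for pid, (comm, n) in find_io_uring_only(SAMPLE_AUDIT_LINES).items():
        print(f"pid {pid} ({comm}): {n} io_uring syscall(s), no classic I/O seen")
```

On the sample, only pid 4242 is flagged: postgres mixes io_uring with a classic write and is allowlisted, and curl never touches io_uring.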
