Singularity, a stealth-focused Linux Kernel Module (LKM) rootkit targeting modern 6.x kernels, has added a powerful log-evasion capability that prevents its detection through traditional kernel logging interfaces such as klogctl.
Designed as a “final boss” rootkit for defenders, Singularity combines deep kernel hooking, advanced log sanitization, and EDR evasion techniques to stay invisible on compromised systems.
Developed for contemporary distributions running kernels like 6.8.0-79-generic and 6.12, Singularity operates entirely in kernel space using ftrace-based syscall and function hooking.
Once loaded, the module hides itself, cannot be unloaded without a reboot, and aggressively neutralizes common incident response and detection workflows.
Its author’s tagline – “Shall we give forensics a little work?” – reflects the project’s clear goal: to raise the bar for DFIR and threat hunting on Linux.
The latest enhancement focuses on preventing detection via kernel log inspection tools that rely on klogctl and /proc/kmsg.
Singularity performs real-time filtering of sensitive strings and indicators from multiple log sources, including /proc/kmsg, /var/log/kern.log, syslog, auth.log, /proc/kallsyms, /proc/vmallocinfo, and kernel tracing paths such as /sys/kernel/debug/tracing/*.
Any references to rootkit-related identifiers like “singularity”, “Singularity”, “matheuz”, “zer0t”, “obliviate”, “kallsyms_lookup_name”, or “taint” are stripped before they reach user space, effectively blinding analysts who depend on dmesg, journalctl, or tools built on klogctl to spot malicious kernel activity.
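As an added defender-side illustration (not code from the Singularity project or from this article), the following canary check targets the filtering described above: it writes lines containing the reported filtered identifiers to the kernel log and verifies they come back through dmesg, and it checks that /proc/kallsyms still lists kallsyms_lookup_name, a symbol a normal kernel with CONFIG_KALLSYMS always exposes there. The /dev/kmsg write path, the dmesg read-back and all helper names are assumptions.

```python
#!/usr/bin/env python3
"""Canary check for kernel-log and kallsyms string filtering.

Assumption: on an unfiltered kernel, a line written to /dev/kmsg is readable
back via `dmesg`, and /proc/kallsyms lists kallsyms_lookup_name.  A filter that
strips these substrings on the read side makes the canaries vanish."""
import os
import subprocess
import uuid

# Identifiers the article reports being stripped from kernel log output.
FILTERED_TOKENS = ["singularity", "matheuz", "zer0t", "obliviate",
                   "kallsyms_lookup_name", "taint"]


def build_canaries(token_list, nonce):
    """One unique canary line per token, so a missing line names the token."""
    return {tok: f"canary-{nonce}-{tok}" for tok in token_list}


def suppressed_canaries(canaries, observed_lines):
    """Return (sorted) tokens whose canary line is absent from observed_lines."""
    joined = "\n".join(observed_lines)
    return sorted(tok for tok, line in canaries.items() if line not in joined)


def kallsyms_missing(kallsyms_lines):
    """True if the always-present kallsyms_lookup_name symbol is not listed."""
    return not any(l.rstrip().endswith(" kallsyms_lookup_name")
                   for l in kallsyms_lines)


def main():
    if os.geteuid() != 0:
        raise SystemExit("run as root: writing /dev/kmsg requires privileges")
    canaries = build_canaries(FILTERED_TOKENS, uuid.uuid4().hex[:8])
    with open("/dev/kmsg", "w") as kmsg:          # assumed write path
        for line in canaries.values():
            kmsg.write(line + "\n")
    dmesg = subprocess.run(["dmesg"], capture_output=True, text=True, check=True)
    gone = suppressed_canaries(canaries, dmesg.stdout.splitlines())
    with open("/proc/kallsyms") as f:
        ks_gone = kallsyms_missing(f)
    for tok in gone:
        print(f"SUSPICIOUS: canary containing '{tok}' never reached dmesg")
    if ks_gone:
        print("SUSPICIOUS: kallsyms_lookup_name absent from /proc/kallsyms")
    if not gone and not ks_gone:
        print("no read-side filtering of the tested identifiers observed")


if __name__ == "__main__":
    main()
```

A missing canary proves only that something sits between the ring buffer and the reader; confirm with an offline image or a trusted boot medium before drawing conclusions.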
This log sanitization is only one component of Singularity’s broader stealth arsenal. The rootkit supports complete process hiding from /proc, ps, top, htop, and other monitoring tools, automatically tracking and concealing child processes via the sched_process_fork tracepoint.
It also hides files and directories based on configurable patterns, blocks chdir into hidden paths, and conceals TCP and UDP connections and ports from ss, netstat, lsof, and /proc/net/*.
Network traffic on a chosen port is filtered at the raw socket layer, and an ICMP-triggered reverse shell provides a fully hidden remote root session.
mkdir singularity
echo "secret" > singularity/data.txt
Privilege escalation is built in. Attackers can gain root either by setting a special environment variable (for example, launching a shell with MAGIC=mtz) or by sending a specific signal (such as kill -59 $$); either method elevates the caller to UID 0 and, when configured, hides the process.
These mechanisms are customizable: operators can change the “magic” word, ICMP sequence, hidden port, patterns, process names, and thread names to evade signature-based detection and threat intelligence fingerprints.
To counter modern telemetry and EDR tooling, Singularity aggressively interferes with observability mechanisms.
It intercepts and blocks eBPF-related syscalls, preventing the loading of tracing, kprobe, and LSM programs, and obstructs operations such as BPF_PROG_LOAD, BPF_ITER_CREATE, BPF_PROG_GET_NEXT_ID, and BPF_RAW_TRACEPOINT_OPEN.
It also protects ftrace control by transparently blocking attempts to disable tracing or modify ftrace_enabled, and includes specific handling for io_uring-based attempts to bypass these protections.
Security tools such as Tracee, bpftrace, bpftool, and io_uring-based monitors are explicitly targeted.
In practice, this enables Singularity to bypass a wide spectrum of traditional and modern detection tools, including unhide, chkrootkit, rkhunter, process and filesystem monitors, packet analyzers like tcpdump and Wireshark, module inspection tools (lsmod, /proc/modules, /sys/module), and several Linux EDR solutions documented in public case studies.
Mitigations
One published example demonstrates how Singularity can be used to bypass Elastic’s EDR capabilities by combining process hiding, log sanitization, and telemetry disruption.
Despite its depth, the author notes that Singularity is not perfectly undetectable and hints that determined forensic analysts can still find traces under certain conditions.
Nonetheless, by preventing visibility through klogctl and related log channels, aggressively filtering audit and kernel messages, and disabling popular observability paths, the rootkit significantly complicates detection efforts.
For defenders, Singularity serves as a stark reminder that Linux kernel–level threats are rapidly evolving, and that relying solely on user-space logs, standard tools, or unprotected eBPF/ftrace-based detection is no longer sufficient.