New Linux Rootkit Exploits io_uring, Evades Detection
ARMO’s Curing rootkit uses io_uring to bypass system call monitoring—Falco, Tetragon, and even Microsoft Defender can’t see it.
#CyberAlerts #Linux #CyberSecurity
Attackers can run commands without triggering system calls.
https://thehackernews.com/2025/04/linux-iouring-poc-rootkit-bypasses.html
Anonymous 🐈️🐾☕🍵🏴🇵🇸 :af: /
npub1e7…pet6n
2025-04-25 01:03:02
Author Public Key
npub1e7vzg8ryv42fve4kt5q3t8404xkrqdqe58y27mttshf5dw29vpcqrpet6nPublished at
2025-04-25 01:03:02Event JSON
{
"id": "978c3cc928106f069a6f9d6e7215031503ef2fb96212edcca02772a09e442a2b",
"pubkey": "cf98241c6465549666b65d01159eafa9ac303419a1c8af6d6b85d346b9456070",
"created_at": 1745542982,
"kind": 1,
"tags": [
[
"t",
"cybersecurity"
],
[
"t",
"linux"
],
[
"proxy",
"https://kolektiva.social/@youranonriots/114395904924252811",
"web"
],
[
"t",
"cyberalerts"
],
[
"proxy",
"https://kolektiva.social/users/youranonriots/statuses/114395904924252811",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://kolektiva.social/users/youranonriots/statuses/114395904924252811",
"pink.momostr"
],
[
"-"
]
],
"content": "New Linux Rootkit Exploits io_uring, Evades Detection\n\nARMO’s Curing rootkit uses io_uring to bypass system call monitoring—Falco, Tetragon, and even Microsoft Defender can’t see it.\n#CyberAlerts #Linux #CyberSecurity \nAttackers can run commands without triggering system calls. \nhttps://thehackernews.com/2025/04/linux-iouring-poc-rootkit-bypasses.html",
"sig": "a0929020415dae8caa481e3a583972768d1008067cfb9380fad3c9f4390ef8ed11b13070ac4c53e1576dd8d649ee3fcda06c78742b4870eba9656a8254b875dd"
}