New Linux Rootkit Exploits io_uring, Evades Detection
ARMO’s Curing rootkit uses io_uring to bypass system call monitoring—Falco, Tetragon, and even Microsoft Defender can’t see it.
#CyberAlerts #Linux #CyberSecurity
Attackers can run commands without triggering system calls.
https://thehackernews.com/2025/04/linux-iouring-poc-rootkit-bypasses.html
Anonymous 🐈️🐾☕🍵🏴🇵🇸 /
npub1al…hr5fj
2025-04-25 01:03:02
Author Public Key
npub1al4kgl9l6k0ha8acraw9vaanua704pd6zhy6j55rj2pra6c2f0uqqhr5fjPublished at
2025-04-25 01:03:02Event JSON
{
"id": "44b9d94152a9bf42c42d0956c97fcd5b3ac5661ebb35168da0990d360e2bc068",
"pubkey": "efeb647cbfd59f7e9fb81f5c5677b3e77cfa85ba15c9a9528392823eeb0a4bf8",
"created_at": 1745542982,
"kind": 1,
"tags": [
[
"t",
"cyberalerts"
],
[
"t",
"Linux"
],
[
"t",
"CyberSecurity"
],
[
"proxy",
"https://kolektiva.social/users/youranonriots/statuses/114395904924252811",
"activitypub"
],
[
"client",
"Mostr",
"31990:6be38f8c63df7dbf84db7ec4a6e6fbbd8d19dca3b980efad18585c46f04b26f9:mostr",
"wss://relay.mostr.pub"
]
],
"content": "New Linux Rootkit Exploits io_uring, Evades Detection\n\nARMO’s Curing rootkit uses io_uring to bypass system call monitoring—Falco, Tetragon, and even Microsoft Defender can’t see it.\n#CyberAlerts #Linux #CyberSecurity \nAttackers can run commands without triggering system calls. \nhttps://thehackernews.com/2025/04/linux-iouring-poc-rootkit-bypasses.html",
"sig": "66611b1d7bde756510ec2947f6cc16cb3d727d8ef1da0f273340dd4d3f7f0a0c88f767fea63b2f805169215f6e24f095375d3f51ac76f1ac46a3566000ff9388"
}