RingReaper: New Linux Tool Leverages io_uring Kernel Feature to Bypass EDR & Stealthily Control Systems
The emergence of a new tool known as RingReaper has drawn the attention of defenders and penetration testing teams alike. The agent leverages a legitimate but powerful Linux kernel feature, io_uring, to perform its I/O in a way that slips past endpoint detection and response (EDR) products that watch the system-call boundary.
Introduced in Linux kernel 5.1, io_uring was designed to accelerate asynchronous I/O. In the traditional model each file or network operation is its own system call. With io_uring a process calls io_uring_setup once, maps a submission queue and a completion queue that it shares with the kernel, and then places any number of requests (submission queue entries, SQEs) into the submission ring. The kernel services them as resources permit and posts each result as a completion queue entry (CQE) in the completion ring. One io_uring_enter call can submit and reap many operations, and with IORING_SETUP_SQPOLL a kernel thread polls the submission ring so even that call becomes infrequent. The per-operation system calls that standard security tools key on simply never happen.
Through io_uring a process can open files, read, write and establish network connections concurrently, which collapses many discrete system calls into a handful of ring operations and leaves syscall-level monitoring with very little to see. It is worth being precise about what is and is not hidden: the files are still opened and the sockets still connected inside the kernel through the same VFS and networking code paths, so instrumentation placed at those layers (LSM hooks such as security_file_open and security_socket_connect, or kprobes on functions like vfs_read and tcp_v4_connect) still fires. Only instrumentation at the system-call entry point goes blind, and that is where most Linux EDR sensors live.
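To make the mechanism concrete, here is an added example (written for this page, not RingReaper's code) that performs a single file read through the raw io_uring syscalls, with no liburing. It assumes a Linux 5.1 or newer kernel with the kernel UAPI headers installed; the file path, buffer size and the user_data tag are arbitrary choices for the demo. The open itself is still done with a classic open() call for brevity; an io_uring-only agent would queue IORING_OP_OPENAT instead. Everything else the read needs (ring setup, publishing the SQE, waiting, reaping the CQE) is visible at the syscall boundary only as one io_uring_setup and one io_uring_enter.

```c
/* Added example: one IORING_OP_READV driven through raw io_uring syscalls.
 * Assumes Linux 5.1+ and <linux/io_uring.h>; not part of RingReaper. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/io_uring.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <unistd.h>

#define DEMO_TAG 0x52524541ULL   /* arbitrary user_data to match the CQE to our SQE */

static int sys_io_uring_setup(unsigned entries, struct io_uring_params *p)
{
    return (int)syscall(__NR_io_uring_setup, entries, p);
}

static int sys_io_uring_enter(int ring, unsigned to_submit, unsigned min_complete, unsigned flags)
{
    return (int)syscall(__NR_io_uring_enter, ring, to_submit, min_complete, flags, NULL, 0);
}

/* Read up to len bytes of path via one io_uring submission.
 * Returns bytes read (>= 0) or -errno.  -ENOSYS: kernel has no io_uring;
 * -EPERM: seccomp (container defaults) or kernel.io_uring_disabled blocked it. */
long uring_read_file(const char *path, char *buf, unsigned len)
{
    struct io_uring_params p;
    unsigned char *sq = MAP_FAILED, *cq = MAP_FAILED;
    struct io_uring_sqe *sqes = MAP_FAILED, *sqe;
    struct io_uring_cqe *cqes, *cqe;
    unsigned *sq_tail, *sq_mask, *sq_array, *cq_head, *cq_tail, *cq_mask;
    size_t sq_sz, cq_sz, sqe_sz;
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    unsigned tail, idx, head;
    long res = -ENOMEM;
    int ring, fd = -1;

    memset(&p, 0, sizeof p);
    ring = sys_io_uring_setup(4, &p);           /* visible syscall #1 (once per ring) */
    if (ring < 0)
        return -errno;

    /* Map the SQ ring, CQ ring and SQE array the kernel shares with us. */
    sq_sz  = p.sq_off.array + p.sq_entries * sizeof(unsigned);
    cq_sz  = p.cq_off.cqes  + p.cq_entries * sizeof(struct io_uring_cqe);
    sqe_sz = p.sq_entries * sizeof(struct io_uring_sqe);
    sq   = mmap(NULL, sq_sz,  PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, ring, IORING_OFF_SQ_RING);
    cq   = mmap(NULL, cq_sz,  PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, ring, IORING_OFF_CQ_RING);
    sqes = mmap(NULL, sqe_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, ring, IORING_OFF_SQES);
    if (sq == MAP_FAILED || cq == MAP_FAILED || sqes == MAP_FAILED)
        goto out;
    sq_tail  = (unsigned *)(sq + p.sq_off.tail);
    sq_mask  = (unsigned *)(sq + p.sq_off.ring_mask);
    sq_array = (unsigned *)(sq + p.sq_off.array);
    cq_head  = (unsigned *)(cq + p.cq_off.head);
    cq_tail  = (unsigned *)(cq + p.cq_off.tail);
    cq_mask  = (unsigned *)(cq + p.cq_off.ring_mask);
    cqes     = (struct io_uring_cqe *)(cq + p.cq_off.cqes);

    /* Classic open() kept for brevity; an io_uring-only agent would queue IORING_OP_OPENAT. */
    fd = open(path, O_RDONLY);
    if (fd < 0) { res = -errno; goto out; }

    /* Fill one SQE: "readv fd into iov at offset 0", then publish it to the kernel. */
    tail = *sq_tail;
    idx  = tail & *sq_mask;
    sqe  = &sqes[idx];
    memset(sqe, 0, sizeof *sqe);
    sqe->opcode    = IORING_OP_READV;           /* available since 5.1 */
    sqe->fd        = fd;
    sqe->addr      = (unsigned long)&iov;
    sqe->len       = 1;                         /* one iovec */
    sqe->user_data = DEMO_TAG;
    sq_array[idx]  = idx;
    __atomic_store_n(sq_tail, tail + 1, __ATOMIC_RELEASE);

    /* Visible syscall #2: submit 1 SQE and wait for 1 completion. */
    if (sys_io_uring_enter(ring, 1, 1, IORING_ENTER_GETEVENTS) < 0) { res = -errno; goto out; }

    /* Reap the completion from the CQ ring; cqe->res is the readv() result. */
    head = __atomic_load_n(cq_head, __ATOMIC_ACQUIRE);
    if (head == __atomic_load_n(cq_tail, __ATOMIC_ACQUIRE)) { res = -EAGAIN; goto out; }
    cqe = &cqes[head & *cq_mask];
    res = (cqe->user_data == DEMO_TAG) ? (long)cqe->res : -EIO;
    __atomic_store_n(cq_head, head + 1, __ATOMIC_RELEASE);

out:
    if (fd >= 0) close(fd);
    if (sq != MAP_FAILED) munmap(sq, sq_sz);
    if (cq != MAP_FAILED) munmap(cq, cq_sz);
    if (sqes != MAP_FAILED) munmap(sqes, sqe_sz);
    close(ring);
    return res;
}

int main(void)
{
    char buf[256] = {0};
    long n = uring_read_file("/etc/hostname", buf, sizeof buf - 1);
    if (n < 0)
        fprintf(stderr, "io_uring read failed: %s\n", strerror((int)-n));
    else
        printf("read %ld bytes via io_uring_enter: %s", n, buf);
    return n < 0;
}
```

Run it under strace and the read shows up only as io_uring_setup, three mmap calls and one io_uring_enter; a hook on sys_read or the syscalls:sys_enter_read tracepoint never fires, while a kprobe on vfs_read still does. On a kernel with io_uring disabled, or inside a container whose seccomp profile blocks it, the function returns -EPERM or -ENOSYS rather than crashing.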
RingReaper is a remote access agent engineered with an emphasis on stealth and versatility. It currently lacks a built-in persistence mechanism, but its capabilities are nonetheless formidable. Once an attacker has a foothold on a system, RingReaper connects to a command-and-control server they operate and executes a wide array of tasks while remaining close to invisible to monitoring that keys on the classic I/O system calls.
Its feature set includes network communication management, file manipulation, data upload and download, remote command execution for enumerating users, processes and network connections, and a self-deletion routine that removes the binary once its objectives are complete.
The RingReaper C2 server is written in Python, granting attackers an interactive interface to issue commands and receive responses, including file transfers.
The tool's EDR evasion comes from using io_uring for its system interactions. Traditional Linux security solutions typically rely on monitoring system calls such as open, connect, read and write, through syscall hooking or eBPF probes attached to the syscall tracepoints. RingReaper instead routes that activity through the ring, so the only calls visible at the syscall boundary are io_uring_setup once at start-up and io_uring_enter thereafter, both of which most tooling ignores. This dramatically reduces the number of detectable events and makes the tool hard to uncover with a conventional syscall ruleset.
The technique works because most contemporary EDR products do not yet monitor io_uring activity at all. The agent's C2 traffic also blends in easily, especially when carried over a commonly used port such as 443, where a network sensor that is not inspecting the payload sees little more than what looks like ordinary HTTPS.
Despite RingReaper's stealth, defenders are not without options. Security teams can trace io_uring_setup and io_uring_enter (the syscalls:sys_enter_io_uring_setup and syscalls:sys_enter_io_uring_enter tracepoints exist like those of any other syscall), attach eBPF programs to the kernel's own io_uring tracepoints or to the VFS and socket functions that ring operations ultimately call, and on Linux 6.6 and later disable the interface for untrusted workloads with the kernel.io_uring_disabled sysctl. A bare count of io_uring_enter calls needs baselining, since databases and high-throughput servers use the interface legitimately; the stronger signal is a process that drives the ring while issuing none of the classic I/O system calls. The overwhelming majority of commercial products, however, have yet to adopt such measures.
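The following added example (not RingReaper's code and not taken from any EDR product) shows the shape of the detection heuristic described above. It runs over a constructed, simplified syscall trace in the form "pid=<n> comm=<name> syscall=<name>", which a collector could produce from the syscall tracepoints or from auditd output; the process names, pids and the MIN_URING_CALLS threshold are assumptions made up for the demo. A process that keeps calling io_uring_enter while never issuing any of the classic I/O syscalls is flagged; a process that mixes io_uring with ordinary reads and writes, as a database would, is not.

```c
/* Added example: per-process io_uring vs classic-I/O heuristic over a
 * constructed syscall trace.  Not part of RingReaper or any EDR product. */
#include <stdio.h>
#include <string.h>

#define MAX_PROCS 64
#define MIN_URING_CALLS 4   /* assumed threshold: fewer calls is noise, not a pattern */

struct proc_stats {
    int pid;
    char comm[32];
    int classic_io;   /* open/read/write/connect... seen at the syscall boundary */
    int uring_enter;  /* io_uring_enter calls */
    int uring_setup;  /* io_uring_setup calls */
};

/* Syscalls a syscall-hooking EDR typically keys on. */
int is_classic_io(const char *sc)
{
    static const char *names[] = { "open", "openat", "read", "readv", "pread64",
                                   "write", "writev", "pwrite64", "connect", "accept",
                                   "sendto", "recvfrom", "sendmsg", "recvmsg" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (strcmp(sc, names[i]) == 0) return 1;
    return 0;
}

static struct proc_stats *lookup(struct proc_stats *t, int *n, int pid, const char *comm)
{
    for (int i = 0; i < *n; i++)
        if (t[i].pid == pid) return &t[i];
    if (*n >= MAX_PROCS) return NULL;
    struct proc_stats *s = &t[(*n)++];
    memset(s, 0, sizeof *s);
    s->pid = pid;
    strncpy(s->comm, comm, sizeof s->comm - 1);
    return s;
}

/* Parse "pid=<n> comm=<name> syscall=<name>" records and write the pids that
 * drive io_uring without any classic I/O to out (at most max). Returns the count. */
int analyze_trace(const char *const *lines, int nlines, int *out, int max)
{
    struct proc_stats table[MAX_PROCS];
    int nprocs = 0, found = 0;
    for (int i = 0; i < nlines; i++) {
        int pid; char comm[32], sc[32];
        if (sscanf(lines[i], "pid=%d comm=%31s syscall=%31s", &pid, comm, sc) != 3)
            continue;  /* skip malformed records */
        struct proc_stats *s = lookup(table, &nprocs, pid, comm);
        if (!s) break;
        if (strcmp(sc, "io_uring_enter") == 0)      s->uring_enter++;
        else if (strcmp(sc, "io_uring_setup") == 0) s->uring_setup++;
        else if (is_classic_io(sc))                 s->classic_io++;
    }
    for (int i = 0; i < nprocs && found < max; i++) {
        /* Legitimate io_uring users normally still emit some classic I/O;
         * an agent that moved everything onto the ring does not. */
        if (table[i].uring_enter >= MIN_URING_CALLS && table[i].classic_io == 0)
            out[found++] = table[i].pid;
    }
    return found;
}

/* Constructed sample trace (not real telemetry). */
static const char *const sample_trace[] = {
    "pid=1204 comm=sshd syscall=read",
    "pid=1204 comm=sshd syscall=write",
    "pid=1204 comm=sshd syscall=connect",
    "pid=3377 comm=postgres syscall=io_uring_setup",
    "pid=3377 comm=postgres syscall=io_uring_enter",
    "pid=3377 comm=postgres syscall=io_uring_enter",
    "pid=3377 comm=postgres syscall=io_uring_enter",
    "pid=3377 comm=postgres syscall=io_uring_enter",
    "pid=3377 comm=postgres syscall=write",
    "pid=4242 comm=updater syscall=io_uring_setup",
    "pid=4242 comm=updater syscall=io_uring_enter",
    "pid=4242 comm=updater syscall=io_uring_enter",
    "pid=4242 comm=updater syscall=io_uring_enter",
    "pid=4242 comm=updater syscall=io_uring_enter",
    "pid=4242 comm=updater syscall=io_uring_enter",
    "pid=4242 comm=updater syscall=unlink",   /* self-deletion is not in the classic I/O set */
};
#define SAMPLE_LEN ((int)(sizeof sample_trace / sizeof sample_trace[0]))

int main(void)
{
    int flagged[MAX_PROCS];
    int n = analyze_trace(sample_trace, SAMPLE_LEN, flagged, MAX_PROCS);
    for (int i = 0; i < n; i++)
        printf("suspicious: pid %d drives io_uring_enter with no classic I/O syscalls\n", flagged[i]);
    return 0;
}
```

The heuristic is deliberately narrow: it produces candidates, not verdicts, and in production the candidate list would be joined with an allowlist of known io_uring users and with file- and socket-layer telemetry (LSM hooks, kprobes on vfs_read or tcp_v4_connect) that still sees what the ring operations actually did.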
Given the increasing adoption of such evasion techniques by cybercriminals, security professionals are urging an immediate reassessment of Linux defense strategies. A working understanding of io_uring's submission and completion model is now required to identify and counter this class of threat in time.