RingReaper: Stealthy Linux Agent Abuses io_uring to Bypass EDR System Call Monitoring
RingReaper is a simple post-exploitation agent for Linux designed for operators who need to work stealthily and minimize the chance of detection by EDR solutions. The idea behind the project is to leverage io_uring, the asynchronous I/O interface added to the Linux kernel in version 5.1, specifically to avoid the traditional system calls that most EDRs monitor or hook.
In practice, RingReaper replaces calls such as read, write, recv, send and connect with the equivalent io_uring operations. Requests are prepared with liburing's io_uring_prep_* helpers, placed in the shared submission queue and handed to the kernel through io_uring_enter, so the agent's file and network I/O never passes through the individual syscalls that EDR hooks and standardized event tracing typically cover.
NOTE: Some functions within RingReaper still rely on traditional calls, such as directory reading (opendir, readdir) or symbolic link resolution (readlink), because io_uring does not yet fully support these types of operations natively. Even so, during my tests, these calls did not trigger alerts on the tested EDRs, precisely because they fall outside the monitored network I/O paths.
In summary, RingReaper was built to avoid traditional calls wherever possible, and in the author's tests even the operations that still had to use them went undetected, with no alerts or detections from the security agents tested.
About Evasion
RingReaper was designed from the ground up to bypass EDR monitoring. Many security solutions base their detection triggers on intercepting the classic syscalls (read, recv, send, connect) at the kernel level. Because io_uring is relatively new and less integrated into these products' telemetry pipelines, I/O that flows through it often goes unnoticed, allowing C2 sessions and data exfiltration without triggering alerts. The caveat for defenders is that the activity is not invisible to the kernel: the agent still has to call io_uring_setup and io_uring_enter, the kernel exposes tracepoints for io_uring requests, and the LSM hooks on the underlying file and socket operations still fire. An agent that monitors those paths, or a host that disables io_uring through seccomp or the kernel.io_uring_disabled sysctl (Linux 6.6 and later), closes the gap; the evasion works against products that key only on the classic data-path syscalls.
Even functions that still rely on older syscalls (such as directory reading) remained discreet enough not to raise alarms.
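To make concrete what "replacing read with an io_uring operation" means in the description above, and which syscalls a monitor still sees as discussed in this section, here is an added example written for this page (it is not RingReaper's code or the author's). It reads a file without ever issuing read(2), talking to the kernel through the raw io_uring_setup and io_uring_enter syscalls instead of liburing so that the full syscall footprint is visible: one io_uring_setup, three mmap calls and one io_uring_enter. The fixture file and its contents are constructed for the demo; the read uses IORING_OP_READ, which requires Linux 5.6 or newer. The function returns the byte count on success or a negative errno, and ENOSYS or EPERM means io_uring is blocked on the host (seccomp, or kernel.io_uring_disabled on 6.6+), which is itself the simplest mitigation.

```c
// Added example for this page (not RingReaper's code): read a file via io_uring with raw syscalls, never read(2).
#define _GNU_SOURCE
#include <errno.h>
#include <linux/io_uring.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

struct ring {
    int fd;                                   /* io_uring instance */
    unsigned *sq_tail, *sq_mask, *sq_array;   /* submission ring */
    unsigned *cq_head, *cq_tail, *cq_mask;    /* completion ring */
    struct io_uring_sqe *sqes;
    struct io_uring_cqe *cqes;
};

/* io_uring_setup plus the ring mmaps liburing normally hides. Returns 0 or -errno. */
static int ring_init(struct ring *r, unsigned entries) {
    struct io_uring_params p;
    memset(&p, 0, sizeof p);
    r->fd = (int)syscall(__NR_io_uring_setup, entries, &p);   /* visible syscall #1 */
    if (r->fd < 0) return -errno;
    size_t sq_sz = p.sq_off.array + p.sq_entries * sizeof(unsigned);
    size_t cq_sz = p.cq_off.cqes + p.cq_entries * sizeof(struct io_uring_cqe);
    int single = p.features & IORING_FEAT_SINGLE_MMAP;  /* 5.4+: one mapping for both rings */
    if (single) sq_sz = cq_sz = (sq_sz > cq_sz ? sq_sz : cq_sz);
    int prot = PROT_READ | PROT_WRITE, flags = MAP_SHARED | MAP_POPULATE;
    char *sq = mmap(NULL, sq_sz, prot, flags, r->fd, IORING_OFF_SQ_RING);
    if (sq == MAP_FAILED) return -errno;
    char *cq = single ? sq : mmap(NULL, cq_sz, prot, flags, r->fd, IORING_OFF_CQ_RING);
    if (cq == MAP_FAILED) return -errno;
    r->sqes = mmap(NULL, p.sq_entries * sizeof(struct io_uring_sqe), prot, flags, r->fd, IORING_OFF_SQES);
    if (r->sqes == MAP_FAILED) return -errno;
    r->sq_tail  = (unsigned *)(sq + p.sq_off.tail);
    r->sq_mask  = (unsigned *)(sq + p.sq_off.ring_mask);
    r->sq_array = (unsigned *)(sq + p.sq_off.array);
    r->cq_head  = (unsigned *)(cq + p.cq_off.head);
    r->cq_tail  = (unsigned *)(cq + p.cq_off.tail);
    r->cq_mask  = (unsigned *)(cq + p.cq_off.ring_mask);
    r->cqes     = (struct io_uring_cqe *)(cq + p.cq_off.cqes);
    return 0;
}

/* Queue one IORING_OP_READ (io_uring's counterpart of read(2)) and wait for it.
   Returns bytes read or -errno; per-request errors arrive in cqe->res. */
static int ring_read(struct ring *r, int fd, void *buf, unsigned len, uint64_t off) {
    unsigned tail = *r->sq_tail, idx = tail & *r->sq_mask;  /* we are the only producer */
    struct io_uring_sqe *sqe = &r->sqes[idx];
    memset(sqe, 0, sizeof *sqe);
    sqe->opcode = IORING_OP_READ;
    sqe->fd = fd;
    sqe->addr = (uint64_t)(uintptr_t)buf;
    sqe->len = len;
    sqe->off = off;
    r->sq_array[idx] = idx;
    __atomic_store_n(r->sq_tail, tail + 1, __ATOMIC_RELEASE);  /* publish the SQE */
    /* visible syscall #2: submit 1, wait for 1. The read itself runs inside the kernel. */
    if (syscall(__NR_io_uring_enter, r->fd, 1, 1, IORING_ENTER_GETEVENTS, NULL, 0) < 0)
        return -errno;
    unsigned head = __atomic_load_n(r->cq_head, __ATOMIC_ACQUIRE);
    if (head == __atomic_load_n(r->cq_tail, __ATOMIC_ACQUIRE)) return -EAGAIN;
    int res = r->cqes[head & *r->cq_mask].res;
    __atomic_store_n(r->cq_head, head + 1, __ATOMIC_RELEASE);  /* consume the CQE */
    return res;
}

static const char FIXTURE[] = "RingReaper demo: constructed\n";  /* constructed test data */

/* Write the fixture with write(2) (setup only), then read it back through io_uring.
   Returns bytes read, or -errno: ENOSYS/EPERM mean io_uring is blocked on this host
   (seccomp, or kernel.io_uring_disabled on 6.6+); EINVAL from cqe->res means a kernel
   older than 5.6 without IORING_OP_READ. */
int uring_read_demo(char *out, size_t outlen) {
    char path[] = "/tmp/uring_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -errno;
    unlink(path);
    if (write(fd, FIXTURE, sizeof FIXTURE - 1) != (ssize_t)(sizeof FIXTURE - 1)) { close(fd); return -EIO; }
    struct ring r;
    int rc = ring_init(&r, 4);
    if (rc < 0) { if (r.fd >= 0) close(r.fd); close(fd); return rc; }
    memset(out, 0, outlen);
    int n = ring_read(&r, fd, out, (unsigned)outlen - 1, 0);
    close(r.fd);
    close(fd);
    return n;
}
int main(void) {
    char buf[128];
    int n = uring_read_demo(buf, sizeof buf);
    if (n < 0) { fprintf(stderr, "io_uring read failed: %s\n", strerror(-n)); return 1; }
    printf("%d bytes read through io_uring, no read(2) issued: %s", n, buf);
    return 0;
}
```

Run it under strace -f to see the point of the technique: the file contents land in the buffer, but no read() appears in the trace, only io_uring_setup, mmap and io_uring_enter. A network variant would use IORING_OP_CONNECT, IORING_OP_SEND and IORING_OP_RECV in exactly the same way, which is what the agent does for its C2 traffic. Detection therefore has to either treat io_uring_setup and io_uring_enter as events worth recording, or hook below the syscall layer, at the io_uring tracepoints or the LSM hooks on the file and socket operations the requests end up performing.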
See the full and detailed article at: https://matheuzsecurity.github.io/hacking/evading-linux-edrs-with-io-uring/