Singularity: Advanced Linux Kernel Rootkit Uses ftrace to Bypass EDR and eBPF

Singularity is a Linux kernel module (LKM) rootkit written for modern 6.x kernels. Its stealth capabilities are built on system call hooking through the kernel's own ftrace function-tracing infrastructure: the hooks are attached at the entry of the traced kernel functions rather than by overwriting the syscall table, so checks that only compare the syscall table against a known-good copy do not see them.

What is Singularity?

Singularity is a sophisticated rootkit that operates at the kernel level, providing:

  • Process Hiding: Hide a chosen process from /proc and from the userland tools that walk it
  • File & Directory Hiding: Conceal files and directories whose names match a configured pattern
  • Network Stealth: Hide TCP/UDP connections and listening ports
  • Privilege Escalation: Several triggers that grant the calling process root
  • Log Sanitization: Filter kernel log output and system journal entries in real time
  • Self-Hiding: Remove itself from the kernel's module list and from system monitoring views
  • Remote Access: ICMP-triggered reverse shell whose process is hidden automatically
  • Anti-Detection: Block eBPF tooling and io_uring operations, and prevent further module loading
  • Audit Evasion: Drop audit messages for hidden processes at the netlink level, before auditd receives them

Features

  • Environment-triggered privilege elevation via signals and environment variables
  • Complete process hiding from /proc and monitoring tools
  • Pattern-based filesystem hiding for files and directories
  • Network connection concealment from netstat, ss, and packet analyzers
  • Real-time kernel log filtering for dmesg and journalctl
  • Module self-hiding from lsmod and /sys/module
  • Automatic kernel taint flag normalization (clears the taint bits that loading an out-of-tree or unsigned module sets)
  • BPF syscall interception to prevent eBPF-based detection
  • io_uring protection against asynchronous I/O bypass
  • Prevention of new kernel module loading
  • Log masking for kernel messages and system logs
  • Evasion of standard rootkit detectors (unhide, chkrootkit, rkhunter)
  • Automatic child process tracking and hiding via tracepoint hooks
  • Support for both native x86-64 and ia32 compatibility system calls (x64 + ia32)
  • Network packet-level filtering, including protection against raw-socket capture
  • Hooks on every file I/O variant (read, write, splice, sendfile, tee, copy_file_range) so hidden content is not exposed through an unhooked path
  • Netlink-level audit message filtering to evade auditd detection
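The ftrace-based hooking described at the top of the page and the module self-hiding listed above are two things a responder can cross-check from the other side. The script below is an added example, not code from the Singularity project or from this article: it parses the text of /sys/kernel/tracing/enabled_functions (the kernel's list of functions with ftrace callbacks attached, with single-letter flags such as I for IPMODIFY, the flag a callback needs in order to divert a function) and /proc/modules, and reports syscall entry points that carry IPMODIFY without a known in-tree handler, callbacks the kernel cannot resolve to a symbol, and modules that appear in one listing but not the other. The line layout, the addresses, the module name evilmod and the symbol hook_thunk are assumptions for the constructed sample; real output varies by kernel version.

```python
"""Triage helpers for ftrace-based syscall hooking on Linux 6.x kernels.

Added example, not code from the Singularity project or from the article.
It parses the text of /sys/kernel/tracing/enabled_functions and /proc/modules
(constructed samples below, so it runs offline) and reports ftrace records
that look like a syscall handler redirected by code the kernel cannot name,
plus modules that appear in one listing but not another.
"""
import re

SYSCALL_PREFIXES = ("__x64_sys_", "__ia32_sys_", "__do_sys_", "__se_sys_")
# Flags printed per record: R regs, I ipmodify, D direct, O call-ops,
# M modified. IPMODIFY lets the callback change the instruction pointer,
# which is what a function-replacing hook needs; plain tracing never sets it.
FLAG_LETTERS = set("RIDOM")
# In-tree ftrace users that legitimately set IPMODIFY.
KNOWN_IPMODIFY_HANDLERS = ("kprobe_ftrace_handler", "klp_ftrace_handler")
HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]+$")


def parse_enabled_functions(text):
    """Yield (symbol, flags, callbacks); each callback is (target, module).

    Assumed layout, an approximation of what 6.x prints (spacing, and whether
    addresses resolve to symbols, vary by kernel and by what is hidden):
      <symbol> (<count>) <flags...> [tramp: <addr> (<func>)] -><cb> [<mod>] ...
    """
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not tokens[1].startswith("("):
            continue
        flags, callbacks = set(), []
        for tok in tokens[2:]:
            if tok in FLAG_LETTERS:
                flags.add(tok)
            elif tok.startswith("->"):
                callbacks.append([tok[2:], None])
            elif tok.startswith("[") and tok.endswith("]") and callbacks:
                callbacks[-1][1] = tok[1:-1]   # "[modname]" tag after a symbol
        yield tokens[0], flags, [tuple(cb) for cb in callbacks]


def parse_proc_modules(text):
    """Module names from /proc/modules (first column of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def suspicious_hooks(enabled_functions_text, visible_modules):
    """Return {symbol: [reason, ...]} for records worth a closer look."""
    findings = {}
    for symbol, flags, callbacks in parse_enabled_functions(enabled_functions_text):
        reasons = []
        targets = [t.split("+")[0] for t, _ in callbacks]
        all_known = bool(targets) and all(t in KNOWN_IPMODIFY_HANDLERS for t in targets)
        if symbol.startswith(SYSCALL_PREFIXES) and "I" in flags and not all_known:
            reasons.append("IPMODIFY on a syscall entry by a non-kprobe/livepatch callback")
        for target, module in callbacks:
            if HEX_ADDR.match(target):
                reasons.append("callback %s does not resolve to any kernel symbol" % target)
            elif module and module not in visible_modules:
                reasons.append("callback lives in [%s], absent from /proc/modules" % module)
        if reasons:
            findings[symbol] = reasons
    return findings


def module_view_mismatch(proc_modules_names, sys_module_names):
    """Names present in exactly one of /proc/modules and /sys/module."""
    return sorted(set(proc_modules_names) ^ set(sys_module_names))


# Constructed samples: addresses, "evilmod" and "hook_thunk" are made up.
SAMPLE_ENABLED_FUNCTIONS = """\
__x64_sys_getdents64 (1) R I   tramp: 0xffffffffc0a12000 (ftrace_ops_assist_func+0x0/0x120)  ->0xffffffffc0a0f2e0
__ia32_sys_getdents64 (1) R I   tramp: 0xffffffffc0a12000 (ftrace_ops_assist_func+0x0/0x120)  ->0xffffffffc0a0f2e0
__x64_sys_kill (1) R I   ->hook_thunk+0x0/0x40 [evilmod]
__x64_sys_openat (1) R I   ->kprobe_ftrace_handler+0x0/0x1c0
do_sys_openat2 (1)   ->function_trace_call+0x0/0x160
"""
SAMPLE_PROC_MODULES = """\
xt_conntrack 12288 1 - Live 0x0000000000000000
nf_conntrack 196608 1 xt_conntrack, Live 0x0000000000000000
"""
SAMPLE_SYS_MODULE = {"xt_conntrack", "nf_conntrack", "evilmod"}

if __name__ == "__main__":
    visible = parse_proc_modules(SAMPLE_PROC_MODULES)
    for sym, why in suspicious_hooks(SAMPLE_ENABLED_FUNCTIONS, visible).items():
        print(sym, "->", "; ".join(why))
    print("module listing mismatch:", module_view_mismatch(visible, SAMPLE_SYS_MODULE))
```

Two caveats apply when running this against a live host. A kprobe placed on a syscall entry by a legitimate tracer also shows IPMODIFY, which is why the callback target, not the flag alone, decides the verdict. And because the page lists read, splice and other file I/O paths among the hooked calls, a rootkit can lie to any userland reader of tracefs or /proc/modules; the comparison is more trustworthy when the inputs come from a memory image or from the host booted into a known-good kernel.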

Full Research Article: Singularity: A Final Boss Linux Kernel Rootkit

EDR Evasion Case Study: Bypassing Elastic EDR with Singularity

Install & Use
