Singularity: Advanced Linux Kernel Rootkit Uses ftrace to Bypass EDR and eBPF

by ddos · December 8, 2025

Singularity is a powerful Linux Kernel Module (LKM) rootkit designed for modern 6.x kernels. It provides comprehensive stealth capabilities through advanced system call hooking via ftrace infrastructure.

What is Singularity?

Singularity is a sophisticated rootkit that operates at the kernel level, providing:

Process Hiding: Make any process completely invisible to the system
File & Directory Hiding: Conceal files using pattern matching
Network Stealth: Hide TCP/UDP connections and ports
Privilege Escalation: Multiple methods to gain instant root access
Log Sanitization: Filter kernel logs and system journals in real-time
Self-Hiding: Remove itself from module lists and system monitoring
Remote Access: ICMP-triggered reverse shell with automatic hiding
Anti-Detection: Block eBPF tools, io_uring operations, and prevent module loading
Audit Evasion: Drop audit messages for hidden processes at netlink level

Features

Environment-triggered privilege elevation via signals and environment variables
Complete process hiding from /proc and monitoring tools
Pattern-based filesystem hiding for files and directories
Network connection concealment from netstat, ss, and packet analyzers
Real-time kernel log filtering for dmesg and journalctl
Module self-hiding from lsmod and /sys/module
Automatic kernel taint flag normalization
BPF syscall interception to prevent eBPF-based detection
io_uring protection against asynchronous I/O bypass
Prevention of new kernel module loading
Log masking for kernel messages and system logs
Evasion of standard rootkit detectors (unhide, chkrootkit, rkhunter)
Automatic child process tracking and hiding via tracepoint hooks
Multi-architecture support (x64 + ia32)
Network packet-level filtering with raw socket protection
Protection against all file I/O variants (read, write, splice, sendfile, tee, copy_file_range)
Netlink-level audit message filtering to evade auditd detection