Designed for modern Linux 6.x kernels, Singularity leverages the ftrace infrastructure to intercept core system calls, making it one of the most technically sophisticated kernel threats currently available for research and analysis.
Unlike traditional userland rootkits, Singularity operates directly in kernel space, providing deep control over system behavior and visibility. It hides processes, files, directories, and network connections by filtering system calls like getdents, stat, readlinkat, and tcp4_seq_show.
This ensures that malicious activity remains invisible to tools such as ps, netstat, ss, and lsof, as well as to advanced detection utilities like rkhunter and chkrootkit.
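A cross-view check of the kind defenders use against getdents filtering, added here as an illustration (not code from the article or from the Singularity project): it compares the PIDs visible in a /proc directory listing against a probe that never walks the directory. Because the article lists stat among the hooked calls, the probe relies on kill(pid, 0) and sched_getaffinity instead, which the article does not mention as hooked; the assumption that those remain unfiltered is the example's, not the page's.

```python
"""Find PIDs that are alive but missing from the /proc directory listing.

A rootkit that filters getdents() can drop /proc/<pid> entries from
`ls /proc` and `ps`, but the kernel still answers per-PID syscalls for
the hidden task. The gap between the two views is the detection signal.
"""
import errno
import os


def listed_pids(proc="/proc"):
    """PIDs visible through the directory listing (the getdents path)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pid_alive(pid):
    """Listing-independent liveness probe (assumed unhooked): kill(pid, 0)
    first, then sched_getaffinity(); only ESRCH means 'no such process'."""
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:
        return True          # exists, just not ours to signal
    except ProcessLookupError:
        pass
    try:
        os.sched_getaffinity(pid)
        return True
    except OSError as exc:
        return exc.errno != errno.ESRCH


def find_hidden_pids(listed, probe, max_pid):
    """PIDs in 1..max_pid that `probe` reports alive but `listed` omits.

    `listed` is the set from the directory view; `probe` is any
    callable(pid) -> bool that does not depend on that listing.
    """
    return sorted(pid for pid in range(1, max_pid + 1)
                  if pid not in listed and probe(pid))


def scan():
    """Run the check on this host, re-probing candidates once to discard
    processes that merely exited between the listing and the probe."""
    with open("/proc/sys/kernel/pid_max") as fh:
        limit = int(fh.read())
    candidates = find_hidden_pids(listed_pids(), pid_alive, limit)
    fresh = listed_pids()
    return [p for p in candidates if p not in fresh and pid_alive(p)]


if __name__ == "__main__":
    print("hidden PIDs:", scan() or "none")
```

On a clean host the scan should report none; a non-empty result is a candidate for deeper inspection rather than proof on its own, since the probe itself may be filtered by a sufficiently thorough hook.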
The rootkit also implements real-time log sanitization, filtering sensitive keywords such as taint, Singularity, and kallsyms_lookup_name from kernel logs, system journals, and diagnostic interfaces like /proc/kmsg and /var/log/kern.log.
This prevents forensic analysts and monitoring software from retrieving any indication of the module’s presence.
By leveraging signals or environment variables, attackers can trigger hidden privilege escalation and gain root access immediately. Once loaded, the module hides itself from /sys/module and lsmod, normalizing the kernel’s taint flags to avoid raising suspicion.
One of Singularity’s most distinctive features is its method of blocking and filtering kernel logging through direct syscall interception.
It intercepts write-related syscalls, including write, pwrite64, and io_uring_enter, to block writes that would tamper with ftrace or trigger kernel-level warnings.
This prevents defenders from using klogctl-based forensic tools to read kernel logs, effectively neutralizing common detection strategies employed by EDR and forensic platforms.
The rootkit also prevents the loading of new kernel modules by hooking init_module and finit_module, ensuring that no other security tools can intervene once it is established.
Advanced countermeasures against eBPF-based detection make Singularity resilient even against modern behavioral analysis frameworks such as Tracee.
Additionally, the rootkit includes an ICMP-triggered reverse shell feature that provides hidden remote access and automatically conceals new network sessions from user-space monitoring tools.
Developed by security researcher Matheus Alves (MatheuZSecurity), Singularity is openly published on GitHub for research and analysis. Researchers highlight its value as both a red-team testing tool and a study model for understanding kernel-level evasion.
While Singularity’s design underscores the immense power of kernel-level stealth, it also signals a critical challenge for defenders: traditional rootkit detection and monitoring techniques may no longer be sufficient against threats at this level of sophistication.
The post Kernel-Level Stealth A New Approach to Avoiding klogctl Detection appeared first on Cyber Security News.