
These tools were built for performance, tracing, and system flexibility. However, security researchers warn that they can also help malware stay hidden. The shift shows how Linux threats are evolving along with the operating system itself.
A rootkit is malware designed to hide malicious activity on a system. Instead of causing immediate, obvious damage, it focuses on stealth, persistence, and long-term access.
Rootkits can hide files, processes, network activity, and even parts of their own code. On Linux, they have traditionally existed either in user space by hijacking shared libraries or in kernel space by modifying core operating system behavior.
New Stealth Paths In Linux
Older Linux rootkits often relied on loadable kernel modules, or LKMs, to hook system calls and hide activity.
These techniques are still important, but they have become harder to use because modern Linux systems include stronger protections such as Secure Boot, module signing, and stricter kernel memory controls.
As a result, attackers are exploring methods that do not depend on traditional modules.
One of the most important newer paths is eBPF. This Linux subsystem enables code to run in the kernel for tracing and filtering.
Because eBPF programs can attach to tracepoints, kprobes, and other kernel events, attackers can potentially use them to monitor or alter behavior without loading a visible kernel module.
That makes detection harder for tools that mainly search for suspicious modules. Public proof-of-concept projects have already shown that eBPF can be abused for syscall interception, covert communications, and stealthy persistence.
Another emerging technique involves io_uring, a high-performance asynchronous I/O interface introduced to reduce syscall overhead.
Researchers say rootkits can abuse io_uring to carry out file, network, and process activity with fewer visible syscall events.
This can weaken security tools that depend heavily on syscall monitoring. Unlike eBPF, io_uring is not a hooking system on its own. However, it can still reduce visibility and help malware blend into normal activity.
Why Defenders Should Pay Attention
The danger is not only the malware itself, but also the way it blends into trusted Linux features. Attackers no longer need to rely only on noisy, outdated rootkit methods that are easy to spot.
They can now abuse legitimate subsystems that administrators may already expect to see on production servers.
Researchers from Elastic note that Linux rootkits remain difficult to build because they are fragile, version-dependent, and risky for attackers.
A mistake can crash the system and expose the intrusion. Still, Linux is now central to cloud platforms, containers, telecom systems, IoT, and enterprise infrastructure, making it a high-value target.
The rise of eBPF- and io_uring-based rootkit techniques suggests defenders need deeper visibility into kernel activity, not just traditional file and process monitoring. As Linux threats become more modern, detection strategies will need to evolve just as quickly.
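One way a defender can get that deeper visibility is to inventory who holds eBPF programs and io_uring instances open, rather than only watching for kernel modules. The following is an added example, not code from the article or from Elastic: it parses a constructed sample modelled on `bpftool prog show -j` to flag hooking-type programs (kprobe, tracepoint, tracing, LSM) not owned by an expected loader, and scans a constructed snapshot of `/proc/<pid>/fd` link targets for the `bpf-prog`, `bpf-map` and `[io_uring]` anonymous inodes; all ids, names and processes in the samples are invented.

```python
import json

# eBPF program types that attach to kernel execution paths (kprobes,
# tracepoints, tracing and LSM hooks) and so deserve review on a server.
HOOKING_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "tracing", "lsm"}

# Constructed sample modelled on `bpftool prog show -j`; ids, program names
# and process names are invented for this example.
SAMPLE_BPFTOOL_JSON = """[
 {"id": 17, "type": "kprobe", "name": "sys_enter_hook",
  "pids": [{"pid": 4242, "comm": "unknown_bin"}]},
 {"id": 18, "type": "tracepoint", "name": "trace_open",
  "pids": [{"pid": 900, "comm": "bpftrace"}]},
 {"id": 19, "type": "xdp", "name": "xdp_fw",
  "pids": [{"pid": 777, "comm": "ebpf_fw"}]},
 {"id": 20, "type": "kprobe", "name": "orphan_probe", "pids": []}
]"""

def suspicious_bpf_programs(bpftool_json, known_loaders=()):
    """Return (id, type, name, owners) for hooking-type programs not fully owned
    by an expected loader; ownerless programs (loader exited, or pinned) too."""
    findings = []
    for prog in json.loads(bpftool_json):
        if prog.get("type") not in HOOKING_TYPES:
            continue
        owners = {p.get("comm", "?") for p in prog.get("pids", [])}
        if owners and owners <= set(known_loaders):
            continue
        findings.append((prog["id"], prog["type"],
                         prog.get("name", ""), sorted(owners)))
    return findings

# Link targets under /proc/<pid>/fd that reveal eBPF objects or io_uring
# instances. The snapshot is constructed; on a live host it would come from
# os.readlink() over /proc/<pid>/fd/* for every pid.
ANON_INODES = {"anon_inode:bpf-prog", "anon_inode:bpf-map",
               "anon_inode:[io_uring]"}
SAMPLE_FD_SNAPSHOT = {
    1234: ["/dev/null", "socket:[56789]", "anon_inode:[io_uring]"],
    4242: ["anon_inode:bpf-prog", "anon_inode:bpf-map", "pipe:[1111]"],
    5555: ["/var/log/syslog", "socket:[99999]"],
}

def processes_using_kernel_interfaces(fd_snapshot):
    """Map pid -> sorted eBPF/io_uring inodes it holds; pids with none dropped."""
    hits = {pid: sorted({t for t in targets if t in ANON_INODES})
            for pid, targets in fd_snapshot.items()}
    return {pid: v for pid, v in hits.items() if v}
```

A hit from either function is a lead to investigate, not proof of a rootkit: tracing tools, container runtimes and high-performance servers use these interfaces legitimately, so the value lies in comparing the inventory against what is expected on that host.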
The post New Linux Rootkits Leverage eBPF and io_uring For Stealth appeared first on Cyber Security News.
