Linux rootkits are emerging as a significant and sophisticated threat within modern IT infrastructure, leveraging advanced kernel features to evade detection. This escalation in sophistication, highlighted by recent research, signifies a critical shift in the cybersecurity landscape, particularly as Linux systems become increasingly prevalent in cloud environments, container orchestration, IoT deployments, and high-performance computing.
Elastic Security Labs detailed this evolving threat in a two-part research series published on March 5, 2026. The findings trace the lineage of Linux rootkits from early shared-object hijacking techniques to modern implants utilizing Extended Berkeley Packet Filter (eBPF) and io_uring, making them considerably more challenging for traditional security tools to identify and remove.
How eBPF and io_uring Rewrote the Rootkit Playbook
A rootkit’s primary objective is stealth: it manipulates how the operating system presents information to users and security software. Rootkits can conceal processes, files, and network connections, and even mask their own presence in kernel module lists. For attackers targeting critical infrastructure, such as government servers or cloud providers, a rootkit that goes undetected for a long time is worth far more than an intrusion that is quickly flagged.
The current generation of Linux rootkits represents a significant leap in technical prowess compared to their predecessors. These advanced threats exploit kernel features originally designed for legitimate operational purposes. eBPF, a technology intended for safe in-kernel packet filtering and tracing, is now being repurposed by attackers. They use it to hook system calls (syscalls) and intercept kernel events without resorting to traditional kernel module loading, which is more readily detectable.
Similarly, io_uring, a high-performance asynchronous I/O interface introduced in Linux kernel version 5.1, is being abused. Attackers leverage io_uring to batch system operations, drastically reducing the number of observable syscall events. This stealthy approach effectively blinds security tools that rely on monitoring individual syscalls for signs of malicious activity.
This shift has profound implications for defense. Conventional detection tools like rkhunter and chkrootkit are primarily designed to identify compromises involving loadable kernel modules (LKMs). eBPF-based implants, however, do not appear in standard kernel module listings such as /proc/modules and can bypass security measures like Secure Boot. This leaves many production Linux environments, especially those lacking specialized kernel-level telemetry, exposed to these implants.
The adoption of eBPF by malicious actors represents a fundamental change in their interaction with the Linux kernel. Instead of deploying a potentially system-destabilizing malicious loadable kernel module, attackers can now load eBPF bytecode. This bytecode passes through the kernel’s built-in verifier before being Just-In-Time (JIT) compiled into native machine code. This process lends the implant a semblance of legitimacy to the operating system, making it harder to distinguish from benign operations.
eBPF rootkits typically attach themselves to syscall entry tracepoints or Linux Security Module (LSM) hooks. This grants them visibility into crucial system activities like process execution, file access, and network communication, all without directly modifying function pointers or patching kernel code. For instance, the TripleCross rootkit demonstrated the capability to hook the execve syscall to monitor and manipulate process execution. Boopkit, another example, utilized eBPF to establish a covert command-and-control channel concealed within crafted network packets.
io_uring further enhances evasion by addressing a different detection vector. When a process utilizes io_uring for operations like file reads, writes, or metadata changes, it submits all requests in a single batch through shared memory rings. This circumvents the generation of individual syscalls for each action. Consequently, a malicious process engaging in extensive data collection or reconnaissance can operate with significantly reduced syscall-level telemetry, posing a substantial challenge for Endpoint Detection and Response (EDR) solutions that depend on per-syscall visibility.
Despite these advancements in rootkit technology, defenders are not without recourse. Elastic’s researchers have put forth several actionable recommendations for detecting and responding to these advanced Linux rootkits. Monitoring for anomalous usage of the io_uring_enter and io_uring_register syscalls can help identify processes submitting unusually large batches of operations or registering an excessive number of file descriptors. For eBPF-based threats, auditing all loaded eBPF programs is crucial, especially on systems where such tooling is not typically expected. The presence of unexpected eBPF programs attached to tracepoints or LSM hooks is a strong indicator of compromise.
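The two detection leads above can be turned into a small triage routine. The following is an added example written for this article, not code from Elastic's research. It assumes two inputs: auditd SYSCALL records produced by an audit rule on io_uring_enter and io_uring_register (x86_64 syscall numbers 426 and 427, with io_uring_enter's a1 being to_submit and io_uring_register's a3 being nr_args when the opcode is IORING_REGISTER_FILES), and the JSON that `bpftool prog show -j` prints. It goes slightly beyond the text by also flagging kprobe, raw_tracepoint and tracing program types alongside tracepoint and LSM, since they attach to the same class of kernel hook points. The sample records, the thresholds and the allowlist are constructed placeholders.

```python
"""
Triage helpers for the two detection leads above: anomalous use of the
io_uring_enter / io_uring_register syscalls, and eBPF programs attached to
hook points where none are expected.

Added example, not code from Elastic's research. Inputs assumed: auditd
SYSCALL records as produced for an audit rule on those two syscalls, and
the JSON printed by `bpftool prog show -j`. Both samples below are
constructed; thresholds and the allowlist are placeholders to tune per fleet.
"""
import json
import re
from collections import defaultdict

# x86_64 syscall numbers for the io_uring family
IO_URING_SETUP, IO_URING_ENTER, IO_URING_REGISTER = 425, 426, 427
IORING_REGISTER_FILES = 2  # io_uring_register opcode that registers fds

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Split one auditd record into a field dict; audit prints syscall
    arguments a0..a3 as bare hex, so those are converted to ints."""
    f = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    for k in ("a0", "a1", "a2", "a3"):
        if k in f:
            f[k] = int(f[k], 16)
    if "syscall" in f:
        f["syscall"] = int(f["syscall"])
    return f


def profile_io_uring(records, max_submit=64, max_fds=256):
    """Per pid: largest to_submit passed to io_uring_enter (argument a1) and
    total fds registered via io_uring_register(IORING_REGISTER_FILES), whose
    a3 is nr_args. Returns {pid: (comm, [reasons])} for pids over threshold."""
    prof = defaultdict(lambda: {"comm": "?", "max_submit": 0, "fds": 0})
    for r in records:
        if r.get("type") != "SYSCALL" or "pid" not in r:
            continue
        p = prof[r["pid"]]
        p["comm"] = r.get("comm", p["comm"])
        if r["syscall"] == IO_URING_ENTER:
            p["max_submit"] = max(p["max_submit"], r.get("a1", 0))
        elif r["syscall"] == IO_URING_REGISTER and r.get("a1") == IORING_REGISTER_FILES:
            p["fds"] += r.get("a3", 0)
    flagged = {}
    for pid, p in prof.items():
        reasons = []
        if p["max_submit"] > max_submit:
            reasons.append(f"io_uring_enter batch of {p['max_submit']} SQEs")
        if p["fds"] > max_fds:
            reasons.append(f"{p['fds']} fds registered via io_uring_register")
        if reasons:
            flagged[pid] = (p["comm"], reasons)
    return flagged


# Program types that sit on tracepoints, LSM hooks or kernel functions.
HOOK_TYPES = {"tracepoint", "raw_tracepoint", "lsm", "kprobe", "tracing"}


def unexpected_ebpf_programs(bpftool_json, expected_names=frozenset()):
    """Return hook-type programs from `bpftool prog show -j` whose name is
    not on the allowlist of tooling known to run on this host."""
    return [
        {"id": p["id"], "type": p["type"], "name": p.get("name", "")}
        for p in json.loads(bpftool_json)
        if p.get("type") in HOOK_TYPES and p.get("name", "") not in expected_names
    ]


# Constructed sample input (not real telemetry).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1772668800.101:501): arch=c000003e syscall=426 success=yes exit=4 a0=5 a1=4 a2=0 a3=0 items=0 ppid=1 pid=2210 uid=0 comm="postgres" exe="/usr/lib/postgresql/bin/postgres"
type=SYSCALL msg=audit(1772668800.202:502): arch=c000003e syscall=426 success=yes exit=512 a0=7 a1=200 a2=0 a3=0 items=0 ppid=1 pid=3147 uid=0 comm="collector" exe="/opt/collector/bin/collector"
type=SYSCALL msg=audit(1772668800.203:503): arch=c000003e syscall=427 success=yes exit=0 a0=7 a1=2 a2=7f3a2c00 a3=400 items=0 ppid=1 pid=3147 uid=0 comm="collector" exe="/opt/collector/bin/collector"
"""
SAMPLE_BPFTOOL = json.dumps([
    {"id": 12, "type": "cgroup_skb", "name": "sk_filter", "loaded_at": "2026-03-05T09:12:01+0000"},
    {"id": 48, "type": "tracepoint", "name": "tp_sys_execve", "loaded_at": "2026-03-05T09:40:11+0000"},
    {"id": 51, "type": "lsm", "name": "lsm_file_open", "loaded_at": "2026-03-05T09:40:12+0000"},
    {"id": 60, "type": "kprobe", "name": "agent_probe", "loaded_at": "2026-03-05T08:00:00+0000"},
])
EXPECTED_EBPF = frozenset({"agent_probe"})  # placeholder allowlist for this host


def triage(audit_text=SAMPLE_AUDIT, bpftool_json=SAMPLE_BPFTOOL, expected=EXPECTED_EBPF):
    """Run both checks and return (io_uring findings, unexpected eBPF programs)."""
    records = [parse_audit_record(l) for l in audit_text.splitlines() if l.strip()]
    return profile_io_uring(records), unexpected_ebpf_programs(bpftool_json, expected)


if __name__ == "__main__":
    io_hits, bpf_hits = triage()
    for pid, (comm, reasons) in io_hits.items():
        print(f"[io_uring] pid={pid} comm={comm}: {'; '.join(reasons)}")
    for p in bpf_hits:
        print(f"[ebpf] id={p['id']} type={p['type']} name={p['name']!r} not on allowlist")
```

On the constructed sample, the postgres process submitting four SQEs at a time passes, while the process submitting 512 SQEs in one io_uring_enter call and registering 1024 file descriptors is flagged on both counts; of the four eBPF programs, the tracepoint and LSM programs not on the allowlist are reported. The thresholds are deliberately simple: in practice they should be derived from a baseline of the workloads actually using io_uring on each host class, since databases and storage daemons legitimately submit large batches.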
Methods such as memory forensics, kernel integrity checks, and telemetry gathered at a level below the operating system remain the most reliable strategies for uncovering rootkits that have successfully hidden themselves from standard userland tools. Furthermore, organizations are advised to implement robust kernel lockdown policies, enforce module signing, and maintain up-to-date kernel versions. Updates, particularly those beyond kernel 6.9, introduce architectural changes that can disrupt older syscall table hooking techniques, thereby mitigating some of these advanced evasion methods.
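The three hardening controls named in the last two sentences (a lockdown policy, enforced module signing, and a kernel at or past 6.9) can be verified from the kernel's own interfaces. The following posture check is an added example, not Elastic's code. It reads /sys/kernel/security/lockdown (which lists the modes with the active one in brackets), /sys/module/module/parameters/sig_enforce (Y or N) and /proc/sys/kernel/osrelease, but takes their contents as strings so it can be exercised offline with the constructed values in the test; the 6.9 threshold is the version the article cites, not a recommendation of its own.

```python
"""
Kernel hardening posture check for the mitigations named above: kernel
lockdown mode, enforced module signing, and a kernel release at or past 6.9.

Added example, not code from Elastic's research. The three functions take
file contents as strings so the logic can be tested with constructed input;
read_posture() wires them to the real kernel interfaces on a Linux host.
"""
import re
from pathlib import Path

MIN_KERNEL = (6, 9)  # version the article names as disrupting syscall-table hooks

LOCKDOWN_PATH = "/sys/kernel/security/lockdown"
SIG_ENFORCE_PATH = "/sys/module/module/parameters/sig_enforce"
OSRELEASE_PATH = "/proc/sys/kernel/osrelease"


def parse_lockdown(text):
    """The lockdown file lists all modes with the active one in brackets,
    e.g. 'none [integrity] confidentiality'. Returns the active mode or None."""
    m = re.search(r"\[(\w+)\]", text)
    return m.group(1) if m else None


def parse_version(text):
    """'6.9.3-arch1-1' -> (6, 9, 3); the distro suffix after the numbers is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable kernel release: {text!r}")
    return tuple(int(g) for g in m.groups(default="0"))


def assess(lockdown_text, sig_enforce_text, osrelease_text):
    """Return a list of findings; an empty list means all three controls hold."""
    findings = []
    mode = parse_lockdown(lockdown_text)
    if mode not in ("integrity", "confidentiality"):
        findings.append(
            f"kernel lockdown is {mode or 'unavailable'}; want integrity or confidentiality"
        )
    if sig_enforce_text.strip() != "Y":
        findings.append("module.sig_enforce is not Y; unsigned modules can be loaded")
    ver = parse_version(osrelease_text)
    if ver[:2] < MIN_KERNEL:
        findings.append(
            f"kernel {'.'.join(map(str, ver))} predates {MIN_KERNEL[0]}.{MIN_KERNEL[1]}"
        )
    return findings


def read_or(path, default):
    """Read a sysfs/procfs file, returning default when it is absent
    (e.g. lockdown LSM not built, or module signing not configured)."""
    try:
        return Path(path).read_text()
    except OSError:
        return default


def read_posture():
    """Assess the running host; missing interfaces count as the control being off."""
    return assess(
        read_or(LOCKDOWN_PATH, ""),
        read_or(SIG_ENFORCE_PATH, "N"),
        read_or(OSRELEASE_PATH, "0.0"),
    )


if __name__ == "__main__":
    for finding in read_posture() or ["all three controls in place"]:
        print(finding)
```

A host where the lockdown file is missing altogether is reported the same way as one in mode none, which is the conservative reading: without the lockdown LSM, the kernel does not restrict unsigned module loading or kernel memory access through its lockdown policy at all.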