New Linux Rootkit ‘Curing’ Exploits io_uring to Evade System Call Monitoring

Apr 25, 2025 | News






A new proof-of-concept rootkit dubbed Curing highlights a critical blind spot in Linux runtime security tools: by issuing its I/O through the io_uring interface instead of ordinary system calls, it operates without triggering syscall-based monitors. That sidesteps the detection approach on which several major runtime security solutions depend.


io_uring: A Legitimate Kernel Feature with Stealth Potential

Merged during the Linux 5.1 development cycle in March 2019 (5.1 itself was released in May 2019), io_uring is an interface for high-performance asynchronous I/O. A submission queue (SQ) and a completion queue (CQ) are shared between user space and the kernel as memory-mapped rings: an application writes submission queue entries (SQEs) describing the operations it wants, the kernel executes them and posts completion queue entries (CQEs), and many operations can be handed over and collected with far fewer kernel transitions than one syscall per I/O.

But that same design is a double-edged sword. An SQE can request operations such as IORING_OP_OPENAT, IORING_OP_READ, IORING_OP_WRITE or IORING_OP_CONNECT, so a process can open files and talk to the network without ever invoking openat(), read(), write() or connect(). The only syscall on the normal path is io_uring_enter(), and when the ring is created with IORING_SETUP_SQPOLL a kernel thread polls the submission queue and even that call becomes unnecessary. A monitor that hooks the conventional syscalls therefore sees nothing, which is exactly the gap attackers have begun to exploit.
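To make the mechanism concrete, here is an added example (written for this page, not ARMO's Curing code) that opens and reads a file using only io_uring operations, so the process never executes openat(2) or read(2). It drives the raw io_uring_setup/io_uring_enter syscalls without liburing, assumes a Linux kernel of 5.6 or newer (where IORING_OP_OPENAT and IORING_OP_READ exist), and uses /etc/hostname as an assumed default path. If io_uring is blocked (seccomp, or kernel.io_uring_disabled on 6.6+), it reports failure instead of falling back to ordinary syscalls, which is the point of the demonstration.

```c
/* Added example: read a file through io_uring only (no openat()/read() syscalls).
 * Not the Curing rootkit's code. Assumes Linux >= 5.6 and no liburing. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/io_uring.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#define QUEUE_DEPTH 4

struct ring {
    int fd;
    unsigned *sq_tail, *sq_mask, *sq_array, *cq_head, *cq_tail, *cq_mask;
    struct io_uring_sqe *sqes;
    struct io_uring_cqe *cqes;
    void *sq_ring, *cq_ring;
};

/* Encode IORING_OP_OPENAT: the kernel resolves the path on our behalf, so this
 * process never executes an openat(2) syscall that a syscall hook could see. */
void prep_openat(struct io_uring_sqe *sqe, const char *path, int flags) {
    memset(sqe, 0, sizeof *sqe);
    sqe->opcode = IORING_OP_OPENAT;
    sqe->fd = AT_FDCWD;                 /* dirfd for relative paths */
    sqe->addr = (unsigned long)path;
    sqe->open_flags = flags;
    sqe->user_data = 1;
}

/* Encode IORING_OP_READ on the fd returned by the OPENAT completion. */
void prep_read(struct io_uring_sqe *sqe, int fd, void *buf, unsigned len) {
    memset(sqe, 0, sizeof *sqe);
    sqe->opcode = IORING_OP_READ;
    sqe->fd = fd;
    sqe->addr = (unsigned long)buf;
    sqe->len = len;
    sqe->user_data = 2;
}

static void *map(int fd, size_t len, off_t off) {
    return mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd, off);
}

/* Create the ring and map the SQ ring, CQ ring and SQE array into our address space. */
static int ring_init(struct ring *r) {
    struct io_uring_params p;
    memset(&p, 0, sizeof p);
    r->fd = (int)syscall(SYS_io_uring_setup, QUEUE_DEPTH, &p);
    if (r->fd < 0) return -1;          /* ENOSYS/EPERM: seccomp or kernel.io_uring_disabled */
    r->sq_ring = map(r->fd, p.sq_off.array + p.sq_entries * sizeof(unsigned), IORING_OFF_SQ_RING);
    r->cq_ring = map(r->fd, p.cq_off.cqes + p.cq_entries * sizeof(struct io_uring_cqe), IORING_OFF_CQ_RING);
    r->sqes = map(r->fd, p.sq_entries * sizeof(struct io_uring_sqe), IORING_OFF_SQES);
    if (r->sq_ring == MAP_FAILED || r->cq_ring == MAP_FAILED || r->sqes == MAP_FAILED) return -1;
    char *sq = r->sq_ring, *cq = r->cq_ring;
    r->sq_tail = (unsigned *)(sq + p.sq_off.tail);
    r->sq_mask = (unsigned *)(sq + p.sq_off.ring_mask);
    r->sq_array = (unsigned *)(sq + p.sq_off.array);
    r->cq_head = (unsigned *)(cq + p.cq_off.head);
    r->cq_tail = (unsigned *)(cq + p.cq_off.tail);
    r->cq_mask = (unsigned *)(cq + p.cq_off.ring_mask);
    r->cqes = (struct io_uring_cqe *)(cq + p.cq_off.cqes);
    return 0;
}

/* Queue one SQE, submit it and wait for its completion. Returns the CQE result
 * (an fd, a byte count, or -errno). io_uring_enter is the only syscall here;
 * with IORING_SETUP_SQPOLL even that could be dropped. */
static int submit_wait(struct ring *r, const struct io_uring_sqe *req) {
    unsigned tail = *r->sq_tail, idx = tail & *r->sq_mask;
    r->sqes[idx] = *req;
    r->sq_array[idx] = idx;
    __atomic_store_n(r->sq_tail, tail + 1, __ATOMIC_RELEASE);
    if (syscall(SYS_io_uring_enter, r->fd, 1, 1, IORING_ENTER_GETEVENTS, NULL, 0) < 0) return -errno;
    unsigned head = *r->cq_head;
    if (head == __atomic_load_n(r->cq_tail, __ATOMIC_ACQUIRE)) return -EAGAIN;
    int res = r->cqes[head & *r->cq_mask].res;
    __atomic_store_n(r->cq_head, head + 1, __ATOMIC_RELEASE);
    return res;
}

/* Read up to len bytes of path using io_uring operations only. Returns the byte
 * count, or a negative value if io_uring is unavailable or an operation failed. */
int iouring_read_file(const char *path, char *buf, unsigned len) {
    struct ring r = {0};
    struct io_uring_sqe sqe;
    if (ring_init(&r) < 0) return -1;
    prep_openat(&sqe, path, O_RDONLY);
    int fd = submit_wait(&r, &sqe), n = fd;
    if (fd >= 0) {
        prep_read(&sqe, fd, buf, len);
        n = submit_wait(&r, &sqe);
        close(fd);                      /* IORING_OP_CLOSE would avoid even this syscall */
    }
    close(r.fd);                        /* ring mappings are left to exit() in this demo */
    return n;
}

int main(int argc, char **argv) {
    char buf[256] = {0};
    int n = iouring_read_file(argc > 1 ? argv[1] : "/etc/hostname", buf, sizeof buf - 1);
    if (n < 0) { fprintf(stderr, "io_uring read failed (%d)\n", n); return 1; }
    printf("read %d bytes without openat()/read(): %.*s", n, n, buf);
    return 0;
}
```

Run it under strace (`strace -f -e trace=openat,read ./a.out /etc/hostname`) and neither syscall appears for the target file; only io_uring_setup, mmap and io_uring_enter do. That is the whole evasion: the file and network operations are still performed by the kernel, just not through the entry points a syscall-only monitor watches.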


How the Curing Rootkit Works

Developed by security researchers at ARMO, the Curing rootkit establishes a covert communication channel between an infected system and a command-and-control (C2) server, fetches commands from it and executes them, all without using the system calls that runtime security tools typically monitor.

Instead, the rootkit performs those file and network operations through io_uring, keeping its activity beneath the radar of tools such as Falco and Tetragon, both of which rely primarily on system call hooking to detect malicious behavior.


Security Tools Caught Off Guard

In ARMO’s assessment, leading Linux runtime detection solutions are “blind” to the attack because they assume that syscall monitoring alone gives them complete visibility.

“This mechanism allows a user application to perform various actions without using system calls,” ARMO explained in its report. “As a result, security tools relying on system call monitoring are blind to rootkits working solely on io_uring.”

Amit Schendel, Head of Security Research at ARMO, emphasized the larger issue: “Many vendors take the most straightforward path: hooking directly into system calls. While this approach offers quick visibility, it comes with limitations. Most notably, system calls aren’t always guaranteed to be invoked. io_uring, which can bypass them entirely, is a positive and great example.”




Warnings from Google and the Broader Security Community

The risks of io_uring are not new. In June 2023, Google publicly disclosed its decision to limit io_uring usage across Android (where its seccomp filters make the interface unreachable to apps), ChromeOS and its internal production servers, citing the feature’s ability to “provide strong exploitation primitives”: a large share of the Linux kernel exploits submitted to Google’s kCTF programme had targeted io_uring bugs.

Despite being a legitimate, performance-oriented Linux feature, io_uring has thus become attractive to attackers twice over: first as a source of kernel exploitation primitives and now, as Curing demonstrates, as a way to evade runtime detection once code is already running on the host.


What’s Next for Linux Runtime Defense?

The Curing PoC is a wake-up call for defenders relying solely on syscall tracing for runtime visibility. Practical responses exist at several layers: treat the io_uring syscalls themselves (io_uring_setup, io_uring_enter, io_uring_register) as events worth logging, since most workloads never touch them and a new user stands out against a baseline; hook below the syscall boundary, with kprobes or LSM hooks on the VFS and socket functions that both the syscall path and the io_uring path end up calling; inventory which processes hold io_uring instances; and where io_uring is not needed at all, disable it outright, via seccomp or, on Linux 6.6 and later, the kernel.io_uring_disabled sysctl (2 disables the interface, 1 restricts it to privileged processes and members of io_uring_group). The broader lesson is the need for deeper inspection of kernel structures, alternative monitoring paths, and awareness of less conventional attack surfaces.
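One of those alternative monitoring paths needs no syscall hooks at all: the kernel renders an io_uring instance in /proc/<pid>/fd as a symlink to the text “anon_inode:[io_uring]”, so a periodic scan of /proc shows which processes hold rings. The following is an added example written for this page (not part of Falco, Tetragon or ARMO’s work) that performs that inventory. It takes the proc root as a parameter so a constructed directory tree can stand in for /proc; reading another user’s fd links requires ptrace-level access, which in practice means running it as root.

```c
/* Added example: inventory processes holding io_uring instances by reading the
 * targets of /proc/<pid>/fd/* symlinks. Not vendor or ARMO code. */
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define IO_URING_TARGET "anon_inode:[io_uring]"

/* Count the fds of one process whose link target names an io_uring instance.
 * Returns -1 if the fd directory cannot be read (no such pid, or no permission). */
int io_uring_fds_of(const char *proc_root, const char *pid) {
    char dir[PATH_MAX], link[PATH_MAX], target[PATH_MAX];
    snprintf(dir, sizeof dir, "%s/%s/fd", proc_root, pid);
    DIR *d = opendir(dir);
    if (!d) return -1;
    int count = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;
        snprintf(link, sizeof link, "%s/%s", dir, e->d_name);
        ssize_t n = readlink(link, target, sizeof target - 1);
        if (n < 0) continue;            /* fd closed between readdir and readlink */
        target[n] = '\0';
        if (strcmp(target, IO_URING_TARGET) == 0) count++;
    }
    closedir(d);
    return count;
}

/* Walk every numeric entry under proc_root and call cb (if non-NULL) for each
 * process holding at least one io_uring fd. Returns the number of such processes,
 * or -1 if proc_root itself cannot be opened. */
int scan_io_uring_users(const char *proc_root, void (*cb)(const char *pid, int nfds)) {
    DIR *d = opendir(proc_root);
    if (!d) return -1;
    int hits = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0])) continue;   /* skip self, sys, ... */
        int n = io_uring_fds_of(proc_root, e->d_name);
        if (n > 0) {
            hits++;
            if (cb) cb(e->d_name, n);
        }
    }
    closedir(d);
    return hits;
}

/* Report callback for a live scan: resolve the process name from /proc/<pid>/comm. */
static void report(const char *pid, int nfds) {
    char comm_path[PATH_MAX], comm[64] = "?";
    snprintf(comm_path, sizeof comm_path, "/proc/%s/comm", pid);
    FILE *f = fopen(comm_path, "r");
    if (f) {
        if (fgets(comm, sizeof comm, f)) comm[strcspn(comm, "\n")] = '\0';
        fclose(f);
    }
    printf("pid %s (%s): %d io_uring fd(s)\n", pid, comm, nfds);
}

int main(void) {
    int n = scan_io_uring_users("/proc", report);
    if (n < 0) { perror("/proc"); return 1; }
    printf("%d process(es) holding io_uring instances\n", n);
    return 0;
}
```

Treat the output as baseline input rather than an alert on its own: legitimate high-performance software (libuv-based runtimes, some databases, QEMU) uses io_uring, so the useful signal is a process that has never used it before, or one whose name does not match the expected users, appearing in the list. Pair the scan with logging of the io_uring syscalls themselves to catch short-lived rings that close before a periodic sweep runs.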

As Linux continues to evolve, security tools must evolve with it — or risk being outpaced by the attackers already taking advantage of the next generation of stealth techniques.


Source: thehackernews.com
