RingReaper io_uring-based Linux malware analysis exposes EDR evasion and self-deletion
Technical Analysis
Summary
A newly observed RingReaper implant uses io_uring to evade EDR monitoring on Linux systems, creating a defensive blind spot on enterprise servers and cloud workloads. The malware routes process discovery, network enumeration, and self-deletion through asynchronous I/O instead of traditional syscalls, making syscall-hook-based telemetry less effective. The technique matters because it shows how post-exploitation tooling can blend into modern kernel activity while reducing forensic visibility.
Related Happenings
EDR-Freeze user-mode race condition against Windows Error Reporting and MiniDumpWriteDump
Technical Analysis
First: 22.09.2025 20:07
Last: 22.09.2025 20:07
Sources: 1
About this happening:
Researchers demonstrated **EDR-Freeze**, a **user-mode** race condition that can freeze **EDR** and antivirus processes on **Windows 11 24H2**, weakening endpoint defenses without...
Timeline
- 19.08.2025 23:01 · 1 article · 9mo ago
Picus Security analyzes RingReaper's io_uring-based Linux EDR evasion
Technical Analysis Update
Picus Security analyzes RingReaper, a stealthy post-exploitation Linux malware tool that uses the Linux kernel's io_uring framework to replace traditional syscalls and reduce the traces that endpoint detection and response (EDR) tools rely on. The analysis says the malware surfaced mid-year in 2025 and targets enterprise Linux servers and cloud workloads, using io_uring for process discovery, pseudo-terminal enumeration, active network connection discovery, logged-in user enumeration, data collection, privilege escalation, and a self-destruct routine that erases its binaries and reduces forensic visibility.
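The entry above describes two things a defender can look for without hooking syscalls: which processes hold an io_uring instance at all, and whether any of them is running from a binary that has already been removed from disk (the self-destruct behaviour). The script below is an added example written for this page; it is not code from Picus Security, the Dark Reading article, or the malware. It relies on two standard Linux facts: the descriptor returned by io_uring_setup() appears under /proc/<pid>/fd/ as a symlink whose target reads `anon_inode:[io_uring]`, and readlink on /proc/<pid>/exe ends in ` (deleted)` once the running binary has been unlinked. The allowlist of expected io_uring users and the sample process table are constructed assumptions, not observations from any real host.

```python
"""Inventory io_uring users from a /proc walk and rank the ones worth a look.

Added example for this page, not the analysed tool's code. Kernel behaviour relied on:
  * an io_uring fd shows up in /proc/<pid>/fd/ as "anon_inode:[io_uring]"
  * /proc/<pid>/exe gains the suffix " (deleted)" once the binary is unlinked
The allowlist and SAMPLE_PROCS below are constructed assumptions.
"""
import os
from dataclasses import dataclass, field
from typing import FrozenSet, List

IO_URING_TARGET = "anon_inode:[io_uring]"
DELETED_SUFFIX = " (deleted)"

# Hypothetical allowlist of programs expected to use io_uring on this host;
# tune per environment. An empty set reports every io_uring user as "medium".
DEFAULT_ALLOWLIST: FrozenSet[str] = frozenset({"qemu-system-x86_64", "postgres"})


@dataclass
class ProcInfo:
    pid: int
    comm: str                                   # contents of /proc/<pid>/comm
    exe: str                                    # readlink(/proc/<pid>/exe)
    fd_targets: List[str] = field(default_factory=list)  # readlink of each fd


@dataclass
class Finding:
    pid: int
    comm: str
    rings: int            # number of io_uring instances the process holds
    exe_deleted: bool     # binary gone from disk while still running
    allowlisted: bool

    @property
    def severity(self) -> str:
        if self.exe_deleted:
            return "high"      # io_uring user whose executable was removed
        if not self.allowlisted:
            return "medium"    # io_uring user not expected on this host
        return "info"


def count_rings(fd_targets: List[str]) -> int:
    """Count fd symlink targets that point at an io_uring instance."""
    return sum(1 for t in fd_targets if t == IO_URING_TARGET)


def analyse(procs: List[ProcInfo],
            allowlist: FrozenSet[str] = DEFAULT_ALLOWLIST) -> List[Finding]:
    """One Finding per process holding io_uring, most severe first, then by pid."""
    order = {"high": 0, "medium": 1, "info": 2}
    findings = []
    for p in procs:
        rings = count_rings(p.fd_targets)
        if rings == 0:
            continue
        findings.append(Finding(p.pid, p.comm, rings,
                                p.exe.endswith(DELETED_SUFFIX),
                                p.comm in allowlist))
    return sorted(findings, key=lambda f: (order[f.severity], f.pid))


def collect_from_proc(proc_root: str = "/proc") -> List[ProcInfo]:
    """Live collector for a Linux host; reading other users' fd tables needs root."""
    procs = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            exe = os.readlink(os.path.join(base, "exe"))
            fd_dir = os.path.join(base, "fd")
            targets = []
            for fd in os.listdir(fd_dir):
                try:
                    targets.append(os.readlink(os.path.join(fd_dir, fd)))
                except OSError:
                    pass            # fd closed between listdir and readlink
        except OSError:
            continue                # process exited or permission denied
        procs.append(ProcInfo(int(name), comm, exe, targets))
    return procs


# Constructed sample standing in for a /proc walk (not real telemetry).
SAMPLE_PROCS = [
    ProcInfo(412, "postgres", "/usr/lib/postgresql/bin/postgres",
             ["socket:[10201]", IO_URING_TARGET, "/var/lib/postgresql/data"]),
    ProcInfo(901, "sshd", "/usr/sbin/sshd", ["socket:[11044]", "/dev/null"]),
    ProcInfo(1337, "example-implant", "/tmp/example-implant" + DELETED_SUFFIX,
             [IO_URING_TARGET, IO_URING_TARGET, "socket:[12001]"]),
    ProcInfo(1500, "backup-agent", "/opt/backup/agent", [IO_URING_TARGET, "/dev/sda1"]),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_PROCS):
        print(f"{f.severity:6} pid={f.pid} comm={f.comm} rings={f.rings} "
              f"exe_deleted={f.exe_deleted}")
```

On a real host, replace `SAMPLE_PROCS` with `collect_from_proc()`; the check is a point-in-time inventory, so run it on a schedule and diff against the previous run rather than relying on a single pass. It does not see io_uring operations themselves, only the presence of a ring, which is exactly the layer the syscall-hook telemetry discussed above misses.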
Sources
- 'RingReaper' Sneaks Right Past Linux EDRs — www.darkreading.com — 19.08.2025 23:01