RingReaper Malware Exploits io_uring to Evade Linux EDRs
Summary
A sophisticated post-exploitation tool named RingReaper has been observed using the io_uring framework in the Linux kernel to evade endpoint detection and response (EDR) systems. This malware, first detected mid-2025, targets enterprise Linux servers and cloud workloads by replacing traditional system calls with io_uring operations, making it difficult for EDR tools to detect. RingReaper performs various malicious activities, including process discovery, data collection, and privilege escalation, all while minimizing forensic visibility. The malware's use of io_uring represents a significant evolution in evasion techniques, highlighting the need for enhanced monitoring and security measures in Linux environments. RingReaper operates entirely in-memory, avoiding disk-based detection, and can target a wide range of Linux devices.
Timeline
- 19.08.2025 23:01 (2 articles)
  RingReaper Malware Exploits io_uring to Evade Linux EDRs
  A sophisticated post-exploitation tool named RingReaper has been observed using the io_uring framework in the Linux kernel to evade endpoint detection and response (EDR) systems. This malware, first detected mid-2025, targets enterprise Linux servers and cloud workloads by replacing traditional system calls with io_uring operations, making it difficult for EDR tools to detect. RingReaper performs various malicious activities, including process discovery, data collection, and privilege escalation, all while minimizing forensic visibility. The malware's use of io_uring represents a significant evolution in evasion techniques, highlighting the need for enhanced monitoring and security measures in Linux environments. RingReaper operates entirely in-memory, avoiding disk-based detection, and can target a wide range of Linux devices. The malware uses io_uring to enumerate system processes, active pseudo-terminal (PTS) sessions, network connections, and logged-in users. It collects user information from the /etc/passwd file and abuses SUID binaries for privilege escalation. The malware includes a self-destruct feature that erases its binaries and removes traces of its presence on the system.
  Sources:
  - 'RingReaper' Sneaks Right Past Linux EDRs | www.darkreading.com | 19.08.2025 23:01
  - Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection | thehackernews.com | 22.08.2025 17:31
Information Snippets
- RingReaper leverages the io_uring framework (available since Linux kernel 5.1) to perform asynchronous I/O operations, reducing the traces typically detected by EDR tools.
  First reported: 19.08.2025 23:01 (2 sources, 2 articles). Sources:
  - 'RingReaper' Sneaks Right Past Linux EDRs | www.darkreading.com | 19.08.2025 23:01
  - Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection | thehackernews.com | 22.08.2025 17:31
- The malware uses io_uring for process discovery, network enumeration, data collection, and privilege escalation.
  First reported: 19.08.2025 23:01 (2 sources, 2 articles). Sources:
  - 'RingReaper' Sneaks Right Past Linux EDRs | www.darkreading.com | 19.08.2025 23:01
  - Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection | thehackernews.com | 22.08.2025 17:31
- RingReaper includes a self-destruct feature that erases its binaries and removes traces of its presence on the system.
  First reported: 19.08.2025 23:01 (2 sources, 2 articles). Sources:
  - 'RingReaper' Sneaks Right Past Linux EDRs | www.darkreading.com | 19.08.2025 23:01
  - Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection | thehackernews.com | 22.08.2025 17:31
- The malware targets enterprise Linux servers and cloud workloads, where EDR agents are deployed and stealth is crucial.
  First reported: 19.08.2025 23:01 (1 source, 1 article). Sources:
  - 'RingReaper' Sneaks Right Past Linux EDRs | www.darkreading.com | 19.08.2025 23:01
- RingReaper's author is likely highly sophisticated, since building the tool requires expert knowledge of Linux kernel APIs and asynchronous I/O.
  First reported: 19.08.2025 23:01 (1 source, 1 article). Sources:
  - 'RingReaper' Sneaks Right Past Linux EDRs | www.darkreading.com | 19.08.2025 23:01
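The snippets above describe the evasion at the API level: EDR hooks on read/recv/connect-style syscalls see nothing when the same work goes through io_uring. A defender-side check that does not depend on syscall hooks, added here as an example (not code from the page or from any RingReaper analysis): every io_uring instance is a file descriptor on an anonymous inode, so /proc/<pid>/fd/<n> resolves to anon_inode:[io_uring], and walking /proc inventories which processes hold rings. The function names, the pids 1 and 4242, and the comm values are constructed for the demo.

```python
# Added defender-side example, not code from the page or any RingReaper sample:
# inventory processes holding io_uring descriptors by reading /proc/<pid>/fd links.
import os
import tempfile

IO_URING_LINK = "anon_inode:[io_uring]"

def io_uring_fd_count(pid_dir):
    """Descriptors under <pid_dir>/fd that resolve to an io_uring inode."""
    fd_dir = os.path.join(pid_dir, "fd")
    count = 0
    try:  # listdir fails if the process exited or the hunter lacks privileges
        for fd in os.listdir(fd_dir):
            count += os.readlink(os.path.join(fd_dir, fd)) == IO_URING_LINK
    except OSError:  # a readlink race keeps the partial count for this pid
        pass
    return count

def find_io_uring_users(proc_root="/proc"):
    """Sorted [(pid, comm, ring_count)] for processes holding io_uring fds."""
    hits = []
    for name in filter(str.isdigit, os.listdir(proc_root)):
        pid_dir = os.path.join(proc_root, name)
        n = io_uring_fd_count(pid_dir)
        if n:
            try:
                with open(os.path.join(pid_dir, "comm")) as f:
                    comm = f.read().strip()
            except OSError:
                comm = "?"
            hits.append((int(name), comm, n))
    return sorted(hits)

def build_constructed_proc(root):
    """Constructed fake procfs: pid 1 holds no ring, pid 4242 holds two."""
    fake = {1: ("systemd", ["socket:[1234]"]),
            4242: ("updater", [IO_URING_LINK, "/dev/null", IO_URING_LINK])}
    for pid, (comm, links) in fake.items():
        os.makedirs(os.path.join(root, str(pid), "fd"))
        with open(os.path.join(root, str(pid), "comm"), "w") as f:
            f.write(comm + "\n")
        for n, target in enumerate(links):
            os.symlink(target, os.path.join(root, str(pid), "fd", str(n)))

def run_constructed_demo():
    """Run the hunt over the constructed procfs instead of the live /proc."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_proc(root)
        return find_io_uring_users(root)
```

On a live host call find_io_uring_users() as root and compare against the set of services known to use io_uring (databases, some runtimes); on fleets with no legitimate users, the kernel.io_uring_disabled sysctl on Linux 6.6 and later (1 blocks unprivileged users, 2 disables it entirely) removes the primitive altogether.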
Similar Happenings
UNC5518 deploys CORNFLAKE.V3 backdoor via ClickFix and fake CAPTCHA pages
UNC5518, an access-as-a-service threat actor, deploys the CORNFLAKE.V3 backdoor using the ClickFix social engineering tactic and fake CAPTCHA pages. This backdoor is used by at least two other groups, UNC5774 and UNC4108, to initiate multi-stage infections and drop additional payloads. The attack begins with users being tricked into running a malicious PowerShell script via a fake CAPTCHA page. The script executes a dropper payload that ultimately launches CORNFLAKE.V3, which supports various payload types and collects system information. The backdoor has been observed in both JavaScript and PHP versions and uses Cloudflare tunnels to avoid detection. A new ClickFix variant manipulates AI-generated text summaries to deliver malicious commands, turning AI tools into active participants in social engineering attacks.
Warlock Ransomware Exploits SharePoint Vulnerabilities
Warlock ransomware targets vulnerable on-premises Microsoft SharePoint servers, exploiting recent vulnerabilities to gain access and escalate privileges. The ransomware, believed to be a derivative of LockBit 3.0, uses DLL sideloading and other tactics to evade detection and spread within compromised networks. The campaign includes extensive reconnaissance, credential dumping, and lateral movement, ultimately deploying ransomware and leaving ransom notes in affected directories. The threat actor behind Warlock is suspected to be Storm-2603, a China-backed group known for targeting SharePoint vulnerabilities. The ransomware has been observed targeting government agencies and private-sector organizations across multiple countries. Microsoft has released patches for the affected SharePoint versions, and organizations are advised to apply these updates immediately to mitigate the risk.
GodRAT Trojan targets trading firms with steganography and Gh0st RAT code
A new remote access trojan (RAT) called GodRAT targets trading and brokerage firms. The malware is delivered via malicious .SCR files disguised as financial documents sent over Skype. The campaign uses steganography to hide shellcode within image files, which downloads the malware from a command-and-control (C2) server. The attacks have been active since September 2024 and target several countries, including Hong Kong and the United Arab Emirates. GodRAT is based on Gh0st RAT and employs a plugin-based approach to harvest sensitive information and deliver secondary payloads. The malware is linked to the Winnti (APT41) threat actor. The screen saver files act as self-extracting executables that sideload a malicious DLL. This DLL extracts shellcode from a .JPG image, leading to the deployment of GodRAT. The trojan communicates with the C2 server to collect system information and execute various commands, including injecting plugins, downloading files, and opening URLs. One of the plugins is a FileManager DLL that can perform file operations and deliver additional payloads, such as a password stealer and AsyncRAT.
DripDropper Malware Campaign Exploits and Patches CVE-2023-46604 in Apache ActiveMQ
A threat actor, dubbed DripDropper, exploited a nearly 2-year-old vulnerability (CVE-2023-46604) in Apache ActiveMQ to compromise Linux servers. The attacker then patched the same vulnerability to prevent other threat actors from exploiting it. The campaign involved deploying a new malware loader, DripDropper, which communicates with an attacker-controlled Dropbox account. The attackers used various tools, including the Sliver framework and Cloudflare Tunnels, to maintain persistent access to compromised systems. The attackers modified existing sshd configurations to enable root login, granting them elevated access. The DripDropper malware is a PyInstaller ELF binary that requires a password to run, resisting analysis. The campaign highlights the importance of timely patching and robust security practices. The attackers targeted Linux servers running vulnerable versions of Apache ActiveMQ. They used the vulnerability to gain initial access, perform reconnaissance, and deploy malware. The campaign was discovered by Red Canary while monitoring cloud-based Linux environments. The attackers' tactics included patching the exploited vulnerability to prevent other threat actors from using the same flaw and to avoid detection by automated scans.
Public Exploit for Chained SAP Flaws Enables Remote Code Execution
A public exploit combining two critical, now-patched security flaws in SAP NetWeaver has emerged, exposing unpatched systems to remote code execution. The exploit chains CVE-2025-31324 and CVE-2025-42999 to bypass authentication and execute arbitrary commands. Multiple threat actors, including ransomware groups and espionage crews, have weaponized these vulnerabilities, which were exploited as zero-days since at least March 2025. The exploit allows unauthenticated attackers to execute arbitrary commands, upload files, and achieve complete system takeover. The vulnerabilities were addressed by SAP in April and May 2025, but many systems remain unpatched. The exploit can also be used for living-off-the-land attacks, executing OS commands with SAP administrator privileges. The exploit was released by Scattered Lapsus$ Hunters, a new alliance formed by Scattered Spider and ShinyHunters. The deserialization gadget in the exploit can be reused to exploit other recently patched SAP vulnerabilities. The exploit was published on VX-Underground and shared on the social media platform X. The attack chain involves first exploiting CVE-2025-31324 to access critical functionality and then exploiting CVE-2025-42999 to deserialize the payload and execute code with SAP system privileges. The vulnerabilities can be mitigated by applying SAP Security Note 3594142 and Security Note 3604119.