RingReaper post-exploitation tool leverages io_uring to evade Linux EDRs

2 unique sources, 2 articles

Summary

A sophisticated post-exploitation tool named RingReaper has emerged, targeting Linux systems. It uses the io_uring framework to evade detection by endpoint detection and response (EDR) systems. RingReaper performs various malicious activities, including process discovery, network enumeration, and privilege escalation, while minimizing its footprint. The tool has been observed in the wild since mid-2025, primarily targeting enterprise Linux servers and cloud workloads. The malware's use of io_uring allows it to bypass traditional syscall hooks relied upon by most Linux EDRs, making it difficult to detect. RingReaper includes a self-destruct feature to erase its presence from the system, further complicating forensic analysis. The tool also enumerates system processes, active pseudo-terminal sessions, network connections, and logged-in users, and collects user information from the /etc/passwd file. It abuses SUID binaries for privilege escalation. The tool's development indicates a high level of sophistication, suggesting it was created by a well-funded actor with deep knowledge of Linux kernel APIs and asynchronous I/O.

Timeline

  1. 19.08.2025 23:01 (2 articles)

    RingReaper post-exploitation tool observed in the wild

    RingReaper, a post-exploitation tool targeting Linux systems, has been observed in the wild since mid-2025. The tool leverages the io_uring framework to evade detection by EDR systems, performing various malicious activities while minimizing its footprint. It includes a self-destruct feature to erase its presence from the system, further complicating forensic analysis. The malware's development indicates a high level of sophistication, suggesting it was created by a well-funded actor with deep knowledge of Linux kernel APIs and asynchronous I/O. RingReaper enumerates system processes, active pseudo-terminal sessions, network connections, and logged-in users, and collects user information from the /etc/passwd file. It abuses SUID binaries for privilege escalation.
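The summary and timeline entry above make one detection-relevant point: io_uring submits I/O through shared rings rather than through the syscalls most Linux EDRs hook. An added defensive example, not code from the RingReaper reporting or any vendor product: it inventories which processes hold io_uring descriptors (visible as the `anon_inode:[io_uring]` link target under `/proc/<pid>/fd`) and reads the `kernel.io_uring_disabled` sysctl that Linux 6.6+ exposes to restrict ring creation. The proc layout and sysctl semantics are assumptions stated in the comments; the sample fd map in the test is constructed.

```python
import os
import re

IO_URING_LINK = re.compile(r"anon_inode:\[io_uring\]")  # readlink() target of a ring fd

def find_io_uring_users(fd_map: dict[int, list[str]]) -> dict[int, int]:
    """Return {pid: io_uring fd count} for pids holding at least one ring.
    fd_map is {pid: [readlink() targets of /proc/<pid>/fd/*]}."""
    hits: dict[int, int] = {}
    for pid, targets in fd_map.items():
        n = sum(1 for t in targets if IO_URING_LINK.fullmatch(t))
        if n:
            hits[pid] = n
    return hits

def io_uring_policy(sysctl_value: str) -> str:
    """Interpret kernel.io_uring_disabled (Linux >= 6.6): 0 = any process may
    create rings, 1 = only CAP_SYS_ADMIN or kernel.io_uring_group members, 2 = off."""
    return {"0": "enabled", "1": "restricted", "2": "disabled"}.get(
        sysctl_value.strip(), "unknown")

def snapshot_proc(proc_root: str = "/proc") -> dict[int, list[str]]:
    """Collect fd link targets for every process we are allowed to inspect."""
    fd_map: dict[int, list[str]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        targets: list[str] = []
        try:
            for fd in os.listdir(fd_dir):
                try:
                    targets.append(os.readlink(os.path.join(fd_dir, fd)))
                except OSError:
                    continue  # fd closed between listdir() and readlink()
        except OSError:
            continue  # process exited, or not ours and we are not root
        fd_map[int(entry)] = targets
    return fd_map

if __name__ == "__main__":
    # Run as root for full coverage; diff the result against known io_uring users
    # (databases, some runtimes) rather than treating any hit as malicious.
    for pid, n in sorted(find_io_uring_users(snapshot_proc()).items()):
        print(f"pid {pid}: {n} io_uring fd(s)")
    try:
        with open("/proc/sys/kernel/io_uring_disabled") as f:
            print("kernel.io_uring_disabled:", io_uring_policy(f.read()))
    except FileNotFoundError:
        print("kernel.io_uring_disabled: not available (kernel older than 6.6)")
```

Setting `kernel.io_uring_disabled=2` (or 1 plus an `io_uring_group`) on hosts that have no legitimate io_uring workload removes the evasion path outright, at the cost of breaking any software that depends on it.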

Similar Happenings

APT28 deploys NotDoor backdoor via Microsoft Outlook

APT28, a Russian state-sponsored threat group, has been identified deploying a new backdoor malware named NotDoor through Microsoft Outlook. This malware exploits Outlook to facilitate covert communication, data exfiltration, and malware delivery. The backdoor is triggered by specific words in incoming emails, allowing attackers to execute commands on the victim's computer. NotDoor is distributed via a legitimate signed binary, Microsoft's OneDrive.exe, which is vulnerable to DLL sideloading. The malware uses PowerShell commands encoded in Base64 to perform various functions, including disabling macro security defenses and enabling macro execution. The backdoor maintains persistent access to the targeted system and can initiate data exfiltration through email attachments or upload malicious files. The malware has been used to target multiple companies from different sectors in NATO member countries. It creates a staging folder at %TEMP%\Temp to store and exfiltrate files, and supports commands for command execution, file exfiltration, and uploading files to the victim's computer.

Emergence of AI-Powered Ransomware Strain PromptLock

A new AI-powered ransomware strain, named PromptLock, has been identified by ESET researchers. The ransomware leverages an AI model to generate Lua scripts on the fly, complicating detection and defense. PromptLock is not yet active in the wild but is nearly ready for deployment. It can exfiltrate files and encrypt data, with plans to add file destruction capabilities. The ransomware was uploaded to VirusTotal from the United States and is written in Go, targeting Windows, Linux, and macOS systems. The Bitcoin address used for ransom payments is linked to Satoshi Nakamoto. The development of AI-driven ransomware presents new challenges for cybersecurity defenders. The ransomware strain was discovered by Anton Cherepanov and Peter Strycek, who shared their findings on social media 18 hours after detecting samples on VirusTotal. The use of AI in ransomware introduces variability in indicators of compromise (IoCs), making detection more difficult. PromptLock uses the SPECK 128-bit encryption algorithm to lock files and can generate custom notes based on the files affected and the type of infected machine. The attacker can establish a proxy or tunnel from the compromised network to a server running the Ollama API with the gpt-oss-20b model.

Transparent Tribe Targets Indian Government with Dual-Platform Malware Campaign

APT36, also known as Transparent Tribe, is targeting both Windows and BOSS Linux systems in ongoing attacks against Indian government and defense entities. The campaign, active since August 1, 2025, involves phishing emails delivering malicious .desktop files disguised as PDFs. The malware facilitates data exfiltration, persistent espionage access, and includes anti-debugging and anti-sandbox checks. The malware also targets the Kavach 2FA solution used by Indian government agencies. The attack leverages the .desktop file's 'Exec=' field to execute a sequence of shell commands that download and run a Go-based ELF payload. The payload establishes persistence through cron jobs and systemd services, and communicates with a C2 server via a WebSocket channel. The technique allows APT36 to evade detection by abusing a legitimate Linux feature that is not typically monitored for threats. The campaign demonstrates APT36's evolving tactics, becoming more evasive and sophisticated.

UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages

The FileFix social engineering attack, a variant of the ClickFix family, impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The campaign has evolved over two weeks with different payloads, domains, and lures, indicating an attacker testing and adapting their infrastructure. The FileFix technique, created by red team researcher mr. d0x, uses the address bar in File Explorer to execute malicious commands. The campaign employs steganography to hide a second-stage PowerShell script and encrypted executables inside a JPG image, which is believed to be AI-generated. The StealC malware targets credentials from various applications, cryptocurrency wallets, and cloud services, and can take screenshots of the active desktop. The FileFix attack uses a multilingual phishing site to trick users into executing a malicious command via the File Explorer address bar. The attack leverages Bitbucket to host the malicious components, abusing a legitimate source code hosting platform to bypass detection. The attack involves a multi-stage PowerShell script that downloads an image, decodes it into the next-stage payload, and runs a Go-based loader to launch StealC. The attack uses advanced obfuscation techniques, including junk code and fragmentation, to hinder analysis efforts. The FileFix attack is more likely to be detected by security products due to the payload being executed by the web browser used by the victim. The FileFix attack demonstrates significant investment in tradecraft, with carefully engineered phishing infrastructure, payload delivery, and supporting elements to maximize evasion and impact. The MetaStealer attack, a variant of the ClickFix family, uses a fake Cloudflare Turnstile lure and an MSI package disguised as a PDF to deploy the MetaStealer infostealer malware. The attack involves a multi-stage infection chain that includes a DLL sideloading technique using a legitimate SentinelOne executable. The MetaStealer attack targets crypto wallets and other sensitive information, using a combination of social engineering and technical evasion techniques to deploy malware. Previously, threat actors tracked as UNC5518 leveraged a social engineering tactic called ClickFix to deploy the CORNFLAKE.V3 backdoor. The campaign used fake CAPTCHA pages to trick users into executing malicious PowerShell scripts, providing initial access to systems. This access was then monetized by other threat groups, including UNC5774 and UNC4108, which deployed additional payloads. The attack began with users interacting with compromised search results or malicious ads, leading them to fake CAPTCHA pages. Users were then tricked into running a malicious PowerShell command, which downloaded and executed the CORNFLAKE.V3 backdoor. This backdoor supported various payload types and could collect system information, which was transmitted via Cloudflare tunnels to evade detection. CORNFLAKE.V3 is an updated version of CORNFLAKE.V2, featuring host persistence and additional payload support. The campaign also involved the deployment of WINDYTWIST.SEA, a backdoor that supports lateral movement within infected networks.

QuirkyLoader Malware Distributes Multiple Payloads via Email Spam Campaigns

A new malware loader, QuirkyLoader, has been observed in email spam campaigns since November 2024. It delivers various payloads, including Agent Tesla, AsyncRAT, and Snake Keylogger. The loader uses DLL side-loading and process hollowing techniques to inject malware into legitimate processes. Two recent campaigns targeted Taiwan and Mexico, focusing on specific organizations and random infections, respectively. The malware employs advanced evasion tactics, such as .NET AOT compilation, and has been used in limited campaigns since July 2025. Additionally, new phishing trends, including QR code phishing and precision-validated phishing, have been observed, highlighting the evolving tactics of threat actors.