Elastic Security Labs has detailed the evolution of Linux rootkits in a two-part research series published on March 5, 2026. These modern threats exploit kernel features like eBPF and io_uring to remain hidden in cloud, IoT, and server environments. The research highlights how such rootkits evade traditional detection methods.
Linux rootkits have emerged as a significant threat to modern infrastructure, particularly with the growing adoption of Linux in cloud environments, container orchestration, IoT devices, and high-performance computing. Attackers who traditionally focused on Windows systems have shifted their attention to Linux, developing rootkits that manipulate the operating system to conceal processes, hide files, mask network connections, and suppress their presence in kernel module lists.
A rootkit's primary objective is stealth, allowing prolonged access to high-value targets such as government servers, telecom infrastructure, and cloud providers without triggering alerts. Elastic Security Labs' researchers traced this progression through generations: from early 2000s shared-object hijacking, to loadable kernel module (LKM) implants, and now to eBPF-based and io_uring-powered evasion techniques.
Real-world examples include TripleCross, Boopkit, and RingReaper, documented in 2025. eBPF, originally designed as a safe in-kernel virtual machine for packet filtering and tracing, enables attackers to hook syscalls and intercept kernel events without loading traditional modules. This bytecode passes through the kernel's verifier and is JIT-compiled, appearing legitimate. eBPF programs attach to syscall entry tracepoints or Linux Security Module (LSM) hooks for visibility into processes, files, and networks.
io_uring, introduced in Linux 5.1 for high-performance asynchronous I/O, allows batching of operations via shared memory rings, reducing observable syscall events. This blinds endpoint detection and response (EDR) tools reliant on syscall monitoring.
Traditional tools like rkhunter and chkrootkit fail against these, as eBPF implants do not appear in /proc/modules and bypass Secure Boot. Elastic recommends monitoring anomalous io_uring_enter and io_uring_register syscalls, auditing loaded eBPF programs, using memory forensics, kernel integrity checks, and sub-OS telemetry. Organizations should enforce kernel lockdown, module signing, and kernel updates beyond version 6.9, which disrupt older hooking methods.
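The two detection recommendations above (watching io_uring syscalls and auditing loaded eBPF programs) can be turned into a small baseline check. The following is an added example, not code from Elastic Security Labs or the research series; it parses constructed auditd SYSCALL records (the shape produced by an `auditctl -S io_uring_enter -S io_uring_register` rule) and a constructed `bpftool prog show` listing, then flags io_uring users outside an allow-list and hook-type eBPF programs not held by a known loader. The executable paths, process names and allow-lists are hypothetical.

```python
"""Baseline checks for io_uring syscall activity and loaded eBPF programs.
Added example; the sample telemetry below is constructed, not captured."""
import re

# x86_64 syscall numbers of the io_uring family (added in Linux 5.1).
IO_URING_SYSCALLS = {425: "io_uring_setup", 426: "io_uring_enter", 427: "io_uring_register"}

# eBPF program types that give an implant visibility into syscalls, kernel events or LSM hooks.
HOOK_TYPES = {"tracepoint", "raw_tracepoint", "kprobe", "lsm", "tracing"}

AUDIT_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
BPF_HEADER = re.compile(r"^(\d+):\s+(\S+)\s+name\s+(\S+)")

# Constructed auditd records; a real rule would look like:
#   auditctl -a always,exit -F arch=b64 -S io_uring_enter -S io_uring_register -k io_uring
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=425 success=yes exit=5 pid=4120 uid=0 comm="pgbouncer" exe="/usr/sbin/pgbouncer" key="io_uring"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=426 success=yes exit=1 pid=4120 uid=0 comm="pgbouncer" exe="/usr/sbin/pgbouncer" key="io_uring"
type=SYSCALL msg=audit(1700000000.250:203): arch=c000003e syscall=425 success=yes exit=7 pid=5311 uid=0 comm="helper" exe="/dev/shm/.x/helper" key="io_uring"
type=SYSCALL msg=audit(1700000000.251:204): arch=c000003e syscall=427 success=yes exit=0 pid=5311 uid=0 comm="helper" exe="/dev/shm/.x/helper" key="io_uring"
type=SYSCALL msg=audit(1700000000.252:205): arch=c000003e syscall=426 success=yes exit=3 pid=5311 uid=0 comm="helper" exe="/dev/shm/.x/helper" key="io_uring"
type=SYSCALL msg=audit(1700000000.300:206): arch=c000003e syscall=59 success=yes exit=0 pid=5312 uid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
"""

# Constructed `bpftool prog show` listing: "ID: TYPE  name NAME  tag TAG  gpl" headers
# followed by indented detail lines; the optional "pids" line names the holding processes.
SAMPLE_BPFTOOL = """\
3: cgroup_skb  name sd_fw_egress  tag 6deef7357e7b4530  gpl
    loaded_at 2024-01-01T10:00:00+0000  uid 0
    xlated 64B  jited 54B  memlock 4096B
    pids systemd(1)
8: tracepoint  name sys_enter_open  tag 0c9f2b1e4a7d3e55  gpl
    loaded_at 2024-01-01T10:02:00+0000  uid 0
    xlated 384B  jited 240B  memlock 4096B  map_ids 2
    pids edr-agent(2200)
12: tracepoint  name handle_execve  tag 1a2b3c4d5e6f7081  gpl
    loaded_at 2024-01-01T10:05:12+0000  uid 0
    xlated 1024B  jited 680B  memlock 8192B  map_ids 5,6
    pids helper(5311)
27: lsm  name lsm_file_open  tag 9f8e7d6c5b4a3921  gpl
    loaded_at 2024-01-01T10:05:13+0000  uid 0
    xlated 512B  jited 300B  memlock 4096B  map_ids 5
"""


def parse_audit_record(line):
    """Turn one auditd SYSCALL record into a dict of its key=value fields."""
    fields = {k: v.strip('"') for k, v in AUDIT_FIELD.findall(line)}
    if "syscall" in fields:
        fields["syscall"] = int(fields["syscall"])
    return fields


def find_io_uring_users(audit_log, baseline_exes):
    """Return {exe: {pid: set(syscall names)}} for executables that issued
    io_uring syscalls and are not on the allow-list of known io_uring users."""
    findings = {}
    for line in audit_log.splitlines():
        rec = parse_audit_record(line)
        name = IO_URING_SYSCALLS.get(rec.get("syscall"))
        if name is None or rec.get("exe") in baseline_exes:
            continue
        findings.setdefault(rec["exe"], {}).setdefault(int(rec["pid"]), set()).add(name)
    return findings


def parse_bpftool_prog_show(output):
    """Parse the plain-text listing into dicts with id, type, name and holding pids."""
    progs = []
    for line in output.splitlines():
        m = BPF_HEADER.match(line)
        if m:
            progs.append({"id": int(m.group(1)), "type": m.group(2),
                          "name": m.group(3), "pids": []})
        elif progs and line.strip().startswith("pids "):
            # detail line of the form: pids name(pid)[, name(pid) ...]
            progs[-1]["pids"] = [(n, int(p)) for n, p in re.findall(r"(\S+)\((\d+)\)", line)]
    return progs


def find_suspicious_bpf_programs(output, known_loaders):
    """Flag hook-type programs not held by a known loader. Programs with no holder
    at all are included: pinned programs survive their loader this way, so they
    deserve the same look."""
    flagged = []
    for prog in parse_bpftool_prog_show(output):
        if prog["type"] not in HOOK_TYPES:
            continue
        holders = {name for name, _pid in prog["pids"]}
        if not holders or not holders <= known_loaders:
            flagged.append(prog)
    return flagged


if __name__ == "__main__":
    for exe, pids in find_io_uring_users(SAMPLE_AUDIT, {"/usr/sbin/pgbouncer"}).items():
        print(f"unexpected io_uring user {exe}: {pids}")
    for prog in find_suspicious_bpf_programs(SAMPLE_BPFTOOL, {"edr-agent"}):
        print(f"unexpected {prog['type']} program id={prog['id']} name={prog['name']} pids={prog['pids']}")
```

On a live host the same functions can be fed the raw records from `ausearch -k io_uring --raw` and the text of `bpftool prog show`; the allow-lists should come from a baseline taken on a known-good image, since legitimate databases, proxies and security agents use both io_uring and tracepoint programs.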