RingReaper: Linux malware that hides using io_uring

  • RingReaper abuses io_uring to sidestep EDR hooks and reduce syscall telemetry.
  • Acts after the intrusion, with reconnaissance, collection and privilege escalation.
  • It employs payloads such as cmdMe, executePs, netstatConnections and selfDestruct.
  • Detection: audit io_uring, monitor /proc access and anomalous patterns.

RingReaper

RingReaper is a new malware family targeting Linux systems that stands out for its ability to evade conventional endpoint defenses. Using asynchronous I/O, this post-intrusion agent performs covert tasks while leaving a minimal footprint in monitoring systems.

The key to its stealth is io_uring, a modern kernel interface that lets a program replace conventional system calls with high-performance asynchronous operations, leaving hook-based EDR solutions and syscall filtering largely in the dark.

What is RingReaper and why it matters

Identified by Picus Security analysts as a post-exploitation agent, RingReaper does not focus on the initial intrusion but on the silent work that follows: reconnaissance, data collection and persistence, all with a methodical approach that complicates detection.

The impact goes beyond an isolated malware case: its success demonstrates a systemic gap in strategies that rely on intercepting syscalls, since activity channeled through io_uring falls largely outside the scope of traditional telemetry.

How RingReaper evades detection with io_uring

Instead of invoking typical functions like read, write, recv, send or connect, RingReaper uses io_uring primitives (for example the liburing io_uring_prep_*() helpers), reducing syscall noise and avoiding EDR hooks placed on those calls. The reduction is not total: the ring itself is created with the io_uring_setup syscall and is normally driven with io_uring_enter, but many file and socket operations then travel through a single ring submission instead of one syscall each, and with IORING_SETUP_SQPOLL a kernel thread consumes the submission queue, so even io_uring_enter can largely disappear from a syscall trace.

This substitution of execution paths creates a blind zone for tools that expect synchronous per-call patterns and leaves fewer forensic traces, especially when the operations touch kernel structures or the virtual file system /proc.

Capacities observed in the post-exploitation phase

During process reconnaissance (MITRE ATT&CK T1057), RingReaper lists processes and their ownership details through asynchronous reads of /proc, emulating utilities such as ps without triggering the usual alerts.

For mapping active users and sessions (ATT&CK T1033), it analyzes /dev/pts and entries under /proc in order to identify terminal activity and potential avenues for lateral movement or privilege escalation.

In the connection inventory (ATT&CK T1049), it queries kernel network tables and sockets asynchronously, replicating the functions of netstat/ss without the synchronous calls that would make it visible.

For data collection (ATT&CK T1005), it can extract sensitive information from files such as /etc/passwd without invoking visible tools (cat, getent), and to elevate privileges (ATT&CK T1068) it automates the search for SUID binaries and exploitable conditions.

Payloads and mode of operation

The operator sets a working directory ($WORKDIR) from which it runs specialized modules that each encapsulate a discrete task, channeling all operations through io_uring to stay under the radar.

  • "$WORKDIR"/cmdMe and "$WORKDIR"/executePs: enumeration of processes and system metadata via queries to /proc.
  • "$WORKDIR"/netstatConnections: inventory of connections and sockets from kernel network tables, a stealthy alternative to netstat.
  • "$WORKDIR"/loggedUsers: correlation of PTS sessions and active users through /dev/pts and /proc.
  • "$WORKDIR"/fileRead: asynchronous reading of sensitive files such as /etc/passwd.
  • "$WORKDIR"/privescChecker: check for SUID binaries and privilege-escalation conditions.
  • "$WORKDIR"/selfDestruct: asynchronous deletion of its own artifacts to hinder forensic analysis.

The self-preservation mechanism deserves special mention: asynchronous erasure of the binary and its traces avoids conventional file-operation monitors, and the module then checks that the files are gone to minimize its footprint.

Implications for defense

Architectures that rely on syscall interception and standard tool patterns have notable gaps: if activity flows through io_uring, much of the expected signal never reaches EDR telemetry.

This approach marks an inflection point in the use of legitimate kernel interfaces to evade controls, and anticipates further adoption by well-resourced actors in Linux server environments and cloud workloads.

Indicators of compromise and detection strategies

Security teams should prioritize an io_uring audit: the io_uring_setup, io_uring_enter and io_uring_register syscalls still have to be issued even when everything else goes through the ring, so they can be recorded with auditd or a syscall tracepoint, and liburing usage (io_uring_prep_*() and the rest of its API, where symbols survive stripping) in non-standard binaries is a static indicator. Either signal deserves attention when the binary resides in user directories or temporary paths.
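The audit angle above is concrete enough to script. The following is an added example written for this article, not code from RingReaper or from Picus Security: it parses auditd SYSCALL records for the x86_64 io_uring syscall numbers (425, 426 and 427, which is what an audit rule such as `-a always,exit -F arch=b64 -S 425,426,427 -k io_uring` would produce), and separates io_uring use by binaries in system paths (the allow-listable baseline) from use by binaries under temporary or home directories. The log lines, the `/home/dev/.cache/work` directory standing in for $WORKDIR, and the suspicious-prefix list are all constructed for the example.

```python
import re
from dataclasses import dataclass

# io_uring syscall numbers on x86_64 (audit records show arch=c000003e).
IO_URING_SYSCALLS = {425: "io_uring_setup", 426: "io_uring_enter", 427: "io_uring_register"}

# Locations a legitimate io_uring consumer (a database, a web server) is
# unlikely to run from. Chosen for this example; tune it per fleet.
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")

# Constructed auditd SYSCALL records, not real telemetry. The module names and
# the /home/dev/.cache/work directory stand in for an attacker's $WORKDIR;
# comm is truncated to 15 characters as the kernel does.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1723456789.101:201): arch=c000003e syscall=425 success=yes exit=7 a0=100 a1=7ffd1 a2=0 a3=0 items=0 ppid=1 pid=912 auid=4294967295 uid=999 gid=999 euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 tty=(none) ses=4294967295 comm="postgres" exe="/usr/lib/postgresql/16/bin/postgres" key="io_uring"
type=SYSCALL msg=audit(1723456790.204:202): arch=c000003e syscall=425 success=yes exit=5 a0=40 a1=7ffe2 a2=0 a3=0 items=0 ppid=3001 pid=3010 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=7 comm="executePs" exe="/home/dev/.cache/work/executePs" key="io_uring"
type=SYSCALL msg=audit(1723456790.311:203): arch=c000003e syscall=426 success=yes exit=1 a0=5 a1=1 a2=1 a3=0 items=0 ppid=3001 pid=3010 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=7 comm="executePs" exe="/home/dev/.cache/work/executePs" key="io_uring"
type=SYSCALL msg=audit(1723456791.002:204): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0 a2=80000 a3=0 items=1 ppid=3001 pid=3020 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=7 comm="cat" exe="/usr/bin/cat" key="proc_read"
type=SYSCALL msg=audit(1723456792.550:205): arch=c000003e syscall=425 success=yes exit=4 a0=80 a1=7ffc3 a2=0 a3=0 items=0 ppid=3001 pid=3031 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=7 comm="netstatConnecti" exe="/home/dev/.cache/work/netstatConnections" key="io_uring"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    pid: int
    comm: str
    exe: str
    syscall: str


def parse_audit_record(line):
    """Split one auditd record into key -> value, with quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def find_io_uring_activity(log_text, suspicious_prefixes=SUSPICIOUS_PREFIXES):
    """Return (flagged, baseline). flagged: io_uring syscalls issued by a binary
    under a suspicious prefix, or with no exe path recorded at all; baseline:
    io_uring use by binaries in system locations, the candidates for an allow
    list. Records for any other syscall are ignored."""
    flagged, baseline = [], []
    for line in log_text.splitlines():
        rec = parse_audit_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
            continue  # the numbers above are only valid for x86_64 records
        name = IO_URING_SYSCALLS.get(int(rec.get("syscall", -1)))
        if name is None:
            continue
        exe = rec.get("exe", "")
        f = Finding(int(rec["pid"]), rec.get("comm", ""), exe, name)
        if not exe or exe.startswith(suspicious_prefixes):
            flagged.append(f)
        else:
            baseline.append(f)
    return flagged, baseline


if __name__ == "__main__":
    flagged, baseline = find_io_uring_activity(SAMPLE_AUDIT_LOG)
    for f in flagged:
        print(f"ALERT pid={f.pid} comm={f.comm} {f.syscall} from {f.exe}")
    print("baseline io_uring users:", sorted({f.exe for f in baseline}))
```

On a real fleet the baseline list is the useful output on day one: io_uring is legitimate in databases, web servers and some language runtimes, so the rule should alert on new entrants rather than on every ring creation. The arch check matters because syscall numbers differ per architecture; an aarch64 host needs its own table.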

It is worth alerting on anomalous reads of /proc, /dev/pts or /etc/passwd performed by processes that do not invoke the usual utilities (ps, who, netstat) yet produce equivalent results.

Other clues include network enumeration with low syscall noise, executables that delete themselves while still running, and repeated sequences of modules launched from the same $WORKDIR, correlated within short time windows.
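Two of those clues can be hunted in live process state rather than in logs. A process that owns an io_uring ring holds a file descriptor whose link target under /proc/<pid>/fd reads `anon_inode:[io_uring]`, and a binary that unlinked itself while running (the selfDestruct behaviour) shows up as a /proc/<pid>/exe link whose target carries the ` (deleted)` suffix the kernel appends. The hunt below, an added example written for this article and not code from RingReaper or Picus, combines the two and then groups suspicious ring holders by directory, which surfaces the "several modules from one $WORKDIR" pattern. It runs against a constructed /proc look-alike built from symlinks so it can be exercised offline; on a live host, point `hunt_io_uring_processes` at the real /proc as root, since other users' fd tables are not readable otherwise. The `SYSTEM_PREFIXES` allow list and the sample pids and paths are assumptions made for the example.

```python
import os
import tempfile

IO_URING_FD_TARGET = "anon_inode:[io_uring]"   # readlink() of a ring fd
DELETED_SUFFIX = " (deleted)"                   # kernel marks an unlinked exe this way
# Directories whose binaries we treat as expected io_uring users; an assumption
# for this example rather than a general allow list.
SYSTEM_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/", "/opt/")


def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:      # process exited, or not readable without root
        return None


def hunt_io_uring_processes(proc_root="/proc"):
    """Walk <proc_root>/<pid>/fd and return one record per process that holds an
    io_uring ring: pid, exe path, ring fds, whether the binary was deleted from
    disk while running, and a 'suspicious' verdict (deleted or non-system path)."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        rings = sorted(int(fd) for fd in fds
                       if _readlink(os.path.join(fd_dir, fd)) == IO_URING_FD_TARGET)
        if not rings:
            continue
        exe = _readlink(os.path.join(proc_root, entry, "exe")) or ""
        deleted = exe.endswith(DELETED_SUFFIX)
        exe_path = exe[:-len(DELETED_SUFFIX)] if deleted else exe
        hits.append({
            "pid": int(entry),
            "exe": exe_path,
            "ring_fds": rings,
            "deleted": deleted,
            "suspicious": deleted or not exe_path.startswith(SYSTEM_PREFIXES),
        })
    hits.sort(key=lambda h: h["pid"])
    return hits


def cluster_by_directory(hits):
    """Group suspicious ring holders by their binary's directory; two or more
    distinct module names from one directory is the 'same $WORKDIR' pattern."""
    by_dir = {}
    for h in hits:
        if h["suspicious"] and h["exe"]:
            d, base = os.path.split(h["exe"])
            by_dir.setdefault(d, set()).add(base)
    return {d: sorted(n) for d, n in by_dir.items() if len(n) >= 2}


def build_fake_proc(root):
    """Constructed /proc look-alike made only of symlinks: a system service with
    a ring, two attacker modules with rings (one already self-deleted), and a
    plain process with no ring. Paths and pids are invented for the example."""
    layout = {
        "412":  ("/usr/sbin/nginx", {"0": "/dev/null", "9": IO_URING_FD_TARGET}),
        "3010": ("/home/dev/.cache/work/executePs" + DELETED_SUFFIX,
                 {"3": "socket:[12345]", "5": IO_URING_FD_TARGET}),
        "3020": ("/usr/bin/cat", {"0": "/dev/pts/2"}),
        "3031": ("/home/dev/.cache/work/netstatConnections", {"4": IO_URING_FD_TARGET}),
    }
    for pid, (exe, fds) in layout.items():
        fd_dir = os.path.join(root, pid, "fd")
        os.makedirs(fd_dir)
        os.symlink(exe, os.path.join(root, pid, "exe"))
        for fd, target in fds.items():
            os.symlink(target, os.path.join(fd_dir, fd))


def demo_on_fake_proc():
    """Run the hunt and the clustering against the constructed tree."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root)
        hits = hunt_io_uring_processes(root)
        return hits, cluster_by_directory(hits)


if __name__ == "__main__":
    # Swap demo_on_fake_proc() for hunt_io_uring_processes("/proc") on a live host.
    hits, clusters = demo_on_fake_proc()
    for h in hits:
        print(h)
    print("workdir clusters:", clusters)
```

This is a snapshot, not a stream: a ring exists only while its process lives, so the sweep should run on a schedule and feed the same baseline of known io_uring consumers that the log rule uses. A deleted exe with a live ring is worth an immediate memory capture, because the binary can no longer be collected from disk.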

As mitigation, strengthen monitoring at kernel runtime, correlate process-level behaviors and, where feasible, restrict or disable io_uring on systems that do not need it. Since Linux 6.6 the kernel.io_uring_disabled sysctl does exactly this (1 disables it for unprivileged processes outside the group named in kernel.io_uring_group, 2 disables it for everyone), seccomp profiles can deny io_uring_setup outright, and recent Docker releases already omit the io_uring syscalls from their default seccomp profile. Note also that io_uring operations still traverse the VFS and the LSM hooks, so instrumentation at that layer (an eBPF LSM program, for example) keeps sight of the file opens that syscall-entry hooks miss.

The appearance of RingReaper confirms that abuse of io_uring has moved from theory to practice: a post-exploitation agent capable of reconnoitering, collecting and hiding through asynchronous operations, which calls for reviewing EDR visibility, expanding kernel observability and adjusting Linux controls to close the gaps it currently exploits.

Related article:
Malware targeting Linux devices increased 35% in 2021