
Researchers Develop Rootkit That Evades Detection by Exploiting Linux Kernel Interface Vulnerabilities
Researchers from ARMO have released Curing, a proof-of-concept rootkit that operates exclusively through the Linux kernel's io_uring interface. Because it does not invoke traditional system calls, the malware evades detection by most EDR solutions and syscall-based monitoring tools, including Falco and Tetragon. This vulnerability leaves many Linux security solutions blind.
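
A host-side check for the blind spot described above, as an added example that is not from ARMO or the original article: it reads the `kernel.io_uring_disabled` sysctl and lists the processes that currently hold an io_uring file descriptor, so a defender can see where the interface is in use. It assumes Linux procfs; the function names and the `proc_root` parameter are this example's own.

```python
import os

IO_URING_LINK = "anon_inode:[io_uring]"  # readlink() target of an io_uring fd
POLICY = {  # kernel.io_uring_disabled values (sysctl exists on Linux 6.6+)
    "0": "enabled for all processes",
    "1": "limited to privileged processes and io_uring_group members",
    "2": "disabled for all processes",
}

def io_uring_policy(proc_root="/proc"):
    """Return the raw sysctl value, or None if the kernel does not expose it."""
    path = os.path.join(proc_root, "sys", "kernel", "io_uring_disabled")
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None

def _link(path):
    try:
        return os.readlink(path)
    except OSError:
        return None  # fd closed between listdir() and readlink()

def processes_with_io_uring(proc_root="/proc"):
    """Map pid -> (comm, [fd numbers]) for processes holding io_uring fds."""
    hits = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # not a process directory
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            rings = sorted(int(fd) for fd in os.listdir(fd_dir)
                           if _link(os.path.join(fd_dir, fd)) == IO_URING_LINK)
            if rings:
                with open(os.path.join(proc_root, entry, "comm")) as fh:
                    hits[int(entry)] = (fh.read().strip(), rings)
        except OSError:
            continue  # process exited mid-scan, or we lack permission
    return hits

if __name__ == "__main__":
    value = io_uring_policy()
    print("io_uring_disabled:", value, "-", POLICY.get(value, "sysctl not present"))
    for pid, (comm, fds) in sorted(processes_with_io_uring().items()):
        print(f"pid={pid} comm={comm} io_uring_fds={fds}")
```

The result is a point-in-time inventory, and seeing other users' processes requires root; comparing it against the workloads expected to use io_uring shows where the interface could be restricted.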