
New RingReaper Malware Evades Linux Security Software Using io_uring Interface

Picus Security analysis reveals RingReaper malware employing Linux's io_uring mechanism to bypass security software detection.

13 June 2026

New York – A sophisticated malware known as RingReaper has emerged, posing a significant threat to Linux environments. A technical analysis released in September 2025 by Picus Security details how this post-exploitation agent utilizes the Linux kernel's modern asynchronous I/O interface, io_uring, to evade detection by Endpoint Detection and Response (EDR) solutions.

RingReaper is designed for covert operations. Instead of relying on conventional system calls that are frequently monitored by security tools, it employs io_uring primitives. This allows the malware to perform actions such as reading files, managing network connections, and identifying processes through asynchronous operations, thereby reducing its visibility in system telemetry and bypassing hook-based detection mechanisms.

The analysis by Picus Security highlights several tactics used by RingReaper. For discovery, it leverages io_uring to enumerate running processes by querying the /proc filesystem, listing active network connections similar to 'netstat', and identifying logged-in users by analyzing /dev/pts and relevant /proc entries. The malware also demonstrates capabilities in collecting data from local system files, such as reading the /etc/passwd file, all through the io_uring interface.

By minimizing its reliance on traditional system calls, RingReaper significantly reduces its footprint in system logs and in the telemetry that security platforms collect. This evasion technique allows attackers to gather intelligence and maintain access within Linux systems with a lower likelihood of triggering security alerts, presenting new challenges for cybersecurity defenses.
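Because the operations described above do not pass through hooked system calls, one place a defender can still look is the ring itself: on Linux, an open io_uring instance appears in /proc/<pid>/fd as a link to anon_inode:[io_uring]. The following is an added example, not code from the Picus Security analysis; the function name and the allowed_comms allowlist are hypothetical.

```python
"""Added example: list processes that currently hold an io_uring instance."""
import os

# What readlink() returns for an io_uring descriptor under /proc/<pid>/fd/.
IO_URING_LINK = "anon_inode:[io_uring]"


def find_io_uring_holders(proc_root="/proc", allowed_comms=frozenset()):
    """Return sorted (pid, comm, ring_count) tuples for io_uring users.

    allowed_comms is a hypothetical allowlist of process names that are
    expected to use io_uring on this host (for example a database server).
    """
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # only numeric entries are processes
        pid_dir = os.path.join(proc_root, entry)
        fd_dir = os.path.join(pid_dir, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited, or we lack permission to inspect it
        rings = 0
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == IO_URING_LINK:
                    rings += 1
            except OSError:
                continue  # descriptor closed between listdir and readlink
        if rings == 0:
            continue
        try:
            with open(os.path.join(pid_dir, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            comm = "?"
        if comm not in allowed_comms:
            findings.append((int(entry), comm, rings))
    return sorted(findings)


if __name__ == "__main__":
    # Run as root to see descriptors of processes owned by other users.
    for pid, comm, rings in find_io_uring_holders():
        print(f"pid={pid} comm={comm} io_uring_fds={rings}")
```

This is a point-in-time scan, and a process sets its own name, so the allowlist reduces noise rather than establishing trust.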

Original source: picussecurity.com