This article explains a C++23 tool called Klint for incident response on Linux systems. It detects hidden kernel modules, rootkits, and other threats through multiple self-registering scanners. The tool runs in isolated processes and produces machine-readable JSON output for easy integration into automated workflows.

VoidLink is a sophisticated malware framework targeting Linux systems, designed for stealthy, long-term access in cloud environments. It features a flexible architecture with over 30 plugins, capable of adapting its behavior based on the detected environment and employing various evasion techniques. The framework is linked to Chinese-affiliated developers and shows signs of rapid evolution.

This article details the architecture and techniques of Singularity, a Loadable Kernel Module rootkit for Linux 6.x. It covers methods for process concealment, file system stealth, and privilege escalation, highlighting how it evades detection through advanced hooking and anti-forensic tactics.

A new rootkit leveraging the io_uring interface has been discovered, capable of bypassing traditional Linux security measures. This malicious software operates at a low level, allowing it to evade detection and maintain persistence on infected systems, raising significant concerns for system administrators and security professionals.

FlipSwitch is a novel syscall hooking technique developed to bypass the changes introduced in Linux kernel 6.9 that neutralized traditional hooking methods. By directly patching the syscall dispatcher's machine code, FlipSwitch allows rootkits to redirect syscalls while remaining stealthy, posing ongoing challenges for kernel security. Detection methods, including YARA rules, have been devised to identify this rootkit in memory or on disk.

A Rust-based Linux kernel module for rootkit detection was developed during an internship at Thalium to enhance malware detection capabilities in various Linux environments. The article discusses the importance of detecting kernel rootkits and outlines the tools and techniques used for this purpose, including leveraging the Linux kernel's tracing APIs and the limitations of existing malware detection solutions.

KoviD is an open-source Loadable Kernel Module designed for educational and defensive security research, providing a platform for security professionals to understand and combat rootkit techniques within Linux systems. It enables users to analyze rootkit behavior, develop detection methods, and improve security strategies in a controlled environment. The project emphasizes responsible usage and compliance with legal regulations to ensure ethical testing practices.