TL;DR
Singularity is a kernel module published on GitHub that advertises extensive stealth and persistence capabilities for Linux 6.x kernels, including process, file and network hiding plus log and memory sanitization. The project includes build and install instructions, configuration options, and an ICMP-triggered reverse shell that the README says can bypass SELinux enforcing mode.
What happened
A public GitHub repository for a Linux kernel module named Singularity documents a comprehensive, kernel-level rootkit designed for 6.x kernels. The codebase claims to hook into ftrace and various syscalls to conceal processes, files, directories, TCP/UDP sockets and conntrack entries, and to intercept the netlink queries (SOCK_DIAG and NETFILTER) that tools such as ss and conntrack rely on. The README describes mechanisms for sanitizing kernel logs and journals, filtering the memory and debug interfaces used by forensic tools, blocking eBPF and io_uring operations, and preventing further module loading. It provides configuration options (server IP, hidden filename patterns, port, magic words and ICMP sequence) and step-by-step compile/insmod instructions. The module is said to hide itself automatically after loading and has no unload feature, so a reboot is required to remove it; the author advises users to randomize identifiers for better stealth. Several 6.x kernel versions are listed as test targets.
Why it matters
- Kernel-level stealth can prevent detection by user-space security tools and complicate incident response.
- Netlink and conntrack filtering would allow network connections to be concealed from common utilities and forensic queries.
- Log and memory sanitization obstructs forensic analysis, hampering root cause investigations and evidence collection.
- An advertised SELinux enforcing mode bypass could reduce the effectiveness of mandatory access controls on affected systems.
Key facts
- Singularity is distributed as a Linux kernel module (LKM) with source on GitHub.
- The project targets Linux 6.x kernels and lists specific tested kernels (6.8.0-79-generic, 6.17.8-300.fc43.x86_64, 6.12).
- Core capabilities described include process, file/directory, network (sockets, ports, conntrack) hiding, and kernel log/memory filtering.
- Netlink-level filtering is implemented for SOCK_DIAG and NETFILTER/conntrack messages to hide connections from tools like ss and conntrack.
- An ICMP-triggered reverse shell is described; the README states it can automatically hide spawned processes and bypass SELinux enforcing mode.
- Installation requires root, kernel headers, and typical build tools; instructions show compiling and inserting singularity.ko with insmod.
- The module reportedly self-hides from lsmod, /proc/modules and /sys/module and clears kernel taint flags; there is no unload option—reboot required to remove.
- Configuration files let operators set server IPs, ports, hidden filename patterns, environment magic words and ICMP sequences; the README urges randomizing identifiers.
- The code claims protections against detection vectors including blocking eBPF, preventing io_uring operations, and intercepting attempts to disable ftrace.
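One defensive consequence of the netlink filtering described above is that a host can report different socket lists depending on which kernel interface is asked. The following added example (written for this summary, not code from the Singularity repository) cross-checks TCP sockets seen through netlink SOCK_DIAG (`ss -tanH`) against /proc/net/tcp, which is served by a separate seq_file path; it assumes a little-endian Linux host and iproute2's `ss`, and the sample inputs are constructed.

```python
# Added example (not from the Singularity repo): compare sockets seen via netlink SOCK_DIAG (ss) with /proc/net/tcp.
import subprocess

TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}

def hex_to_endpoint(hexaddr):
    """Decode a /proc/net/tcp 'AABBCCDD:PPPP' field (IPv4 in host-endian hex)."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in range(6, -1, -2)]  # little-endian host
    return ".".join(map(str, octets)) + ":" + str(int(port_hex, 16))

def parse_proc_net_tcp(text):
    """Return {(local, remote): state} from /proc/net/tcp contents."""
    socks = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) >= 4:
            socks[(hex_to_endpoint(f[1]), hex_to_endpoint(f[2]))] = TCP_STATES.get(f[3], f[3])
    return socks

def parse_ss(text):
    """Return {(local, remote)} from `ss -tanH` output; a ':*' peer becomes ':0'."""
    seen = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5:
            seen.add((f[3], f[4].replace(":*", ":0")))
    return seen

def sockets_missing_from_ss(proc_text, ss_text):
    """Sockets /proc/net/tcp lists but the SOCK_DIAG answer (ss) omitted."""
    seen = parse_ss(ss_text)
    return sorted((l, r, s) for (l, r), s in parse_proc_net_tcp(proc_text).items() if (l, r) not in seen)

# Constructed sample input: two sockets visible to both sources, one only in /proc.
SAMPLE_PROC_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0 100 0 0 10 0
   1: 0500000A:0016 097100CB:C832 01 00000000:00000000 00:00000000 00000000     0        0 2 1 0 20 4 30 10 -1
   2: 0500000A:115C 076433C6:9C40 01 00000000:00000000 00:00000000 00000000     0        0 3 1 0 20 4 30 10 -1
"""
SAMPLE_SS = """\
LISTEN 0      511    0.0.0.0:443    0.0.0.0:*
ESTAB  0      0      10.0.0.5:22    203.0.113.9:51250
"""

if __name__ == "__main__":  # live check on a Linux host (needs iproute2's ss)
    proc_text = open("/proc/net/tcp").read()
    ss_text = subprocess.run(["ss", "-tanH"], capture_output=True, text=True, check=True).stdout
    print(*sockets_missing_from_ss(proc_text, ss_text), sep="\n")
```

A rootkit that also hooks the /proc seq_file path will hide a socket from both sources, so this only detects divergence between views; pair it with an off-host view such as a gateway's flow records. Short-lived sockets can differ between the two snapshots, so repeat the comparison before treating a difference as a finding.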
What to watch next
- Whether the code is compiled and deployed in active attacks: not confirmed in the source
- Whether Linux kernel maintainers or distributors issue advisories or mitigations: not confirmed in the source
- Whether security vendors add detections for this specific module or its behaviors: not confirmed in the source
Quick glossary
- Kernel module (LKM): A loadable piece of code that runs in kernel space and can extend or modify kernel functionality.
- Rootkit: Software designed to conceal its presence and that of other objects on a system, often to maintain unauthorized access.
- Netlink: A communication mechanism between kernel and user space commonly used for network configuration and diagnostics.
- SELinux: Security-Enhanced Linux, a kernel security module that enforces mandatory access control policies.
- ftrace: A Linux kernel tracing framework used to monitor and hook kernel function calls and events.
Reader FAQ
Which kernels does Singularity target?
The repository targets Linux 6.x kernels and lists several tested versions (e.g., 6.8.0-79-generic, 6.17.8-300.fc43.x86_64, 6.12).
Can the module be unloaded after installation?
The README states there is no unload feature and that a system reboot is required to remove the module.
Does the repository provide installation steps?
Yes. The project includes build and insmod instructions and notes prerequisites such as kernel headers, GCC, Make and root access.
Is there confirmation this code has been used in real attacks?
Not confirmed in the source.
Are vendor patches or mitigations described in the repository?
Not confirmed in the source.
Singularity – Stealthy Linux Kernel Rootkit "Shall we give forensics a little work?" Singularity is a powerful Linux Kernel Module (LKM) rootkit designed for modern 6.x kernels. It provides comprehensive…
Sources
- Singularity Rootkit: SELinux bypass and netlink filter (ss/conntrack hidden)
- gavz/Singularity_rootkit: Linux Kernel Rootkit for modern …
- Singularity Linux Kernel Rootkit with klogctl Detection …
- Kernel-Level Stealth A New Approach to Avoiding klogctl …