RingReaper Linux Malware: EDR Evasion Tactics and Technical Analysis
RingReaper Malware Overview
RingReaper is a sophisticated post-exploitation agent designed for Linux environments, built to facilitate covert operations while evading Endpoint Detection and Response (EDR) solutions. It exploits the Linux kernel’s modern asynchronous I/O interface, io_uring, to minimize reliance on conventional system calls that security tools frequently monitor or hook.
Instead of invoking standard functions such as read, write, recv, send, or connect, RingReaper employs io_uring primitives (e.g., io_uring_prep_*) to execute equivalent operations asynchronously. This method helps bypass hook-based detection mechanisms and reduces the visibility of malicious activity in the telemetry commonly gathered by EDR platforms.
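One host-side check that holds no matter which operations are routed through the ring: the ring returned by io_uring_setup(2) is itself a file descriptor, and readlink on /proc/<pid>/fd/<n> reports it as anon_inode:[io_uring]. The Python below is an added example, not code from the original post and not RingReaper's own code; the allowlist of processes expected to use io_uring and the sample fd tables are constructed assumptions for illustration.

```python
"""Inventory of processes holding an io_uring ring, read from /proc.

Added example (not from the original post, not RingReaper code). The ring
created by io_uring_setup(2) is an anonymous inode, so readlink on
/proc/<pid>/fd/<n> returns "anon_inode:[io_uring]" for it. Hook-based
telemetry may miss the I/O submitted through the ring, but the ring itself
remains an artifact a defender can enumerate.
"""
import os

IO_URING_LINK = "anon_inode:[io_uring]"

# Assumption: a site-specific allowlist of programs known to use io_uring.
# The names here are illustrative placeholders, not a recommended list.
EXPECTED_IO_URING_USERS = {"qemu-system-x86_64", "mysqld"}


def classify_fd_links(pid_to_links, comm_by_pid):
    """Return {pid: {"comm", "ring_fds", "suspicious"}} for each pid whose fd
    table contains at least one io_uring ring.

    pid_to_links: {pid: {fd_number: readlink_target}}
    comm_by_pid:  {pid: command name from /proc/<pid>/comm}
    """
    findings = {}
    for pid, links in pid_to_links.items():
        ring_fds = sorted(fd for fd, target in links.items() if target == IO_URING_LINK)
        if not ring_fds:
            continue
        comm = comm_by_pid.get(pid, "?")
        findings[pid] = {
            "comm": comm,
            "ring_fds": ring_fds,
            # A ring in a binary outside the allowlist is worth a closer look.
            "suspicious": comm not in EXPECTED_IO_URING_USERS,
        }
    return findings


def snapshot_proc(proc_root="/proc"):
    """Walk a live /proc tree into the two maps classify_fd_links expects.
    Pids that cannot be read (permissions, or exit races) are skipped."""
    pid_to_links, comm_by_pid = {}, {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(os.path.join(proc_root, entry, "comm")) as f:
                comm_by_pid[pid] = f.read().strip()
            fd_dir = os.path.join(proc_root, entry, "fd")
            links = {}
            for fd in os.listdir(fd_dir):
                try:
                    links[int(fd)] = os.readlink(os.path.join(fd_dir, fd))
                except OSError:
                    pass  # fd closed between listdir and readlink
            pid_to_links[pid] = links
        except OSError:
            continue
    return pid_to_links, comm_by_pid


# Constructed sample fd tables standing in for a live /proc walk.
SAMPLE_LINKS = {
    1234: {0: "/dev/pts/0", 1: "/dev/pts/0", 3: IO_URING_LINK, 4: "/proc/1/status"},
    2000: {0: "/dev/null", 5: IO_URING_LINK, 6: "socket:[12345]"},
    3000: {0: "/dev/pts/1", 1: "/dev/pts/1"},
}
SAMPLE_COMM = {1234: "cmdMe", 2000: "mysqld", 3000: "bash"}

if __name__ == "__main__":
    # Live run: report every ring holder on this host.
    for pid, info in classify_fd_links(*snapshot_proc()).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "expected"
        print(f"pid={pid} comm={info['comm']} ring_fds={info['ring_fds']} {flag}")
```

Run as root to see every process; unprivileged runs only see the caller's own processes. A periodic sweep like this is a cheap complement to syscall-level telemetry, and on kernels 6.6 and later the kernel.io_uring_disabled sysctl can restrict ring creation to privileged or allowlisted processes where the workload does not need io_uring.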
This blog examines the RingReaper malware campaign in depth, detailing its techniques, evasion strategies, and implications for Linux security.
Tactics, Techniques, and Procedures of the RingReaper Malware
Discovery (ATT&CK TA0007)
T1057 - Process Discovery
This technique focuses on identifying currently running processes and active user sessions on a system.
In this case, the discovery is performed using io_uring, a modern Linux asynchronous I/O interface that allows malware to interact with the kernel efficiently and stealthily. It has been observed that the RingReaper malware family leverages this method to enumerate system processes and user sessions while minimizing its footprint and avoiding detection.
Discovering Current Process Information via io_uring
The first payload, "$WORKDIR"/cmdMe, is designed to enumerate current process information.
It leverages io_uring to asynchronously query the /proc filesystem, retrieving process IDs, names, and owners without relying on traditional commands like ps or synchronous filesystem reads. This approach minimizes system call overhead and reduces the likelihood of detection by security monitoring tools.
Listing Currently Running Processes via io_uring
The second payload, "$WORKDIR"/executePs, extends this functionality by listing all currently running processes.
Acting like an asynchronous, low-footprint version of the ps command, it can gather full process details, including hierarchical relationships, metadata, and ownership information, again using io_uring to avoid triggering standard process monitoring alerts.
Enumerating Active PTS Sessions via io_uring
The third payload, "$WORKDIR"/loggedUsers, enumerates active pseudo-terminal (PTS) sessions.
By querying /dev/pts and relevant /proc entries asynchronously via io_uring, RingReaper malware identifies logged-in users and remote sessions, such as SSH or local terminal connections. This allows the attacker to map user activity and identify potential targets for lateral movement or privilege escalation.
T1049 - System Network Connections Discovery
Discovering Active Network Connections via io_uring
This payload, "$WORKDIR"/netstatConnections, is designed to enumerate active network connections on the system. It has been observed that RingReaper Malware uses this technique.
It leverages io_uring to asynchronously query kernel network tables and socket information. This is similar to how traditional tools like netstat operate, but with lower overhead and reduced visibility.
By avoiding synchronous system calls, it efficiently collects details such as local and remote IP addresses, ports, connection states, and associated processes. This approach minimizes the risk of detection by monitoring tools.
T1033 - System Owner/User Discovery
Enumerate Logged-in Users Information via io_uring
The payload, "$WORKDIR"/loggedUsers, is designed to enumerate information about users currently logged into the system.
The RingReaper malware leverages io_uring to asynchronously query /dev/pts and relevant /proc entries. It retrieves details such as active sessions, user names, and terminal assignments.
This method allows the malware to efficiently gather user session data without relying on traditional synchronous commands like who or w. By doing so, it reduces system call overhead and minimizes the likelihood of detection by security monitoring tools.
Collection (ATT&CK TA0009)
T1005 - Data from Local System
Collecting User Information from "/etc/passwd" File via io_uring
This payload, "$WORKDIR"/fileRead, is designed to collect user account information from the /etc/passwd file. It has been observed that RingReaper Malware leverages this technique.
It uses io_uring to asynchronously read the /etc/passwd file, retrieving details such as user names, UIDs, GIDs, and default shells. By performing the read asynchronously, it minimizes system call overhead and avoids detection by security monitoring tools that might flag synchronous file access.
This method allows the malware to efficiently gather user information while maintaining stealth.
Privilege Escalation (ATT&CK TA0004)
T1068 - Exploitation for Privilege Escalation
Discovering Abusable SUID Binaries for Privilege Escalation via io_uring
This payload, "$WORKDIR"/privescChecker, is designed to attempt privilege escalation on the target system. RingReaper has been observed using this payload to probe for exploitable vulnerabilities and elevate its access.
The payload checks for known kernel or system vulnerabilities that can be exploited to gain elevated privileges. By automating these checks, it allows the malware to determine potential escalation paths without manual intervention.
This approach helps RingReaper efficiently identify opportunities to increase its access level while minimizing detection by security monitoring tools.
Defense Evasion (ATT&CK TA0005)
T1564 - Hide Artifacts
Executing Self-Deleting Binary via io_uring
This payload, "$WORKDIR"/selfDestruct, is designed to remove traces of the malware after execution. RingReaper Malware has been observed using this technique to erase its binaries and reduce forensic visibility.
It leverages io_uring to asynchronously delete its own executable, avoiding standard file operations that might trigger security monitoring.
By performing these actions asynchronously, the malware can efficiently hide artifacts while minimizing system call overhead.
The auxiliary command, ls -l "$WORKDIR"/selfDestruct, is used to verify the presence or removal of the file, allowing RingReaper to confirm that the cleanup was successful without leaving obvious traces.
Detection Opportunities
Process Discovery (T1057)
- Monitor abnormal asynchronous reads of /proc using io_uring.
- Flag processes that enumerate PTS sessions or logged-in users outside normal admin tools.
- Look for unexpected binaries in user directories ($WORKDIR/cmdMe, $WORKDIR/executePs, $WORKDIR/loggedUsers).
System Network Connections Discovery (T1049)
- Detect io_uring access to kernel network tables, which bypasses standard netstat and ss calls.
- Monitor unusual processes gathering connection info without invoking standard network tools.
- Correlate low-overhead network enumeration with suspicious process activity in $WORKDIR/netstatConnections.
System Owner/User Discovery (T1033)
- Monitor asynchronous reads of /dev/pts or /proc user entries.
- Identify scripts or binaries that enumerate logged-in users without calling standard commands like who or w.
- Track executions of $WORKDIR/loggedUsers for behavioral anomalies.
Collection (T1005)
- Alert on asynchronous reads of sensitive files, e.g., /etc/passwd, especially by non-standard binaries.
- Monitor processes reading /etc/passwd without invoking standard commands like cat or getent.
- Look for $WORKDIR/fileRead executions in unusual user contexts or outside maintenance windows.
Privilege Escalation (T1068)
- Track processes checking SUID binaries or kernel vulnerabilities asynchronously.
- Alert on the execution of $WORKDIR/privescChecker or similar self-probing scripts.
- Correlate privilege-checking activity with non-privileged processes accessing sensitive files.
Defense Evasion (T1564)
- Detect self-deleting binaries, particularly when io_uring is used to remove files asynchronously.
- Monitor $WORKDIR/selfDestruct execution and auxiliary verification commands (e.g., ls -l).
- Flag sequences where files disappear immediately after execution in user directories.
General Behavioral Indicators
- Binaries leveraging io_uring primitives (io_uring_prep_*) for read/write/connect operations instead of standard syscalls.
- Low-overhead, asynchronous operations on /proc, /dev/pts, and kernel tables by non-system binaries.
- Patterns of multiple specialized payloads executing from the same working directory ($WORKDIR).
- Absence of normal tool invocation (ps, who, netstat) despite evidence of enumeration or collection activity.
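The opportunities above can be combined into a single correlation pass over host telemetry. The Python below is an added example, not code from the original post, from Picus, or from RingReaper. It applies three of the sequence checks listed above (a ring-holding, non-standard binary opening /proc, /dev/pts or /etc/passwd; a binary unlinking its own path shortly after it was executed; several distinct executables launched from one working directory) to a simplified event stream. The event field names are this example's own, the events are constructed, and /tmp/work stands in for the page's $WORKDIR.

```python
"""Correlating host telemetry for io_uring-based enumeration, self-deletion
and working-directory payload clusters.

Added example, not from the original post and not RingReaper code. Input is a
simplified event stream (dicts with ts, pid, comm, kind and, depending on
kind, exe / syscall / path) as a sensor might emit; field names are this
example's own assumption.
"""
import os
import re
from collections import defaultdict

# Sources the detection opportunities single out for asynchronous reads.
SENSITIVE_PATH = re.compile(r"^(/etc/passwd|/etc/shadow|/dev/pts/.*|/proc/\d+/.*)$")
# Standard tools whose absence during enumeration is itself an indicator.
ENUM_TOOLS = {"ps", "who", "w", "netstat", "ss", "cat", "getent"}
IO_URING_SYSCALLS = {"io_uring_setup", "io_uring_enter", "io_uring_register"}


def correlate(events, self_delete_window=30.0, cluster_min=3):
    """Return a list of (rule, pid_or_dir, detail) alerts, in detection order."""
    alerts = []
    ring_users = set()            # pids that created or drove a ring
    exec_path = {}                # pid -> (ts, exe) recorded at execve
    dir_execs = defaultdict(set)  # directory -> distinct executables run from it
    flagged_enum = set()          # one enumeration alert per pid

    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, kind = ev["pid"], ev["kind"]
        if kind == "execve":
            exec_path[pid] = (ev["ts"], ev["exe"])
            dir_execs[os.path.dirname(ev["exe"])].add(ev["exe"])
        elif kind == "syscall" and ev["syscall"] in IO_URING_SYSCALLS:
            ring_users.add(pid)
        elif kind == "open":
            # Rule 1: ring holder that is not a standard tool reads an
            # enumeration or collection source.
            if (pid in ring_users and SENSITIVE_PATH.match(ev["path"])
                    and ev["comm"] not in ENUM_TOOLS and pid not in flagged_enum):
                flagged_enum.add(pid)
                alerts.append(("io_uring_enumeration", pid,
                               f"{ev['comm']} opened {ev['path']}"))
        elif kind == "unlink":
            # Rule 2: a process removes its own executable soon after starting.
            started = exec_path.get(pid)
            if (started and started[1] == ev["path"]
                    and ev["ts"] - started[0] <= self_delete_window):
                alerts.append(("self_delete", pid,
                               f"{ev['comm']} unlinked {ev['path']}"))

    # Rule 3: several distinct payloads executed from one working directory.
    for directory, exes in dir_execs.items():
        if len(exes) >= cluster_min:
            alerts.append(("workdir_payload_cluster", directory, ",".join(sorted(exes))))
    return alerts


# Constructed events; /tmp/work is a placeholder for the page's $WORKDIR.
SAMPLE_EVENTS = [
    {"ts": 100.0, "pid": 4101, "comm": "cmdMe", "kind": "execve", "exe": "/tmp/work/cmdMe"},
    {"ts": 100.1, "pid": 4101, "comm": "cmdMe", "kind": "syscall", "syscall": "io_uring_setup"},
    {"ts": 100.2, "pid": 4101, "comm": "cmdMe", "kind": "open", "path": "/proc/1/status"},
    {"ts": 100.3, "pid": 4101, "comm": "cmdMe", "kind": "open", "path": "/proc/2/status"},
    {"ts": 105.0, "pid": 4102, "comm": "loggedUsers", "kind": "execve", "exe": "/tmp/work/loggedUsers"},
    {"ts": 105.1, "pid": 4102, "comm": "loggedUsers", "kind": "syscall", "syscall": "io_uring_setup"},
    {"ts": 105.2, "pid": 4102, "comm": "loggedUsers", "kind": "open", "path": "/dev/pts/0"},
    {"ts": 110.0, "pid": 4103, "comm": "selfDestruct", "kind": "execve", "exe": "/tmp/work/selfDestruct"},
    {"ts": 110.5, "pid": 4103, "comm": "selfDestruct", "kind": "unlink", "path": "/tmp/work/selfDestruct"},
    # Benign: an administrator's ps reads /proc but never creates a ring.
    {"ts": 120.0, "pid": 5000, "comm": "ps", "kind": "execve", "exe": "/usr/bin/ps"},
    {"ts": 120.1, "pid": 5000, "comm": "ps", "kind": "open", "path": "/proc/1/status"},
]

if __name__ == "__main__":
    for rule, subject, detail in correlate(SAMPLE_EVENTS):
        print(f"[{rule}] {subject}: {detail}")
```

Where the events come from matters: io_uring_setup and io_uring_enter are still ordinary syscalls and can be audited (on x86_64 they are syscall numbers 425 and 426), but the open, read and unlink work submitted through the ring never passes the syscall entry, so the "open" and "unlink" events this pass relies on should be produced by a sensor on the kernel's file or LSM hooks, which io_uring operations still traverse, rather than by syscall tracing alone.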
How Picus Helps Defend Against RingReaper Malware Attacks
The Picus Security Validation Platform safely simulates RingReaper Malware’s techniques using its continuously updated Threat Library, identifying blind spots across EDRs, NGFWs, and SIEMs before attackers can exploit them.
You can also test your defenses against hundreds of other Linux malware variants, such as the UNC3886, APT31, and Melofee malware campaigns, within minutes with a 14-day free trial of the Picus Platform.
Threat ID | Threat Name | Attack Module
46672 | RingReaper Malware Campaign |