New Linux EDR Evasion Tool Exploits io_uring Kernel Feature

A new tool named RingReaper is raising eyebrows among defenders and red teamers alike.

By leveraging the legitimate, high-performance Linux kernel feature known as io_uring, RingReaper demonstrates how advanced attackers can sidestep even modern Endpoint Detection and Response (EDR) systems.

The Rise of io_uring in Offensive Security

Introduced in Linux kernel 5.1, io_uring was designed to provide high-throughput, asynchronous I/O operations.

Instead of the traditional model—where each file or network operation triggers a separate, easily monitored syscall—io_uring enables a process to submit multiple I/O requests to a shared queue.

The kernel processes these requests as resources allow, returning results through a separate completion queue. This design eliminates the repetitive, blocking syscalls that most EDRs are built to monitor.

Key advantages of io_uring for attackers:

• Multiple operations (open, read, write, send, connect) are handled in batches.
• Fewer individual syscalls are visible to EDRs.
• Asynchronous operations reduce the “noise” typically generated by malware.

RingReaper is a backdoor agent that, while not persistent yet, is designed for stealth and flexibility.

It connects to an attacker-controlled server (C2), accepting commands and performing a range of post-exploitation tasks—all while evading traditional monitoring.

Core features include:

• Network communication via io_uring_prep_send and io_uring_prep_recv
• File operations using io_uring_prep_openat and io_uring_prep_read
• File upload/download without explicit read/write syscalls
• Remote command execution: listing users, processes, and connections
• Self-deletion using io_uring_prep_unlinkat

The agent’s C2 server, written in Python, allows operators to interactively send commands and receive responses, including file transfers.

How EDRs Are Bypassed

Traditional Linux EDR tools monitor syscalls like open, connect, read, and write—often using hooks or eBPF probes.

RingReaper sidesteps these by funneling all I/O through io_uring, which batches operations and exposes only minimal syscall activity (primarily io_uring_enter).

This drastically reduces the number of events visible to EDRs, making detection much harder.

Why this works:

• Most EDRs do not yet deeply monitor io_uring-related syscalls.
• Malicious traffic can be disguised as legitimate, especially over standard ports like 443.

While RingReaper currently enjoys a high degree of stealth, defenders are not powerless.

In theory, EDRs could hook io_uring_enter or use eBPF to trace io_uring operations, but few commercial products do so today.

As advanced attackers adopt these techniques, defenders must adapt—by updating detection logic and gaining familiarity with io_uring’s internals.

Exclusive Webinar Alert: Harnessing Intel® Processor Innovations for Advanced API Security – Register for Free

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!