Singularity Linux Kernel Rootkit Unveiled: Advanced Stealth Capabilities and Research Insights

1. Overview of Singularity Rootkit Features

First released on GitHub by MatheuZSecurity, Singularity targets Linux kernels 6.0 and newer. It is built as a Loadable Kernel Module (LKM) that leverages the ftrace infrastructure to hook system calls without leaving obvious traces. The rootkit’s feature set can be grouped into four MECE categories:

• Stealth & Self‑Hiding: Removes itself from lsmod, /proc/modules, and /sys/module; normalizes kernel taint flags.
• Process & Filesystem Concealment: Hides processes, child processes, and files/directories using pattern matching; filters /proc and cgroup listings.
• Network & Communication Masking: Suppresses TCP/UDP connections, conntrack entries, and raw socket packets; provides an ICMP‑triggered reverse shell with automatic SELinux bypass.
• Anti‑Detection & Evasion: Blocks eBPF loading, io_uring calls, audit messages, and disk‑forensics output; sanitizes kernel logs, dmesg, journalctl, and klogctl.

These capabilities make Singularity a “final‑boss” style rootkit that can survive on a system for months without detection, challenging even the most advanced Endpoint Detection and Response (EDR) solutions.

2. Technical Details and Capabilities

2.1 Kernel Hooking via ftrace

Singularity registers ftrace handlers for a curated list of syscalls (e.g., write, read, io_uring_enter, bpf). By intercepting these calls at the kernel level, it can:

• Drop or modify data before it reaches user‑space tools (e.g., hide hidden files from ls).
• Return ESRCH for hidden PIDs, making ps and top believe the process does not exist.
• Prevent attempts to disable ftrace itself, ensuring persistence.

2.2 eBPF and io_uring Countermeasures

Modern security tools often rely on eBPF programs for runtime tracing. Singularity blocks the following eBPF operations for any hidden PID:

• BPF_PROG_LOAD, BPF_ITER_CREATE, BPF_LINK_CREATE, and related queries.
• All attempts to load tracepoints, kprobes, or LSM hooks.

Similarly, the rootkit intercepts io_uring_enter to stop asynchronous I/O bypass techniques that could reveal hidden processes.

2.3 SELinux Bypass on ICMP Trigger

When an attacker sends a crafted ICMP packet to the infected host, Singularity’s icmp_rcv handler spawns a reverse shell and automatically toggles SELinux from enforcing to permissive for the current session, allowing root‑level commands without raising alarms.

2.4 File & Directory Hiding Mechanics

Hidden paths are defined via pattern strings in include/core.h. The rootkit’s getdents and stat hooks filter directory entries and metadata, ensuring that tools like find, locate, and even raw debugfs output never list the protected files.

2.5 Network Concealment

All network‑related syscalls (tcp4_seq_show, udp6_seq_show, tpacket_rcv) are patched to drop packets belonging to hidden ports. Netlink queries used by ss, netstat, and conntrack are also filtered, making the hidden service invisible to standard monitoring.

2.6 Log & Audit Sanitization

Singularity installs write‑hooks for dmesg, journalctl -k, and klogctl. Keywords such as “taint”, “singularity”, or the attacker’s IP are stripped in real time, preventing forensic analysts from spotting suspicious entries.

2.7 Memory & Disk Forensics Evasion

By filtering /proc/kcore, /proc/kallsyms, and /proc/vmallocinfo, the rootkit thwarts tools like Volatility, Crash, and GDB. Additionally, the write hook sanitizes raw block‑device reads (e.g., debugfs) so that hidden files remain invisible even when the disk is examined directly.

All of these mechanisms are implemented in a modular fashion, allowing the attacker to enable or disable specific evasion techniques at compile time.

3. Installation and Usage Notes

Because Singularity operates as a kernel module, it requires root privileges and a matching kernel header tree. Below is a concise, MECE‑styled installation checklist for security researchers testing in an isolated environment.

cd /dev/shm
git clone https://github.com/MatheuZSecurity/Singularity
cd Singularity
sudo bash setup.sh
sudo bash scripts/x.sh

Important operational notes:

• The module cannot be unloaded; a reboot is required to remove it.
• Always test inside a VM or disposable container—once loaded, detection without a reboot is extremely hard.
• Rootkit logs are suppressed, so use dmesg -T before loading to capture baseline messages.

For developers interested in rapid prototyping, the UBOS templates for quick start can be adapted to spin up a sandboxed environment that mirrors the target kernel version.

4. Security Implications and Ethical Considerations

Singularity’s breadth of evasion techniques raises several red‑team and blue‑team concerns.

4.1 Impact on Detection Frameworks

Traditional rootkit detectors (e.g., chkrootkit, rkhunter) rely on static module listings and known signatures. Singularity’s self‑hiding defeats these checks, while its ftrace protection blocks dynamic tracing tools such as bpftrace and perf. Consequently, security teams must adopt kernel‑level integrity monitoring (e.g., Enterprise AI platform by UBOS) that can compare in‑memory module hashes against a trusted baseline.

4.2 Forensic Challenges

• Memory analysis: /proc/kcore filtering removes hidden symbols, rendering Volatility plugins ineffective.
• Disk imaging: The write‑hook sanitizes raw block reads, so even a forensic image may lack evidence of hidden files.
• Log tampering: Real‑time log sanitization erases audit trails, forcing investigators to rely on external network telemetry.

4.3 Ethical Use and Legal Boundaries

Singularity is released under an MIT license explicitly for educational and research purposes only. Unauthorized deployment on production systems violates most jurisdictions’ computer‑misuse statutes. Researchers should:

1. Obtain written permission from system owners.
2. Document every step for auditability.
3. Ensure a clean removal plan (reboot or VM discard).

UBOS emphasizes responsible AI and security practices; see the About UBOS page for our commitment to ethical technology.

5. Conclusion and Call to Action

Singularity demonstrates how far kernel‑level stealth can evolve when modern Linux features—ftrace, eBPF, io_uring, and SELinux—are weaponized. For defenders, the lesson is clear: static signatures are no longer sufficient. Continuous, AI‑driven monitoring of kernel behavior, combined with strict change‑control on kernel modules, is essential.

If you are a security researcher looking to explore Singularity in a safe sandbox, start with the UBOS for startups environment, which offers pre‑configured containers and a Web app editor on UBOS to script automated analysis pipelines.

Enterprises can leverage the AI marketing agents and the Workflow automation studio to create alerts that trigger when unexpected kernel module loads are detected, effectively turning the same evasion techniques into detection triggers.

Stay ahead of the curve—subscribe to our UBOS partner program for early access to threat‑intel feeds, and explore the UBOS portfolio examples that showcase real‑world defenses against advanced rootkits.

6. Further Reading & Tools

Below are curated resources that complement the technical deep‑dive on Singularity:

• AI SEO Analyzer – a template that can be repurposed to scan kernel module metadata for anomalies.
• AI Article Copywriter – useful for generating documentation of security findings.
• ChatGPT and Telegram integration – set up real‑time alerts to your phone when suspicious kernel activity is logged.
• OpenAI ChatGPT integration – automate triage of rootkit alerts with large‑language‑model reasoning.
• Chroma DB integration – store and query historical kernel events for trend analysis.