Cybersecurity researchers at ARMO have uncovered a new proof-of-concept (PoC) rootkit named Curing, which exploits a Linux feature called io_uring to bypass traditional system call-based security monitoring. The rootkit’s novel method creates a severe blind spot in Linux runtime protection tools, leaving many systems vulnerable to stealth attacks.
According to ARMO’s report shared with The Hacker News, the rootkit communicates with a command-and-control (C2) server, executes malicious instructions, and avoids detection — all without making traditional system calls. This breakthrough tactic allows malicious actions to occur in complete invisibility from standard runtime security tools that rely on tracking system calls.
Understanding io_uring and Its Security Loophole
io_uring is a Linux kernel feature introduced in version 5.1 in March 2019. It improves input/output (I/O) performance by enabling asynchronous operations through a pair of circular buffers shared between the application and the kernel: the submission queue (SQ), where the application places I/O requests, and the completion queue (CQ), where the kernel posts the results. Because both rings are memory-mapped into the process, an application can issue and collect many I/O operations without making a separate system call for each one.
While io_uring offers efficiency and speed, it also opens the door to dangerous evasion techniques. The Curing rootkit exploits this exact feature. Instead of relying on system calls to execute commands or download payloads from a C2 server, it uses io_uring to perform these actions in the background — entirely off the radar of conventional monitoring tools.
“This mechanism allows a user application to perform various actions without using system calls,” ARMO noted. “As a result, security tools relying on system call monitoring are blind to rootkits working solely on io_uring.”
Popular Security Tools Left in the Dark
ARMO’s analysis revealed that top Linux runtime monitoring tools like Falco and Tetragon are ineffective against rootkits like Curing. These tools depend heavily on system call hooking to detect threats, and since io_uring circumvents those calls, malicious operations can go undetected.
The discovery underlines a serious challenge in the Linux security space. “On one hand, you need visibility into system calls; on the other, you need access to kernel structures and sufficient context to detect threats effectively,” said Amit Schendel, ARMO’s Head of Security Research.
Schendel criticized the industry’s reliance on simple system call hooking, calling it a shortcut that fails in the face of evolving threats. “Most notably, system calls aren’t always guaranteed to be invoked. io_uring, which can bypass them entirely, is a great example,” he added.
This isn’t the first time io_uring has been flagged as a security risk. In June 2023, Google publicly stated that it was limiting the use of io_uring across Android, ChromeOS, and production servers. The company cited its potential for exploitation as a major concern.
The Curing rootkit now confirms that these concerns were valid. It also highlights a growing need for Linux security solutions to evolve beyond their current reliance on system call tracing.
Call for Stronger Detection Strategies
The emergence of rootkits like Curing signals a new era of stealth malware that can operate entirely outside traditional detection frameworks. To counter this, experts suggest security vendors must build tools with deeper kernel-level visibility and dynamic behavior analysis capabilities.
Until runtime tools adapt to track asynchronous operations like those enabled by io_uring, systems remain at risk of undetectable compromise.
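The detection gap described above (tools hooking system calls never see io_uring-submitted work) and the call for stronger strategies suggest at least one cheap, host-side triage step a defender can run today: enumerate which processes hold an io_uring instance, and check whether the kernel restricts the feature at all. The script below is an added example written for this article; it is not ARMO's Curing PoC and not code from Falco, Tetragon or any other product. It assumes two documented Linux facts: the fd symlink of an io_uring instance under /proc/<pid>/fd reads `anon_inode:[io_uring]`, and the `kernel.io_uring_disabled` sysctl (Linux 6.6 and later) reports 0, 1 or 2. The sample fd table is constructed for the offline demonstration.

```python
"""Audit which processes hold io_uring instances by reading /proc (added example).

Assumptions (labelled here and in the lead-in):
  * /proc/<pid>/fd/<n> for an io_uring instance resolves to 'anon_inode:[io_uring]'
  * /proc/sys/kernel/io_uring_disabled exists on Linux 6.6+ with values
    0 = enabled, 1 = restricted to privileged users, 2 = disabled
"""
import os
import sys
from typing import Dict, Iterable, List, Tuple

IO_URING_FD_TARGET = "anon_inode:[io_uring]"

# Constructed sample of (pid, fd, readlink target) tuples, not captured from a real host.
SAMPLE_FD_ENTRIES: List[Tuple[int, int, str]] = [
    (1234, 0, "/dev/pts/0"),
    (1234, 3, "socket:[48213]"),
    (1234, 5, "anon_inode:[io_uring]"),
    (2001, 4, "anon_inode:[eventpoll]"),
    (2001, 7, "anon_inode:[io_uring]"),
    (2001, 8, "anon_inode:[io_uring]"),
    (3100, 3, "/var/log/syslog"),
]


def is_io_uring_fd(link_target: str) -> bool:
    """True when a readlink() result from /proc/<pid>/fd names an io_uring instance."""
    return link_target == IO_URING_FD_TARGET


def group_io_uring_users(fd_entries: Iterable[Tuple[int, int, str]]) -> Dict[int, List[int]]:
    """Pure function: (pid, fd, target) tuples -> {pid: [fds holding io_uring rings]}."""
    users: Dict[int, List[int]] = {}
    for pid, fd, target in fd_entries:
        if is_io_uring_fd(target):
            users.setdefault(pid, []).append(fd)
    return users


def label_io_uring_disabled(raw: str) -> str:
    """Map the raw sysctl text to a label; anything unexpected is 'unknown'."""
    labels = {"0": "enabled", "1": "restricted", "2": "disabled"}
    return labels.get(raw.strip(), "unknown")


def io_uring_sysctl_state(path: str = "/proc/sys/kernel/io_uring_disabled") -> str:
    """Read the sysctl; 'unavailable' on kernels that predate it (before 6.6)."""
    try:
        with open(path) as f:
            return label_io_uring_disabled(f.read())
    except OSError:
        return "unavailable"


def iter_proc_fd_entries(proc_root: str = "/proc") -> Iterable[Tuple[int, int, str]]:
    """Walk /proc/<pid>/fd and yield (pid, fd, target); skip entries we cannot read."""
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc_root, name, "fd")
        try:
            fd_names = os.listdir(fd_dir)
        except OSError:
            continue  # process exited, or we lack privilege to inspect it
        for fd_name in fd_names:
            try:
                target = os.readlink(os.path.join(fd_dir, fd_name))
            except OSError:
                continue
            yield int(name), int(fd_name), target


def process_comm(pid: int, proc_root: str = "/proc") -> str:
    """Short process name from /proc/<pid>/comm, or '?' if unreadable."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"


def report(users: Dict[int, List[int]], resolve_names: bool) -> List[str]:
    """Render one line per io_uring-holding process."""
    lines = []
    for pid in sorted(users):
        comm = process_comm(pid) if resolve_names else "sample"
        lines.append(f"pid={pid} comm={comm} io_uring_fds={users[pid]}")
    return lines


if __name__ == "__main__":
    live = "--live" in sys.argv  # without --live, run on the constructed sample
    entries = iter_proc_fd_entries() if live else SAMPLE_FD_ENTRIES
    print(f"kernel.io_uring_disabled: {io_uring_sysctl_state()}")
    for line in report(group_io_uring_users(entries), resolve_names=live):
        print(line)
```

Run it as root with `--live` to see every process; unprivileged it only sees your own. Holding an io_uring ring is not by itself malicious, since many legitimate servers and runtimes use it, so treat the output as a triage list to compare against an allowlist of expected users, and note that it is a point-in-time snapshot rather than the continuous, kernel-level visibility the article argues runtime tools ultimately need.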