Hackers can now bypass Linux security thanks to terrifying new Curing rootkit

Most Linux users assume their security tools will catch bad actors before damage is done -- but sadly, new research suggests that confidence may be misplaced. ARMO, the company behind Kubescape, has uncovered what could be one of the biggest blind spots in Linux security today. The company has released a working rootkit called “Curing” that uses io_uring, an asynchronous I/O interface built into the Linux kernel, to stealthily perform malicious activities without being caught by many of the detection solutions currently on the market.

At the heart of the issue is the heavy reliance on monitoring system calls, which has become the go-to method for many cybersecurity vendors. The problem? Attackers can completely sidestep these monitored calls by leaning on io_uring instead: once a ring is set up, a process submits file and network operations through a shared ring buffer rather than through the individual system calls the monitoring hooks watch. This clever method could let bad actors quietly make network connections or tamper with files without triggering the usual alarms.

The findings from ARMO are especially troubling for fans of eBPF-based security tools. While eBPF is often celebrated for its power and flexibility, it turns out that looking only at system calls leaves a dangerous blind spot when io_uring is in play. With Linux dominating the cloud-native space, this blind spot could have serious consequences for countless businesses relying on these detection systems.

What makes this situation even more concerning is that io_uring has been part of the Linux kernel for years. The fact that no one developed a fully functional rootkit to exploit it until now is downright surprising. But with Curing available to the public, security teams can finally test whether their own defenses are vulnerable.

ARMO says its Cloud Application Detection & Response (CADR) solution can block this kind of stealth attack. The company’s automatic Seccomp Profile management lets users disable the io_uring system calls when a workload doesn’t need them, closing the door on this sneaky exploit.
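To show what “disabling io_uring through seccomp” looks like in practice, here is an added example written for this article; it is not ARMO’s CADR code nor anything from the Curing rootkit. It installs a seccomp-BPF filter that makes the three io_uring system calls (io_uring_setup, io_uring_enter, io_uring_register) fail with EPERM and then probes io_uring_setup to confirm the filter took effect. It assumes a Linux host on x86_64 or aarch64, where those calls carry the asm-generic numbers 425 to 427, and a kernel with seccomp filter support; the function and variable names are the example’s own.

```c
/* Added example (not ARMO's CADR or the Curing code): a seccomp-BPF filter that
 * denies the three io_uring system calls, the mitigation the article describes
 * as disabling io_uring when a workload does not need it. Linux only; assumes
 * x86_64 or aarch64, where io_uring_setup/enter/register are syscalls 425-427. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Older libc headers may predate io_uring (Linux 5.1); these are the
 * asm-generic numbers shared by x86_64 and aarch64. */
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup    425
#define __NR_io_uring_enter    426
#define __NR_io_uring_register 427
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "set NATIVE_ARCH to this architecture's AUDIT_ARCH_* value"
#endif

/* Classic BPF program the kernel runs on every system call of this process. */
static struct sock_filter io_uring_deny_filter[] = {
    /* Pin the architecture first: syscall numbers differ per ABI, so a filter
     * without this check can be sidestepped by switching ABI (e.g. 32-bit x86). */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* Load the syscall number and compare it against the io_uring trio. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_setup,    2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_enter,    1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_register, 0, 1),
    /* Matched: fail the call with EPERM rather than killing the process, so a
     * legitimate program that merely probes for io_uring can fall back to
     * ordinary read/write. */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    /* Everything else passes through untouched. */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Installs the filter for the calling process (inherited by its children).
 * Returns 0 on success, -1 with errno set on failure. Cannot be undone. */
int install_io_uring_deny_filter(void)
{
    struct sock_fprog prog = {
        .len = sizeof(io_uring_deny_filter) / sizeof(io_uring_deny_filter[0]),
        .filter = io_uring_deny_filter,
    };
    /* Required for unprivileged processes; also blocks setuid re-escalation. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Probes io_uring_setup with a NULL params pointer. Without a filter the kernel
 * reaches argument validation and fails with EFAULT (or ENOSYS on a kernel
 * built without io_uring). EPERM means the call was refused before dispatch,
 * by a seccomp filter or by the kernel.io_uring_disabled sysctl. Returns 1
 * only for that EPERM case. */
int io_uring_setup_is_denied(void)
{
    long rc = syscall(__NR_io_uring_setup, 8, NULL);
    return (rc == -1 && errno == EPERM) ? 1 : 0;
}

int main(void)
{
    printf("before filter: io_uring_setup denied? %d\n", io_uring_setup_is_denied());
    if (install_io_uring_deny_filter() != 0) {
        perror("seccomp install failed");
        return 1;
    }
    printf("after filter:  io_uring_setup denied? %d\n", io_uring_setup_is_denied());
    return 0;
}
```

Build with `gcc -O2 io_uring_deny.c -o io_uring_deny` and run; the second line prints 1 once the filter is active. The same three entries expressed as an `errnoRet` rule in a Docker or Kubernetes seccomp profile give the same effect for a container, and on Linux 6.6 or later the `kernel.io_uring_disabled` sysctl can deny io_uring host-wide. The caveat a practitioner should weigh before deploying either: any workload that legitimately uses io_uring (some databases and async runtimes do) will see EPERM and must have a fallback path, so confirm the profile against the application before turning it on in production.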

The big takeaway here? If your Linux security setup is still stuck relying on traditional system call monitoring, you might be leaving the back door wide open. Thanks to ARMO’s research, that door is now in plain sight -- and attackers might already know how to walk right through it.

© 1998-2025 BetaNews, Inc. All Rights Reserved.