MatheuZ (@MatheuzSecurity)
685 posts

Red Team Operator, Cyber Threat Intelligence, Malware Researcher
Brazil · Joined September 2020
359 Following · 2K Followers

Pinned Tweet
MatheuZ @MatheuzSecurity:
github.com/MatheuZSecurit… Hey guys, I posted a really cool zine in pure TXT about unhooking Linux EDR: attacking the cleanup_module function to be able to remove any hook from an EDR, for example. Feel free to read.

LinuxSecurity @lnxsec:
SPiCa's interesting point is not "replace eBPF," it is "verify it." The research compares kernel telemetry with an independent signal to catch tampering. That matters for operators because same-privilege monitoring can be manipulated by same-privilege malware. Cross-view checks are a useful design pattern for higher-trust Linux monitoring. linuxsecurity.com/features/ebpf-… #LinuxSecurity #OpenSourceSecurity #Cybersecurity

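A minimal instance of the cross-view pattern the post describes, as an added example: this is not SPiCa's code and says nothing about which signals SPiCa compares. It takes one fact (which PIDs exist) through two different kernel paths, the readdir() listing of /proc (what a getdents64 hook filters) and a per-PID kill(pid, 0) probe that never enumerates, and diffs them. The function names are mine; the kill(2) error semantics (ESRCH for no such process, EPERM for exists-but-not-yours) are documented behaviour.

```python
"""Cross-view hidden-process check: the same fact obtained two ways, then diffed.

Added example, not SPiCa's code. View 1 is readdir() on /proc; view 2 asks
the signal subsystem about every PID with kill(pid, 0). A rootkit that only
filters directory listings leaves the two views disagreeing.
"""
import os


def listed_pids():
    """View 1: PIDs as reported by readdir() on /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(pid_max):
    """View 2: probe every candidate PID without enumerating anything.

    kill(pid, 0) delivers no signal. ESRCH (ProcessLookupError) means no such
    process; EPERM (PermissionError) means it exists but belongs to someone
    else; success means it exists and is ours.
    """
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def cross_view_diff(listed, probed):
    """Pure comparison: (seen by the probe but not listed, listed but not seen)."""
    return sorted(probed - listed), sorted(listed - probed)


def tgid_from_status(status_text):
    """Thread-group id from a /proc/<pid>/status document, or None."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None


def hidden_process_candidates(rounds=2):
    """PIDs missing from the listing in every round, with the reason.

    Two edge cases are handled: a process that exits between the views shows
    up in one round only and is dropped by the intersection; non-leader
    threads answer kill(tid, 0) but are never listed in /proc, so a PID whose
    Tgid differs from itself is a thread, not a hidden process. A PID that
    answers the probe but whose /proc entry cannot be opened is kept, since
    hiding /proc/<pid> is exactly what a rootkit would do next.
    """
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    suspects = None
    for _ in range(rounds):
        probe_only, _ = cross_view_diff(listed_pids(), probed_pids(pid_max))
        suspects = set(probe_only) if suspects is None else suspects & set(probe_only)
    report = []
    for pid in sorted(suspects):
        try:
            with open(f"/proc/{pid}/status") as f:
                tgid = tgid_from_status(f.read())
        except OSError:
            report.append((pid, "answers kill(pid, 0) but /proc/<pid>/status is unreadable"))
            continue
        if tgid == pid:
            report.append((pid, "thread-group leader absent from /proc listing"))
    return report


if __name__ == "__main__":
    for pid, why in hidden_process_candidates():
        print(f"PID {pid}: {why}")
```

With pid_max at its 64-bit default of 4194304 each probe round is a few seconds of syscalls. The two views are only as independent as the kernel paths behind them: a rootkit that hooks both getdents64 and kill collapses the check, which is the argument for taking the second signal from somewhere the first view's privilege level cannot reach.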
MatheuZ retweeted
Richard Johnson @richinseattle:
Spread the word! @phrack CFP with demoscene cracktro is live. Turn up the volume and enjoy the awesome stylings of @PiotrBania with some hopefully inspiring text from phrack staff :) phrack.org

MatheuZ @MatheuzSecurity:
Linux Rootkit Competition — tmp.out #5
Rootkits may target userland, kernel space, or use hybrid approaches.
Categories:
* Stealth / Detection Evasion
* Persistence
* Complexity
* Obfuscation
* Novelty / Ingenuity
#linux #rootkits #tmpout

MatheuZ @MatheuzSecurity:
Singularity rootkit bypassing AVML/LiME (memory dump evasion modules) #linux #rootkits

MatheuZ @MatheuzSecurity:
New post on the stealthy Singularity rootkit: in a brief commit, Singularity intercepts the scheduler and OOM reporting paths used by Magic SysRq, closing the gaps that leave rootkits like Kovid and Diamorphine exposed. blog.kyntra.io/Hiding-from-th… #Linux #rootkits #infosec

MatheuZ retweeted
UpdateCharts @updatecharts:
"Numa Ilha", by Marina Sena, has passed 60 MILLION streams on Spotify.

MatheuZ @MatheuzSecurity:
I just released ksentinel, a Kernel Syscalls Integrity Monitor. It continuously verifies critical syscall paths and functions, the syscall table, and the LSTAR MSR to detect common kernel hooking techniques used by rootkits. github.com/MatheuZSecurit… #rootkit #linux #forensics

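What "verify the syscall table and the LSTAR MSR" amounts to, as an added example that is not ksentinel's code: each sys_call_table entry is compared with the address kallsyms gives for its handler, and a deviating pointer is attributed by nearest-symbol lookup to core kernel text, to a named module, or to memory no listed symbol covers (a hidden module or a kmalloc'd trampoline). Every input here is constructed (the kallsyms excerpt with invented addresses, the [evil] module, the table dump, the LSTAR value); on a live box the table and the MSR are only readable from ring 0, which is why such a monitor is a kernel module. MODULE_OFFSET_LIMIT is my heuristic, because /proc/kallsyms carries no symbol sizes.

```python
"""Syscall-table and LSTAR integrity check over a kallsyms-style snapshot.

Added example, not ksentinel's code. Inputs are constructed so it runs
offline; the x86_64 syscall numbers are real, the addresses are invented.
"""
import bisect
import re

# Constructed /proc/kallsyms excerpt. [evil] is the hypothetical rootkit.
KALLSYMS = """\
ffffffff81000000 T _stext
ffffffff81c00000 T entry_SYSCALL_64
ffffffff81e2a000 T __x64_sys_read
ffffffff81e2a200 T __x64_sys_write
ffffffff81e2a400 T __x64_sys_open
ffffffff81e2a600 T __x64_sys_getdents64
ffffffff81e2a800 T __x64_sys_kill
ffffffff81e2aa00 T __x64_sys_getpid
ffffffff81e2ac00 T __x64_sys_exit
ffffffff82a00000 T _etext
ffffffffc0a12000 t hooked_getdents64\t[evil]
ffffffffc0a12400 t hooked_kill\t[evil]
ffffffffc0b00000 t e1000_xmit_frame\t[e1000]
"""

LINE_RE = re.compile(r"^([0-9a-f]+) (\S) (\S+)(?:\t\[(\S+)\])?$")
# kallsyms has no symbol sizes; a pointer this far past the nearest module
# symbol is not trusted as belonging to that module (heuristic, assumption).
MODULE_OFFSET_LIMIT = 0x10000


class SymbolIndex:
    def __init__(self, kallsyms_text):
        self.syms = []
        for line in kallsyms_text.splitlines():
            m = LINE_RE.match(line)
            if m:
                addr, _typ, name, module = m.groups()
                self.syms.append((int(addr, 16), name, module))
        self.syms.sort()
        self.addrs = [s[0] for s in self.syms]
        self.by_name = {name: addr for addr, name, _ in self.syms}
        self.text_lo, self.text_hi = self.by_name["_stext"], self.by_name["_etext"]

    def resolve(self, addr):
        """Nearest symbol at or below addr -> (name, offset, module), as kallsyms does."""
        i = bisect.bisect_right(self.addrs, addr) - 1
        if i < 0:
            return None, addr, None
        sym_addr, name, module = self.syms[i]
        return name, addr - sym_addr, module

    def classify(self, expected_symbol, ptr):
        """Verdict for one table slot that should hold expected_symbol."""
        if ptr == self.by_name[expected_symbol]:
            return "OK", expected_symbol
        name, off, module = self.resolve(ptr)
        where = f"{name}+{off:#x}" if name else f"{ptr:#x}"
        if self.text_lo <= ptr < self.text_hi:
            return "REDIRECTED_IN_KERNEL_TEXT", where      # rerouted to another core function
        if module and off < MODULE_OFFSET_LIMIT:
            return f"HOOKED_BY_MODULE:{module}", where
        return "HOOKED_UNRESOLVED", where                 # memory no listed symbol covers


def check_syscall_table(index, table):
    """table: {nr: (expected handler symbol, pointer read from sys_call_table)}.
    Returns only the deviating slots, sorted by syscall number."""
    findings = []
    for nr, (expected, ptr) in sorted(table.items()):
        verdict, where = index.classify(expected, ptr)
        if verdict != "OK":
            findings.append((nr, expected, verdict, where))
    return findings


def check_lstar(index, lstar):
    """MSR_LSTAR must point at entry_SYSCALL_64. A rootkit that redirects the
    entry point can leave the table untouched, so the two checks are complementary."""
    name, off, _ = index.resolve(lstar)
    where = f"{name}+{off:#x}" if name else f"{lstar:#x}"
    return lstar == index.by_name["entry_SYSCALL_64"], where


INDEX = SymbolIndex(KALLSYMS)

# Constructed sys_call_table dump (x86_64 numbers); four slots are tampered.
SYSCALL_TABLE_DUMP = {
    0:   ("__x64_sys_read",       0xffffffff81e2a000),
    1:   ("__x64_sys_write",      0xffffffff81e2a200),
    2:   ("__x64_sys_open",       0xffffffff81e2a400),
    39:  ("__x64_sys_getpid",     0xffffffffc0f00000),  # into memory with no symbol
    60:  ("__x64_sys_exit",       0xffffffff81e2a000),  # rerouted to sys_read
    62:  ("__x64_sys_kill",       0xffffffffc0a12400),  # evil's hooked_kill
    217: ("__x64_sys_getdents64", 0xffffffffc0a12000),  # evil's hooked_getdents64
}
LSTAR_OBSERVED = 0xffffffff81c00000

if __name__ == "__main__":
    ok, where = check_lstar(INDEX, LSTAR_OBSERVED)
    print(f"LSTAR -> {where}: {'ok' if ok else 'TAMPERED'}")
    for nr, expected, verdict, where in check_syscall_table(INDEX, SYSCALL_TABLE_DUMP):
        print(f"syscall {nr:3d} {expected}: {verdict} -> {where}")
```

The baseline is only as good as its source: a rootkit that patches the bytes of __x64_sys_getdents64 in place (inline hook) leaves the table pointer and LSTAR intact, which is why a monitor also has to hash the handler bodies, the "critical syscall paths and functions" in the post.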
MatheuZ @MatheuzSecurity:
@5mukx Thanks for sharing!

MatheuZ @MatheuzSecurity:
My community, Rootkit Researchers, has just reached 11K members! Come be part of this journey and learn alongside us. Join a community focused on research, collaboration, and shared knowledge. The link to join is: discord.gg/66N5ZQppU7 #linux #malware #infosec #windows

MatheuZ retweeted
cr0@Defensive-Security.com / EDRmetry / PurpleLabs:
This week, I had so much fun providing onsite, private "Practical Linux Attack Paths, Detection and Hunting for Red and Blue Teams" dedicated training in Germany, expanded with a dedicated technical workshop day on Linux hardening, logging, and the commercial Linux EDR engine. I see an increasing adoption of EDR solutions for Linux and the accompanying need to understand how these engines work, which is great! This is where there is a huge need to understand the true Linux threat ecosystem and the knowledge of Linux internals. How do I provide such value? By delivering advanced, low-level Purple Team-style hands-on and contextual true stories that connect the dots, based on my almost 25 years of experience with Linux, whoooa!

You should be aware that the Linux EDR area still has a long way to go, and you cannot be certain that malicious activities will be automatically blocked (they probably won't be). However, if you know your baseline profile, understand the context, can query telemetry (independently of alerts and detections, often based partly on signatures), and have external DFIR/hunting/decloaker processing tools or great @SandflySecurity + network visibility, I am convinced that you have a chance to achieve a faster time to intruder detection and better incident handling. As usual, it all comes down to tiny details, and it's a process.

And to boil this post down to a technical example: remember that the point isn't to detect "process creation" based on a matching command, e.g., modprobe execution. The point is to detect the corresponding init_module/finit_module, whose events will point to modprobe, or rather kmod, as the source execution event. And so, continuing the example thread, you can load LKM modules remotely, fileless, using custom LKM loaders, which can also be launched directly from memory, e.g., with the help of memfd_create(). Does your EDR provide this visibility? Can you reconstruct the course of offensive events based on raw telemetry?

This is the essence of the workshops/training I provide. And the coolest thing is that people with certifications like OSCP/SANS usually have the most fun using PurpleLabs, EDRmetry Linux Matrix, and the course materials of Linux Attack, Detection and Forensics v2.0 - Hands-on Purple Teaming Playbook. I am super happy about this! Check out the links below:

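The technical example at the end of that post, worked through on raw telemetry as an added example (not cr0's, EDRmetry's or PurpleLabs' code): the event of interest is the init_module/finit_module syscall record, the process that issued it is context, and a finit_module whose file descriptor came from an earlier memfd_create in the same process is the fileless loader case. The audit records are constructed (reduced field set, invented PIDs and addresses) in the raw format auditd writes for a rule such as `-a always,exit -F arch=b64 -S init_module -S finit_module -k modules`; the syscall numbers are the real x86_64 ones; TRUSTED_LOADERS is an assumption about where the distribution installs kmod.

```python
"""Module-load detection over raw auditd records.

Added example. The syscall record is the fact; modprobe/kmod in comm/exe is
context. Three constructed cases: modprobe (exe resolves to kmod) loading a
.ko, a fileless load through a memfd, and a failed init_module from an
ad-hoc loader.
"""
import re
from collections import defaultdict

SYS_INIT_MODULE, SYS_FINIT_MODULE, SYS_MEMFD_CREATE = 175, 313, 319    # x86_64
MODULE_LOAD = {SYS_INIT_MODULE: "init_module", SYS_FINIT_MODULE: "finit_module"}
TRUSTED_LOADERS = {"/usr/bin/kmod", "/bin/kmod", "/usr/sbin/kmod", "/sbin/kmod"}  # assumption

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"audit\(([\d.]+):(\d+)\)")

# Constructed audit log (field subset); records sharing a serial are one event.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0a1a2b0 a1=55d0c0a1a3c0 a2=55d0c0a1b000 a3=8 items=2 ppid=1 pid=4101 auid=4294967295 uid=0 comm="modprobe" exe="/usr/bin/kmod" key=(null)
type=EXECVE msg=audit(1700000000.101:2001): argc=2 a0="modprobe" a1="nf_conntrack"
type=SYSCALL msg=audit(1700000000.104:2002): arch=c000003e syscall=313 success=yes exit=0 a0=3 a1=55d0c0a1c010 a2=0 a3=0 items=1 ppid=1 pid=4101 auid=4294967295 uid=0 comm="modprobe" exe="/usr/bin/kmod" key="modules"
type=PATH msg=audit(1700000000.104:2002): item=0 name="/lib/modules/6.1.0/kernel/net/netfilter/nf_conntrack.ko" inode=131 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.210:2003): arch=c000003e syscall=319 success=yes exit=4 a0=7ffd3a1b2c30 a1=1 a2=0 a3=0 items=0 ppid=5149 pid=5150 auid=1000 uid=0 comm="ld" exe="/dev/shm/ld" key=(null)
type=SYSCALL msg=audit(1700000000.211:2004): arch=c000003e syscall=1 success=yes exit=8192 a0=4 a1=7f1c2e000000 a2=2000 a3=0 items=0 ppid=5149 pid=5150 auid=1000 uid=0 comm="ld" exe="/dev/shm/ld" key=(null)
type=SYSCALL msg=audit(1700000000.212:2005): arch=c000003e syscall=313 success=yes exit=0 a0=4 a1=7ffd3a1b2c50 a2=0 a3=0 items=0 ppid=5149 pid=5150 auid=1000 uid=0 comm="ld" exe="/dev/shm/ld" key="modules"
type=SYSCALL msg=audit(1700000000.300:2006): arch=c000003e syscall=175 success=no exit=-1 a0=7f2a00000000 a1=1a000 a2=7ffe4d5e6f70 a3=0 items=0 ppid=5200 pid=5201 auid=1000 uid=1000 comm="insmod" exe="/home/dev/insmod" key="modules"
"""


def parse_record(line):
    """One audit record -> dict of fields, quotes stripped, serial extracted."""
    rec = {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}
    m = MSG_RE.search(rec.get("msg", ""))
    if not m:
        return None
    rec["ts"], rec["serial"] = float(m.group(1)), int(m.group(2))
    return rec


def group_events(text):
    """Records with the same serial (SYSCALL + PATH + EXECVE ...) form one event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return [events[s] for s in sorted(events)]


def detect_module_loads(text):
    """Findings for every init_module/finit_module event, trusted loader or not."""
    findings = []
    memfds = defaultdict(dict)   # pid -> {fd: serial of the memfd_create that returned it}
    for recs in group_events(text):
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None:
            continue
        nr, pid = int(sc["syscall"]), int(sc["pid"])
        if nr == SYS_MEMFD_CREATE and sc["success"] == "yes":
            memfds[pid][int(sc["exit"])] = sc["serial"]   # exit= is the returned fd
            continue
        if nr not in MODULE_LOAD:
            continue
        finding = {
            "serial": sc["serial"], "pid": pid, "comm": sc["comm"], "exe": sc["exe"],
            "syscall": MODULE_LOAD[nr], "success": sc["success"] == "yes",
            "paths": [r["name"] for r in recs if r["type"] == "PATH" and "name" in r],
        }
        fd = int(sc["a0"], 16) if nr == SYS_FINIT_MODULE else None   # finit_module(fd, ...)
        if fd is not None and fd in memfds[pid]:
            finding.update(kind="fileless_module_load_memfd", severity="high",
                           memfd_serial=memfds[pid][fd])
        elif sc["exe"] not in TRUSTED_LOADERS:
            finding.update(kind="module_load_untrusted_loader", severity="high")
        else:
            finding.update(kind="module_load_trusted_loader", severity="info")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_module_loads(AUDIT_LOG):
        print(f"{f['serial']} pid={f['pid']} {f['syscall']} by {f['exe']} "
              f"-> {f['kind']} ({f['severity']}) paths={f['paths']}")
```

Note the failed init_module is still reported: the attempt is the signal, the `success=no` just says the kernel refused it. The fd correlation assumes the memfd was not closed and its number reused for a regular file before finit_module; if close() is audited as well, drop the fd from `memfds` on that record to avoid the false positive.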
MatheuZ @MatheuzSecurity:
[image-only post]

MatheuZ @MatheuzSecurity:
@eversinc33 @CraigHRowland My bad, I got confused, but it's cool that there are things related to compiling rootkits remotely. That's something I had been thinking about doing in the cloud, and then I saw CaaS come along.

MatheuZ @MatheuzSecurity:
@eversinc33 @CraigHRowland One of the big differences is that Voidlink was AI vibe-coded and is very easy to detect; Singularity is not 😅