Singularity Rootkit: SELinux Bypass And Netlink Filter... (2026)
Stealthy Linux Kernel Rootkit for modern kernels (6.x)
Singularity is a powerful Linux Kernel Module (LKM) rootkit designed for modern 6.x kernels. It provides comprehensive stealth capabilities through advanced system call hooking via ftrace infrastructure.
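A defender-side check for the ftrace-based hooking described above, added here as an example and not taken from the Singularity project: it parses the kernel's `enabled_functions` listing and flags callbacks that are allowed to redirect execution (the `I` flag), ranking syscall entry points first. The sample input, the function names and the allowlist entry are constructed for illustration, and the tracefs path in the comment assumes the usual mount point.

```python
import re

# Constructed sample of /sys/kernel/tracing/enabled_functions (not captured from
# a real host). Per the kernel's ftrace documentation, the number in parentheses
# is the count of attached callbacks, "R" marks a callback that saves registers
# and "I" marks one that may modify the instruction pointer.
SAMPLE = """\
schedule (1)
__x64_sys_getdents64 (1) R I
__x64_sys_kill (1) R I
tcp4_seq_show (1) R I
vfs_read (1) R
klp_demo_target (1) R I
"""

LINE_RE = re.compile(r"^(?P<sym>\S+)\s+\((?P<count>\d+)\)(?P<rest>.*)$")
SYSCALL_RE = re.compile(r"^__(x64|ia32|arm64|se|do)_(compat_)?sys_")


def parse_enabled_functions(text):
    """Yield (symbol, callback_count, flags) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or unexpected lines
        flags = set()
        for tok in m.group("rest").split():
            if len(tok) != 1:
                break  # flags are single letters; stop at e.g. "tramp:"
            flags.add(tok)
        yield m.group("sym"), int(m.group("count")), flags


def triage(text, allowlist=frozenset()):
    """Return findings sorted so ip-modifying callbacks on syscalls come first."""
    findings = []
    for sym, count, flags in parse_enabled_functions(text):
        if "I" not in flags or sym in allowlist:
            continue
        severity = "high" if SYSCALL_RE.match(sym) else "review"
        findings.append((severity, sym, count))
    return sorted(findings)


if __name__ == "__main__":
    # On a live host, read the real file instead of SAMPLE:
    #   text = open("/sys/kernel/tracing/enabled_functions").read()
    for severity, sym, count in triage(SAMPLE, allowlist={"klp_demo_target"}):
        print(f"{severity:6} {sym} callbacks={count}")
```

Kernel live patching and some kprobe users also set the `I` flag, so known-good symbols belong in the allowlist. Code running in the kernel can filter what this file returns, so an empty result does not clear a host.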
Full Research Article (outdated version): Singularity: A Final Boss Linux Kernel Rootkit
EDR Evasion Case Study: Bypassing Elastic EDR with Singularity
Singularity is a sophisticated rootkit that operates at the kernel level, providing:
The module automatically hides itself after loading
There is no unload feature - reboot required to remove
Test in a VM first - cannot be removed without restarting
Default names like "singularity" are easily detected. For more stealth, you MUST randomize all identifiers before compiling.
Edit modules/clear_taint_dmesg.c - find and update line_contains_sensitive_info():
Source: HackerNews