Linux post-exploitation agent that uses io_uring to stealthily bypass EDR detection by avoiding traditional syscalls.
# RingReaper

**RingReaper** is a simple post-exploitation agent for Linux built for operators who need to work stealthily, minimizing the chance of being detected by EDR solutions. The idea behind the project is to leverage **io_uring**, the asynchronous I/O interface added to the Linux kernel in version 5.1, specifically to avoid the traditional system calls that most EDRs monitor or hook.
In practice, RingReaper replaces calls such as `read`, `write`, `recv`, `send` and `connect` with asynchronous io_uring operations (liburing's `io_uring_prep_*` helpers), which reduces exposure to hooks and to the event tracing that security products typically collect in a standardized way. The operations are queued in memory shared with the kernel and are submitted through `io_uring_enter` (or picked up by a kernel polling thread when `IORING_SETUP_SQPOLL` is used), so a hook placed on the individual `read`, `recv` or `connect` syscall never fires for them.
> **NOTE:** Some functions within RingReaper still rely on traditional calls, such as directory enumeration (`opendir`, `readdir`) and symbolic link resolution (`readlink`), because io_uring **does not yet** offer native operations for them. Even so, during my tests these calls did not trigger alerts on the tested EDRs, precisely because they fall outside the network I/O paths those products monitor.
In summary, RingReaper was built to **avoid traditional calls as much as possible**, and even where it had to fall back to them it showed strong evasion in testing, with no alerts or detections from the common security agents tested.
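To make the substitution described above concrete, here is an added example (not RingReaper's own code, and not the liburing-based `io_uring_prep_*` path the README refers to): it moves a message across an AF_UNIX `socketpair` using `IORING_OP_SEND` and `IORING_OP_RECV`, driving the ring with the raw `io_uring_setup` and `io_uring_enter` syscalls so that no `send(2)` or `recv(2)` is ever issued. The socketpair stands in for the agent's network socket (a real client would use `IORING_OP_CONNECT` and a TCP socket the same way); the setup, mmap layout and the `uring_echo`/`uring_selftest` names are this example's own, and it assumes Linux 5.6 or newer for the send/recv opcodes. It also handles the failure mode an operator hits on hardened hosts: seccomp or `kernel.io_uring_disabled` makes `io_uring_setup` fail with `EPERM`/`ENOSYS`, and the code reports that instead of crashing.

```c
/* Added example, not RingReaper's own code: echo a message over an AF_UNIX
 * socketpair using IORING_OP_SEND / IORING_OP_RECV, driven with raw
 * io_uring_setup/io_uring_enter syscalls (no liburing). Needs Linux 5.6+. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/io_uring.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

struct ring {
    int fd;
    struct io_uring_params p;
    unsigned char *sq, *cq;            /* mapped SQ / CQ ring memory */
    struct io_uring_sqe *sqes;         /* mapped SQE array */
    unsigned *sq_tail, *sq_mask, *sq_array, *cq_head, *cq_tail, *cq_mask;
    struct io_uring_cqe *cqes;
};

static void *ring_mmap(int fd, size_t len, off_t off) {
    return mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd, off);
}

/* io_uring_setup plus the mmaps liburing normally hides. Returns 0 or -errno. */
static int ring_init(struct ring *r, unsigned entries) {
    memset(r, 0, sizeof *r);
    r->fd = (int)syscall(SYS_io_uring_setup, entries, &r->p);
    if (r->fd < 0) return -errno;                       /* EPERM/ENOSYS: io_uring blocked */
    size_t sq_sz = r->p.sq_off.array + r->p.sq_entries * sizeof(unsigned);
    size_t cq_sz = r->p.cq_off.cqes + r->p.cq_entries * sizeof(struct io_uring_cqe);
    int single = r->p.features & IORING_FEAT_SINGLE_MMAP;   /* 5.4+: one mapping for both rings */
    if (single) sq_sz = cq_sz = (sq_sz > cq_sz ? sq_sz : cq_sz);
    r->sq = ring_mmap(r->fd, sq_sz, IORING_OFF_SQ_RING);
    r->cq = single ? r->sq : ring_mmap(r->fd, cq_sz, IORING_OFF_CQ_RING);
    r->sqes = ring_mmap(r->fd, r->p.sq_entries * sizeof(struct io_uring_sqe), IORING_OFF_SQES);
    if (r->sq == MAP_FAILED || r->cq == MAP_FAILED || r->sqes == MAP_FAILED) {
        int err = -errno; close(r->fd); return err;
    }
    r->sq_tail  = (unsigned *)(r->sq + r->p.sq_off.tail);
    r->sq_mask  = (unsigned *)(r->sq + r->p.sq_off.ring_mask);
    r->sq_array = (unsigned *)(r->sq + r->p.sq_off.array);
    r->cq_head  = (unsigned *)(r->cq + r->p.cq_off.head);
    r->cq_tail  = (unsigned *)(r->cq + r->p.cq_off.tail);
    r->cq_mask  = (unsigned *)(r->cq + r->p.cq_off.ring_mask);
    r->cqes     = (struct io_uring_cqe *)(r->cq + r->p.cq_off.cqes);
    return 0;
}

/* Fill one SQE, publish it, submit, and wait for its CQE. Returns cqe->res
 * (bytes moved, or -errno from the op) or -errno if io_uring_enter failed. */
static int ring_do(struct ring *r, unsigned char opcode, int fd, void *buf, unsigned len) {
    unsigned tail = *r->sq_tail, idx = tail & *r->sq_mask;
    struct io_uring_sqe *sqe = &r->sqes[idx];
    memset(sqe, 0, sizeof *sqe);
    sqe->opcode = opcode;
    sqe->fd = fd;
    sqe->addr = (uint64_t)(uintptr_t)buf;
    sqe->len = len;
    r->sq_array[idx] = idx;
    __atomic_store_n(r->sq_tail, tail + 1, __ATOMIC_RELEASE);  /* hand the SQE to the kernel */
    if (syscall(SYS_io_uring_enter, r->fd, 1, 1, IORING_ENTER_GETEVENTS, NULL, 0) < 0)
        return -errno;
    unsigned head = __atomic_load_n(r->cq_head, __ATOMIC_ACQUIRE);
    if (head == __atomic_load_n(r->cq_tail, __ATOMIC_ACQUIRE)) return -EAGAIN;
    int res = r->cqes[head & *r->cq_mask].res;
    __atomic_store_n(r->cq_head, head + 1, __ATOMIC_RELEASE);  /* mark the CQE consumed */
    return res;
}

/* Send msg on sv[0] and receive it on sv[1], both through the ring.
 * Returns bytes received into out, or -errno. */
int uring_echo(const char *msg, char *out, unsigned outlen) {
    struct ring r;
    int sv[2], ret = ring_init(&r, 4);
    if (ret < 0) return ret;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { ret = -errno; goto done; }
    ret = ring_do(&r, IORING_OP_SEND, sv[0], (void *)msg, (unsigned)strlen(msg));
    if (ret >= 0) ret = ring_do(&r, IORING_OP_RECV, sv[1], out, outlen);
    close(sv[0]); close(sv[1]);
done:
    close(r.fd);  /* mappings are left to process exit; a long-lived agent would munmap them */
    return ret;
}

/* True when the failure means io_uring is simply unavailable here: seccomp
 * (ENOSYS/EPERM), sysctl kernel.io_uring_disabled (EPERM), or a kernel without
 * IORING_OP_SEND/RECV (EINVAL in cqe->res). Anything else is a real bug. */
int uring_unavailable(int err) { return err == -ENOSYS || err == -EPERM || err == -EINVAL; }

/* 1 = round trip matched, 2 = io_uring unavailable on this host, 0 = real failure. */
int uring_selftest(void) {
    static const char msg[] = "ping from io_uring";   /* constructed sample payload */
    char out[64] = {0};
    int n = uring_echo(msg, out, sizeof out - 1);
    if (n < 0) return uring_unavailable(n) ? 2 : 0;
    return (n == (int)sizeof msg - 1 && memcmp(out, msg, (size_t)n) == 0) ? 1 : 0;
}

int main(void) {
    int rc = uring_selftest();
    printf("%s\n", rc == 1 ? "echoed through io_uring, no send/recv syscalls issued"
                 : rc == 2 ? "io_uring not usable on this host" : "unexpected failure");
    return rc == 0;
}
```

Run it under `strace -f -e trace=send,sendto,recv,recvfrom,io_uring_enter` to see the point of the README: the only syscalls that appear are `io_uring_setup` and `io_uring_enter`, so a sensor keyed on the socket syscalls sees nothing, while one that watches `io_uring_enter` or the `io_uring:*` tracepoints still does.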
See the full and detailed article at:
https://matheuzsecurity.github.io/hacking/evading-linux-edrs-with-io-uring/
Author: https://www.linkedin.com/in/mathsalves/
## Command Reference
| Command | Description | Backend |
|---------------|----------------------------------------------------------|----------------------|
| `get` | Retrieve files from the target | 100% io_uring |
| `put` | Upload files (uses `recv` on the agent side) | 100% io_uring |
| `users` | List logged-in users by reading `utmp`