Friday 26 September 10:00 - 10:30, Green room
Ruben Groenewoud & Remco Sprooten (Elastic)
While Windows malware research has long dominated security discussions, Linux threats often remain overlooked – despite their increasing sophistication and real-world impact. Among these, Linux rootkits are one of the most elusive and technically complex classes of malware, enabling deep system compromise and stealthy persistence.
This talk provides a comprehensive overview of the current landscape of Linux rootkits, from traditional Loadable Kernel Module (LKM) rootkits to implementations using shared objects (SO) and, more recently, eBPF.
We dissect the core structure of Linux rootkits, focusing on syscall hooking techniques and direct syscall table manipulation. By analysing real-world samples, we present a statistical breakdown of contemporary Linux rootkit development, highlighting shifts in attacker methodologies and the prevalence of different hooking techniques.
As a case study, we examine PUMAKIT – alongside other notable samples – to illustrate their architectures, hooking mechanisms, evasion strategies, and impact on compromised systems. Finally, we discuss key detection strategies, offering actionable insights for defenders and threat hunters to uncover and mitigate these threats.
As Linux continues to power critical infrastructure, cloud workloads, and enterprise systems, understanding these rootkits is essential for modern defenders. This session is designed for security researchers, malware analysts, and blue teamers looking to deepen their knowledge of stealthy Linux threats and effective countermeasures.
Ruben Groenewoud

Ruben Groenewoud is a security research engineer at Elastic Security Labs, specializing in Linux threat detection, SIEM, malware analysis, and YARA rule development. With a background in SOC operations, penetration testing, and machine learning for cybersecurity, he focuses on advancing detection engineering and malware research. His work has been published in the field of Linux security, covering everything from deep-dive malware analysis to innovative detection strategies.

Remco Sprooten

Remco Sprooten is a principal security researcher at Elastic Security Labs, specializing in reverse engineering, digital forensics, and threat intelligence. As a former forensic investigator for the Dutch Police, he has deep expertise in dissecting malware families and developing innovative security solutions. His research focuses on uncovering advanced threats and enhancing cybersecurity defences.