Linux Stealth Rootkit Hunting Presentation
This article presents the talk on hunting Linux stealth rootkits given at the Oslo Cold Incident Response Conference. It focuses on analysis of a Chinese/North Korean rootkit and, through three key areas (data leaks, inconsistent answers and system impacts), shows how simple command line tools can detect many kinds of rootkits and malware. It recommends Sandfly for detection at scale and deeper analysis. 2025-10-9 05:42:57 Author: sandflysecurity.com

Sandfly Blog

09 October 2025

Presentations

Below is our presentation from the Oslo Cold Incident Response Conference 2025 that covered hunting for Linux stealth rootkits with command line tools:

Linux Stealth Rootkit Hunting Presentation

This presentation covers techniques for rapidly investigating a host to determine whether it is running particular types of Loadable Kernel Module (LKM) rootkits that try to evade detection. It uses as its main case the recently disclosed China/North Korean rootkit published by Phrack magazine, which we analyzed in the post linked below, but the methods apply to other rootkit styles as well:

Leaked China/North Korean Stealth Rootkit Analysis

This presentation also gives general advice on hunting for threats hiding on Linux by focusing on three critical areas:

1) Data leaks

2) Inconsistent answers

3) System impacts

Applying these principles with simple command line tools on Linux can reveal a wide variety of rootkits and evasive malware.
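As an added example (not the presentation's or Sandfly's own tooling), the POSIX shell script below applies the inconsistent-answers and system-impacts ideas: it decodes the kernel taint mask documented in the tainted-kernels page linked at the end, and compares two views of processes and of kernel modules that should agree on a clean host. It assumes a Linux host with /proc and /sys mounted and a ps that supports -o; the helper names are my own.

```shell
#!/bin/sh
# Added example, not code from the Sandfly presentation: helpers that apply
# the "inconsistent answers" and "system impacts" ideas from the talk.

# Decode /proc/sys/kernel/tainted (bit layout documented at
# https://docs.kernel.org/admin-guide/tainted-kernels.html). Only the bits
# most relevant to LKM hunting are decoded; the result is a string of letters.
decode_taint() {
    mask=$1
    out=""
    [ $((mask & 1)) -ne 0 ]    && out="${out}P"   # bit 0: proprietary module
    [ $((mask & 2)) -ne 0 ]    && out="${out}F"   # bit 1: module force-loaded
    [ $((mask & 4096)) -ne 0 ] && out="${out}O"   # bit 12: out-of-tree module
    [ $((mask & 8192)) -ne 0 ] && out="${out}E"   # bit 13: unsigned module
    printf '%s' "$out"
}

# Print every whitespace-separated item of list 1 that is absent from list 2.
# Two views of the same kernel state should agree; anything printed is an
# "inconsistent answer" that deserves a closer look.
missing_from_second() {
    second=" $(printf '%s' "$2" | tr '\n' ' ') "
    for item in $1; do
        case "$second" in
            *" $item "*) ;;               # present in both views
            *) printf '%s\n' "$item" ;;   # only in the first view
        esac
    done
    return 0
}

# Live checks, run only on a Linux host where the needed sources exist.
if [ -r /proc/sys/kernel/tainted ] && [ -r /proc/modules ] && command -v ps >/dev/null 2>&1; then
    echo "taint flags: $(decode_taint "$(cat /proc/sys/kernel/tainted)")"
    # PIDs that exist as /proc directories but are missing from ps. Processes
    # exiting between the two reads cause benign hits; re-run to confirm.
    proc_pids=$(ls /proc | grep -E '^[0-9]+$' || true)
    ps_pids=$(ps -eo pid= | tr -d ' ')
    echo "PIDs in /proc but not in ps:"
    missing_from_second "$proc_pids" "$ps_pids"

    # Loaded modules known to sysfs but absent from /proc/modules (the source
    # lsmod reads). Only directories with an initstate file are loadable
    # modules, which keeps built-in modules out of the comparison.
    sys_mods=$(for f in /sys/module/*/initstate; do [ -e "$f" ] && basename "$(dirname "$f")"; done)
    proc_mods=$(awk '{print $1}' /proc/modules)
    echo "modules in /sys/module but not in /proc/modules:"
    missing_from_second "$sys_mods" "$proc_mods"
fi
```

A non-empty taint string of O or E, or any entry printed by the two comparisons, is a lead to investigate, not proof of a rootkit on its own.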

While these methods work great for one-off investigations, we recommend you use Sandfly to do this at scale and also to get access to much deeper malware decloaking tools. Please contact us to find out more or get a license today.

Links

https://phrack.org/issues/72/7_md#article

https://sandflysecurity.com/blog/leaked-north-korean-linux-stealth-rootkit-analysis

https://github.com/sandflysecurity

https://docs.kernel.org/admin-guide/tainted-kernels.html



Source: https://sandflysecurity.com/blog/linux-stealth-rootkit-hunting-presentation