Elastic Security Labs' "Hooked on Linux: Rootkit Taxonomy, Hooking Techniques and Tradecraft" is the first part of a two-part series, exploring Linux rootkit taxonomy, evolution and hooking techniques; part two focuses on detection engineering. The piece traces rootkits from userland shared-object hijacking to kernel-space implants built on eBPF and io_uring, and the article lists a 25-minute read time.
It covers loader and payload components and details a range of kernel hooking methods, including IDT hooking, syscall table patching, inline patching, VFS hooking, ftrace, kprobes, and kernel hooking frameworks such as KHOOK, alongside userspace interposition via LD_PRELOAD. Real-world samples cited include Diamorphine, Reptile, JynxKit, Azazel, FlipSwitch, PUMAKIT, and others, illustrating how attackers combine multiple techniques to achieve stealth and persistence.
The article also highlights io_uring as a newer evasion vector and explains that modern Linux rootkits increasingly rely on legitimate kernel instrumentation to hide their activity.