RingReaper: New Linux EDR Evasion Tool Exploits io_uring Kernel Feature
gbhackers
A new tool named RingReaper is raising eyebrows among defenders and red teamers alike.
By leveraging the legitimate, high-performance Linux kernel feature known as io_uring, RingReaper demonstrates how advanced attackers can sidestep even modern Endpoint Detection and Response (EDR) systems.
The Rise of io_uring in Offensive Security
Introduced in Linux kernel 5.1, io_uring was designed to provide high-throughput, asynchronous I/O operations.
Instead of the traditional model—where each file or network operation triggers a separate, easily monitored syscall—io_uring enables a process to submit multiple I/O requests to a shared queue.

The kernel processes these requests as resources allow, returning results through a separate completion queue. This design eliminates the repetitive, blocking syscalls that most EDRs are built to monitor.
Key advantages of io_uring for attackers:
- Multiple operations (open, read, write, send, connect) are handled in batches.
- Fewer individual syscalls are visible to EDRs.
- Asynchronous operations reduce ...
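A defender-side check for the behaviour described above, as an added example that is not from the article or from RingReaper: an io_uring instance is held as a file descriptor whose /proc link reads `anon_inode:[io_uring]`, so processes using the feature can be enumerated without relying on per-operation syscall hooks. The function names and the sample /proc tree are constructed for illustration.

```python
import os
import tempfile

IO_URING_LINK = "anon_inode:[io_uring]"  # readlink target of an io_uring fd

def read_comm(proc_root, pid):
    try:
        with open(os.path.join(proc_root, pid, "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"

def find_io_uring_holders(proc_root="/proc"):
    """Return {pid: {"comm": name, "fds": [...]}} for processes holding io_uring fds."""
    holders = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not permitted to inspect it
            continue
        rings = []
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == IO_URING_LINK:
                    rings.append(int(fd))
            except OSError:  # fd closed between listdir and readlink
                continue
        if rings:
            holders[int(entry)] = {"comm": read_comm(proc_root, entry),
                                   "fds": sorted(rings)}
    return holders

def build_sample_proc(root):
    """Constructed /proc-like tree: pid 101 holds a ring, pid 202 does not."""
    layout = {"101": ("worker", {"0": "/dev/null", "3": "socket:[4242]", "5": IO_URING_LINK}),
              "202": ("sshd", {"0": "/dev/null", "4": "socket:[777]"})}
    for pid, (comm, fds) in layout.items():
        os.makedirs(os.path.join(root, pid, "fd"))
        with open(os.path.join(root, pid, "comm"), "w") as f:
            f.write(comm + "\n")
        for fd, target in fds.items():
            os.symlink(target, os.path.join(root, pid, "fd", fd))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("sample:", find_io_uring_holders(build_sample_proc(tmp)))
    print("live:  ", find_io_uring_holders())  # run as root to see all processes
```

Run without root, the live scan only sees the caller's own processes; holders that are not expected I/O-heavy services are the ones worth triaging.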
Copyright of this story solely belongs to gbhackers.