Singularity Rootkit: SELinux bypass and netlink filter (ss/conntrack hidden)

Ghost-mode Linux tool flips the safety switch; panic, jokes, and ban calls

TLDR: A new Linux rootkit called Singularity can hide activity and even turn off SELinux when triggered by a secret ping. Commenters are split between research value, calls for GitHub to remove it, and skeptics saying it’s lab-only, while defenders trade counter ideas and joke about “ghost mode.”

Meet Singularity, a ‘final boss’ rootkit that goes full ghost on Linux servers, hiding processes, files, and network connections. The jaw-dropper: it can flip SELinux (Linux’s built‑in security guard) off on demand when a secret ping arrives, and the author brags it leaves “zero audit logs.” In plain terms: push a quiet button, the alarms stop, and your tracks vanish. Researchers call it a showcase in stealth and evasion.

The community reaction? Split and spicy. Some begged for clear defense playbooks, while cynics said “Be a researcher, not a criminal” is wishful thinking. Platform drama erupted fast, with calls for GitHub to remove the repo. Skeptics downplayed the fear, noting there’s no persistence (a reboot wipes it), and argued it’s more lab trophy than real‑world nightmare.

Defenders floated counter‑ideas—like comparing files from a clean machine—while ultra‑nerds debated memory hunts. Meme lords dubbed it a “cheat code”: ping to unlock god mode. Red teamers brought popcorn; anxious admins clutched coffee. The bigger fight: does publishing advanced stealth help defenders prepare, or simply hand bad actors a shiny new toy? The line between research and chaos has rarely looked thinner.

Key Points

  • Singularity is a Linux kernel module rootkit for 6.x kernels that hides processes, files, and network activity and provides privilege escalation and log sanitization.
  • It implements advanced netlink filtering (SOCK_DIAG and NETFILTER/conntrack) to conceal TCP/UDP connections from tools like netstat, ss, and conntrack.
  • The rootkit includes broad audit and forensic evasion, filtering dmesg, journalctl -k, klogctl, /proc interfaces, debugfs outputs, and blocking eBPF/io_uring-based detection.
  • It offers remote access via an ICMP-triggered reverse shell with an SELinux enforcing mode bypass capability and automatic self-hiding from module lists.
  • Installation requires kernel headers, GCC, Make, and root access; it auto-hides, cannot be unloaded (reboot needed), and has been tested on multiple 6.x kernel versions.

Hottest takes

“Be a researcher, not a criminal” might be wishful thinking — hatmanstack
“this feels a little bit too much effort for something that was never used in the real world” — kachapopopow
“Github should take a harder stance against this kind of repo” — VoidWhisperer