Linux Stealth Rootkit Hunting Video Presentation
03 November 2025
This is a video of the presentation on Linux Stealth Rootkit Hunting from the FIRST conference in Oslo. See below for a link to the presentation slides and additional resources.
The PDF of the full presentation is below:
Linux Stealth Rootkit Hunting Presentation
This presentation covers techniques for rapidly investigating a host to see whether it is running Loadable Kernel Module (LKM) rootkits that try to evade detection. It uses the leaked China/North Korean stealth rootkit recently published by Phrack magazine (analyzed in the post linked below) as its main case study, but the methods apply to other rootkit styles as well:
Leaked China/North Korean Stealth Rootkit Analysis
The presentation also gives general advice on hunting for threats hiding on Linux, focused on three critical areas:
1) Data leaks
2) Inconsistent answers
3) System impacts
Applying these principles with simple command line tools on Linux can reveal a wide variety of rootkits and evasive malware.
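As an added example (not code from the presentation, and not Sandfly's own tooling), the following POSIX shell script shows what two of those angles look like with stock tools. The kernel taint flags are a data-leak style check: the kernel records that an out-of-tree or unsigned module was loaded even if the module later unhooks itself from the module list. The module and PID checks are inconsistent-answers checks: the kernel is asked the same question two ways (/proc/modules versus sysfs, readdir of /proc versus a direct stat of each /proc/<pid>) and any disagreement is reported. The function names, the sample data in the comments and the name suspect_mod used there are assumptions for illustration; the taint bit values come from the tainted-kernels document linked below.

```shell
#!/bin/sh
# Added example: three rootkit-hunting checks with stock tools.
# Not code from the Sandfly presentation or the Sandfly project.
# The checks are pure functions over text so they can be run on
# constructed input; the live_* wrappers feed them data from this host.
# Assumes a Linux host with /proc and /sys mounted and a POSIX sh.

# Print each whitespace-separated item of list $1 that is absent from
# list $2. $2 is expanded unquoted on purpose so that both space- and
# newline-separated lists become one item per line for grep -Fx.
missing_from() {
    for item in $1; do
        printf '%s\n' $2 | grep -Fxq -- "$item" || printf '%s\n' "$item"
    done
}

# Decode the module-related bits of /proc/sys/kernel/tainted (bit values
# from docs.kernel.org/admin-guide/tainted-kernels.html), one flag per word.
# Caveat: code already running in the kernel can clear these bits, so a
# zero value proves nothing; a set bit on a host that should only run
# signed in-tree modules is a lead worth chasing.
taint_flags() {
    t=$1; out=""
    [ $((t & 1))    -ne 0 ] && out="$out P:proprietary-module"
    [ $((t & 2))    -ne 0 ] && out="$out F:force-loaded"
    [ $((t & 8))    -ne 0 ] && out="$out R:force-unloaded"
    [ $((t & 4096)) -ne 0 ] && out="$out O:out-of-tree"
    [ $((t & 8192)) -ne 0 ] && out="$out E:unsigned"
    printf '%s\n' "${out# }"
}

# Modules present in sysfs but missing from /proc/modules (what lsmod reads).
# $1: contents of /proc/modules. $2: names of /sys/module/*/ directories that
# contain an initstate file (only loadable modules have one; built-ins do not).
# A module that merely unlinks itself from the kernel's module list still
# has its sysfs entry and is reported here. One that also removes its
# kobject gives consistent answers and needs another angle.
hidden_modules() {
    listed=$(printf '%s\n' "$1" | awk 'NF { print $1 }')
    missing_from "$2" "$listed"
}

# PIDs that answer to a direct stat of /proc/<pid> but are absent from a
# readdir of /proc. $1: pids from readdir. $2: pids found by direct probing.
# Catches rootkits that filter getdents64 results but not path lookup.
hidden_pids() {
    missing_from "$2" "$1"
}

live_taint_check() {
    taint_flags "$(cat /proc/sys/kernel/tainted)"
}

live_module_check() {
    sysfs=$(for d in /sys/module/*/; do
                [ -f "$d/initstate" ] && basename "$d"
            done)
    hidden_modules "$(cat /proc/modules)" "$sysfs"
}

# Probe /proc/1 .. /proc/$1 (default: this host's pid_max). Several million
# stat calls take tens of seconds in sh; unhide(8) does the same loop in C.
live_pid_check() {
    max=${1:-$(cat /proc/sys/kernel/pid_max)}
    seen=$(ls /proc | grep '^[0-9][0-9]*$')
    probed=$(i=1; while [ "$i" -le "$max" ]; do
                 [ -d "/proc/$i" ] && printf '%s\n' "$i"
                 i=$((i + 1))
             done)
    hidden_pids "$seen" "$probed"
}

# Constructed sample input (not from a real host) for the pure functions:
#   taint_flags 12288              -> "O:out-of-tree E:unsigned"
#   hidden_modules "ext4 1200000 1 - Live 0xffffffffc0000000" \
#                  "ext4 suspect_mod" -> "suspect_mod"
#   hidden_pids "1 2 300" "1 2 300 4242" -> "4242"
# Uncomment to run the live checks on this host. Root is not required, but an
# unprivileged reader sees the same filtered view on both sides of a check.
# live_taint_check; live_module_check; live_pid_check 65536
```

Any line printed by the live wrappers is not proof of a rootkit on its own (a process can exit between the readdir and the probe, for example); it is the point at which to switch to the third angle and look at system impacts around that module or PID.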
While these methods work well for one-off investigations, we recommend you use Sandfly to do this at scale and to get access to much deeper malware decloaking tools. Please contact us to find out more or get a license today.
Links
https://phrack.org/issues/72/7_md#article
https://sandflysecurity.com/blog/leaked-north-korean-linux-stealth-rootkit-analysis
https://github.com/sandflysecurity
https://docs.kernel.org/admin-guide/tainted-kernels.html