FlipSwitch: a Novel Syscall Hooking Technique

Sept. 30, 2025, 8:12 p.m.

Description

FlipSwitch is a new syscall hooking technique for Linux kernel 6.9+ that works where traditional methods have been rendered obsolete by changes in the syscall dispatch mechanism. The technique locates the original syscall function, scans the machine code of the x64_sys_call function for the specific call instruction that invokes it, and modifies that instruction's offset to redirect execution to a malicious function. This precise modification leaves minimal traces and can be fully reverted. FlipSwitch demonstrates the ongoing evolution of attack techniques in response to kernel hardening efforts, highlighting the cat-and-mouse game between attackers and defenders in cybersecurity.

Date

  • Created: Sept. 30, 2025, 1:02 p.m.
  • Published: Sept. 30, 2025, 1:02 p.m.
  • Modified: Sept. 30, 2025, 8:12 p.m.

Indicators

  • 7c87127c1abcbda6bf3a9872a0ca49406d564dc2

Attack Patterns