{
  "name": "FlipSwitch: a Novel Syscall Hooking Technique",
  "slug": "flipswitch-a-novel-syscall-hooking-technique",
  "description": "FlipSwitch introduces a new syscall hooking technique for Linux kernel 6.9+. It does not bypass the traditional hooking methods so much as replace them: the 6.9 change to the syscall dispatch mechanism (system calls are now reached by direct calls from x64_sys_call rather than through a table of function pointers) left those methods without a target. The technique locates the original syscall function, scans the machine code of x64_sys_call for the call instruction that targets it, and rewrites that instruction's relative offset so the dispatcher calls a malicious function instead. The change is small, targets only the one instruction and can be fully reverted, so it leaves far fewer traces than a rewritten table entry; it is still a modification of kernel text, however, so comparing the in-memory bytes of x64_sys_call against a known-good copy (or any kernel text integrity check) will reveal it. FlipSwitch demonstrates the ongoing evolution of attack techniques in response to kernel hardening efforts, highlighting the cat-and-mouse game between attackers and defenders in cybersecurity.",
  "published": "2025-09-30T11:02:10+00:00",
  "created_at": "2025-09-30T11:02:10+00:00",
  "modified_at": "2025-09-30T18:12:42+00:00",
  "created_at_opencti": "2025-09-30T11:02:10+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-09-30",
    "flipswitch",
    "kernel security",
    "linux kernel",
    "rootkit",
    "syscall hooking",
    "x86-64",
    "yara"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "7c87127c1abcbda6bf3a9872a0ca49406d564dc2"
      }
    ],
    "attack_patterns": [
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "64cdebc9-0fb4-48f2-bf4f-b87f3741f664",
        "name": "T1068"
      }
    ]
  },
  "external_refs": [
    "https://www.elastic.co/security-labs/flipswitch-linux-rootkit",
    "https://otx.alienvault.com/pulse/68dbd4d29f6ebf19ffe79f50"
  ]
}