Caracal – Rust eBPF Rootkit for Stealthy Post-Exploitation

Caracal is a new Rust-based eBPF (extended Berkeley Packet Filter) rootkit that provides a stealth layer for red team operators by hiding userland processes and kernel-level BPF programs from traditional monitoring tools. It is designed for advanced post-exploitation phases where persistence, evasion, and concealment are critical.

Overview

Caracal targets Linux environments by manipulating the eBPF subsystem, a powerful kernel-based packet filtering and tracing engine. By exploiting visibility gaps in BPF observability, it can cloak processes and kernel hooks from detection mechanisms such as ps, top, ls /proc, and BPF-specific tools like bpftool and bpftop.

The tool works by loading eBPF programs via privileged Rust binaries that directly interact with kernel internals. Once deployed, Caracal actively interferes with kernel telemetry and hides its artefacts from process listing and introspection tools. It complements staging tools like feroxbuster and post-exploitation payloads such as Sliver by enabling low-noise operator presence in hostile environments.

Key Features

• Written in Rust for safety, speed, and memory integrity
• Hides eBPF programs and maps from bpftool enumeration
• Conceals userland processes from ps, top, procfs queries
• Modular architecture for flexible deployment
• Open source under GPLv3

Red Team Relevance

Modern detection strategies increasingly rely on kernel-level telemetry and real-time monitoring using eBPF agents. Caracal targets that exact surface. It provides advanced evasion capability in post-compromise situations where traditional rootkits are too noisy or signatured. It can be deployed as a next-gen persistence mechanism or as an in-memory staging vector post shell access.

In red team operations simulating nation-state actors or advanced persistent threats (APTs), tools like Caracal provide realism by mimicking stealth techniques that evade both behavioural and signature-based endpoint detection. This is especially relevant in environments where defenders deploy eBPF-based observability platforms such as Cilium or Falco.

Detection and Mitigation Considerations

Currently, Caracal evades most standard detection techniques. However, defenders should monitor:

• Unusual kernel memory allocations not mapped to known processes
• Discrepancies between procfs and telemetry pipelines
• Hidden processes not correlated with auditd logs
• Changes in eBPF program counts or unverified program loading

Advanced monitoring using memory forensics tools or kernel patch integrity frameworks may eventually help uncover such stealth layers, but this remains an open problem in active defence.

Conclusion

Caracal represents a leap forward in stealth tooling for red teamers and adversary simulation. With its novel use of Rust and kernel eBPF manipulation, it operates well below the radar of most commercial endpoint detection systems. As defenders increase reliance on eBPF-based telemetry, offensive operators must adapt—and Caracal is a powerful step in that direction.

You can read more or download caracal here: github.com/adgaultier/caracal