Codeine

September 1, 2025

 .o88b.  .d88b.  d8888b. d88888b d888888b d8b   db d88888b 
d8P  Y8 .8P  Y8. 88  `8D 88'       `88'   888o  88 88'     
8P      88    88 88   88 88ooooo    88    88V8o 88 88ooooo 
8b      88    88 88   88 88~~~~~    88    88 V8o88 88~~~~~ 
Y8b  d8 `8b  d8' 88  .8D 88.       .88.   88  V888 88.     
 `Y88P'  `Y88P'  Y8888D' Y88888P Y888888P VP   V8P Y88888P 
 

Codeine is a Linux LKM Rootkit aimed at ensuring the attacker’s persistence through a reverse shell and remaining completely hidden in the system. It hides itself from the modules list and sysfs.

Tested on kernel version:

  • 6.x
  • 5.15

Install

    make
    insmod codeine.ko

Uninstall

    kill -59 0   # if CANBEHIDE var is TRUE
    rmmod codeine

To do


  • Hide TCP connections
  • Hide PIDs
  • Create config file with network information
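
Detection note: the following is an added example, not part of Codeine or its author's code. A module that hides itself from the modules list and sysfs, as described above, still leaves the kernel taint flags set when it was loaded out-of-tree or unsigned, so this check compares `/proc/sys/kernel/tainted` against the per-module taint letters in `/proc/modules`. The sample inputs are constructed, and a finding is a lead rather than proof, because the taint also persists after a module is legitimately unloaded.

```python
import re
from pathlib import Path

# Kernel taint bits, per Documentation/admin-guide/tainted-kernels.rst
TAINT_OOT = 1 << 12       # 'O': an out-of-tree module was loaded
TAINT_UNSIGNED = 1 << 13  # 'E': an unsigned module was loaded

# Constructed samples of /proc/modules content (not captured from a real host).
SAMPLE_HIDDEN = (
    "ext4 1126400 1 - Live 0x0000000000000000\n"
    "mbcache 16384 1 ext4, Live 0x0000000000000000\n"
)
SAMPLE_VISIBLE = SAMPLE_HIDDEN + "vboxdrv 700000 0 - Live 0x0000000000000000 (OE)\n"


def visible_module_flags(proc_modules: str) -> dict:
    """Map each listed module name to its taint letters ('' if none)."""
    mods = {}
    for line in proc_modules.splitlines():
        fields = line.split()
        if not fields:
            continue
        # Tainting modules carry a trailing field such as "(OE)" or "(OE+)".
        m = re.fullmatch(r"\(([A-Z+-]+)\)", fields[-1])
        mods[fields[0]] = m.group(1) if m else ""
    return mods


def unexplained_taint(tainted: int, proc_modules: str) -> list:
    """Return findings where a kernel taint bit has no listed module behind it."""
    mods = visible_module_flags(proc_modules)
    findings = []
    for bit, letter, desc in ((TAINT_OOT, "O", "out-of-tree"),
                              (TAINT_UNSIGNED, "E", "unsigned")):
        if tainted & bit and not any(letter in f for f in mods.values()):
            findings.append(f"kernel tainted by {desc} module, but none is listed")
    return findings


if __name__ == "__main__":
    # On a live Linux host, read the real values instead of the samples.
    tainted = int(Path("/proc/sys/kernel/tainted").read_text().strip())
    listing = Path("/proc/modules").read_text()
    for finding in unexplained_taint(tainted, listing) or ["no unexplained module taint"]:
        print(finding)
```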