Yes. Linux rootkits are easily seen by Sandfly, even if they are trying to hide. We have a variety of methods for detecting and de-cloaking rootkits that are hiding processes, directories, files and users. We can also find extremely evasive malware frequently missed by other solutions. We wrote the first deep technical analysis of BPFDoor, malware that by some reports evaded detection for five years. Sandfly easily found it.
In the example below we have de-cloaked a Diamorphine rootkit module trying to hide. We have many mechanisms for finding common and not-so-common rootkit hiding methods.