diff --git a/details/rkduck.md b/details/rkduck.md index 0d18142..7f0bd3b 100644 --- a/details/rkduck.md +++ b/details/rkduck.md @@ -6,7 +6,33 @@ https://github.com/QuokkaLight/rkduck - x86, x86_64 - Linux kernel 4.x +- Debian/Ubuntu, RHEL/CentOS/Fedora ## Persistency +Boot-time module loading using OS-specific startup files: + - /etc/modules (debian/ubuntu) + - https://github.com/linux-rootkits/rkduck/blob/master/forever.sh#L29 + - /etc/rc.modules (redhat/centos/fedora) + - https://github.com/linux-rootkits/rkduck/blob/master/forever.sh#L32 + +Rootkit module runs `forever.sh` helper script at the moment of module unloading: + - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/duck.c#L47 + +## Detection evasion + +Rootkit is trying to evade from detection by: + - hiding rootkit files by name + +## Management interface + +Implemented via in-kernel `netlink` server (`NETLINK_USER`) : + - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/crumbs_serv.c#L142 + +Supported commands are: + - hiding/unhiding files + - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/crumbs_serv.c#L22 + - hiding/unhiding processes + - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/crumbs_serv.c#L32 + ...
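Review bot: the "Detection evasion" list in this hunk names only "hiding rootkit files by name", yet the "Management interface" section a few lines later documents both file hiding (crumbs_serv.c#L22) and process hiding (crumbs_serv.c#L32); the evasion section should list process hiding as well, or say why it is left out, so the two sections do not contradict each other. Two smaller points on the same hunk: every new link points at github.com/linux-rootkits/rkduck while the unchanged context line above names https://github.com/QuokkaLight/rkduck, so state which repository is canonical or reference one consistently; and line-anchored links against master (forever.sh#L29, duck.c#L47, and so on) silently drift when the files change, so pin them to a commit hash. Consider "Persistence" rather than "Persistency" for the heading, and "The rootkit evades detection by:" in place of "Rootkit is trying to evade from detection by:".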