BPFDoor and Symbiote rootkits exploit eBPF on Linux systems

The BPFDoor and Symbiote rootkits target Linux servers and network appliances, abusing Berkeley Packet Filter (BPF) socket filters to hide command-and-control traffic. In 2025, researchers identified 151 new BPFDoor samples and three new Symbiote samples, showing that both families are still under active development. They give operators stealthy remote access that passes traditional firewalls and detection tools unnoticed.

BPFDoor and Symbiote, both dating from 2021, are sophisticated Linux threats built on Berkeley Packet Filter technology. The kernel has long allowed a process to attach a small, sandboxed filter program to a socket (classic BPF, cBPF); the extended successor, eBPF, arrived in Linux 3.18 at the end of 2014 and is now also used for tracing, networking and security hooks, not for "system call modification". BPFDoor attaches classic BPF socket filters, and Symbiote installs its filters through the same socket-filter interface. A filter on a raw AF_PACKET socket runs inside the kernel on every received frame, in the device receive path, before the IP stack and its netfilter (iptables/nftables) rules ever see the packet, so a trigger that the host firewall would drop can still reach the backdoor. This yields covert command-and-control (C2) over non-standard high ports with a minimal network footprint, and it bypasses basic firewalls and legacy intrusion detection systems (IDS) that only watch well-known services.

BPFDoor installs a classic BPF (cBPF) filter on a raw or packet socket and waits for specially crafted "magic packets". Earlier variants matched IPv4 ICMP, UDP or TCP packets carrying a magic value, authenticated the sender, and then opened a hidden reverse shell; because the sniffing socket is not a listener, netstat and lsof show no open port. The 2025 samples add IPv6 EtherTypes, so the implant works in dual-stack environments where IPv6 monitoring is often immature, and they match DNS traffic on port 53 over both IPv4 and IPv6 so that triggers look like routine queries. The filter returns zero for every frame that does not match, so the backdoor's socket never receives it and nothing observable happens until a trigger arrives; the frames themselves still flow through the normal stack, which gives signature- and anomaly-based tools nothing unusual to see. Other features include process masquerading (rewriting its command line to look like a system daemon), environment wiping, and selective firewall manipulation, which mark BPFDoor as a tool for long-term stealthy access rather than a noisy bot.
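To make the filter mechanics concrete, here is an added example written for this edit; it is not taken from any BPFDoor or Symbiote sample. It shows a cBPF program in the same style (accept IPv4 or IPv6 UDP to port 53 only when the first four payload bytes equal a made-up magic word) together with a small userspace interpreter, so the filter's decisions can be checked against constructed frames without root. The opcode values are the kernel's cBPF ABI; the magic constant, the program itself and the frame builder are assumptions made here for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Classic BPF instruction; same layout as struct sock_filter in <linux/filter.h>. */
struct cbpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

/* cBPF opcodes used below (class|size|mode values from the kernel ABI). */
#define LDH_ABS 0x28  /* A = 16-bit word at [k]                        */
#define LDB_ABS 0x30  /* A = byte at [k]                               */
#define LDH_IND 0x48  /* A = 16-bit word at [X+k]                      */
#define LDW_IND 0x40  /* A = 32-bit word at [X+k]                      */
#define LDX_IMM 0x01  /* X = k                                         */
#define LDX_MSH 0xb1  /* X = 4*([k] & 0xf): IPv4 header length         */
#define JEQ_K   0x15  /* pc += (A == k) ? jt : jf                      */
#define JSET_K  0x45  /* pc += (A & k) ? jt : jf                       */
#define JA      0x05  /* pc += k                                       */
#define RET_K   0x06  /* return k bytes to the socket; 0 = never seen  */

#define MAGIC 0x4d474943u  /* hypothetical trigger word ("MGIC"), not taken from a sample */

/* Deliver only IPv4 or IPv6 UDP to port 53 whose first payload word is MAGIC. */
const struct cbpf_insn magic_prog[] = {
    { LDH_ABS, 0, 0, 12 },      /*  0: A = EtherType                          */
    { JEQ_K,   0, 4, 0x86dd },  /*  1: IPv6 -> 2, otherwise -> 6              */
    { LDB_ABS, 0, 0, 20 },      /*  2: A = IPv6 next header                   */
    { JEQ_K,   0, 13, 17 },     /*  3: UDP -> 4, otherwise reject             */
    { LDX_IMM, 0, 0, 40 },      /*  4: X = fixed IPv6 header length           */
    { JA,      0, 0, 6 },       /*  5: -> 12                                  */
    { JEQ_K,   0, 10, 0x0800 }, /*  6: IPv4 -> 7, otherwise reject            */
    { LDB_ABS, 0, 0, 23 },      /*  7: A = IPv4 protocol                      */
    { JEQ_K,   0, 8, 17 },      /*  8: UDP -> 9, otherwise reject             */
    { LDH_ABS, 0, 0, 20 },      /*  9: A = flags + fragment offset            */
    { JSET_K,  6, 0, 0x1fff },  /* 10: later fragment (no UDP header) -> reject */
    { LDX_MSH, 0, 0, 14 },      /* 11: X = IPv4 header length                 */
    { LDH_IND, 0, 0, 16 },      /* 12: A = UDP dst port at 14 + X + 2         */
    { JEQ_K,   0, 3, 53 },      /* 13: port 53 -> 14, otherwise reject        */
    { LDW_IND, 0, 0, 22 },      /* 14: A = first 4 payload bytes              */
    { JEQ_K,   0, 1, MAGIC },   /* 15: magic -> accept, otherwise reject      */
    { RET_K,   0, 0, 0xffff },  /* 16: accept: copy up to 65535 bytes         */
    { RET_K,   0, 0, 0 },       /* 17: reject: the socket never sees it       */
};
#define MAGIC_PROG_LEN (sizeof magic_prog / sizeof magic_prog[0])

static uint32_t load(const uint8_t *p, size_t len, size_t off, unsigned size, int *err) {
    uint32_t v = 0;
    if (off + size > len) { *err = 1; return 0; }
    for (unsigned i = 0; i < size; i++) v = (v << 8) | p[off + i];
    return v;
}

/* Userspace model of the kernel's cBPF interpreter for the opcodes above. Returns the
 * byte count the socket would receive; 0 means the frame is filtered out in the kernel. */
uint32_t cbpf_run(const struct cbpf_insn *prog, size_t n, const uint8_t *pkt, size_t len) {
    uint32_t A = 0, X = 0;
    int err = 0;
    for (size_t pc = 0; pc < n; ) {
        const struct cbpf_insn *in = &prog[pc++];
        switch (in->code) {
        case LDH_ABS: A = load(pkt, len, in->k, 2, &err); break;
        case LDB_ABS: A = load(pkt, len, in->k, 1, &err); break;
        case LDH_IND: A = load(pkt, len, (size_t)X + in->k, 2, &err); break;
        case LDW_IND: A = load(pkt, len, (size_t)X + in->k, 4, &err); break;
        case LDX_IMM: X = in->k; break;
        case LDX_MSH: X = (load(pkt, len, in->k, 1, &err) & 0x0f) * 4; break;
        case JEQ_K:   pc += (A == in->k) ? in->jt : in->jf; break;
        case JSET_K:  pc += (A & in->k) ? in->jt : in->jf; break;
        case JA:      pc += in->k; break;
        case RET_K:   return in->k;
        default:      return 0;  /* opcode not modelled here */
        }
        if (err) return 0;  /* load past the end of the frame: the kernel drops it */
    }
    return 0;
}

/* Constructed Ethernet + IPv4/IPv6 frame with an 8-byte L4 header and a 4-byte payload.
 * Addresses, lengths and checksums stay zero because the filter never reads them. */
size_t build_frame(uint8_t *f, int ipv6, uint8_t l4proto, uint16_t dport, uint32_t payload) {
    size_t l4 = 14 + (ipv6 ? 40 : 20);
    memset(f, 0, l4 + 12);
    f[12] = ipv6 ? 0x86 : 0x08; f[13] = ipv6 ? 0xdd : 0x00;  /* EtherType */
    f[14] = ipv6 ? 0x60 : 0x45;                               /* version (IPv4: IHL 5) */
    f[ipv6 ? 20 : 23] = l4proto;                              /* next header / protocol */
    f[l4 + 2] = dport >> 8; f[l4 + 3] = dport & 0xff;         /* L4 destination port */
    for (int i = 0; i < 4; i++) f[l4 + 8 + i] = (payload >> (24 - 8 * i)) & 0xff;
    return l4 + 12;
}

/* 1 if the filter would hand such a frame to the backdoor's socket, 0 if not. */
int filter_accepts(int ipv6, uint8_t l4proto, uint16_t dport, uint32_t payload) {
    uint8_t frame[80];
    size_t len = build_frame(frame, ipv6, l4proto, dport, payload);
    return cbpf_run(magic_prog, MAGIC_PROG_LEN, frame, len) != 0;
}
```

In the real thing the same array is handed to the kernel with `setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, &fprog, sizeof fprog)` on a `socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL))`, which requires CAP_NET_RAW; that socket is not a listener, so `netstat -l` and `lsof -i` never show a port, but it does appear in /proc/net/packet. Note the fragment check at instruction 10: without it, a non-first IPv4 fragment would have its data read as a UDP header, which is the usual mistake in filters of this shape.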

Symbiote takes the userland route: it is a shared object forced into every new process through LD_PRELOAD, where it hooks libc and libpcap functions, and it uses socket filters to control which traffic those processes see. Its filters are keyed to TCP, UDP and SCTP on predefined high ports; the July 2025 variant covers IPv4 and IPv6 for all three protocols on ports including 54778, 58870, 59666, 54879, 57987, 64322, 45677 and 63227, so the operator can hop to another port when one is blocked. That flexibility exploits the habit of security tooling to treat unknown high ports and UDP as benign noise.

Disassembling the filter bytecode (Radare2 can decode it) exposes the inspection routine: load the EtherType, the transport protocol and the ports, return a non-zero length for frames that match the command profile and zero for everything else. Detection is hard because the filter executes inside the kernel, below anything userspace sees by default. Defenders should inventory BPF usage (bpftool prog show for eBPF programs, ss -0 -p --bpf for AF_PACKET sockets and their attached filters), attribute every raw and AF_PACKET socket to a process, and extend IDS/IPS coverage to high ports, UDP and IPv6 flows. Fortinet's antivirus and IPS signatures now detect these families through reverse-shell and botnet-traffic patterns, which underlines the shift toward specialized, state-sponsored malware built for long-term access to critical infrastructure.
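As an added example on the defensive side (written for this edit, not Fortinet's tooling or anything from the page), the program below parses /proc/net/packet, which lists every AF_PACKET socket on the host, flags SOCK_RAW sockets bound to ETH_P_ALL, and attributes each socket to a process by matching its inode against the /proc/<pid>/fd symlinks. The column layout is the kernel's; the sample table embedded in the code is constructed, not captured from a real host.

```c
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* One AF_PACKET socket as listed in /proc/net/packet. */
struct packet_sock { int type; unsigned proto; int iface; unsigned uid; unsigned long inode; };

/* Parse a data line of /proc/net/packet (columns: sk RefCnt Type Proto Iface R Rmem User Inode).
 * Returns 1 on success, 0 for the header line or anything malformed. */
int parse_packet_line(const char *line, struct packet_sock *s) {
    char sk[32]; int refcnt, running; unsigned rmem;
    return sscanf(line, "%31s %d %d %x %d %d %u %u %lu", sk, &refcnt, &s->type,
                  &s->proto, &s->iface, &running, &rmem, &s->uid, &s->inode) == 9;
}

/* Parse a whole table (the real file or constructed text) into out[]; returns entries found. */
size_t parse_packet_table(const char *text, struct packet_sock *out, size_t max) {
    size_t n = 0;
    for (const char *p = text; *p && n < max; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len < sizeof line) {
            memcpy(line, p, len); line[len] = '\0';
            if (parse_packet_line(line, &out[n])) n++;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return n;
}

/* A SOCK_RAW (3) socket bound to ETH_P_ALL (0x0003) sees every frame on the host. That is the
 * shape a BPFDoor-style sniffer takes; tcpdump looks the same, hence the need to attribute it. */
int is_raw_all_ethertype(const struct packet_sock *s) { return s->type == 3 && s->proto == 0x0003; }

/* Walk /proc/<pid>/fd and return the first pid holding socket:[inode], or -1.
 * Needs root to read other users' fd tables. */
long pid_for_socket_inode(unsigned long inode) {
    char want[64], path[300], fdpath[600], link[64];
    snprintf(want, sizeof want, "socket:[%lu]", inode);
    DIR *proc = opendir("/proc");
    if (!proc) return -1;
    struct dirent *pe;
    long found = -1;
    while (found < 0 && (pe = readdir(proc))) {
        if (pe->d_name[0] < '1' || pe->d_name[0] > '9') continue;  /* numeric = a pid */
        snprintf(path, sizeof path, "/proc/%s/fd", pe->d_name);
        DIR *fds = opendir(path);
        if (!fds) continue;
        struct dirent *fe;
        while ((fe = readdir(fds))) {
            snprintf(fdpath, sizeof fdpath, "%s/%s", path, fe->d_name);
            ssize_t n = readlink(fdpath, link, sizeof link - 1);
            if (n > 0) { link[n] = '\0'; if (strcmp(link, want) == 0) { found = atol(pe->d_name); break; } }
        }
        closedir(fds);
    }
    closedir(proc);
    return found;
}

/* Constructed sample in the kernel's format (not from a real host). */
const char SAMPLE_PACKET_TABLE[] =
    "sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
    "0000000000000000 3      3    0003   2     1 0      0      123456\n"
    "0000000000000000 3      2    0800   0     0 0      1000   123457\n";

int main(void) {
    struct packet_sock socks[64];
    char buf[8192];
    FILE *f = fopen("/proc/net/packet", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    size_t cnt = parse_packet_table(buf, socks, 64);
    if (cnt == 0) cnt = parse_packet_table(SAMPLE_PACKET_TABLE, socks, 64);  /* demo fallback */
    for (size_t i = 0; i < cnt; i++)
        printf("inode %lu uid %u type %d proto 0x%04x%s -> pid %ld\n", socks[i].inode, socks[i].uid,
               socks[i].type, socks[i].proto, is_raw_all_ethertype(&socks[i]) ? " [raw, all ethertypes]" : "",
               pid_for_socket_inode(socks[i].inode));
    return 0;
}
```

Run it as root so every process's fd table is readable. A raw socket on all EtherTypes owned by anything other than a known capture or link-layer tool (tcpdump, a DHCP client, an LLDP daemon) deserves a look, as does any packet socket whose owning process has a forged-looking command line or cannot be found at all. `ss -0 -p --bpf` gives the same inventory plus the attached filter instructions.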
