Two sophisticated Linux rootkits are posing increasingly serious threats to network security by exploiting eBPF technology to hide their presence from traditional detection systems.
BPFDoor and Symbiote, both originating from 2021, represent a dangerous class of malware that combines advanced kernel-level access with powerful evasion capabilities.
In 2025 alone, security researchers detected 151 new samples of BPFDoor and three samples of Symbiote, demonstrating that these threats remain actively developed and deployed against critical infrastructure.
These rootkits leverage eBPF (extended Berkeley Packet Filter), a Linux kernel technology introduced in 2015 that allows users to load sandboxed programs directly into the kernel for inspecting and modifying network packets and system calls.
While eBPF serves legitimate purposes in network monitoring and security, malware authors have weaponized it to create nearly undetectable backdoors that can intercept communications and maintain persistent access without triggering traditional security alerts.
The emergence of these threats reflects a strategic shift in malware development. Unlike mass-distributed ransomware or common botnets, eBPF-based rootkits require specialized technical expertise to develop and deploy.
This exclusivity makes them the preferred choice for state-sponsored attackers seeking reliable, long-term access to critical systems.
Fortinet security analysts identified that both malware families continue to evolve with increasingly sophisticated filtering mechanisms designed to bypass modern security defenses.
The recent variants demonstrate notable tactical improvements. Symbiote’s latest version from July 2025 now accepts IPv4 and IPv6 packets across TCP, UDP, and SCTP protocols on non-standard ports including 54778, 58870, 59666, 54879, 57987, 64322, 45677, and 63227.
This expanded port range allows the malware to conduct command and control communications through port hopping, making it difficult for network administrators to block malicious traffic without creating false positives.
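A defender-side illustration of the port watchlist above, added here and not part of the article's or Fortinet's own tooling: it scans constructed connection-log lines (a hypothetical log format) for flows to the listed Symbiote ports over TCP, UDP or SCTP, and flags source hosts that cycle through several of them, the port-hopping pattern the article describes.

```python
import re
from collections import defaultdict

# Non-standard C2 ports listed for the July 2025 Symbiote variant (taken from the article).
SYMBIOTE_PORTS = {54778, 58870, 59666, 54879, 57987, 64322, 45677, 63227}
PROTOCOLS = {"tcp", "udp", "sctp"}

# Constructed sample connection-log lines (not real telemetry), one flow per line:
# <timestamp> <proto> <src_ip> -> <dst_ip>:<dst_port>   (IPv4 or IPv6 destinations)
SAMPLE_LOG = """\
2025-07-10T08:01:02Z tcp 10.0.0.5 -> 203.0.113.9:443
2025-07-10T08:01:05Z udp 10.0.0.5 -> 198.51.100.7:54778
2025-07-10T08:02:11Z tcp 10.0.0.5 -> 198.51.100.7:58870
2025-07-10T08:03:40Z sctp 10.0.0.5 -> 198.51.100.7:63227
2025-07-10T08:03:50Z tcp 10.0.0.5 -> 2001:db8::1:57987
2025-07-10T08:04:00Z tcp 10.0.0.8 -> 203.0.113.9:443
2025-07-10T08:04:30Z udp 10.0.0.8 -> 192.0.2.4:53
2025-07-10T08:05:00Z tcp 10.0.0.8 -> 198.51.100.7:54879
garbage line that does not parse
"""

# The trailing ":<port>" is split off last, so bare IPv6 destinations still parse.
LINE_RE = re.compile(
    r"^\S+\s+(?P<proto>\w+)\s+(?P<src>[\w:.]+)\s+->\s+(?P<dst>[\w:.]+):(?P<port>\d+)$"
)


def parse_flows(log_text):
    """Yield (proto, src, dst, port) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["proto"].lower(), m["src"], m["dst"], int(m["port"])


def find_symbiote_hits(log_text):
    """Return the flows whose transport protocol and destination port are on the watchlist."""
    return [f for f in parse_flows(log_text) if f[0] in PROTOCOLS and f[3] in SYMBIOTE_PORTS]


def port_hopping_hosts(log_text, min_distinct_ports=2):
    """Map each source host to the sorted watchlist ports it contacted, keeping only
    hosts that touched at least min_distinct_ports of them (the port-hopping pattern)."""
    seen = defaultdict(set)
    for _proto, src, _dst, port in find_symbiote_hits(log_text):
        seen[src].add(port)
    return {src: sorted(ports) for src, ports in seen.items() if len(ports) >= min_distinct_ports}


if __name__ == "__main__":
    for hit in find_symbiote_hits(SAMPLE_LOG):
        print("watchlist hit:", hit)
    print("port-hopping hosts:", port_hopping_hosts(SAMPLE_LOG))
```

Alerting on a single hit would fire on any legitimate service that happens to use one of these ports, which is the false-positive problem the article raises; requiring several distinct watchlist ports from one host is one way to reduce that noise.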
Evolution of Evasion Tactics
The most concerning advancement lies in how these rootkits hide their command and control communications. BPFDoor’s 2025 variants now support IPv6 traffic and cleverly filter DNS traffic on port 53 over both IPv4 and IPv6 protocols.
By masquerading as legitimate DNS queries, the malware blends seamlessly into normal network activity that security teams typically consider harmless and routine.
The technical implementation uses eBPF bytecode that attaches directly to network sockets, functioning as a kernel-level packet filter invisible to userspace tools.
When analyzed with reverse engineering tools such as Radare2, the bytecode reveals carefully constructed inspection routines that identify command packets by specific combinations of port numbers and protocols, silently pass them on to the command servers, and drop all other traffic.
Detection remains extraordinarily challenging because eBPF filters operate at the kernel level, below the visibility of standard security monitoring tools.
Fortinet protection mechanisms now detect these threats through signature-based antivirus engines and specialized IPS signatures that monitor reverse shell communications and botnet activity.