Two sophisticated Linux rootkits, BPFDoor and Symbiote, are increasingly threatening network security by exploiting eBPF technology to evade traditional detection methods. First identified in 2021, these advanced malware variants are designed to operate at the kernel level, offering near-undetectable persistent access and communication interception capabilities. Security researchers observed a concerning surge in their activity, with 151 new BPFDoor samples and three Symbiote samples detected in 2025 alone, indicating ongoing development and deployment against critical infrastructure.
BPFDoor and Symbiote’s effectiveness stems from their exploitation of eBPF (extended Berkeley Packet Filter). This Linux kernel technology, introduced in 2015, allows authorized users to load sandboxed programs directly into the kernel for tasks like inspecting and modifying network packets and system calls. However, malicious actors have repurposed this legitimate technology to create stealthy backdoors. These rootkits can intercept communications and maintain unauthorized access without triggering common security alerts, posing a significant challenge to network administrators.
The rise of eBPF-based rootkits like BPFDoor and Symbiote signifies a strategic evolution in malware development. Unlike widespread ransomware or botnets, these sophisticated threats require specialized technical expertise, making them the preferred tools for state-sponsored actors seeking covert and persistent access to sensitive systems. Fortinet security analysts have noted that both malware families are continuously evolving, incorporating increasingly advanced filtering mechanisms to bypass modern security defenses.
BPFDoor and Symbiote: Advanced Evasion Tactics
Recent analyses reveal notable tactical improvements in the latest variants of these rootkits. Symbiote’s updated version, observed in July 2025, now supports both IPv4 and IPv6 packets across TCP, UDP, and SCTP protocols on a wide range of non-standard ports. These include ports such as 54778, 58870, 59666, 54879, 57987, 64322, 45677, and 63227. This expanded port range facilitates command and control communications through port hopping, making it considerably more difficult for network administrators to identify and block malicious traffic without inadvertently disrupting legitimate network operations.
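One way a defender can turn the port list above into a network-side check, as an added example that is not part of the original report: the script below parses constructed flow records (timestamp, source, source port, destination, destination port, protocol; not real telemetry), flags TCP/UDP/SCTP flows to the reported Symbiote ports over either IPv4 or IPv6, and then looks for the port-hopping pattern by finding source/destination pairs that touched more than one watchlisted port. The record format and the `min_ports` threshold are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Non-standard destination ports reported for the July 2025 Symbiote variant
# (as listed in the write-up; treat as a starting watchlist, not an exhaustive one).
SYMBIOTE_PORTS = {54778, 58870, 59666, 54879, 57987, 64322, 45677, 63227}
PROTOCOLS = {"tcp", "udp", "sctp"}

# Constructed sample flows (not real telemetry): ts src sport dst dport proto
SAMPLE_FLOWS = """\
1 203.0.113.5 41000 192.0.2.10 443 tcp
2 203.0.113.5 41001 192.0.2.10 54778 tcp
3 203.0.113.5 41002 192.0.2.10 58870 udp
4 2001:db8::1 5000 2001:db8::2 64322 sctp
5 203.0.113.9 40000 192.0.2.10 80 tcp
6 198.51.100.7 39000 192.0.2.11 63227 tcp
"""

def parse_flow(line):
    """Parse one whitespace-separated flow record; raises ValueError on malformed input."""
    ts, src, sport, dst, dport, proto = line.split()
    family = "IPv%d" % ipaddress.ip_address(src).version  # validates the address too
    ipaddress.ip_address(dst)
    return {"ts": int(ts), "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto.lower(), "family": family}

def watchlist_hits(text):
    """Return flows whose protocol and destination port match the Symbiote watchlist."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["proto"] in PROTOCOLS and flow["dport"] in SYMBIOTE_PORTS:
            hits.append(flow)
    return hits

def port_hopping_pairs(hits, min_ports=2):
    """Group hits by (src, dst) and keep pairs that reached >= min_ports distinct watchlisted ports."""
    ports_by_pair = defaultdict(set)
    for flow in hits:
        ports_by_pair[(flow["src"], flow["dst"])].add(flow["dport"])
    return {pair: sorted(ports) for pair, ports in ports_by_pair.items()
            if len(ports) >= min_ports}

if __name__ == "__main__":
    found = watchlist_hits(SAMPLE_FLOWS)
    for f in found:
        print("watchlist hit: %(family)s %(proto)s %(src)s -> %(dst)s:%(dport)d" % f)
    for (src, dst), ports in port_hopping_pairs(found).items():
        print("possible port hopping: %s -> %s on ports %s" % (src, dst, ports))
```

A single hit on one of these ports is weak evidence on its own; the pair-level view is what separates a stray connection from the hopping behaviour described above.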
The most alarming advancement in these eBPF rootkits is their sophisticated method of concealing command and control (C2) communications. BPFDoor’s 2025 variants now support IPv6 traffic and exhibit a clever filtering of DNS traffic on port 53, operating over both IPv4 and IPv6 protocols. By masquerading as legitimate DNS queries, the malware effectively blends into the normal network activity that security teams typically regard as harmless and routine.
The technical implementation involves eBPF bytecode attached directly to network sockets. It operates as a kernel-level packet filter, which keeps it out of view of standard userspace monitoring tools. When the bytecode is analysed with reverse engineering tools such as Radare2, it reveals carefully designed inspection routines: they identify command packets by specific port number and protocol combinations, silently forward those to the command servers, and discard all other traffic. Because eBPF filters run below the visibility threshold of conventional security monitoring software, this deep kernel-level operation makes detection extraordinarily challenging.
Fortinet has implemented protection mechanisms that detect these threats through signature-based antivirus engines and specialized Intrusion Prevention System (IPS) signatures. These signatures are designed to monitor for reverse shell communications and botnet activity, offering some defense against these sophisticated Linux threats.
The ongoing evolution of BPFDoor and Symbiote highlights the persistent arms race between malware developers and cybersecurity professionals. As attackers leverage advanced kernel features like eBPF for stealth, defenders must continually adapt their detection and response strategies to counter these increasingly sophisticated threats. Future developments will likely focus on enhancing kernel-level visibility and developing more nuanced approaches to identifying malicious eBPF programs. Organizations operating critical Linux infrastructure should remain vigilant and ensure their security postures are adapted to address these advanced persistent threats.