These threats focus on Linux-based servers and network appliances, using packet filters at the kernel or raw-socket level so that malicious packets are processed before standard firewall rules, allowing attackers to maintain stealthy remote access with minimal network footprint.
This technique enables covert C2 over non-standard, high ports while largely evading basic firewalls and legacy IDS that focus on well-known services.
BPFDoor is a long-lived Linux backdoor known for attaching classic BPF (cBPF) filters to raw or packet sockets, enabling it to monitor all passing traffic and respond only to specially crafted “magic packets.”
Earlier variants mainly inspected IPv4 packets, checking protocol fields and payload values to decide when to activate and open a hidden reverse shell, often without exposing any listening port in netstat or lsof output.
Newer samples reported in 2025 upgrade these filters to recognize both IPv4 and IPv6 EtherTypes, allowing BPFDoor to keep working reliably in dual-stack environments and making detection harder where IPv6 monitoring is still immature.
The malware’s activation logic typically involves matching specific values in ICMP, UDP, or TCP traffic, then performing authentication before launching a reverse shell back to an attacker-controlled host.
Because the BPF filter discards all non-matching packets at a very low level, host-based tools see almost no artifacts until the exact trigger arrives, which severely limits signature- and anomaly-based detection focused on open ports or blatant connection attempts.
This architecture, combined with features like process masquerading, environment wiping, and selective firewall manipulation, underpins BPFDoor’s reputation as a stealthy, long-term access tool rather than a noisy commodity bot.
Symbiote represents another sophisticated Linux threat that abuses eBPF to inject its logic into running processes and intercept network activity. In recent variants, Symbiote attaches BPF filters to sockets.
It restricts accepted traffic to selected TCP, UDP, and SCTP flows on a predefined list of high, non-standard ports, enabling flexible port hopping when some ports are blocked or flagged.
By expanding support to both IPv4 and IPv6 and by adding UDP alongside TCP and SCTP, Symbiote gains more resilient C2 channels that can quickly shift across ports without the constraints of connection-oriented handshakes.
This design leverages the fact that many network security tools pay less attention to unknown high ports and to UDP traffic, often logging it generically or treating it as benign background noise.
In practice, Symbiote’s combination of eBPF-based packet filtering, high-port selection, and protocol flexibility allows it to blend into standard traffic patterns while still reliably reaching its controllers.
For defenders, these developments highlight the need to monitor eBPF and BPF usage on Linux hosts, inspect raw and AF_PACKET sockets, and extend IDS/IPS coverage to high ports and IPv6 flows, rather than relying solely on traditional service ports and IPv4-centric rules.
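One concrete way to act on the last point is to enumerate the AF_PACKET sockets a host has open, since that is where a cBPF filter of the kind described above is attached. The script below is an added example written for this page, not code from the article or from any vendor tool. It parses `/proc/net/packet` (whose `Type`, `Proto`, `Iface`, `User` and `Inode` columns are real kernel output), maps socket inodes back to processes through `/proc/<pid>/fd`, and flags raw sockets bound to `ETH_P_ALL`, `ETH_P_IP` or `ETH_P_IPV6` that are not held by an allowlisted capture tool. The function names, the allowlist and the sample table are assumptions and constructed data; tune the allowlist to your own fleet.

```python
"""Triage AF_PACKET sockets from /proc/net/packet.

Added example for this article; the helper names below (parse_proc_net_packet,
socket_owners, triage_packet_sockets) and the sample data are assumptions.
"""
import os
from typing import Dict, List, NamedTuple, Tuple

# Kernel constants from linux/if_ether.h and sys/socket.h.
ETH_P_ALL = 0x0003    # every frame on the link
ETH_P_IP = 0x0800     # IPv4
ETH_P_IPV6 = 0x86DD   # IPv6
SOCK_RAW = 3

# ASSUMPTION: illustrative allowlist of processes that legitimately hold raw
# packet sockets on many hosts. Replace with what your fleet actually runs.
ALLOWLIST = {"tcpdump", "dhclient", "dhcpcd", "lldpd", "suricata", "zeek"}

# Constructed sample of /proc/net/packet (not captured from a real host).
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1b3c2d4e00 3      3    0003   0     1 0        0      41235
ffff9a1b3c2d4f00 3      2    0800   2     1 0        0      41301
ffff9a1b3c2d5000 3      3    86dd   2     1 0        1000   41502
ffff9a1b3c2d5100 3      3    0003   2     1 0        0      41777
"""

# Constructed inode -> [(comm, pid)] map standing in for a live /proc walk.
SAMPLE_OWNERS = {
    41235: [("example-daemon", 1337)],
    41301: [("dhclient", 812)],
    41502: [("example-svc", 2048)],
    41777: [("tcpdump", 3101)],
}


class PacketSocket(NamedTuple):
    inode: int
    sock_type: int
    ethertype: int
    ifindex: int
    uid: int


def parse_proc_net_packet(text: str) -> List[PacketSocket]:
    """Parse the /proc/net/packet table; the first line is the header."""
    sockets = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9:
            continue
        sockets.append(PacketSocket(inode=int(f[8]), sock_type=int(f[2]),
                                    ethertype=int(f[3], 16), ifindex=int(f[4]),
                                    uid=int(f[7])))
    return sockets


def socket_owners(proc_root: str = "/proc") -> Dict[int, List[Tuple[str, int]]]:
    """Map socket inode -> [(comm, pid)] by reading /proc/<pid>/fd symlinks.

    Run as root to see every process; unreadable entries are skipped.
    """
    owners: Dict[int, List[Tuple[str, int]]] = {}
    for pid in (p for p in os.listdir(proc_root) if p.isdigit()):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            with open(os.path.join(proc_root, pid, "comm")) as fh:
                comm = fh.read().strip()
            targets = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue
        for target in targets:
            if target.startswith("socket:["):
                owners.setdefault(int(target[8:-1]), []).append((comm, int(pid)))
    return owners


def triage_packet_sockets(text: str, owners: Dict[int, List[Tuple[str, int]]]):
    """Return {inode: (holders, reasons)} for packet sockets worth a closer look."""
    findings = {}
    for s in parse_proc_net_packet(text):
        holders = owners.get(s.inode, [])
        if any(comm in ALLOWLIST for comm, _ in holders):
            continue  # known capture tool; skip
        reasons = []
        if s.sock_type == SOCK_RAW and s.ethertype == ETH_P_ALL:
            reasons.append("SOCK_RAW on ETH_P_ALL: receives every frame on the link")
        elif s.sock_type == SOCK_RAW and s.ethertype in (ETH_P_IP, ETH_P_IPV6):
            reasons.append(f"SOCK_RAW bound to EtherType 0x{s.ethertype:04x}")
        if reasons and s.ifindex == 0:
            reasons.append("bound to all interfaces (ifindex 0)")
        if reasons and s.uid != 0:
            reasons.append(f"created by non-root uid {s.uid} (AF_PACKET needs CAP_NET_RAW)")
        if reasons and not holders:
            reasons.append("no process in /proc holds this inode")
        if reasons:
            findings[s.inode] = (holders, reasons)
    return findings


if __name__ == "__main__":
    # Live run on the current host; falls back to the constructed sample if
    # /proc/net/packet is not readable (e.g. on a non-Linux machine).
    try:
        with open("/proc/net/packet") as fh:
            table, owner_map = fh.read(), socket_owners()
    except OSError:
        table, owner_map = SAMPLE_PROC_NET_PACKET, SAMPLE_OWNERS
    for inode, (holders, reasons) in triage_packet_sockets(table, owner_map).items():
        print(f"inode {inode} held by {holders or 'nobody visible'}:")
        for r in reasons:
            print(f"  - {r}")
```

On the constructed sample this reports inode 41235 (a raw socket on every EtherType and every interface, held by an unfamiliar process) and inode 41502 (a raw IPv6 socket created by a non-root uid), while the DHCP client's datagram socket and tcpdump's allowlisted capture socket are left alone. In a real investigation, pair a hit with `bpftool prog list` or `ss -0 -p` output and look at the holder's `/proc/<pid>/exe` and environment, since the page notes that BPFDoor masquerades its process name and wipes its environment.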
The post Linux Systems Under Attack from BPFDoor and Symbiote Rootkits Exploiting eBPF Filters appeared first on Cyber Security News.