This report details how advanced eBPF-based rootkits like BPFDoor and Symbiote embed stealthy backdoor logic in the Linux kernel’s packet path, enabling long-term, low-noise access to high-value infrastructure while evading traditional monitoring and leaving few host artifacts. It highlights active 2025 development, targeted use by state-linked and competent actors, and the resulting visibility gap for enterprises, stressing the need for improved Linux telemetry, eBPF governance, and kernel-aware detection and response practices.

CYBER INSIGHTS, OCT 10, 2025

Overview

eBPF-based rootkits BPFDoor and Symbiote represent an advanced class of Linux malware that embeds packet-filtering logic directly into the kernel’s networking layer, providing long-term, low-noise command-and-control and stealthy backdoor access on critical servers. Recent 2025 reporting confirms both rootkit families remain very active, with at least 151 new BPFDoor samples and multiple Symbiote variants identified, proving this is ongoing APT tooling rather than legacy noise. Symbiote’s latest builds expand BPF filters, enabling port hopping and evasion of monitoring that focuses on traditional service ports. BPFDoor’s newer variants attach classic BPF filters to raw sockets and integrate into routine DNS noise at the kernel level. These implants rely on magic packets, kernel-resident filters, and the absence of any listening userland ports, giving operators strong firewall evasion and excellent persistence for long-term espionage operations. Attribution analysis continues to place BPFDoor in the orbit of state-sponsored operators, with recent campaigns targeting telecommunications, finance, and retail infrastructure. BPFDoor and Symbiote are persistent blind spots for enterprises, underscoring the need for improved Linux telemetry, tighter eBPF governance, and proactive detection strategies before these implants are activated in real-world intrusions.

Key Findings:

  • eBPF-based rootkits such as BPFDoor and Symbiote now operate entirely within the Linux kernel’s packet-filtering layer, giving attackers long-term, stealthy access that evades nearly all traditional monitoring tools.
  • 2025 variants show active development, including IPv6-aware DNS triggering, high-port activation paths, protocol expansion, and refined filtering logic—clear indicators of ongoing use by advanced, state-linked operators.
  • These implants require prior privileged compromise, meaning they appear only in targeted, high-value intrusions where attackers intend to maintain durable access to critical infrastructure systems.
  • Most enterprises lack sufficient visibility into kernel-level activity, DNS patterns, or high-port traffic on Linux systems, creating a significant blind spot that allows these rootkits to persist for months or years undetected.
  • Immediate Actions: Prioritize enhanced monitoring for Linux servers, including DNS logging, outbound high-port traffic reviews, and configuration baseline checks to detect subtle signs of hidden persistence. Restrict privileged access pathways, enforce least-privilege controls, and limit outbound communication from critical Linux systems to reduce the opportunities for rootkit activation or remote command execution.

1.0 Threat Overview

BPFDoor and Symbiote are among the most advanced Linux threats currently in operation, using eBPF and classic BPF filters to embed stealthy backdoor logic directly into the kernel’s packet-processing layer, allowing them to inspect traffic before userland tools or security sensors can see it. This kernel-level placement eliminates telltale signs such as open ports, active listeners, or detectable userland processes, leaving the implants dormant until activated by precisely crafted “magic packets” that trigger backdoor functions, reverse shells, or covert C2 channels. The 2025 variants demonstrate clear ongoing development: Symbiote now filters IPv4 and IPv6 traffic across TCP, UDP, and SCTP on multiple high ports to enable port hopping and traffic evasion, while BPFDoor integrates IPv6-aware DNS filtering on port 53 to blend activation signals into routine DNS noise. These improvements reflect sustained investment by skilled operators—consistent with past attribution of BPFDoor to state-sponsored espionage campaigns targeting telecom, finance, and regional infrastructure—and collectively create a significant blind spot for enterprise and government networks that lack deep visibility into BPF activity or high-port, DNS, and IPv6 traffic flows.

1.1 Historical Context

BPFDoor and Symbiote first emerged in 2021 as the earliest widely documented malware families to weaponize BPF and eBPF filtering for stealthy, kernel-level command-and-control—a concept previously seen only in rare proof-of-concepts such as Bvp47, Ebpfkit, and TripleCross. eBPF, introduced in 2015 to modernize Linux observability, quickly drew the attention of advanced operators for its ability to execute sandboxed programs in the kernel, bypassing conventional monitoring and firewall logic. Since their appearance, both BPFDoor and Symbiote have evolved through low-volume but highly tailored deployments tied to espionage-motivated threat actors, with BPFDoor in particular linked to Earth Bluecrow (Red Menshen) campaigns targeting telecommunications, finance, and regional infrastructure across Asia and the Middle East. Newer variants incorporate IPv6 support, DNS-based activation, expanded protocol handling, and increasingly refined BPF bytecode, confirming active development rather than residual activity. These rootkits are deployed sparingly, only after attackers have achieved privileged access, enabling durable, covert footholds on high-value Linux systems. This trend reflects a broader strategic shift toward kernel-level evasion techniques that outpace traditional enterprise detection models.

1.2 Technique Breakdown

BPFDoor and Symbiote rely on kernel-level packet filtering via classic BPF and eBPF programs, enabling them to observe and react to network traffic before it reaches userland tools. This placement gives attackers a powerful advantage, enabling activation, command execution, and long-term control without exposing services or behaviors that security products typically monitor. Their 2025 variants expand these capabilities with more flexible activation paths, deeper concealment inside normal network activity, and refined evasion techniques tailored for modern enterprise environments.

Kernel-Level Filtering for Invisible Activation
  • Both implants install custom BPF programs that cause the kernel to silently inspect incoming packets and determine when to activate the backdoor.
  • No open ports, running listeners, or obvious processes appear on the system, making traditional monitoring tools ineffective.
  • Activation occurs only when highly specific patterns in network packets are observed, avoiding noisy authentication attempts and suspicious traffic spikes.
  • This in-kernel decision-making allows the malware to operate fully outside typical detection surfaces.

Flexible Command and Control Paths
  • The implants support multiple network protocols, giving attackers alternative activation and communication channels when one is restricted.
  • Activation can occur through a variety of traffic types, including high-port traffic, DNS packets, or even ICMP pings, providing resilience in tightly monitored networks.
  • After activation, the malware can open covert shells or redirect traffic without leaving a persistent footprint on the host.
  • This flexibility allows operators to maintain access despite segmentation, firewalls, or restrictive network architectures.

Stealth Through Normal Traffic and Continuous Refinement
  • New variants increasingly hide their triggers within routine network activity, making malicious signals blend into the background noise of enterprise systems.
  • Symbiote distributes its activation logic across multiple, shifting high ports, while BPFDoor conceals its triggers inside everyday DNS traffic; both are patterns that commonly escape scrutiny.
  • At the same time, both families show regular updates that refine their activation logic, expand supported protocols, and improve the subtlety of their kernel-level filters.
  • These advancements signal active, ongoing development and reinforce that eBPF-based rootkits are strategic espionage tools, not outdated or abandoned malware.

Minimal Footprint and Strong Host-Level Evasion
  • BPFDoor hides its components in temporary or system-like directories, blending in with legitimate files and minimizing investigative suspicion.
  • Symbiote loads as a shared object and quietly alters how system tools report processes or network activity, making administrative checks unreliable.
  • By avoiding persistent services, modifying the visibility of key utilities, and leaving almost no userland artifacts, both implants can remain hidden for extended periods.
  • This design ensures that even manual inspections often fail to uncover the compromise.
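The activation decision described above is ordinary classic-BPF bytecode that the kernel runs on every frame reaching the socket, and a responder can read it back (for packet sockets, `ss -0pb` prints the attached filter) and replay it offline. The following is an added example, not code from the report or from either malware family: a disassembler and evaluator for the load/jump/return subset of classic BPF, applied to a constructed filter that accepts IPv4/UDP to destination port 53 and to constructed frames, so that whatever a dumped filter matches can be stated precisely and checked against captured traffic.

```python
"""Classic BPF (cBPF) subset: disassemble and evaluate a socket filter offline.
Added example; filter and frames are constructed. Layout is (code, jt, jf, k)."""

LD, LDX, JMP, RET = 0x00, 0x01, 0x05, 0x06               # code & 0x07: class
ABS, IND, MSH = 0x20, 0x40, 0xA0                          # code & 0xE0: addressing mode
JEQ, JGT, JGE, JSET = 0x10, 0x20, 0x30, 0x40              # code & 0xF0: conditional jumps
JUMPS = {JEQ: "jeq", JGT: "jgt", JGE: "jge", JSET: "jset"}
SIZE = {0x00: ("w", 4), 0x08: ("h", 2), 0x10: ("b", 1)}   # code & 0x18: operand width

SAMPLE_FILTER = [              # constructed: Ethernet frame, IPv4, UDP, dst port 53
    (0x28, 0, 0, 0x0000000C),  # ldh [12]            ethertype
    (0x15, 0, 6, 0x00000800),  # jeq #0x800          not IPv4 -> ret 0
    (0x30, 0, 0, 0x00000017),  # ldb [23]            IP protocol
    (0x15, 0, 4, 0x00000011),  # jeq #17             not UDP -> ret 0
    (0xB1, 0, 0, 0x0000000E),  # ldxb 4*([14]&0xf)   X = IPv4 header length
    (0x48, 0, 0, 0x00000010),  # ldh [x + 16]        UDP destination port
    (0x15, 0, 1, 0x00000035),  # jeq #53
    (0x06, 0, 0, 0x0000FFFF),  # ret #65535          accept
    (0x06, 0, 0, 0x00000000),  # ret #0              drop
]

def disassemble(prog):
    """Render instructions tcpdump -d style; unknown codes are labelled, not guessed."""
    out = []
    for i, (code, jt, jf, k) in enumerate(prog):
        cls, mode, sz = code & 0x07, code & 0xE0, SIZE.get(code & 0x18, ("?",))[0]
        if cls == LD and mode == ABS:
            text = f"ld{sz} [{k}]"
        elif cls == LD and mode == IND:
            text = f"ld{sz} [x + {k}]"
        elif cls == LDX and mode == MSH:
            text = f"ldxb 4*([{k}]&0xf)"
        elif cls == JMP and (code & 0xF0) in JUMPS and not code & 0x08:
            text = f"{JUMPS[code & 0xF0]} #{k:#x} jt {i + 1 + jt} jf {i + 1 + jf}"
        elif cls == RET and not code & 0x18:
            text = f"ret #{k}"
        else:
            text = f"<unsupported opcode {code:#04x}>"
        out.append(f"({i:03d}) {text}")
    return out

def run_filter(prog, pkt):
    """Evaluate the filter as the kernel does; returns the accept length (0 = drop)."""
    acc = x = pc = 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        cls, mode = code & 0x07, code & 0xE0
        if cls == LD and mode in (ABS, IND):
            n = SIZE[code & 0x18][1]
            off = k + (x if mode == IND else 0)
            if off + n > len(pkt):
                return 0                       # out-of-bounds load drops the packet
            acc = int.from_bytes(pkt[off:off + n], "big")
        elif cls == LDX and mode == MSH:
            if k >= len(pkt):
                return 0
            x = (pkt[k] & 0x0F) * 4
        elif cls == JMP and (code & 0xF0) in JUMPS and not code & 0x08:
            op = code & 0xF0
            taken = (acc == k if op == JEQ else acc > k if op == JGT
                     else acc >= k if op == JGE else (acc & k) != 0)
            pc += jt if taken else jf
        elif cls == RET:
            return acc if (code & 0x18) == 0x10 else k   # ret a / ret #k
        else:
            raise ValueError(f"unsupported opcode {code:#04x} at {pc}")
        pc += 1
    return 0

def build_udp_frame(dst_port, proto=17):
    """Constructed Ethernet/IPv4/UDP frame with an empty payload (IHL = 5)."""
    eth = bytes(12) + b"\x08\x00"
    ip = bytes([0x45, 0]) + (28).to_bytes(2, "big") + bytes(4) + bytes([64, proto]) + bytes(10)
    udp = (1234).to_bytes(2, "big") + dst_port.to_bytes(2, "big") + (8).to_bytes(2, "big") + bytes(2)
    return eth + ip + udp
```

`run_filter(SAMPLE_FILTER, build_udp_frame(53))` returns 65535 (accept), while a frame to port 4444, a TCP frame, or a truncated frame returns 0.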

2.0 Preconditions for Exploitation

BPFDoor and Symbiote require a set of environmental and operational conditions that allow attackers to plant kernel-level filtering logic and maintain covert access over time. These rootkits are not initial access tools; they are deployed only after an adversary has gained elevated control on a Linux host. Their effectiveness depends on the ability to load BPF programs, blend with normal network traffic, and operate in environments where BPF activity is not routinely monitored. The following conditions outline what must be true for these threats to function reliably inside an enterprise.

Kernel-Level Attack Preconditions

Prior Compromise With Elevated Privileges (Requirement)
Attackers must already have root or near-root access to install BPF filters, modify kernel-accessible components, or load shared objects. BPFDoor and Symbiote are used after the attacker has achieved a stable foothold.

Linux Hosts With Unmonitored or Misconfigured BPF Controls (Environment Weakness)
Most enterprises do not log or restrict BPF program loading. Environments lacking controls such as LSM (SELinux/AppArmor), BPF LSM hooks, or syscall auditing expose ideal conditions for stealthy kernel injection.

Dual-Stack or High-Port Network Environments (Network Configuration)
Environments with IPv4/IPv6 enabled, loosely monitored high ports, or permissive internal DNS traffic offer attackers more opportunities to hide activation packets without raising alerts.

Long-Lived, Privileged Infrastructure Systems (Target Environment)
Telecom nodes, financial back-end servers, monitoring appliances, and other Linux systems that rarely reboot provide stable persistence for rootkits designed for extended espionage operations.

Lack of Visibility Across Kernel-Level Network Activity (Detection Gap)
Organizations focused solely on userland logging, port scanning, or traditional EDR leave a blind spot in the kernel's packet path where these backdoors operate undetected.

3.0 Threat Actor Utilization

eBPF-based rootkits are not commodity crimeware. Current evidence shows they are deployed sparingly by capable operators in support of long-term espionage and high-value access, primarily after attackers already control Linux infrastructure. BPFDoor is clearly associated with a Chinese state-linked APT, while Symbiote has been used against Latin American financial and law-enforcement targets by an unattributed but technically skilled actor. New tooling, such as the LinkPro rootkit, indicates that additional groups are starting to adopt similar kernel-resident techniques, including in cloud environments.

eBPF-Based Malware Comparison

BPFDoor
Attribution: Chinese state-linked APT group commonly tracked as Earth Bluecrow or Red Menshen.
Motivation & Targets: Long-term cyber-espionage, credential access, internal monitoring, and covert lateral movement. Targets telecommunications providers, financial institutions, retail infrastructure, and high-value Linux servers.
Operational Usage: Deployed after initial compromise to maintain durable, stealthy access. Uses magic packets over TCP/UDP/ICMP to open hidden reverse shells or redirect connections. Functions without listeners or userland artifacts, enabling multi-year persistence.

Symbiote
Attribution: Unattributed but highly capable operator targeting Latin American financial and public-sector entities.
Motivation & Targets: Credential theft at scale, identity impersonation, covert remote access, and internal data harvesting. Targets Latin American banks, financial services, and law-enforcement networks.
Operational Usage: Loaded via LD_PRELOAD to hook processes, mask network activity, and intercept credentials. Filters network captures through BPF logic and exfiltrates data through site-specific or DNS-based channels. Used sparingly for high-value operations rather than widespread deployment.

LinkPro (example of emerging eBPF tooling)
Attribution: Unattributed cloud-focused operator(s) adopting BPF-based persistence techniques.
Motivation & Targets: Cloud persistence and post-exploitation footholds in containerized and Kubernetes environments. Targets AWS EKS clusters, CI/CD pipelines, and Linux cloud images.
Operational Usage: Uses eBPF modules to hide malicious activity, activate on magic TCP packets, and exfiltrate via legitimate system services. Demonstrates eBPF adoption beyond traditional APTs into cloud-focused intrusion operators.

4.0 Historical Exploit Timeline

The evolution of eBPF-based rootkits reflects a steady progression from early experimental malware into mature, operational tools used by highly capable threat actors. Although initially rare due to the specialized skill required to manipulate kernel-level packet filtering, these implants have advanced consistently over the past decade, gaining stealth, protocol coverage, and activation flexibility. Their trajectory shows a clear pattern: once niche research artifacts, BPFDoor, Symbiote, and newer eBPF variants are now actively maintained platforms leveraged in long-term espionage campaigns and cloud intrusions. Understanding this timeline illustrates how quickly adversaries have adapted eBPF to bypass traditional Linux defenses—and why organizations relying heavily on Linux infrastructure face increasing strategic exposure.

eBPF-Based Malware Evolution Timeline

2015
Event: First documented malicious use of eBPF (e.g., early prototypes such as Bvp47).
Significance: Demonstrates rapid adoption of eBPF by advanced actors shortly after the introduction of the technology.

2018-2020
Event: Early eBPF-enabled rootkits (EbpfKit, TripleCross) appear in small-volume intrusions.
Significance: Confirms actor experimentation with kernel-resident filtering as a stealth technique.

2021
Event: BPFDoor and Symbiote publicly emerge as the first stable, fully operationalized BPF/eBPF rootkits.
Significance: Marks the shift from proof-of-concept malware to dependable tools used in targeted campaigns.

2022-2023
Event: BPFDoor widely linked to espionage operations across telecom and finance sectors; Symbiote observed in Latin American financial intrusions.
Significance: Confirms both families as an active APT toolset rather than isolated incidents.

2024
Event: Surge in BPFDoor activity targeting telecom and financial infrastructure in Asia, the Middle East, and Africa.
Significance: Indicates sustained investment by sponsors and coordinated deployment across global critical infrastructure.

Early 2025
Event: Symbiote variants appear with expanded protocol support, additional high-port ranges, and improved stealth features.
Significance: Shows ongoing technical evolution aimed at reducing detection by enterprise monitoring.

Mid-Late 2025
Event: BPFDoor variants incorporate IPv6-aware DNS filtering and simplified reverse-shell logic; new eBPF-based rootkits (e.g., LinkPro) discovered in cloud-focused intrusions.
Significance: Demonstrates broader adoption of kernel-level persistence across both state-linked APTs and cloud-focused intruders.

5.0 Risk and Impact

eBPF-based rootkits pose a strategic risk because they operate below the visibility line of most enterprise security controls, granting attackers long-term, uninterrupted access to critical Linux infrastructure. Once implanted, BPFDoor and Symbiote can silently observe, activate, and execute commands without exposing open ports, suspicious processes, or conventional indicators—making containment significantly harder than with typical backdoors. Their use of kernel-level packet filtering allows operators to blend command-and-control traffic into routine DNS or high-port noise, reducing the likelihood of detection during incident response or routine auditing. In environments where Linux underpins telecom, financial, cloud, or identity systems, these rootkits create a durable foothold that can be leveraged for credential theft, data exfiltration, lateral movement, and strategic espionage. The operational impact of a successful deployment is therefore substantial: attackers can persist for months or years, shape network behavior, and compromise downstream systems while remaining effectively invisible to defenders unless specialized Linux telemetry and eBPF monitoring are in place.


6.0 Recommendations for Mitigation

6.1 Strengthen Visibility Into Linux Systems

Enhance monitoring and baselining to surface abnormal behavior early: Organizations should improve visibility across Linux workloads by monitoring for unusual outbound traffic—especially unexpected DNS activity or use of high, uncommon ports—while enforcing centralized logging so attackers cannot hide traces on compromised servers. Leadership should require periodic configuration baselines to identify deviations such as new binaries, altered services, or unexpected trust relationships. These measures create an early-warning system that exposes hidden persistence before it becomes entrenched.

6.2 Reduce the Ability for Attackers to Install Hidden Components

Restrict administrative access and enforce controlled, monitored pathways for all privileged activity: Limiting elevated access to only essential personnel reduces opportunities for attackers to install rootkits using stolen credentials. Executives should mandate the use of bastion hosts or privileged access gateways to ensure all administrative sessions are logged and auditable. Additionally, removing unnecessary internal “default trust” between Linux systems prevents attackers from pivoting freely once they gain a foothold, sharply reducing the chance of a widespread compromise.

6.3 Harden How Linux Servers Communicate With the Outside World

Control and monitor outbound communication to prevent covert activation channels: Rootkits such as BPFDoor and Symbiote rely on blending commands into normal outbound traffic—DNS queries, high-port connections, or other seldom-monitored paths. To counter this, executives should require strict outbound filtering on Linux servers, ensuring they communicate externally only when a business need exists. DNS logging and analysis must be treated as a priority, with leadership mandating investigation of unusual or algorithmic domain requests. Clear policies defining which servers may use high ports simplify anomaly detection and make covert channels easier to flag.

6.4 Prepare for Hard-to-Detect Intrusions With Linux-Specific Response Capabilities

Equip response teams with the tools and processes needed to investigate hidden compromises: Because these rootkits are designed to evade standard tools, organizations must ensure their responders can capture full forensic images—disk and memory—for offline analysis when visibility is impaired. Leadership should approve clear escalation criteria for Linux anomalies, ensuring issues like unexplained DNS traffic, privilege changes, or logging gaps are treated with urgency. Regular Linux-focused incident response exercises help teams validate their playbooks and understand how to respond when kernel-level tampering is suspected.

6.5 Increase Governance Around Modern Features Like eBPF

Establish oversight of eBPF usage and kernel-level changes to prevent silent misuse: Executives should require a formal inventory of where eBPF is intentionally used, treating any unapproved program loading as a security event. Governance processes must incorporate review of kernel modifications, ensuring unexpected changes cannot go unnoticed. Alerts for system-level alterations help create an environment where deviations are investigated immediately rather than dismissed, reducing the likelihood that attackers can leverage powerful kernel features undetected.
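The preconditions in section 2.0 (no syscall auditing, unmonitored BPF program loading) and the governance point above reduce to one question: which binaries on a given host are allowed to load BPF programs or attach packet filters? The following added example, not from the report and not a product feature, shows one way to answer it from auditd SYSCALL records: it classifies bpf(2) program loads, SO_ATTACH_FILTER calls and AF_PACKET raw-socket creation, and flags any made by a binary outside an allow-list. Syscall numbers assume x86_64, the allow-list is illustrative, and the audit records are constructed.

```python
"""Flag BPF program loads, socket-filter attachment and raw packet sockets in
auditd SYSCALL records against an allow-list of expected binaries.

Added example. Assumes x86_64 syscall numbers and audit's unprefixed hex a0..a3
fields; the records in SAMPLE_AUDIT are constructed, not real telemetry.

Example auditctl rules that would produce such records (x86_64):
  -a always,exit -F arch=b64 -S bpf -k bpf_load
  -a always,exit -F arch=b64 -S setsockopt -F a2=26 -k sock_filter
  -a always,exit -F arch=b64 -S socket -F a0=17 -k packet_socket
"""
import re

SYSCALL_SOCKET, SYSCALL_SETSOCKOPT, SYSCALL_BPF = 41, 54, 321   # x86_64 numbers
BPF_PROG_LOAD = 5                                  # bpf(2) cmd, passed in a0
AF_PACKET, SOCK_RAW, SOCK_TYPE_MASK = 17, 3, 0xF   # socket(2) domain/type in a0/a1
SOL_SOCKET, SO_ATTACH_FILTER = 1, 26               # setsockopt(2) level/optname in a1/a2

# Illustrative allow-list: binaries expected to load BPF or attach socket filters here.
ALLOWED_EXE = {"/usr/sbin/bpftool", "/usr/bin/tcpdump", "/usr/sbin/dhclient"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def classify(rec):
    """Return the BPF-relevant event kind for a SYSCALL record, or None."""
    if rec.get("type") != "SYSCALL":
        return None
    try:
        nr = int(rec["syscall"])
        a0, a1, a2 = (int(rec[a], 16) for a in ("a0", "a1", "a2"))
    except (KeyError, ValueError):
        return None
    if nr == SYSCALL_BPF and a0 == BPF_PROG_LOAD:
        return "bpf_prog_load"
    if nr == SYSCALL_SETSOCKOPT and a1 == SOL_SOCKET and a2 == SO_ATTACH_FILTER:
        return "so_attach_filter"
    if nr == SYSCALL_SOCKET and a0 == AF_PACKET and (a1 & SOCK_TYPE_MASK) == SOCK_RAW:
        return "af_packet_raw_socket"
    return None

def find_unapproved(lines, allowed=ALLOWED_EXE):
    """Return (kind, pid, exe, comm) for successful BPF-relevant events by unlisted binaries."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        kind = classify(rec)
        if kind and rec.get("success") == "yes" and rec.get("exe") not in allowed:
            hits.append((kind, rec.get("pid"), rec.get("exe"), rec.get("comm")))
    return hits

SAMPLE_AUDIT = [  # constructed records, trimmed to the fields this check uses
    'type=SYSCALL msg=audit(1760083200.101:501): arch=c000003e syscall=54 success=yes exit=0 a0=3 a1=1 a2=1a a3=7ffc1a2b3c40 pid=2201 uid=0 comm="tcpdump" exe="/usr/bin/tcpdump" key="sock_filter"',
    'type=SYSCALL msg=audit(1760083200.102:502): arch=c000003e syscall=41 success=yes exit=3 a0=11 a1=80003 a2=300 a3=0 pid=3110 uid=0 comm="example-bin" exe="/tmp/example-unknown-binary" key="packet_socket"',
    'type=SYSCALL msg=audit(1760083200.103:503): arch=c000003e syscall=54 success=yes exit=0 a0=3 a1=1 a2=1a a3=7ffd0b0c0d10 pid=3110 uid=0 comm="example-bin" exe="/tmp/example-unknown-binary" key="sock_filter"',
    'type=SYSCALL msg=audit(1760083200.104:504): arch=c000003e syscall=321 success=yes exit=4 a0=5 a1=7ffd11223344 a2=90 a3=0 pid=2300 uid=0 comm="bpftool" exe="/usr/sbin/bpftool" key="bpf_load"',
    'type=SYSCALL msg=audit(1760083200.105:505): arch=c000003e syscall=321 success=yes exit=5 a0=5 a1=7ffd55667788 a2=90 a3=0 pid=3120 uid=0 comm="example-ldr" exe="/dev/shm/example-loader" key="bpf_load"',
    'type=SYSCALL msg=audit(1760083200.106:506): arch=c000003e syscall=321 success=no exit=-1 a0=5 a1=7ffd55667799 a2=90 a3=0 pid=3121 uid=1000 comm="bash" exe="/usr/bin/bash" key="bpf_load"',
    'type=PROCTITLE msg=audit(1760083200.106:506): proctitle="bash"',
]
```

On the constructed sample, `find_unapproved(SAMPLE_AUDIT)` returns three hits: the raw packet socket and filter attachment by the binary in /tmp, and the program load by the binary in /dev/shm; the tcpdump and bpftool events are allow-listed and the failed load is ignored.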


7.0 Hunter Insights

eBPF-based rootkits such as BPFDoor, Symbiote, and emerging families like LinkPro are likely to proliferate across both on-prem and cloud-native Linux estates over the next 12–24 months, driven by their proven ability to embed stealthy C2 directly in the kernel’s packet path and evade traditional monitoring focused on userland processes, open ports, and known services. Expect continued refinement of IPv6-aware triggers, DNS-based activation, and high-port protocol diversity, along with broader threat actor adoption beyond the original state-linked groups into cloud-focused and financially motivated operators that can repurpose publicly documented techniques into turnkey toolchains for long-term, low-noise persistence on critical infrastructure and Kubernetes workloads.

For defenders, the strategic implication is a shift from treating eBPF rootkits as rare, exotic malware to planning for them as a baseline intrusion scenario on high-value Linux systems, forcing enterprises to invest in kernel-aware telemetry, eBPF governance, and Linux-specific response playbooks that include memory capture, BPF program inventory, and DNS/high-port anomaly analysis as standard practice. Organizations that continue to rely on userland-centric EDR and coarse network controls will face a widening detection gap, where privileged compromises on telecom, financial, identity, and cloud platforms can persist for months or years, enabling quiet credential theft, lateral movement, and staging for destructive or disruptive operations under the cover of “normal” DNS and high-port traffic.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.