New 2025 samples of eBPF-abusing malware show continued evolution: Symbiote uses UDP port-hopping on high ports for stealthy C2, while BPFDoor added IPv6 support and hides C2 in DNS (UDP/53). Fortinet detects these families (Linux/Symbiote.B!tr, Linux/BpfDoor.F!tr) and provides antivirus and IPS signatures to block reverse shells and C2 traffic.
Keypoints
- FortiGuard Labs detected 151 new BPFDoor samples and three new Symbiote samples in 2025, indicating active development of eBPF malware.
- Symbiote’s recent variant attaches eBPF filters to sockets and accepts IPv4/IPv6 TCP, UDP, and SCTP on multiple high ports (port hopping) to evade detection.
- BPFDoor’s 2025 samples have enhanced filters: classic BPF filter structures attached to raw sockets that accept IPv4 and IPv6 and can be restricted to UDP port 53 (DNS) to hide C2 traffic.
- Reverse engineering BPF bytecode is harder because BPF has its own instruction set, but tools like Radare2, bpftool, IDA plugins, and LLM-assisted analysis (MCP/Claude) speed up interpretation.
- Some older BPFDoor features (process masquerading, hardcoded /dev/shm paths, timestomping, self-deletion, env clearing) are absent in newer samples, while reverse-shell capability remains.
- Fortinet provides detections: AV signatures (Linux/Symbiote.B!tr, Linux/BpfDoor.F!tr) and IPS rules (Backdoor.BPFDoor.TCP/UDP/ICMP) plus IP-reputation/Anti-Botnet blocking to protect customers.
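The DNS-only socket filter described above is the kind of thing an analyst has to read out of raw BPF bytecode. As an added example (not code from the Fortinet write-up or from either malware family), here is a small classic-BPF interpreter that evaluates a recovered filter against test frames so you can check what it actually keeps. The `UDP_PORT_53` program is hand-assembled by me to be equivalent to tcpdump's `udp port 53` on Ethernet frames, with an IPv6 branch as well as IPv4; `eth_udp` builds constructed sample packets, not real captures.

```python
import struct
# Classic BPF opcode fields (values as in <linux/filter.h>)
BPF_LD, BPF_LDX, BPF_JMP, BPF_RET, BPF_W, BPF_H, BPF_B = 0x00, 0x01, 0x05, 0x06, 0x00, 0x08, 0x10
BPF_IND, BPF_MSH, BPF_JA, BPF_JEQ, BPF_JGT, BPF_JGE, BPF_JSET = 0x40, 0xa0, 0x00, 0x10, 0x20, 0x30, 0x40
def _load(pkt, off, size):  # big-endian load of 4/2/1 bytes; reading past the end aborts the filter
    n = {BPF_W: 4, BPF_H: 2, BPF_B: 1}[size]
    if off + n > len(pkt):
        raise IndexError(off)
    return int.from_bytes(pkt[off:off + n], "big")

def run_cbpf(prog, pkt):
    """Interpret prog, a list of (code, jt, jf, k) tuples, over pkt. Returns bytes kept (0 = drop)."""
    a = x = pc = 0
    try:
        while pc < len(prog):
            code, jt, jf, k = prog[pc]
            cls, pc = code & 0x07, pc + 1
            if cls == BPF_LD:                                   # ld/ldh/ldb [k] or [x + k]
                a = _load(pkt, k + (x if code & 0xe0 == BPF_IND else 0), code & 0x18)
            elif cls == BPF_LDX and code & 0xe0 == BPF_MSH:     # ldxb 4*([k]&0xf): IPv4 header length
                x = (_load(pkt, k, BPF_B) & 0x0f) * 4
            elif cls == BPF_JMP:                                # jt/jf are relative to the next instruction
                op = code & 0xf0
                hit = {BPF_JEQ: a == k, BPF_JGT: a > k, BPF_JGE: a >= k, BPF_JSET: a & k != 0}.get(op)
                pc += k if op == BPF_JA else (jt if hit else jf)
            elif cls == BPF_RET:
                return k
            else:                                               # ALU/ST/MISC not needed for this filter
                raise NotImplementedError(f"opcode {code:#x}")
    except IndexError:
        return 0                                                # out-of-bounds read: packet is dropped
    return 0                                                    # valid programs always end in ret
# Hand-assembled equivalent of tcpdump's 'udp port 53' on Ethernet frames: IPv6 branch first, then IPv4.
UDP_PORT_53 = [
    (0x28, 0, 0, 12), (0x15, 0, 6, 0x86dd),                     # ethertype == IPv6? else -> pc 8
    (0x30, 0, 0, 20), (0x15, 0, 15, 17),                        #   next header == UDP? else drop
    (0x28, 0, 0, 54), (0x15, 12, 0, 53), (0x28, 0, 0, 56), (0x15, 10, 11, 53),  # sport/dport == 53 -> keep
    (0x15, 0, 10, 0x0800), (0x30, 0, 0, 23), (0x15, 0, 8, 17),  # ethertype == IPv4 and protocol == UDP?
    (0x28, 0, 0, 20), (0x45, 6, 0, 0x1fff),                     #   fragment offset != 0 -> drop
    (0xb1, 0, 0, 14), (0x48, 0, 0, 14), (0x15, 2, 0, 53),       #   x = IHL*4; sport == 53 -> keep
    (0x48, 0, 0, 16), (0x15, 0, 1, 53),                         #   dport == 53 -> keep, else drop
    (0x06, 0, 0, 0x40000), (0x06, 0, 0, 0),                     # ret keep / ret drop
]
def eth_udp(ipv6, sport, dport, payload=b""):  # constructed Ethernet + IPv4/IPv6 + UDP sample frame
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    if ipv6:
        hdr = struct.pack("!IHBB16s16s", 0x60000000, len(udp), 17, 64, b"\0" * 15 + b"\1", b"\0" * 15 + b"\2")
        return b"\0" * 12 + b"\x86\xdd" + hdr + udp
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, b"\x0a\0\0\1", b"\x0a\0\0\2")
    return b"\0" * 12 + b"\x08\x00" + hdr + udp
```

Running the same program over frames to one of the Symbiote high ports (for example 54778) returns 0, which is how you confirm that a filter really is DNS-only rather than port-hopping.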
MITRE Techniques
- [T1095] Non-Application Layer Protocol – eBPF/BPF-based C2 uses raw sockets, UDP/SCTP and non-standard high ports for covert communication (‘C2 communication over non-standard ports’ and ‘accepts IPv4 or IPv6 packets for protocols TCP, UDP, and SCTP on ports 54778, 58870, 59666, 54879, 57987, 64322, 45677, and 63227’)
- [T1071.004] Application Layer Protocol: DNS – BPFDoor restricts to DNS UDP/53 over IPv4 and IPv6 to camouflage C2 within common DNS traffic (‘It will keep only UDP port 53 (DNS) traffic, over IPv4 or IPv6. This is a subtle way for malware to hide its presence’)
- [T1059.004] Command and Scripting Interpreter: Unix Shell – Malware retains a connect-back reverse shell using /bin/sh (‘Reverse Shell Yes (connect-back)’ and ‘Connects back using /bin/sh’)
- [T1036] Masquerading – Earlier BPFDoor variants used fake process names to masquerade as legitimate processes (‘Process Masquerading 10 fake process names’ listed in the comparison table)
- [T1070] Indicator Removal on Host – Older variants performed timestomping, binary self-deletion and environment wiping; these are noted as present historically and removed in the sample analyzed (‘Timestomping Yes (Oct 30, 2008 date)’, ‘Binary Self-Deletion Yes’, ‘Environment Wipe Yes (clears envp)’)
- [T1562] Impair Defenses / Firewall Bypass – Malware historically attempted firewall evasion via iptables redirect rules or other bypass techniques (‘Firewall Bypass iptables redirect rules’ noted in the 2022 feature list)
Indicators of Compromise
- [File Hash] sample binaries – dcfbd5054bb6ea61b8f5a352a482e0cf7e8c5545bd88915d3e67f7ba01c2b3d4 (Linux/Symbiote.B!tr), 82ed617816453eba2d755642e3efebfcbd19705ac626f6bc8ed238f4fc111bb0 (Linux/BpfDoor.F!tr)
- [Ports] C2 and filtering ports used by Symbiote – examples: 54778, 58870, 59666, and 5 more high ports used for port-hopping and stealthy C2
- [Network Port/Protocol] BPFDoor DNS-based C2 – UDP port 53 over IPv4/IPv6 (keeps only DNS traffic to hide communications)
- [Detection Signatures] FortiGuard detections – Linux/Symbiote.B!tr (SIGID: 171365647), Linux/BpfDoor.F!tr (SIGID: 171124526)
- [File Paths] historical BPFDoor artifacts (removed in newer sample) – /dev/shm/kdmtmpflush, /var/run/haldrund.pid (previously referenced file locations)