Full Report
FortiGuard Labs discovered new Symbiote and BPFDoor variants exploiting eBPF filters to enhance stealth through IPv6 support, UDP traffic, and dynamic port hopping for covert C2 communication.
Analysis Summary
# Tool/Technique: Symbiote and BPFDoor eBPF Variants
## Overview
New variants of the Symbiote and BPFDoor malware families have been discovered that leverage enhanced Extended Berkeley Packet Filter (eBPF) mechanisms within the Linux kernel. The primary goal of these updates is to increase stealth and evade detection by incorporating new network communication techniques, specifically robust IPv6 support and dynamic UDP communication.
## Technical Details
- Type: Malware family (Symbiote, BPFDoor) employing a Kernel-level technique (eBPF filtering)
- Platform: Linux (Affecting Linux-based network appliances or servers)
- Capabilities: Stealthy command and control (C2) communication, network packet inspection/modification via eBPF, evasion of security controls.
- First Seen: The base families date to 2021; the enhanced variants described are from 2025 (based on the article date).
## MITRE ATT&CK Mapping
Since the core mechanism is kernel interception for covert communication, the mapping focuses on stealth and defense evasion.
- **TA0005 - Defense Evasion**
- T1548 - Abuse Elevation Control Mechanism
- T1548.003 - Exploitation for Privilege Escalation (Implied by kernel interaction)
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (If used for C2)
- T1071.004 - Custom Protocols (Likely used for new protocol implementations)
- **TA0003 - Persistence** (eBPF rootkits are typically used for persistence)
## Functionality
### Core Capabilities
* **Kernel-Level Hooking:** Utilizing eBPF programs loaded into the Linux kernel to filter and potentially modify network traffic and system calls.
* **Covert C2 Communication:** Establishing command and control channels designed to be inconspicuous.
* **Malware Families:** BPFDoor (151 new samples detected in 2025) and Symbiote (3 new samples detected in 2025).
### Advanced Features
* **IPv6 Support (BPFDoor):** Implementation of native IPv6 filtering/communication within the BPF bytecode, expanding its operational scope beyond IPv4.
* **UDP Traffic Manipulation (Symbiote):** Use of dynamic port hopping specifically over UDP high ports to obscure C2 communications.
* **Stealth Enhancement:** Both families focus on enhancing their stealth capabilities by utilizing less scrutinized kernel technology (eBPF) and obfuscating network patterns.
* **BPF Bytecode Reversing:** Analysis involved understanding the platform's unique, fixed-size 64-bit instruction set.
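As an added illustration of that reversing step (example code written for this summary, not taken from the FortiGuard report or from either malware family), the Python below decodes the eBPF fixed-size 64-bit instruction encoding and pairs each packet-byte load with the constants the filter compares it against, which is the quickest way to see which EtherTypes, protocols or ports a captured filter keys on. The sample bytecode is constructed here (an IPv6/UDP socket filter) and the decoder also handles the two-slot `lddw` form, which the summary does not discuss.

```python
import struct

# eBPF instruction layout (little-endian): opcode:8 dst:4 src:4 off:16 imm:32
CLASSES = {0: "ld", 1: "ldx", 2: "st", 3: "stx", 4: "alu", 5: "jmp", 6: "jmp32", 7: "alu64"}
JMP_OPS = {0x00: "ja", 0x10: "jeq", 0x20: "jgt", 0x30: "jge", 0x40: "jset", 0x50: "jne", 0x60: "jsgt",
           0x70: "jsge", 0x80: "call", 0x90: "exit", 0xA0: "jlt", 0xB0: "jle", 0xC0: "jslt", 0xD0: "jsle"}
SIZES = {0x00: "w", 0x08: "h", 0x10: "b", 0x18: "dw"}

def decode(raw: bytes) -> list:
    """Split raw bytecode into 8-byte instructions (lddw occupies two slots)."""
    insns, i = [], 0
    while i + 8 <= len(raw):
        op, regs, off, imm = struct.unpack_from("<BBhi", raw, i)
        i += 8
        if op == 0x18:  # lddw: the second slot's imm field holds the upper 32 bits
            imm = (imm & 0xFFFFFFFF) | (struct.unpack_from("<i", raw, i + 4)[0] << 32)
            i += 8
        cls = CLASSES[op & 0x07]
        name = JMP_OPS.get(op & 0xF0, "?") if cls in ("jmp", "jmp32") else f"{cls}_{op & 0xF0:#04x}"
        if cls == "ld" and (op & 0xE0) == 0x20:  # legacy packet load; result lands in r0
            name = f"ld{SIZES[op & 0x18]}_abs"
        insns.append({"op": op, "name": name, "cls": cls, "dst": regs & 0x0F,
                      "src": regs >> 4, "off": off, "imm": imm})
    return insns

def filter_checks(insns: list) -> list:
    """Pair each packet load into r0 with the immediate compares on r0 that follow it,
    yielding (packet offset, jump, constant) triples for triage."""
    checks, loaded_off = [], None
    for ins in insns:
        if ins["name"].endswith("_abs"):
            loaded_off = ins["imm"]
        elif ins["name"] in ("jeq", "jne") and not ins["op"] & 0x08 and ins["dst"] == 0 \
                and loaded_off is not None:
            checks.append((loaded_off, ins["name"], ins["imm"]))
        elif ins["cls"] in ("alu", "alu64") and ins["dst"] == 0:
            loaded_off = None  # r0 overwritten; later compares are not on packet data
    return checks

def insn(op, dst=0, src=0, off=0, imm=0):
    return struct.pack("<BBhi", op, (src << 4) | dst, off, imm)

# Constructed sample (not bytecode from either malware family): a minimal socket
# filter that passes only IPv6 frames carrying UDP, the pattern discussed above.
SAMPLE = b"".join([
    insn(0x28, imm=12), insn(0x55, off=4, imm=0x86DD),  # r0 = EtherType; jne IPv6 -> drop
    insn(0x30, imm=20), insn(0x55, off=2, imm=17),      # r0 = next header; jne UDP -> drop
    insn(0xB7, imm=0xFFFF), insn(0x95),                 # r0 = 0xffff (accept); exit
    insn(0xB7, imm=0), insn(0x95),                      # drop: r0 = 0; exit
])
```

Running `filter_checks(decode(SAMPLE))` yields `(12, "jne", 0x86dd)` and `(20, "jne", 17)`, i.e. the filter inspects the EtherType for IPv6 and the next-header byte for UDP.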
## Indicators of Compromise
* File Hashes:
* `dcfbd5054bb6ea61b8f5a352a482e0cf7e8c5545bd88915d3e67f7ba01c2b3d4` (Symbiote.B!tr)
* `82ed617816453eba2d755642e3efebfcbd19705ac626f6bc8ed238f4fc111bb0` (BpfDoor.F!tr)
* File Names: Not explicitly listed, but associated signatures suggest file components.
* Registry Keys: N/A (Linux kernel/eBPF focus).
* Network Indicators: Communication occurs over dynamically hopped UDP high ports (Symbiote) and via enhanced IPv6 channels (BPFDoor). Specific C2 addresses are not provided in the summary context.
* Behavioral Indicators: Loading and executing custom eBPF programs into the kernel; creation of C2 reverse shells utilizing protocols like UDP or potentially ICMP/TCP (based on associated signatures).
## Associated Threat Actors
* State-sponsored malware authors (allegedly associated with BPFDoor development).
* Developers skilled in kernel-level exploitation, with the expertise needed to write BPF bytecode.
## Detection Methods
* Signature-based detection (FortiGuard Antivirus):
* `Linux/Symbiote.B!tr` (SIGID: 171365647)
* `Linux/BpfDoor.F!tr` (SIGID: 171124526)
* Signature detections for associated reverse shell communications: `Backdoor.BPFDoor.TCP`, `Backdoor.BPFDoor.TCP2`, `Backdoor.BPFDoor.ICMP`, `Backdoor.BPFDoor.UDP`.
* Network/Behavioral detection: FortiGuard IP Reputation and Anti-Botnet Security Service to block associated hostile sources.
* General eBPF Malware Detection: Monitoring for the loading and execution of malicious BPF bytecode programs in the kernel.
## Mitigation Strategies
* Ensure all Fortinet security products (FortiGate, FortiMail, FortiClient, FortiEDR) have up-to-date FortiGuard AntiVirus protection.
* Utilize FortiGuard IP Reputation and Anti-Botnet services to block known malicious infrastructure.
* **Hardening:** Focus on minimizing privileges and monitoring kernel module loading/eBPF program attachment events, as these technologies require specific permissions.
## Related Tools/Techniques
* **Historical/Related Malware:** Bvp47, Ebpfkit, TripleCross (all use eBPF technology).
* **Techniques:** General use of BPF/eBPF rootkits for persistence and evasion.