Intel Name: New eBPF filters for Symbiote and BPFDoor malware
Date of Scan: December 4, 2025
Impact: High
Summary: eBPF is a kernel technology that lets small, verifier-checked, sandboxed programs run inside the Linux kernel to inspect or modify system activity (packet filtering, tracing, security hooks). Merged into Linux 3.18 in December 2014, it superseded the 1992-era classic BPF packet-filter virtual machine, whose 32-bit, two-register design no longer matched modern 64-bit architectures. Its capabilities quickly drew the attention of malware developers, leading to threats such as Bvp47 and proof-of-concept rootkits like Ebpfkit and TripleCross. Despite this interest, BPF-based malware remains relatively uncommon because of the technical skill required, so the threat landscape is still limited in volume but notable in sophistication. The two primary BPF-linked malware families active since 2021 are Symbiote and BPFDoor. Note that both rely on classic BPF socket filters installed with setsockopt(SO_ATTACH_FILTER) on raw or packet sockets, not on eBPF programs loaded through the bpf() syscall, so hunting must cover attached socket filters as well as loaded eBPF programs: a BPFDoor-style implant sits on a raw socket behind a filter that passes only its magic trigger packets, and Symbiote hooks the same setsockopt path to splice its own bytecode into filters that legitimate capture tools attach.
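A practical first check for this class of implant is to inventory every IPv4 raw socket and AF_PACKET socket on a host and attribute each to the process holding it. The script below is an added hunting example written for this page, not code from the original report or from any detection product; it assumes the standard column layouts of /proc/net/raw and /proc/net/packet and root privileges for a complete walk of /proc/<pid>/fd, and the two embedded /proc samples are constructed. A raw socket alone is not proof of compromise (tcpdump, DHCP clients and ping open them too); the interesting results are sockets held by unexpected binaries and, above all, sockets that /proc/net reports but no visible process owns, which is what a process-hiding rootkit such as Symbiote produces. For AF_PACKET sockets, `ss -0pb` can additionally dump the attached filter bytecode for comparison.

```python
"""Inventory IPv4 raw sockets and AF_PACKET sockets and map each to the process
holding it, by reading /proc.  Added hunting example, not code from the original
report.  Assumes the standard /proc/net/raw and /proc/net/packet column layouts
and root privileges for a complete /proc/<pid>/fd walk."""
import os
import re
from dataclasses import dataclass

# Constructed sample of /proc/net/raw.  For raw sockets the "port" half of
# local_address is the IP protocol number the socket receives.
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0006 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 31337 2 0000000000000000 0
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 40001 2 0000000000000000 0
"""

# Constructed sample of /proc/net/packet.  Type 3 is SOCK_RAW, Proto 0003 is
# ETH_P_ALL (every frame on the interface).
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      20513
"""

IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass(frozen=True)
class Sock:
    family: str   # "raw" (AF_INET SOCK_RAW) or "packet" (AF_PACKET)
    proto: str    # IP protocol name/number or ethertype
    inode: int    # socket inode: the key linking /proc/net to /proc/<pid>/fd


def parse_proc_net_raw(text):
    """Parse /proc/net/raw; the inode is the 10th column, as in /proc/net/tcp."""
    socks = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue
        proto = int(fields[1].split(":")[1], 16)
        socks.append(Sock("raw", IP_PROTO_NAMES.get(proto, str(proto)), int(fields[9])))
    return socks


def parse_proc_net_packet(text):
    """Parse /proc/net/packet; Proto is the 4th column, Inode the 9th."""
    socks = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9:
            continue
        socks.append(Sock("packet", "0x%04x" % int(fields[3], 16), int(fields[8])))
    return socks


_SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")


def socket_owners(proc_root="/proc"):
    """Map socket inode -> [(pid, comm)] by resolving /proc/<pid>/fd symlinks.
    Entries we cannot read (other users' processes when not root) are skipped."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            with open(os.path.join(proc_root, pid, "comm")) as f:
                comm = f.read().strip()
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = _SOCKET_LINK.fullmatch(target)
            if m:
                owners.setdefault(int(m.group(1)), []).append((int(pid), comm))
    return owners


def attribute(socks, owners):
    """Pair every socket with its visible owners.  An empty owner list for a
    socket that /proc/net reports is the interesting case: either the walk was
    not privileged, or something is hiding the process."""
    return [(s, owners.get(s.inode, [])) for s in socks]


def _read_or_sample(path, sample):
    try:
        with open(path) as f:
            return f.read()
    except OSError:   # not Linux or no permission: fall back to the constructed sample
        return sample


def main():
    socks = parse_proc_net_raw(_read_or_sample("/proc/net/raw", SAMPLE_PROC_NET_RAW))
    socks += parse_proc_net_packet(_read_or_sample("/proc/net/packet", SAMPLE_PROC_NET_PACKET))
    owners = socket_owners() if os.path.isdir("/proc") else {}
    for sock, who in attribute(socks, owners):
        label = ", ".join(f"{pid}/{comm}" for pid, comm in who) or "NO VISIBLE OWNER"
        print(f"{sock.family:6} proto={sock.proto:6} inode={sock.inode:<8} {label}")


if __name__ == "__main__":
    main()
```

Run it as root on the host under review; on any other system it falls back to the constructed samples so the parsing can be exercised offline. Sockets listed with NO VISIBLE OWNER while running as root deserve a closer look, as does any owner whose binary lives somewhere like /dev/shm or does not match what a packet-capturing daemon on that host should be.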