Date: 12/04/2025
Severity: High
Summary
eBPF is a modern kernel technology that allows small, sandboxed programs to run inside the Linux kernel to inspect or modify system activity. Introduced in 2015, it replaced the older 1992 BPF model, which no longer fit contemporary architectures like 64-bit systems. Its capabilities quickly drew the attention of malware developers, leading to threats such as Bvp47 and rootkits like Ebpfkit and TripleCross. Despite this interest, eBPF-based malware remains relatively uncommon due to the high technical skill required. Today, the threat landscape is still limited in volume but notable in sophistication. The two primary eBPF-linked malware families active since 2021 are Symbiote and BPFDoor.
Indicators of Compromise (IOC) List
SHA256:
82ed617816453eba2d755642e3efebfcbd19705ac626f6bc8ed238f4fc111bb0
dcfbd5054bb6ea61b8f5a352a482e0cf7e8c5545bd88915d3e67f7ba01c2b3d4
MD5:
8673d9dce8c8d558a8598edb2aca3087
fd9394751d86b17d22a498094b4c3a73
SHA1:
e130fea44bd66d13e6727bf1eca7fcca597b3842
fa4c09166b3650c4d5465369735653c9eb243a1d
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (MD5):
md5hash IN ("fd9394751d86b17d22a498094b4c3a73","8673d9dce8c8d558a8598edb2aca3087")
Detection Query 2 (SHA1):
sha1hash IN ("e130fea44bd66d13e6727bf1eca7fcca597b3842","fa4c09166b3650c4d5465369735653c9eb243a1d")
Detection Query 3 (SHA256):
sha256hash IN ("82ed617816453eba2d755642e3efebfcbd19705ac626f6bc8ed238f4fc111bb0","dcfbd5054bb6ea61b8f5a352a482e0cf7e8c5545bd88915d3e67f7ba01c2b3d4")
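The three TDIR queries above match file hashes already present in a log source. For hosts that are not feeding hashes into the SIEM, the same indicators can be checked directly on disk. The following is an added example, not part of the original advisory and not Gurucul's or Fortinet's code: it walks a directory, computes MD5, SHA1 and SHA256 of every regular file in one pass, and reports any file whose digest matches one of the listed indicators. The indicator sets are copied verbatim from the IOC list; the file read and walk behaviour (chunked reads, symlinks skipped, unreadable files skipped rather than aborting the sweep) are design choices of this example.

```python
"""Hash-based IOC sweep for the Symbiote / BPFDoor indicators listed above."""
import hashlib
import os
import sys

# Indicators copied from the IOC list on this page (lower-case hex digests).
IOC_SHA256 = {
    "82ed617816453eba2d755642e3efebfcbd19705ac626f6bc8ed238f4fc111bb0",
    "dcfbd5054bb6ea61b8f5a352a482e0cf7e8c5545bd88915d3e67f7ba01c2b3d4",
}
IOC_MD5 = {
    "8673d9dce8c8d558a8598edb2aca3087",
    "fd9394751d86b17d22a498094b4c3a73",
}
IOC_SHA1 = {
    "e130fea44bd66d13e6727bf1eca7fcca597b3842",
    "fa4c09166b3650c4d5465369735653c9eb243a1d",
}


def hash_file(path):
    """Return (md5, sha1, sha256) hex digests of a file, reading it in 1 MiB chunks
    so large binaries are hashed once without being loaded fully into memory."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def match_digests(md5, sha1, sha256):
    """Return the list of hash types that hit an indicator (empty list means clean).
    Comparison is case-insensitive because log sources differ in digest casing."""
    hits = []
    if md5.lower() in IOC_MD5:
        hits.append("md5")
    if sha1.lower() in IOC_SHA1:
        hits.append("sha1")
    if sha256.lower() in IOC_SHA256:
        hits.append("sha256")
    return hits


def scan_directory(root):
    """Walk root and return {path: [matched hash types]} for every file hitting an IOC.
    Symlinks and non-regular files (devices, FIFOs) are skipped so the sweep
    cannot block or follow a link outside the tree."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):  # followlinks=False by default
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip, keep sweeping
            hits = match_digests(*digests)
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    # Usage: python ioc_sweep.py /path/to/scan   (defaults to the current directory)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    results = scan_directory(target)
    for path, hits in results.items():
        print(f"IOC HIT {path}: {', '.join(hits)}")
    print(f"{len(results)} matching file(s) under {target}")
```

A hit on any one digest is sufficient to raise an alert; matching all three is not required, since only some log sources carry every hash type. Run the sweep as a user with read access to the locations of interest, and treat a match as a trigger for the same triage you would apply to a TDIR query result.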
Reference:
https://www.fortinet.com/blog/threat-research/new-ebpf-filters-for-symbiote-and-bpfdoor-malware