Fortinet Identifies New Symbiote, BPFdoor Variants
Researchers at FortiGuard Labs, Fortinet's threat intelligence and research organization, have discovered new malware variants from the Symbiote and BPFdoor families. In its report, FortiGuard Labs identified 151 new BPFdoor variants and three new Symbiote variants this year.
These threats target Linux-based enterprise systems. Both families lean on the Berkeley Packet Filter (BPF), a packet-filtering facility the kernel exposes to user-space programs, to stay out of sight, and they have gone undetected on compromised hosts for extended periods. The new variants are a major concern because Linux now runs most cloud workloads, containers, and core backend services.
Cybercriminals continue to move deeper into the Linux operating system. As such, security teams need better visibility into Linux and stronger detection capabilities. This is where Fortinet training is especially important.
What Fortinet Found
FortiGuard Labs found that the latest Symbiote and BPFdoor variants abuse the Berkeley Packet Filter (BPF, including its extended form, eBPF), the same kernel facility that tcpdump and security monitoring tools use to select packets. A BPF filter is a small program the kernel runs against every packet on a socket, and the malware authors turn it around. BPFdoor attaches a filter to a raw socket and waits for a "magic" packet carrying its activation bytes, so it needs no open listening port. Symbiote, which is injected into processes through LD_PRELOAD, hooks libc to hide its files and processes and uses BPF filters to keep its own traffic out of local packet captures. Either way, the command-and-control channel rides inside what looks like normal network activity.
The new samples handle both IPv4 and IPv6, and their trigger packets can arrive over uncommon TCP and UDP ports. Port-based firewall rules offer little protection: a raw packet socket receives a copy of every frame at the link layer, before the IP stack and before netfilter (iptables or nftables) rules are evaluated, so the filter sees the magic packet even when the port is closed or blocked. Because the filtering runs in the kernel and the backdoor keeps no listening socket of its own, tools that rely on lists of listening ports and processes alone usually miss it.
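As an added example, not code from the Fortinet report or from CBT Nuggets, the following Python hunt script turns the two mechanisms above into something a responder can run on a Linux host: it lists processes that hold raw packet sockets (the footprint of a BPF magic-packet listener such as BPFdoor) and libraries forced into processes through /etc/ld.so.preload or LD_PRELOAD (the footprint of a libc-hooking implant such as Symbiote). The /proc file formats are real; every sample row, PID, and library path at the bottom is constructed for illustration and the hook-library names are hypothetical.

```python
"""Hunt for two Linux backdoor footprints using only /proc.
Added example; not code from Fortinet, FortiGuard Labs or CBT Nuggets.

  1. Raw (AF_PACKET) sockets: each row of /proc/net/packet is one such
     socket, and its owner sees every frame before netfilter runs.
  2. LD_PRELOAD-style injection: a library named in /etc/ld.so.preload or
     in a process's LD_PRELOAD is loaded into processes and can hook libc.

The parse/analysis functions take text so they can run on the constructed
samples below; run_live() reads the real /proc (root needed for other
users' processes)."""
import os
import re
from dataclasses import dataclass

SOCK_RAW = 3        # Type column value for a raw packet socket
ETH_P_ALL = 0x0003  # Proto column value meaning "every protocol"


@dataclass
class PacketSocket:
    inode: int
    sock_type: int
    proto: int
    ifindex: int


def parse_proc_net_packet(text: str) -> list[PacketSocket]:
    """Columns: sk RefCnt Type Proto Iface R Rmem User Inode (Proto is hex)."""
    sockets = []
    for line in text.splitlines()[1:]:          # skip the header line
        f = line.split()
        if len(f) < 9 or not f[8].isdigit():
            continue
        sockets.append(PacketSocket(int(f[8]), int(f[2]), int(f[3], 16), int(f[4])))
    return sockets


def socket_owners(fd_links: dict[int, list[str]]) -> dict[int, list[int]]:
    """Map socket inode -> owning pids. fd_links is pid -> readlink() targets
    of /proc/<pid>/fd/*, which read 'socket:[<inode>]' for sockets."""
    owners: dict[int, list[int]] = {}
    for pid, links in fd_links.items():
        for target in links:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), []).append(pid)
    return owners


def packet_socket_findings(sockets: list[PacketSocket],
                           owners: dict[int, list[int]]) -> list[str]:
    """Flag SOCK_RAW packet sockets. tcpdump, dhclient and some agents hold
    them legitimately, so this is a triage list, not an alert."""
    findings = []
    for s in sockets:
        if s.sock_type != SOCK_RAW:
            continue
        who = ",".join(str(p) for p in owners.get(s.inode, [])) or "?"
        findings.append(f"pid {who} holds AF_PACKET SOCK_RAW socket inode {s.inode} "
                        f"proto 0x{s.proto:04x} ifindex {s.ifindex}")
    return findings


def preload_findings(ld_so_preload: str, environs: dict[int, bytes]) -> list[str]:
    """/etc/ld.so.preload is normally absent or empty; LD_PRELOAD in a
    long-running daemon's environment is rare outside debugging."""
    findings = []
    for line in ld_so_preload.splitlines():
        path = line.split("#", 1)[0].strip()
        if path:
            findings.append(f"/etc/ld.so.preload loads {path} into every process")
    for pid, env in environs.items():
        for var in env.split(b"\0"):
            if var.startswith(b"LD_PRELOAD="):
                findings.append(f"pid {pid} has {var.decode(errors='replace')}")
    return findings


def run_live() -> list[str]:
    """Collect the same inputs from the running host and return all findings."""
    fd_links: dict[int, list[str]] = {}
    environs: dict[int, bytes] = {}
    for pid in (int(p) for p in os.listdir("/proc") if p.isdigit()):
        try:
            links = []
            for fd in os.listdir(f"/proc/{pid}/fd"):
                try:
                    links.append(os.readlink(f"/proc/{pid}/fd/{fd}"))
                except OSError:
                    pass                    # fd closed under us
            fd_links[pid] = links
            with open(f"/proc/{pid}/environ", "rb") as fh:
                environs[pid] = fh.read()
        except OSError:
            continue                        # exited, or not ours to inspect
    with open("/proc/net/packet") as fh:
        sockets = parse_proc_net_packet(fh.read())
    try:
        with open("/etc/ld.so.preload") as fh:
            preload = fh.read()
    except OSError:
        preload = ""
    return (packet_socket_findings(sockets, socket_owners(fd_links))
            + preload_findings(preload, environs))


# Constructed sample input (not captured from a real incident); paths are hypothetical.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c1a2b3c4000 3      3    0003   2     1 0      0      31337
ffff9c1a2b3c5000 3      2    0800   2     1 0      0      40010
"""
SAMPLE_FD_LINKS = {4242: ["/dev/null", "socket:[31337]"], 900: ["socket:[40010]"]}
SAMPLE_LD_SO_PRELOAD = "/usr/lib/libhook.example.so\n"
SAMPLE_ENVIRONS = {4242: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libhook.so\0",
                   900: b"PATH=/usr/bin\0"}

if __name__ == "__main__":
    for finding in run_live():
        print(finding)
```

Run it as root and compare the packet-socket list against `ss -0p` and an inventory of tools that legitimately sniff (tcpdump, DHCP clients, LLDP daemons, some EDR agents); anything else deserves a look at its binary and its BPF filter. Note what the script does not need: `netstat -l` or `ss -l`, which show nothing at all for a backdoor that never listens.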
Exposing the Weaknesses
The report offers insight into what current security playbooks are lacking. Too many teams still rely on user-space monitoring (process lists, listening ports) and signature matching on binaries. Neither does much against a backdoor that holds no port open, blends its traffic into normal flows, and ships in 151 variants.
Other industry research points the same way. Threats that lean on kernel facilities such as BPF are becoming increasingly sophisticated: they hide inside system processes and intercept traffic before it reaches applications.
Modern threats do not behave as they did years ago, and teams need to adapt with new skills.
Skills for Security Teams
As Linux malware continues to evolve, security teams need to develop their skills in several areas, including the following:
Understand how Linux and the kernel really work
Inspect network traffic beyond standard ports
Know how BPF and eBPF work and how attackers misuse them
Improve visibility across cloud and container systems
With CBT Nuggets training, you can learn how Linux and networking work at a deeper level and how to spot activity that doesn’t belong.
What to Do Next
If your team needs to catch up, start by reviewing how much visibility your current tools have into Linux kernel activity: BPF filters, raw packet sockets, and libraries loaded into processes. Update monitoring and detection tactics to match how these threats actually behave.
Most importantly, invest in training. Fortinet training, combined with hands-on Linux and security education, helps you close the gap between today’s threats and yesterday’s defenses.
Now is the time to build those skills. CBT Nuggets offers comprehensive Fortinet training. Become a FortiGate firewall expert and earn the NSE skills you need to level up your career. Sign up today for your first 7 days free.