What Is Symbiote? Inside the New Highly Evasive Linux Rootkit
Researchers from Intezer and BlackBerry uncovered Symbiote, a novel Linux rootkit that loads as a shared library via LD_PRELOAD, hijacks libc and libpcap, uses BPF hooking to hide malicious traffic, and targets credential theft and remote access, especially in Latin American financial sectors.
Intezer and BlackBerry research teams recently discovered a new Linux malware that operates parasitically, infecting all running processes on an infected system and providing rootkit capabilities, credential theft, and remote access.
The malware, named Symbiote, is described as “a new, almost undetectable Linux threat.” It was first observed in November 2021 and appears to have been crafted for the Latin American financial sector.
Symbiote is not a typical executable; it is a shared object (SO) library that is loaded into running processes using the LD_PRELOAD directive, allowing it to parasitically infect the machine. It leverages Berkeley Packet Filter (BPF) hooking to conceal malicious network traffic.
When injected into a process, the malware can control what results are shown. For example, if an administrator starts packet capture to investigate suspicious traffic, Symbiote injects itself into the capture tool and uses BPF hooking to filter out evidence of its activity.
The rootkit hooks functions in libc and libpcap, enabling it to hide parasitic processes, conceal files deployed alongside the malware, and clean connection entries. It performs packet filtering via BPF and removes UDP traffic to domains it wishes to hide.
In addition to hiding its own presence, Symbiote also obscures other files that may be deployed with it.
Researchers conclude that Symbiote is a highly evasive malware whose primary goals are credential harvesting and facilitating backdoor access. Because it runs as a user-level rootkit, detection is challenging. Network telemetry can help detect abnormal DNS requests, and security tools such as AV and EDR should be statically linked so that the LD_PRELOAD mechanism cannot load the rootkit into them.
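The detection advice above rests on one idea: a tool that depends on a hooked libc (ps, ls, netstat) can be lied to, so a defender needs a view that does not pass through the hooked functions, and needs to inspect the preload mechanism itself. The following script is an added example for illustration, not code from the Intezer/BlackBerry research. It cross-checks a `ps`-style process list against a raw listing of `/proc`, parses `/etc/ld.so.preload`, and extracts `LD_PRELOAD` from a process's environment, flagging preloaded objects outside standard library directories. All sample data, the function names, and the path allow-list are constructed assumptions.

```python
"""Defender-side checks for LD_PRELOAD-style user-level rootkits.

Added example, not the original article's or the researchers' code.
Two detection ideas are demonstrated:
  1. Cross-view: compare a libc-dependent process list (e.g. `ps`) with an
     independent enumeration of /proc. PIDs present in /proc but absent from
     `ps` are candidates for a hidden process.
  2. Preload inspection: read /etc/ld.so.preload and the LD_PRELOAD variable
     in each process's environment, and flag objects that live outside the
     normal library directories or that were deleted from disk after loading.
The sample inputs below are constructed for illustration.
"""
import os
import re

# Assumed allow-list of directories where preloaded objects normally live.
TRUSTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def parse_ps_pids(ps_output):
    """PIDs from `ps -e -o pid=` style output (one PID per line)."""
    return {int(line) for line in ps_output.splitlines() if line.strip().isdigit()}


def parse_proc_pids(proc_entries):
    """PIDs from a directory listing of /proc (numeric entry names only)."""
    return {int(name) for name in proc_entries if name.isdigit()}


def hidden_pids(proc_pids, ps_pids):
    """PIDs visible in /proc but missing from the `ps` view, sorted."""
    return sorted(proc_pids - ps_pids)


def parse_preload_file(contents):
    """/etc/ld.so.preload: whitespace-separated paths, '#' starts a comment."""
    libs = []
    for line in contents.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs


def preload_from_environ(environ_bytes):
    """Return LD_PRELOAD entries from NUL-separated /proc/<pid>/environ data."""
    for entry in environ_bytes.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            # ld.so accepts colon- or space-separated lists in LD_PRELOAD.
            return [p for p in re.split(r"[:\s]+", value) if p]
    return []


def suspicious_preloads(paths):
    """Flag preloaded objects outside trusted dirs or marked '(deleted)'."""
    return [p for p in paths
            if "(deleted)" in p or not p.startswith(TRUSTED_LIB_PREFIXES)]


def scan_live():
    """Run the checks on the current host. Note the caveat: this interpreter
    is itself dynamically linked, so a libc hook could also filter what
    os.listdir returns; for a trustworthy view run the same logic from a
    statically linked binary or against a forensic image."""
    findings = {}
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            findings["ld.so.preload"] = suspicious_preloads(parse_preload_file(fh.read()))
    env_hits = {}
    for pid in parse_proc_pids(os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                bad = suspicious_preloads(preload_from_environ(fh.read()))
        except OSError:
            continue  # permission denied or process exited; skip it
        if bad:
            env_hits[pid] = bad
    findings["environ"] = env_hits
    return findings


# Constructed sample data: `ps` omits PID 1337, which /proc still shows.
SAMPLE_PS = " 1\n 2\n 345\n 1200\n"
SAMPLE_PROC = ["1", "2", "345", "1200", "1337", "self", "cpuinfo", "meminfo"]
SAMPLE_LD_SO_PRELOAD = "# constructed sample\n/tmp/.x/libhook.so\n"
SAMPLE_ENVIRON = (b"PATH=/usr/bin\0"
                  b"LD_PRELOAD=/usr/lib/libselinux.so.1:/dev/shm/libhook.so\0"
                  b"HOME=/root\0")

if __name__ == "__main__":
    print("hidden PIDs:", hidden_pids(parse_proc_pids(SAMPLE_PROC), parse_ps_pids(SAMPLE_PS)))
    print("ld.so.preload:", suspicious_preloads(parse_preload_file(SAMPLE_LD_SO_PRELOAD)))
    print("environ:", suspicious_preloads(preload_from_environ(SAMPLE_ENVIRON)))
```

The cross-view check is only as trustworthy as the binary that produces the independent view, which is exactly why the article recommends statically linked AV/EDR tooling: a static binary carries its own libc and libpcap, so an `LD_PRELOAD` object is never mapped into it and its `readdir`, `fopen`, or packet-capture calls cannot be hooked. A preloaded object sitting in `/tmp`, `/dev/shm`, or a path marked `(deleted)` in `/proc/<pid>/maps` is a strong signal on its own, independent of what the process list shows.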