Introduction:
The intersection of Linux kernel internals and advanced persistent threats has given rise to a new generation of nearly undetectable malware—BPF-based backdoors that operate below the visibility of traditional security tools. These implants leverage the extended Berkeley Packet Filter (eBPF), a legitimate Linux kernel technology introduced in 2015, to inspect and modify network packets and system calls at the kernel level. When a seasoned incident responder with years of experience spends four days in Marion Marschalek’s “Advanced Linux Malware Reverse Engineering” course and emerges with a “completely fried” brain, you know the material is both intense and invaluable. This article chronicles the journey from classroom theory to successfully solving Hack The Box’s ShadowMonarch challenge—a sophisticated Linux backdoor featuring BPF-based evasion mechanisms—and provides a practical roadmap for security professionals looking to develop similar reverse engineering capabilities.
Learning Objectives:
- Master the fundamentals of Linux binary analysis, including ELF file format, process execution, and system call tracing
- Develop proficiency in reversing eBPF bytecode using tools like bpftool, Radare2, and Binary Ninja
- Understand BPF-based evasion techniques used by state-sponsored malware families including BPFDoor and Symbiote
- Learn to reconstruct activation protocols and extract Indicators of Compromise from sophisticated Linux backdoors
- Apply AI-assisted reverse engineering workflows to accelerate binary analysis
You Should Know:
1. Understanding the BPF Threat Landscape
The extended Berkeley Packet Filter (eBPF) represents one of the most significant advancements in Linux kernel technology—and simultaneously one of the most dangerous attack vectors for modern enterprises. While eBPF serves legitimate purposes in network monitoring, performance tracing, and security observability, malware authors have weaponized it to create nearly undetectable backdoors.
The BPFDoor malware family, first identified in 2021 and linked to the China-nexus threat actor Red Menshen, exemplifies this evolution. Rather than opening visible network ports that tools like `netstat` can detect, BPFDoor loads a custom BPF filter that watches every incoming packet on an infected system. The backdoor waits silently for a specially crafted “magic packet”—a trigger packet containing specific authentication values—and only activates when that exact signal arrives. Firewalls see nothing unusual; standard port scans return clean results. This passive design has allowed BPFDoor to remain undetected on compromised networks for months or even years.
In 2025 alone, FortiGuard Labs detected 151 new samples of BPFDoor. The malware supports TCP, UDP, and ICMP protocols, and recent variants have introduced stateless command-and-control routing and ICMP relay capabilities. Perhaps most concerning is the ability to masquerade as legitimate DNS traffic on port 53, blending seamlessly into normal network activity.
Step‑by‑step guide for initial BPF threat detection:
1. List all loaded eBPF programs using bpftool:
sudo bpftool prog list
Look for programs with unknown or suspicious names, especially those not associated with known system utilities.
2. Examine loaded kernel modules for suspicious entries:
lsmod | grep -v -e "^Module" -e "ext4" -e "video" | less
Investigate unfamiliar modules using `modinfo <module_name>`.
3. Monitor eBPF program loading events in system logs (the pattern needs extended regex, `-E`, for the `|` alternation to work):
sudo grep -iE "bpf|ebpf" /var/log/syslog /var/log/kern.log 2>/dev/null
4. Use ebpfkit-monitor for runtime detection:
git clone https://github.com/Gui774ume/ebpfkit-monitor
cd ebpfkit-monitor
make
sudo ./ebpfkit-monitor
This utility statically analyzes eBPF bytecode and monitors suspicious eBPF activity at runtime.
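Step 1 above says to look at `bpftool prog list` for programs that do not belong. The following added example (not from the original article, nor from any tool it mentions) shows how to make that review repeatable: it reads the JSON form of the same listing (`sudo bpftool -j prog show`) and flags programs whose tag is not in a baseline recorded on a known-clean host, programs of packet- or hook-capable types loaded by a process outside an expected allowlist, and unnamed socket filters. The sample listing, the program ids, tags, names and loader processes, and the baseline and allowlist are all constructed for the example.

```python
import json

# Constructed sample in the shape of `sudo bpftool -j prog show` output.
# Every id, tag, name and loader process below is invented for this example.
SAMPLE_BPFTOOL_JSON = """
[
  {"id": 12, "type": "cgroup_skb", "name": "sd_fw_egress", "tag": "0f1e2d3c4b5a6978",
   "gpl_compatible": true, "loaded_at": 1700000000, "uid": 0, "bytes_xlated": 64,
   "jited": true, "bytes_jited": 61, "map_ids": [], "pids": [{"pid": 1, "comm": "systemd"}]},
  {"id": 87, "type": "socket_filter", "name": "", "tag": "a1b2c3d4e5f60718",
   "gpl_compatible": false, "loaded_at": 1700000900, "uid": 0, "bytes_xlated": 480,
   "jited": true, "bytes_jited": 300, "map_ids": [], "pids": [{"pid": 4242, "comm": "unknown_svc"}]},
  {"id": 91, "type": "tracing", "name": "sched_process_exec", "tag": "deadbeef00112233",
   "gpl_compatible": true, "loaded_at": 1700001000, "uid": 0, "bytes_xlated": 2048,
   "jited": true, "bytes_jited": 1500, "map_ids": [5], "pids": [{"pid": 5100, "comm": "bpftrace"}]}
]
"""

# Program types that can see every packet or hook kernel code paths; an
# unexpected loader for one of these deserves a closer look.
PACKET_OR_HOOK_TYPES = {"socket_filter", "sched_cls", "sched_act", "xdp", "kprobe",
                        "tracepoint", "raw_tracepoint", "tracing", "lsm"}


def triage_bpftool_json(json_text, baseline_tags, trusted_loaders):
    """Return a list of (program_id, reason) findings for programs that deviate
    from a recorded baseline of program tags (the tag is a hash of the
    instructions, so it is stable across reboots) or were loaded by a process
    outside the expected tooling."""
    findings = []
    for prog in json.loads(json_text):
        loaders = {p.get("comm", "") for p in prog.get("pids", [])}
        if prog.get("tag") not in baseline_tags:
            findings.append((prog["id"], "tag not in baseline"))
        if prog.get("type") in PACKET_OR_HOOK_TYPES and not loaders <= trusted_loaders:
            unexpected = ",".join(sorted(loaders - trusted_loaders))
            findings.append((prog["id"], f"loaded by untrusted process {unexpected}"))
        if prog.get("type") == "socket_filter" and not prog.get("name"):
            findings.append((prog["id"], "unnamed socket_filter"))
    return findings


def flagged_ids(findings):
    """Distinct program ids that produced at least one finding, sorted."""
    return sorted({prog_id for prog_id, _ in findings})


if __name__ == "__main__":
    baseline = {"0f1e2d3c4b5a6978"}                 # constructed known-good tag set
    trusted = {"systemd", "bpftool", "bpftrace"}     # constructed loader allowlist
    for prog_id, reason in triage_bpftool_json(SAMPLE_BPFTOOL_JSON, baseline, trusted):
        print(f"prog id {prog_id}: {reason}")
```

In use, pipe the real listing in with `sudo bpftool -j prog show | python3 triage.py` after replacing the sample with `sys.stdin.read()`, and record the baseline tag set from a freshly built host of the same image. The `pids` field is only populated on kernels that expose BPF iterators, so an empty list is not by itself a finding.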
2. Setting Up Your Reverse Engineering Environment
Marion Marschalek’s course emphasizes the importance of a properly configured analysis environment. Students are required to have a laptop with an Intel chip, a minimum of 30GB of free disk space, VirtualBox virtualization software, and permissions to install software. Prior knowledge of x86-64 reverse engineering at a basic or intermediate level is essential.
For the ShadowMonarch challenge, Stephan Berger used Binary Ninja—a modern reverse engineering platform that offers a more intuitive experience compared to traditional tools like IDA Pro. Binary Ninja’s recent improvements include automatic handling of anti-reversing techniques, such as the bogus big-endian flag for x86/x86-64 binaries. The platform also supports AI-assisted analysis through plugins like Sidekick, which automates reverse engineering tasks.
Step‑by‑step guide for environment setup:
1. Install Binary Ninja (commercial) or set up IDA Pro with the eBPF processor plugin. The eBPF processor for IDA Pro, developed by BlackBerry, enables disassembly and analysis of eBPF bytecode within the familiar IDA interface.
2. Install Radare2 for BPF bytecode analysis:
git clone https://github.com/radareorg/radare2
cd radare2
./sys/install.sh
Radare2 supports BPF bytecode natively.
3. Install Capstone engine for programmatic disassembly:
sudo apt-get install libcapstone-dev
Capstone can be used to build custom analysis scripts for BPF bytecode.
4. Set up a Linux analysis VM with the following:
– Ubuntu 22.04 LTS or later
– 4+ CPU cores, 8GB+ RAM
– Kernel version 5.15 or higher (for full eBPF support)
– Development tools: build-essential, linux-headers-$(uname -r), `bpftool`
5. Install AI-assisted analysis tools for Binary Ninja:
– Install the BinAssist plugin via Binary Ninja’s Plugin Manager
– Configure Sidekick for automated reverse engineering tasks
3. Reversing BPF Bytecode: Tools and Techniques
Reversing BPF bytecode presents unique challenges. BPF uses its own instruction set—fixed-size 64-bit instructions, intentionally minimal, and fundamentally different from x86 or ARM architectures. While the eBPF ISA is not “complex,” it adds another layer of difficulty to the reverse engineering process.
During Marion’s course, students learn to identify system calls, understand how to start analysis, and figure out which functions might correspond to which parts of the malware. The ShadowMonarch challenge specifically required understanding the backdoor’s BPF-based evasion mechanism and reconstructing the activation protocol.
Step‑by‑step guide for BPF bytecode reverse engineering:
1. Extract eBPF bytecode from the malware binary using Radare2:
r2 -A malicious_sample
Navigate to the section containing the BPF bytecode object.
2. Disassemble the BPF bytecode using Radare2’s BPF analysis capabilities. Inside the r2 shell, switch the disassembler architecture to BPF and print the instructions:
e asm.arch=bpf
pd 100
This displays the BPF instructions in human-readable format.
3. Use bpftool to dump BPF programs from a running system (for live analysis):
sudo bpftool prog dump xlated id <program_id>
sudo bpftool prog dump jited id <program_id>
The `xlated` option shows the BPF bytecode; `jited` shows the JIT-compiled machine code.
4. Analyze BPF filter logic to identify trigger conditions. BPF programs typically use conditional jumps to match specific packet patterns—these are the “magic packet” authentication checks.
5. Reconstruct the activation protocol by tracing the BPF program’s logic:
– Identify which packet fields are inspected (source IP, destination port, payload patterns)
– Determine the authentication values (magic bytes, XOR keys)
– Map the actions triggered (bind shell, reverse shell, ICMP relay)
6. Leverage AI assistance for rapid analysis. As Berger noted, “manual reversing combined with some AI support is incredibly fast, especially when analyzing BPF bytecode”. Binary Ninja’s Sidekick or BinAssist plugins can provide real-time analysis suggestions.
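The steps above rely on a disassembler to turn the fixed-size 64-bit eBPF instructions into something readable and on the analyst spotting the conditional jumps that compare packet fields against constants. The following added example (written for this article, not code from the course, the challenge or any tool named here) does both by hand so the encoding is visible: it decodes raw eBPF bytecode with Python’s `struct` module using the documented instruction layout (opcode, dst/src register nibbles, 16-bit offset, 32-bit immediate), handles the two-slot `lddw` form, and then lists every conditional jump that compares a register with an immediate, which is where a filter’s “magic” values live. The sample program, its field offset 80 and the value 0x1337 are hand-assembled for the example and do not come from any real sample.

```python
import struct
from dataclasses import dataclass

# Constructed eBPF program, hand-assembled for this example (not from any real
# sample). Semantics: r0 = 0; r2 = *(u32 *)(r1 + 80); if (r2 != 0x1337) goto exit;
# r0 = 1; exit. Offset 80 and 0x1337 are arbitrary stand-ins for a magic check.
SAMPLE_BYTECODE = bytes.fromhex(
    "b700000000000000"   # mov r0, 0
    "6112500000000000"   # ldxw r2, [r1+80]
    "5502010037130000"   # jne r2, 0x1337, +1
    "b700000001000000"   # mov r0, 1
    "9500000000000000"   # exit
)

ALU_OPS = {0x00: "add", 0x10: "sub", 0x20: "mul", 0x30: "div", 0x40: "or", 0x50: "and",
           0x60: "lsh", 0x70: "rsh", 0x80: "neg", 0x90: "mod", 0xa0: "xor", 0xb0: "mov",
           0xc0: "arsh", 0xd0: "end"}
JMP_OPS = {0x00: "ja", 0x10: "jeq", 0x20: "jgt", 0x30: "jge", 0x40: "jset", 0x50: "jne",
           0x60: "jsgt", 0x70: "jsge", 0x80: "call", 0x90: "exit", 0xa0: "jlt", 0xb0: "jle",
           0xc0: "jslt", 0xd0: "jsle"}
SIZE_SUFFIX = {0x00: "w", 0x08: "h", 0x10: "b", 0x18: "dw"}
COMPARE_OPS = {0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0xa0, 0xb0, 0xc0, 0xd0}


@dataclass
class Insn:
    index: int      # instruction slot (lddw occupies two slots)
    opcode: int
    dst: int
    src: int
    off: int
    imm: int
    text: str


def decode(bytecode):
    """Decode raw eBPF bytecode (little-endian, 8 bytes per instruction) into
    Insn records carrying an assembler-style text form."""
    if len(bytecode) % 8:
        raise ValueError("eBPF bytecode must be a multiple of 8 bytes")
    insns, i, n = [], 0, len(bytecode) // 8
    while i < n:
        opcode, regs, off, imm = struct.unpack_from("<BBhi", bytecode, i * 8)
        dst, src = regs & 0xF, regs >> 4
        cls, step = opcode & 0x07, 1
        if cls in (0x04, 0x07):                       # alu / alu64 (end is printed generically)
            name = ALU_OPS.get(opcode & 0xF0, "alu?") + ("32" if cls == 0x04 else "")
            operand = f"r{src}" if opcode & 0x08 else f"{imm:#x}"
            text = f"{name} r{dst}" if name.startswith("neg") else f"{name} r{dst}, {operand}"
        elif cls in (0x05, 0x06):                     # jmp / jmp32
            op = opcode & 0xF0
            name = JMP_OPS.get(op, "jmp?") + ("32" if cls == 0x06 else "")
            if op == 0x90:
                text = "exit"
            elif op == 0x80:
                text = f"call {imm}"
            elif op == 0x00:
                text = f"ja {off:+d}"
            else:
                operand = f"r{src}" if opcode & 0x08 else f"{imm:#x}"
                text = f"{name} r{dst}, {operand}, {off:+d}"
        elif cls == 0x01:                             # ldx: register-relative load
            text = f"ldx{SIZE_SUFFIX[opcode & 0x18]} r{dst}, [r{src}{off:+d}]"
        elif opcode == 0x18:                          # lddw: 64-bit immediate spread over two slots
            if i + 1 >= n:
                raise ValueError(f"truncated lddw at slot {i}")
            hi = struct.unpack_from("<i", bytecode, (i + 1) * 8 + 4)[0]
            imm = (imm & 0xFFFFFFFF) | (hi << 32)
            text, step = f"lddw r{dst}, {imm:#x}", 2
        elif cls == 0x00:                             # legacy packet loads (ld abs / ld ind)
            base = f"r{src}+" if (opcode & 0xE0) == 0x40 else ""
            text = f"ld{SIZE_SUFFIX[opcode & 0x18]} r0, [{base}{imm:#x}]"
        elif cls == 0x02:                             # st: store immediate
            text = f"st{SIZE_SUFFIX[opcode & 0x18]} [r{dst}{off:+d}], {imm:#x}"
        else:                                         # stx: store register
            text = f"stx{SIZE_SUFFIX[opcode & 0x18]} [r{dst}{off:+d}], r{src}"
        insns.append(Insn(i, opcode, dst, src, off, imm, text))
        i += step
    return insns


def find_immediate_compares(insns):
    """Return (slot, mnemonic, immediate) for every conditional jump that
    compares a register against a constant: the candidates for magic values."""
    out = []
    for insn in insns:
        cls, op = insn.opcode & 0x07, insn.opcode & 0xF0
        if cls in (0x05, 0x06) and op in COMPARE_OPS and not (insn.opcode & 0x08):
            out.append((insn.index, insn.text.split()[0], insn.imm))
    return out


if __name__ == "__main__":
    program = decode(SAMPLE_BYTECODE)
    for insn in program:
        print(f"{insn.index:4d}: {insn.text}")
    print("immediate compares:", find_immediate_compares(program))
```

The bytes handed to `decode` can come from a section carved out of the sample with Radare2 or from `bpftool prog dump xlated id <program_id>` on a live host (the `xlated` form is post-verifier, so helper calls and map references may look different from the on-disk object). The immediate-compare list is a starting point, not an answer: a value found this way still has to be traced back to the packet field it is compared against, which is step 5 above.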
4. Detection and Mitigation Strategies
Detecting BPF-based backdoors remains extraordinarily challenging because eBPF filters operate at the kernel level, below the visibility of standard security monitoring tools. However, several detection strategies have proven effective:
Step‑by‑step guide for detection and mitigation:
1. Monitor for bpftool execution that loads, attaches, or pins eBPF programs. Elastic’s detection rules identify these operations as they interact directly with the Linux eBPF subsystem. An auditd rule that records every execution of bpftool:
sudo auditctl -a always,exit -F path=/usr/sbin/bpftool -F perm=x -k ebpf_load
2. Implement strict privilege management for eBPF program loading. Only root and users with the `CAP_BPF` capability should be able to load eBPF programs.
3. Use SELinux or AppArmor to restrict which users or processes can load eBPF programs.
4. If infection is confirmed, remove the malicious components:
# Unload the malicious kernel module
sudo rmmod <malicious_module_name>
# Detach the eBPF program from its attachment point
sudo bpftool prog detach id <program_id>
# Delete the eBPF program file
sudo rm /path/to/malicious_program.o
5. Run a rootkit scanner to detect remaining traces:
sudo rkhunter --checkall
sudo chkrootkit
6. For deeply compromised systems, restore from a known good backup or re-image the machine.
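The audit rule in step 1 records executions of bpftool, but a backdoor that loads its filter through the `bpf(2)` system call directly never runs bpftool. The following added example (not part of the original article and not from any tool it names) assumes a complementary rule on the system call itself, `auditctl -a always,exit -F arch=b64 -S bpf -k ebpf_load`, and triages the resulting `SYSCALL` records: on x86_64 the bpf syscall is number 321 and the first argument `a0` is the `bpf_cmd` value, so the script decodes `a0`, keeps only the commands that put a program into effect (`BPF_PROG_LOAD`, `BPF_OBJ_PIN`, `BPF_PROG_ATTACH`), and reports callers whose executable is not in a trusted list or lives in a world-writable directory. The audit lines, process names, paths and the trusted list are all constructed for the example.

```python
import re

# Constructed audit records (hypothetical; not from any real incident) in the
# shape auditd writes for the rule
#   auditctl -a always,exit -F arch=b64 -S bpf -k ebpf_load
# on x86_64, where syscall 321 is bpf(2) and a0 is the bpf command number (hex).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000100.101:201): arch=c000003e syscall=321 success=yes exit=3 a0=5 a1=7ffd10 a2=90 a3=0 items=0 ppid=1 pid=1337 auid=4294967295 uid=0 gid=0 euid=0 comm="systemd" exe="/usr/lib/systemd/systemd" key="ebpf_load"
type=SYSCALL msg=audit(1700000200.202:202): arch=c000003e syscall=321 success=yes exit=4 a0=5 a1=7ffd20 a2=90 a3=0 items=0 ppid=4100 pid=4242 auid=1000 uid=0 gid=0 euid=0 comm="unknown_svc" exe="/dev/shm/unknown_svc" key="ebpf_load"
type=SYSCALL msg=audit(1700000300.303:203): arch=c000003e syscall=321 success=yes exit=5 a0=0 a1=7ffd30 a2=90 a3=0 items=0 ppid=2000 pid=5100 auid=1000 uid=0 gid=0 euid=0 comm="bpftool" exe="/usr/sbin/bpftool" key="ebpf_load"
type=SYSCALL msg=audit(1700000400.404:204): arch=c000003e syscall=321 success=yes exit=0 a0=8 a1=7ffd40 a2=20 a3=0 items=0 ppid=4100 pid=4242 auid=1000 uid=0 gid=0 euid=0 comm="unknown_svc" exe="/dev/shm/unknown_svc" key="ebpf_load"
"""

# Values of enum bpf_cmd that matter here; 5, 6 and 8 put a program into effect.
BPF_CMD_NAMES = {0: "BPF_MAP_CREATE", 5: "BPF_PROG_LOAD", 6: "BPF_OBJ_PIN",
                 8: "BPF_PROG_ATTACH", 9: "BPF_PROG_DETACH"}
ACTIVATING_CMDS = {5, 6, 8}
X86_64_ARCH, X86_64_NR_BPF = "c000003e", 321
WORLD_WRITABLE_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/")

# key=value pairs; quoted values may contain spaces, bare ones may not.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Split one audit record into a dict, dropping quotes from quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def triage_bpf_audit(log_text, trusted_exes):
    """Return (pid, comm, exe, cmd_name) for successful bpf(2) calls that load,
    pin or attach a program from an untrusted or world-writable executable."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != X86_64_ARCH:
            continue
        if int(rec.get("syscall", -1)) != X86_64_NR_BPF or rec.get("success") != "yes":
            continue
        cmd = int(rec.get("a0", "0"), 16)
        if cmd not in ACTIVATING_CMDS:
            continue
        exe = rec.get("exe", "")
        if exe in trusted_exes and not exe.startswith(WORLD_WRITABLE_PREFIXES):
            continue
        findings.append((int(rec["pid"]), rec.get("comm", ""), exe,
                         BPF_CMD_NAMES.get(cmd, f"BPF_CMD_{cmd}")))
    return findings


if __name__ == "__main__":
    trusted = {"/usr/lib/systemd/systemd", "/usr/sbin/bpftool"}   # constructed allowlist
    for pid, comm, exe, cmd in triage_bpf_audit(SAMPLE_AUDIT_LOG, trusted):
        print(f"pid {pid} ({comm}, {exe}) issued {cmd}")
```

On a real host feed it `ausearch -k ebpf_load --raw` output. The arch and syscall-number check is deliberate: the number 321 is only correct for x86_64, so records from other architectures are skipped rather than misread, and a deployment on arm64 would need its own constant.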
5. The ShadowMonarch Challenge: From Theory to Practice
The ShadowMonarch challenge on Hack The Box presented a sophisticated Linux backdoor requiring full reverse engineering to understand its BPF-based evasion mechanism, reconstruct the activation protocol, and extract all indicators of compromise.
Berger’s approach combined the structured methodology learned in Marion’s course with Binary Ninja’s analysis capabilities. The “aha, I recognize this” moments came repeatedly—recognizing system call patterns, understanding how to start the analysis, and identifying which functions corresponded to which parts of the malware.
Key lessons from this experience:
- System calls are your roadmap: Understanding Linux system call interfaces provides critical context for malware behavior analysis
- Start with high-level structure: Identify the malware’s major functional components before diving into low-level details
- Leverage multiple tools: No single tool provides all answers; switching between Binary Ninja, command-line utilities, and AI assistance accelerates analysis
- Document everything: Extract and document IOCs including file hashes, process names, network indicators, and BPF filter signatures
What Undercode Says:
- Key Takeaway 1: BPF-based malware represents a paradigm shift in Linux threats—these backdoors operate at the kernel level, making them invisible to traditional security tools and requiring specialized reverse engineering skills to detect and analyze. The 151 new BPFDoor samples detected in 2025 alone demonstrate that this is not a theoretical threat but an active, evolving attack vector.
- Key Takeaway 2: The combination of formal training (like Marion Marschalek’s four-day course) with hands-on practice (like the ShadowMonarch HTB challenge) is the most effective path to developing advanced malware reverse engineering capabilities. The structured approach to Linux internals, binary analysis, and eBPF reversing provides a foundation that accelerates real-world analysis.
The emergence of eBPF-based malware reflects a strategic shift in offensive operations. Unlike mass-distributed ransomware or common botnets, eBPF rootkits require specialized technical expertise to develop and deploy. This exclusivity makes them the preferred choice for state-sponsored attackers seeking reliable, long-term access to critical infrastructure. The technical barrier to entry is high—but as Berger’s experience demonstrates, the skills are learnable through dedicated training and practice.
Prediction:
- +1 The growing awareness of BPF-based threats will drive significant investment in eBPF security monitoring and detection tools. Open-source projects like ebpfkit-monitor and commercial solutions will mature, providing defenders with better visibility into kernel-level activities.
- +1 AI-assisted reverse engineering will become increasingly mainstream, dramatically reducing the time required to analyze complex malware samples. Berger’s observation that “manual reversing combined with AI support is incredibly fast” points to a future where analysts can focus on strategic understanding rather than tedious manual analysis.
- -1 The sophistication of BPF-based malware will continue to evolve. Recent variants already support stateless C2, ICMP relaying, and port hopping across TCP, UDP, and ICMP. Future iterations will likely incorporate additional evasion techniques, making detection even more challenging.
- -1 The skills gap in Linux malware reverse engineering will persist. As Marion Marschalek’s course remains one of the few comprehensive offerings in this space, organizations will struggle to build internal capabilities, leaving many vulnerable to advanced BPF-based threats.
- +1 The cybersecurity community’s response—through platforms like Hack The Box, training courses, and open-source tools—will continue to democratize access to advanced reverse engineering knowledge. This will gradually erode the attacker’s advantage in the eBPF threat landscape.
Reported By: Stephan Berger – Hackers Feeds