As usual, @haxrob's reporting on Linux malware really is excellent:
* https://haxrob.net/bpfdoor-past-and-present-part-1/
* https://haxrob.net/bpfdoor-past-and-present-part-2/
More proof if it were needed that Linux targetting threat actors have been hanging around for the last decade or two but largely avoided the limelight.