Hashtag: #BPFdoor
New Whitepaper: Stealthy BPFDoor Variants are a Needle That Looks Like Hay The article analyzes BPFDoor-derived implants (icmpShell/httpShell and multiple Rapid7 variants) that use custom BPF filters, protocol sniffing, and protocol-tunneling C2 to achieve stealthy remote shells and persistence. It highlights key artifacts such as the RC4 key "icmp", hardcoded ICMP Sequence Number 1234, and active beaconing domains that masquerade as NTP-over-SSL. #BPFDoor #icmpShell

New whitepaper reveals stealthy BPFDoor variants using custom BPF filters, ICMP PTY tunnels with RC4 key “icmp”, and NTP-over-SSL beaconing domains for covert C2 and persistence. #BPFDoor #ProtocolTunneling #UnitedStates

Digital sleeper cells: Hidden Linux malware discovered in telco networks - Golem.de Researchers examined the networks of telco providers and found a hidden backdoor malware. Hackers are said to be using it for espionage.

Hidden Linux malware discovered in telco networks
glm.io/207004?n #Cybercrime #Malware #BPFDoor #Linux


Hidden Linux malware discovered in telco networks
https://glm.io/207004?n #Cybercrime #Malware #BPFDoor #Linux

A China-linked APT group, Red Menshen, is targeting telecommunications providers in the Middle East and Asia with a stealthy Linux backdoor called BPFDoor for long-term espionage.

🇨🇳 China-linked APT 'Red Menshen' is planting stealthy BPFDoor backdoors in global telecom networks. The malware creates 'digital sleeper cells' for long-term espionage. 📡 #APT #BPFDoor #CyberEspionage

China-linked hackers plant stealth malware deep in global telecom networks: Report - Yes Punjab News Report warns of China-linked hackers using stealth malware like BPFdoor to infiltrate global telecom networks for long-term espionage.

China-linked hackers plant stealth malware deep in global telecom networks: Report yespunjab.com?p=233499

#CyberSecurity #ChinaHackers #BPFdoor #TelecomSecurity #CyberThreat #Rapid7 #DataSecurity #GlobalTech #Hacking #DigitalEspionage #TechNews #BreakingNews


China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks reconbee.com/china-linked...

#china #chinese #RedMenshen #BPFDoor #spy #telecomnetwork #potatoattack

China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks ... occupy networks of interest ...

China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks reconbee.com/china-linked...

#china #chinese #RedMenshen #BPFDoor #spy #telecomnetwork #cyberattack

China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks A long-running China-nexus campaign attributed to Red Menshen has implanted kernel-level sleeper cells inside telecom networks to conduct espionage against government and subscriber systems. The actor leverages stealthy tools—most notably the Linux backdoor BPFDoor that abuses Berkeley Packet Filter functionality, hides trigger packets in HTTPS, and supports SCTP to monitor telecom...

China-linked group Red Menshen uses BPFDoor, a stealthy Linux backdoor exploiting Berkeley Packet Filter, to implant sleeper cells in telecom networks for covert espionage on government and subscriber systems. #RedMenshen #BPFDoor #China

Original post on capalearning.com

China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks A sophisticated and ongoing cyber espionage campaign linked to a Chinese threat actor has been discovered infiltr...

#Cyber #Security #BPFDoor #ChinaLinked #Implants […]

Original post on securityweek.com

Chinese Hackers Caught Deep Within Telecom Backbone Infrastructure The state-sponsored threat actor deployed kernel implants and passive backdoors enabling long-term, high-level espionage. The post...

#Nation-State #backdoor #BPFDoor #China #APT #malware […]


Linux Systems Under Attack from BPFDoor and Symbiote Rootkits Exploiting eBPF Filters Linux systems are increasingly being targeted by advanced rootkits that exploit BPF and eBPF filters to hide th...

#Cyber #Security #News #Linux #BPFDoor #and #Symbiote #rootkits

Original post on infosec.exchange

As usual, @haxrob's reporting on Linux malware really is excellent:

* https://haxrob.net/bpfdoor-past-and-present-part-1/
* https://haxrob.net/bpfdoor-past-and-present-part-2/

More proof, if it were needed, that Linux-targeting threat actors have been hanging around for the last decade or two […]


Since we are taking a closer look at #BPFDoor, let's do a bit of digging. Remember this hard-coded epoch timestamp used for tampering with its file modified time: October 30, 2008?

(6/21)


Newer variants of #BPFDoor have an interesting modification that avoids detections looking for processes with raw sockets. The kernel reports SOCK_DGRAM rather than the rather loud "SOCK_RAW". Here we have a sample found in the recent SK telco breach.

(1/21)

BPFDoor is a Linux-based backdoor malware. AhnLab previously published their EDR detection information on this malware through the ASEC blog in October 2024. KISA recently shared threat information and warnings on BPFDoor, which has been exploited in hacking attacks. V3 detection information on the hash values shared by KISA in their first and second notices is as follows.

* Previous ASEC Blog Post: BPFDoor Linux Malware Detected by AhnLab EDR

**Sample Hash Values Shared by KISA in Their First Notice (link to KISA Bohonara first notice)**

No | File Name | Size | MD5 | SHA2 | V3 Detection Information
---|---|---|---|---|---
1 | hpasmmld | 2,265KB | a47d96ffe446a431a46a3ea3d1ab4d6e | c7f693f7f85b01a8c0e561bd369845f40bff423b0743c7aa0f4c323d9133b5d4 | Backdoor/Linux.BPFDoor.2318528 (2025.04.24.00)
2 | smartadm | 2,067KB | 227fa46cf2a4517aa1870a011c79eb54 | 3f6f108db37d18519f47c5e4182e5e33cc795564f286ae770aa03372133d15c4 | Backdoor/Linux.BPFDoor.2116536 (2025.04.24.00)
3 | hald-addon-volume | 2,071KB | f4ae0f1204e25a17b2adbbab838097bd | 95fd8a70c4b18a9a669fec6eb82dac0ba6a9236ac42a5ecde270330b66f51595 | Backdoor/Linux.BPFDoor.2120632 (2025.04.24.00)
4 | dbus-srv-bin.txt | 34KB | 714165b06a462c9ed3d145bc56054566 | aa779e83ff5271d3f2d270eaed16751a109eb722fca61465d86317e03bbf49e4 | Backdoor/Linux.BPFDoor.34752 (2025.04.24.00)

**Sample Hash Values Shared by KISA in Their Second Notice (link to KISA Bohonara second notice)**

No | File Name | Size | MD5 | SHA2 | V3 Detection Information
---|---|---|---|---|---
1 | dbus-srv | 34KB | 3c54d788de1bf6bd2e7bc7af39270540 | 925ec4e617adc81d6fcee60876f6b878e0313a11f25526179716a90c3b743173 | Backdoor/Linux.BPFDoor.34752 (2025.04.24.00)
2 | inode262394 | 28KB | fbe4d008a79f09c2d46b0bcb1ba926b3 | 29564c19a15b06dd5be2a73d7543288f5b4e9e6668bbd5e48d3093fb6ddf1fdb | Backdoor/Linux.BPFDoor.XE254 (2025.04.29.02)
3 | dbus-srv | 34KB | c2415a464ce17d54b01fc91805f68967 | be7d952d37812b7482c1d770433a499372fde7254981ce2e8e974a67f6a088b5 | Backdoor/Linux.BPFDoor.34752 (2025.04.24.00)
4 | dbus-srv | 34KB | aba893ffb1179b2a0530fe4f0daf94da | 027b1fed1b8213b86d8faebf51879ccc9b1afec7176e31354fbac695e8daf416 | Backdoor/Linux.BPFDoor.34752 (2025.04.24.00)
5 | dbus-srv | 32KB | e2c2f1a1fbd66b4973c0373200130676 | a2ea82b3f5be30916c4a00a7759aa6ec1ae6ddadc4d82b3481640d8f6a325d59 | Backdoor/Linux.BPFDoor (2025.05.03.01)
6 | File_in_Inode_#1900667 | 28KB | dc3361ce344917da20f1b8cb4ae0b31d | e04586672874685b019e9120fcd1509d68af6f9bc513e739575fc73edefd511d | Backdoor/Linux.BPFDoor (2025.05.03.01)
7 | gm | 2,063KB | 5f6f79d276a2d84e74047358be4f7ee1 | adfdd11d69f4e971c87ca5b2073682d90118c0b3a3a9f5fbbda872ab1fb335c6 | Trojan/Linux.BPFControl (2025.05.03.01)
8 | rad | 22KB | 0bcd4f14e7d8a3dc908b5c17183269a4 | 7c39f3c3120e35b8ab89181f191f01e2556ca558475a2803cb1f02c05c830423 | Trojan/Linux.BPFControl (2025.05.03.01)

As BPFDoor is open source, various malware strains can continue to be distributed. Therefore, defense through additional solutions such as EDR is necessary. The following are the detection names of AhnLab EDR and AIPS for BPFDoor.

**EDR Detection Information**

* DefenseEvasion/EDR.Event.M12190 (2024.10.08.02)
* Behavior/DETECT.Event.M12191 (2024.10.08.02)
* DefenseEvasion/DETECT.Firewall.M12192 (2024.10.08.02)
* DefenseEvasion/DETECT.Firewall.M12193 (2024.10.08.02)
* Execution/EDR.BPFDoor.M12195 (2025.05.05.02)
* Execution/EDR.BPFDoor.M12599 (2025.05.08.02)

**AIPS Detection Information**

* BPFDoor Malware CnC Communication-1 (427)
* BPFDoor Malware CnC Communication-2 (427)
* BPFDoor Malware CnC Communication-3 (427)
* BPFDoor Malware CnC Communication-4 (427)
* BPFDoor Malware CnC Communication-5 (427)
* BPFDoor Malware CnC Communication-6 (427)
* BPFDoor Malware CnC Communication-7 (427)
* BPFDoor Malware CnC Communication-8 (427)

MD5

* 0bcd4f14e7d8a3dc908b5c17183269a4
* 227fa46cf2a4517aa1870a011c79eb54
* 3c54d788de1bf6bd2e7bc7af39270540
* 5f6f79d276a2d84e74047358be4f7ee1
* 714165b06a462c9ed3d145bc56054566

SHA2

* 027b1fed1b8213b86d8faebf51879ccc9b1afec7176e31354fbac695e8daf416
* 29564c19a15b06dd5be2a73d7543288f5b4e9e6668bbd5e48d3093fb6ddf1fdb
* 3f6f108db37d18519f47c5e4182e5e33cc795564f286ae770aa03372133d15c4
* 7c39f3c3120e35b8ab89181f191f01e2556ca558475a2803cb1f02c05c830423
* 925ec4e617adc81d6fcee60876f6b878e0313a11f25526179716a90c3b743173

Tags: backdoor, BPF, BPFDoor, Linux backdoor, security incident, hacking, Linux

AhnLab Detection Information on BPFDoor Exploited in Recent Hacking Attacks and KISA Hash Notice ...

https://asec.ahnlab.com/en/87863/

#Malware #Public #backdoor #BPF #BPFDoor #리눅스 #백도어 #침해사고 #해킹 #Linux
SKT hack: was actual malware used? Analysis of the Chinese hackers' Linux backdoor BPFDoor. Today I will analyze the original BPFdoor code, which is presumed to be the backdoor used in the SKT hack. First, since this is something I am studying personally, there may be errors. The stealth rootkit-like malware known as BPFDoor (detected as Backdoor.Linux.BPFDOOR) is a backdoor with strong stealth capabilities, and most of it is BFF (Ber...

SKT hack: was actual malware used? Analysis of the Chinese hackers' Linux backdoor BPFDoor
wezard4u.tistory.com/429473
#해킹 #SKT #it #보안 #BPFDoor #bpfdoor #리눅스 #백도어

New BPFDoor Controller Enables Stealthy Lateral Movement in Linux Server Attacks BPFDoor was initially discovered in 2022 ...

New BPFDoor Controller Enables Stealthy Lateral Movement in Linux Server Attacks reconbee.com/new-bpfdoor-...

#BPFDoor #linuxserverattacks #linuxservers #cyberattack #CyberSecurity #CyberSecurityAwareness


Enhanced Version of ‘BPFDoor’ Linux Backdoor Seen in the Wild In recent attacks, the state-sp...

www.securityweek.com/enhanced-version-of-bpfd...

#Malware #& #Threats #backdoor #BPFDoor #China #malware
BPFDoor's Hidden Controller Used Against Asia, Middle East Targets A controller linked to BPF backdoor can open a reverse shell, enabling deeper infiltration into compromised networks. Recent attacks have been observed targeting the telecommunications, finance, and r...

#BPFDoor malware's hidden controller targets Asia/Middle East—evades detection via BPF filters for stealthy C2.

Full analysis: www.trendmicro.com/en_us/resear... #CyberEspionage #APT

BPFDoor Malware Uses Reverse Shell to Expand Control Over Compromised Networks A new wave of cyber espionage attacks has brought BPFDoor malware into the spotlight as a stealthy and dangerous tool for compromising networks.

BPFDoor Malware Uses Reverse Shell to Expand Control Over Compromised Networks
gbhackers.com/bpfdoor-malw...

#Infosec #Security #Cybersecurity #CeptBiro #BPFDoor #Malware #ReverseShell #CompromisedNetworks


BPFDoor exploits BPF filters in the Linux kernel to evade network controls in APT attacks attributed to Red Menshen in Asia and the Middle East

#apt #bpfdoor #cyberspionaggio #earthbluecrow #guerracibernetica #Linux #magicpacket #malware #redmenshen
www.matricedigitale.it/sicurezza-in...

BPFDoor's Hidden Controller Used Against Asia, Middle East Targets A controller linked to BPF backdoor can open a reverse shell, enabling deeper infiltration into compromised networks. Recent attacks have been observed targeting the telecommunications, finance, and r...

In our latest research, we took a deep dive into how a #BPFDoor controller found in a recently targeted company operates. This threat actor has been active for years, targeting #Linux servers of interest (mostly from telcos, but also from other sectors). 🐧 www.trendmicro.com/en_us/resear...

BPFDoor's Hidden Controller Used Against Asia, Middle East Targets A controller linked to BPF backdoor can open a reverse shell, enabling deeper infiltration into compromised networks. Recent attacks have been observed targeting the telecommunications, finance, and retail sectors across South Korea, Hong Kong, Myanmar, Malaysia, and Egypt.

Stealthy and persistent: #BPFdoor is back, slipping past defenses with almost no trace. Learn how this elusive Linux backdoor hides in plain sight and what it means for enterprise security. Full analysis by @TrendMicro: www.trendmicro.com/en_us/research/25/d/bpfd...
