BPFDoor
BPFDoor is a stealth Linux backdoor that abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic inside the kernel and activate only when it receives specially crafted trigger or “magic” packets. It typically does not expose listening ports or maintain visible command-and-control channels, which makes it difficult to detect with traditional endpoint and network monitoring. Reported capabilities include spawning bind or reverse shells, passive packet-triggered activation, ICMP-based control and relay messaging, and, in newer variants, concealment of triggers inside legitimate HTTPS traffic after TLS termination.

Rapid7 reported multiple newer variants with expanded functionality: stateless command-and-control routing, HTTP-based and ICMP-based shell variants, multi-protocol trigger monitoring over TCP/UDP/ICMP, active outbound beaconing over port 443 using RC4-MD5, SCTP-aware packet inspection, and protocol-specific magic-byte activation. Some variants use RC4 encryption, UDP/ICMP hole-punching, a hardcoded ICMP sequence number of 1234, TCP port 9999 reverse-shell logic, and masquerading as legitimate HPE ProLiant management or container-related processes.

Anti-forensics and evasion behaviors explicitly reported include changing the executable's timestamp via utimes(), clearing /proc/<PID>/environ to remove the process environment variables, wiping all file descriptors, hiding under paths such as /var/run/user/0, avoiding chmod to reduce audit logging, and process masquerading.

The malware is associated primarily with the China-linked threat actor Red Menshen (also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18) in long-running espionage campaigns active since at least 2021. Reported targeting includes telecommunications providers across the Middle East, Asia, Africa, Europe, and other regions, with additional reporting of impacts to government, defense, critical infrastructure, finance, and retail sectors.
Reporting indicates that attackers commonly gained initial access through exposed edge services and compromised internet-facing infrastructure such as VPNs, firewalls, and virtualization hosts, including devices from Ivanti, Cisco, Juniper, Fortinet, VMware, and Palo Alto Networks, as well as through valid accounts. Telecom-focused reporting notes that some BPFDoor samples inspect SCTP traffic and may provide access adjacent to signaling and subscriber-related data in 4G/5G environments.

Reported indicators and artifacts include: execution from /var/run/user/0; creation of known lockfiles; process names such as hpasmlited, hpaslimited, and cmathreshd, and Docker/containerd-like command-line arguments; the domains ntpussl.instanthq.com, ntpupdate.ddnsgeek.com, ntpupdate.ygto.com, and ntpd.casacam.net; the magic marker string "9999" at fixed offsets in HTTPS requests; the ICMP marker value 0xFFFFFFFF; the magic bytes 0xA9F205C3; and the hardcoded password dP7sRa3XwLm29E in one variant.
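The network-side indicators above (the 0xA9F205C3 magic bytes, the ICMP marker 0xFFFFFFFF and sequence number 1234, TCP port 9999, and the "9999" marker in HTTP requests) can be matched against captured packets with a small parser. The following is an added example written for this page, not code from Mallory, Rapid7, or any BPFDoor sample. Because the page does not state the fixed offsets, the payload is searched in full (an assumption that trades precision for coverage); the packet builders and the RFC 5737 addresses are constructed test data, not captures.

```python
"""Match BPFDoor trigger indicators from this page against raw IPv4 packets (added example)."""
import struct
from dataclasses import dataclass

# Indicator values as listed on this page; where the page gives no offset, the whole
# payload is searched (an assumption; tighten to a known offset once you have it).
MAGIC_BYTES = bytes.fromhex("A9F205C3")
ICMP_MARKER = bytes.fromhex("FFFFFFFF")
ICMP_SEQ = 1234
HTTP_MARKER = b"9999"
REVERSE_SHELL_PORT = 9999
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ")

@dataclass
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int       # 0 for ICMP
    dport: int       # 0 for ICMP
    icmp_seq: int    # -1 unless ICMP
    payload: bytes   # bytes after the transport header

def _ip(b):
    return ".".join(str(x) for x in b)

def parse_ipv4(raw):
    """Decode an IPv4 packet (no link layer) into a Packet, or None if not TCP/UDP/ICMP."""
    if len(raw) < 20:
        return None
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if vihl >> 4 != 4:
        return None
    ihl = (vihl & 0x0F) * 4
    l4 = raw[ihl:total_len] if 20 <= ihl <= total_len <= len(raw) else raw[ihl:]
    if proto == 6 and len(l4) >= 20:                          # TCP
        sport, dport, _, _, off_flags = struct.unpack("!HHIIH", l4[:14])
        return Packet("tcp", _ip(src), _ip(dst), sport, dport, -1, l4[(off_flags >> 12) * 4:])
    if proto == 17 and len(l4) >= 8:                          # UDP
        sport, dport, _, _ = struct.unpack("!HHHH", l4[:8])
        return Packet("udp", _ip(src), _ip(dst), sport, dport, -1, l4[8:])
    if proto == 1 and len(l4) >= 8:                           # ICMP echo-style header
        _, _, _, _, seq = struct.unpack("!BBHHH", l4[:8])
        return Packet("icmp", _ip(src), _ip(dst), 0, 0, seq, l4[8:])
    return None

def match_triggers(pkt):
    """Return the page indicators one packet matches (empty list = nothing seen)."""
    hits = []
    if MAGIC_BYTES in pkt.payload:
        hits.append("magic_0xA9F205C3")
    if pkt.proto == "icmp":
        if pkt.icmp_seq == ICMP_SEQ:
            hits.append("icmp_seq_1234")
        if ICMP_MARKER in pkt.payload:
            hits.append("icmp_marker_0xFFFFFFFF")
    if pkt.proto == "tcp":
        if REVERSE_SHELL_PORT in (pkt.sport, pkt.dport):
            hits.append("tcp_port_9999")
        # Only meaningful on plaintext HTTP, i.e. after TLS termination, as the page describes.
        if pkt.payload.startswith(HTTP_METHODS) and HTTP_MARKER in pkt.payload:
            hits.append("http_marker_9999")
    return hits

def scan(packets):
    """Run match_triggers over raw packets; returns [(index, proto, src, dst, hits)] for matches."""
    out = []
    for i, raw in enumerate(packets):
        pkt = parse_ipv4(raw)
        if pkt is not None:
            hits = match_triggers(pkt)
            if hits:
                out.append((i, pkt.proto, pkt.src, pkt.dst, hits))
    return out

# Builders for constructed test traffic (documentation addresses, zero checksums, not captures).
def build_ipv4(proto, src, dst, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    return hdr + l4

def build_tcp(sport, dport, payload):
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload

def build_icmp(seq, payload):
    return struct.pack("!BBHHH", 8, 0, 0, 1, seq) + payload

SAMPLE_TCP_MAGIC = build_ipv4(6, "198.51.100.7", "203.0.113.10",
                              build_tcp(40000, 22, b"\x00" * 8 + MAGIC_BYTES + b"\x00" * 4))
SAMPLE_TCP_9999 = build_ipv4(6, "203.0.113.10", "198.51.100.7", build_tcp(45000, 9999, b""))
SAMPLE_ICMP_TRIGGER = build_ipv4(1, "198.51.100.7", "203.0.113.10",
                                 build_icmp(1234, ICMP_MARKER + b"\x00" * 12))
SAMPLE_HTTP_MARKER = build_ipv4(6, "198.51.100.7", "203.0.113.10", build_tcp(51000, 8080,
                                b"POST /sync HTTP/1.1\r\nHost: example.com\r\n\r\n9999"))
SAMPLE_BENIGN_PING = build_ipv4(1, "203.0.113.10", "198.51.100.7", build_icmp(1, bytes(range(16))))
ALL_SAMPLES = [SAMPLE_TCP_MAGIC, SAMPLE_TCP_9999, SAMPLE_ICMP_TRIGGER, SAMPLE_HTTP_MARKER, SAMPLE_BENIGN_PING]

if __name__ == "__main__":
    for idx, proto, src, dst, hits in scan(ALL_SAMPLES):
        print(f"packet {idx} {proto} {src}->{dst}: {', '.join(hits)}")
```

Two caveats before turning this into an alert. The "9999" and 0xFFFFFFFF checks are noisy on their own (the string appears in ordinary URLs and bodies, and the ICMP marker is only four bytes), so treat them as hunting leads to combine with the host artifacts or a known offset rather than as standalone signatures. On the wire, HTTPS is ciphertext; the HTTP check only works on decrypted traffic, for instance behind a TLS-terminating proxy or on loopback after termination. SCTP, which the page says some samples inspect, is not decoded here.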
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
"A critical remote code execution (RCE) vulnerability, identified as CVE-2025-55182 and dubbed React2Shell, exists within the React Server Components (RSC) architecture, allowing unauthenticated attackers to execute arbitrary code..."
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
We first discovered this actor in 2021, when we detected a sample of a Linux backdoor we track as BPFDoor. We will briefly highlight some of the functionality of BPFDoor, and the ways in which Red Menshen uses it to maintain stealthy persistence and move laterally within victim environments.
Dubbed "BPFdoor," the backdoor operates without opening ports or generating typical beaconing activity, which the cybersecurity firm said allowed the Chinese-linked actors to avoid detection across traditional endpoint and network monitoring tools.
One of the most recognized tools in its malware arsenal is a Linux backdoor called BPFDoor. "Unlike conventional malware, BPFdoor does not expose listening ports or maintain visible command-and-control channels. Instead, it abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the kernel, activating only when it receives a specifically crafted trigger packet."
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Attacks usually begin at the network edge by exploiting exposed services or valid accounts on devices like VPNs, firewalls, and virtualization hosts.
Execution
2 techniques
At the center of this campaign is BPFdoor, a stealth Linux backdoor engineered to operate within the operating system kernel by abusing Berkeley Packet Filter (BPF) functionality.
Instead, it installs a custom BPF filter inside the kernel that silently inspects incoming traffic, activating only when it receives a specially crafted “magic packet” containing a predefined byte sequence.
MITRE ATT&CK mapping: Execution, T1059.004 (Unix Shell). Implementation details: spawns a shell on a pseudo-terminal (PTY) using fork() and dup2().
Persistence
4 techniques
Malware families like BPFDoor are engineered for exactly this setting with activation on “magic” packets, kernel-level stealth, and long dwell in Linux-based environments common to telcos.
A key tool is BPFdoor, a stealthy Linux backdoor that hides in the kernel and activates only when it receives a specially crafted “magic” packet.
When an adversary implants a persistent backdoor at the kernel level within these environments, they are not simply compromising a server, they are positioning themselves adjacent to subscriber data, signaling flows, and the mechanisms that authenticate and route national and international communications.
Privilege Escalation
1 technique
Stealth
11 techniques
Description: generated datasets for Linux. Evidence of BPFdoor implant: creation of known lockfiles in attack range.
Sources in this corpus repeatedly describe malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection. This is an aggregate across sources: ConfuserEx and SmartAssembly are .NET protectors and do not apply to a Linux ELF implant such as BPFDoor; the item relevant here is RC4, which the variants above use for their encrypted sessions.
So nowadays BPFdoor disguises itself using legitimate service names and process behaviors associated with HPE ProLiant servers, or Kubernetes, as applicable.
T1036.004 (Masquerading). Implementation details: alters process arguments to mimic benign daemons such as qmgr.
T1070.003 (Clear Command History). Implementation details: injects HISTFILE=/dev/null into the environment of the shell it spawns.
Sources repeatedly describe threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and other artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
APT28 has performed timestomping on victim files. APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory. APT32 has used scheduled task raw XML with a backdated timestamp... APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.
T1564 (Hide Artifacts). Implementation details: uses AF_PACKET sniffing instead of a listening socket, so nothing appears in the usual netstat/ss listening-port views. The packet socket is still recorded in /proc/net/packet and shown by ss -0 (ss -A packet), which is where a host hunt should look.
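The host artifacts collected under this tactic (an AF_PACKET socket with no listening port, argv rewritten to an hpasmlited/qmgr-style daemon name, a wiped /proc/<PID>/environ, HISTFILE=/dev/null, a binary under /var/run/user/0) can all be checked from /proc without an agent. The script below is an added example written for this page, not code from Mallory or from any BPFDoor report. The process names and paths come from the page; the scoring weights, the threshold, the argv[0]-versus-exe mismatch heuristic, and the sample process records are assumptions. Run it as root so that /proc/<pid>/environ and /proc/<pid>/fd of other users' processes are readable.

```python
"""Hunt BPFDoor-style host artifacts via /proc (added example, not vendor or Mallory code)."""
import os
from dataclasses import dataclass

# Names and paths come from this page; the weights and threshold are assumptions.
MASQUERADE_NAMES = {"hpasmlited", "hpaslimited", "cmathreshd", "qmgr"}
SUSPECT_DIRS = ("/var/run/user/0",)
CONTAINER_HINTS = ("docker", "containerd")
WEIGHTS = {"af_packet_socket": 2, "masquerade_name": 2, "argv0_exe_mismatch": 1,
           "container_like_args": 1, "suspect_exe_path": 3, "empty_environ": 1,
           "histfile_devnull": 2}
THRESHOLD = 3  # a lone AF_PACKET socket (tcpdump, dhclient) stays below it

@dataclass
class ProcInfo:
    pid: int
    exe: str            # target of /proc/<pid>/exe
    cmdline: list       # argv from /proc/<pid>/cmdline
    environ: dict       # parsed /proc/<pid>/environ; {} when wiped or unreadable
    socket_inodes: set  # inode numbers behind socket:[N] descriptors

def parse_proc_net_packet(text):
    """Parse /proc/net/packet into {inode: {type, proto, ifindex}} (type 3 = SOCK_RAW)."""
    socks = {}
    for line in text.strip().splitlines()[1:]:  # line 0 is the column header
        cols = line.split()
        if len(cols) >= 9:
            socks[int(cols[8])] = {"type": int(cols[2]), "proto": int(cols[3], 16),
                                   "ifindex": int(cols[4])}
    return socks

def findings_for(proc, packet_socks):
    """List which page-described artifacts are present on one process."""
    found = []
    if proc.socket_inodes & set(packet_socks):
        found.append("af_packet_socket")           # sniffer socket; absent from netstat/ss
    exe_base = os.path.basename(proc.exe.replace(" (deleted)", ""))
    argv0 = os.path.basename(proc.cmdline[0]) if proc.cmdline else ""
    if argv0 in MASQUERADE_NAMES or exe_base in MASQUERADE_NAMES:
        found.append("masquerade_name")            # HPE ProLiant / qmgr-style daemon name
    if argv0 and argv0 != exe_base:
        found.append("argv0_exe_mismatch")         # argv rewritten; binary on disk differs
    if any(h in " ".join(proc.cmdline).lower() for h in CONTAINER_HINTS):
        found.append("container_like_args")
    if proc.exe.startswith(SUSPECT_DIRS) or proc.exe.endswith("(deleted)"):
        found.append("suspect_exe_path")
    if not proc.environ:
        found.append("empty_environ")              # /proc/<pid>/environ cleared
    if proc.environ.get("HISTFILE") == "/dev/null":
        found.append("histfile_devnull")
    return found

def score(findings):
    return sum(WEIGHTS[f] for f in findings)

def is_suspicious(findings):
    return score(findings) >= THRESHOLD

def read_live(pid):
    """Build a ProcInfo from /proc/<pid>; None for kernel threads or unreadable processes."""
    base = f"/proc/{pid}"
    try:
        exe = os.readlink(f"{base}/exe")
        with open(f"{base}/cmdline", "rb") as fh:
            argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
    except OSError:
        return None
    environ, inodes = {}, set()
    try:
        with open(f"{base}/environ", "rb") as fh:
            for kv in fh.read().split(b"\0"):
                k, _, v = kv.partition(b"=")
                if k:
                    environ[k.decode(errors="replace")] = v.decode(errors="replace")
    except OSError:
        pass  # unreadable without root; treated like a wiped environ
    for fd in os.listdir(f"{base}/fd") if os.path.isdir(f"{base}/fd") else []:
        try:
            target = os.readlink(f"{base}/fd/{fd}")
        except OSError:
            continue  # descriptor closed while we were scanning
        if target.startswith("socket:["):
            inodes.add(int(target[8:-1]))
    return ProcInfo(int(pid), exe, argv, environ, inodes)

def scan_live():
    """Scan every process on this host; returns [(pid, exe, findings)] at or above THRESHOLD."""
    with open("/proc/net/packet") as fh:
        packet_socks = parse_proc_net_packet(fh.read())
    hits = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        proc = read_live(pid)
        if proc is not None:
            found = findings_for(proc, packet_socks)
            if is_suspicious(found):
                hits.append((proc.pid, proc.exe, found))
    return hits

# Constructed sample records (not real telemetry) so the logic can be exercised offline.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a3b0c2e8000 3      3    0003   2     1 0      0      26543
"""
SAMPLE_IMPLANT = ProcInfo(4242, "/var/run/user/0/sample_implant",
                          ["/usr/sbin/hpasmlited"], {}, {26543, 26544})
SAMPLE_TCPDUMP = ProcInfo(3101, "/usr/bin/tcpdump", ["tcpdump", "-i", "eth0"],
                          {"PATH": "/usr/bin", "HOME": "/root"}, {26543})
SAMPLE_SSHD = ProcInfo(812, "/usr/sbin/sshd", ["/usr/sbin/sshd", "-D"], {"PATH": "/usr/bin"}, {9001})

if __name__ == "__main__":
    for pid, exe, found in scan_live():
        print(f"pid={pid} exe={exe} score={score(found)} {','.join(found)}")
```

tcpdump, dumpcap, DHCP clients, and some monitoring agents legitimately hold AF_PACKET sockets, which is why the socket alone scores below the threshold; what separates BPFDoor-like behaviour is the socket combined with a masqueraded name, a wiped environment, or a binary under /var/run/user/0. The same /proc/net/packet table is what ss -0 reads, so the results can be cross-checked by hand.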
Credential Access
2 techniques
We found custom sniffers, custom tooling to intercept usernames and passwords — very highly sophisticated operations.
Discovery
1 technique
Command and Control
7 techniques
Now, instead of looking for a magic packet in any sort of network packet, the malware only looks for its trigger phrase in innocuous Hypertext Transfer Protocol Secure (HTTPS) requests.
Most critical of the novel BPFDoor versions are httpShell, which prioritizes C2 concealment within HTTP traffic to allow BPF logic to look for certain magic markers in inner packets, and icmpShell, which creates an interactive shell to impede static firewall rules while also supporting bidirectional ICMP tunnels, RC4 encryption, and UDP/ICMP hole-punching.
The "H" variant includes an active beacon performing NTP-themed domain resolution and opening encrypted sessions under the guise of IoT telemetry or time synchronization.
T1090 (Proxy). Implementation details: uses an ICMP relay to bounce traffic through internal network segments.
icmpShell, which creates an interactive shell to impede static firewall rules while also supporting bidirectional ICMP tunnels, RC4 encryption, and UDP/ICMP hole-punching
Other
1 technique
IOCs tracked for this family
62 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
52 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A stealthy Linux backdoor designed for long-term persistence, activated by magic packets and associated with kernel-level stealth in telecom-like environments.
BPFdoor is a Linux backdoor implant associated with stealthy persistence and evasion on compromised systems.
A stealthy backdoor used to compromise major telecommunication networks, with new variants adding stateless command-and-control routing, HTTP traffic concealment, interactive shell access, bidirectional ICMP tunneling, RC4 encryption, UDP/ICMP hole-punching, and covert beaconing disguised as IoT telemetry or time synchronization.
A stealthy Linux backdoor that uses BPF filters and raw/packet sockets to listen for magic packets over TCP, UDP, and ICMP, spawn shells, relay traffic, evade host visibility, masquerade as legitimate processes, and in some variants actively beacon to C2 over port 443 using disguised NTP-themed domains.