BPFDoor
BPFDoor is a stealth Linux backdoor used for long-term cyberespionage and, in the reporting collected here, widely associated with the China-linked threat actor Red Menshen, also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18. It is described as state-sponsored malware centered on covert persistence in telecommunications infrastructure, with additional reported targeting of government, defense, critical infrastructure, finance, and retail organizations. Reported victim geographies include South Korea, Hong Kong, Myanmar, Malaysia, and Egypt, with broader activity across the Middle East, Asia-Pacific, Europe, and Africa.
Its core tradecraft is abuse of Berkeley Packet Filter (BPF) functionality to inspect network traffic inside the kernel and activate only when it receives specially crafted trigger or “magic” packets. Because it does not expose listening ports or maintain regular beaconing, it evades casual port scans and many traditional endpoint and network monitoring approaches. Multiple sources describe BPFDoor as operating at or within the kernel level with rootkit-like stealth characteristics. Reported capabilities include spawning bind shells or reverse shells, changing process names, clearing /proc/<PID>/environ to remove process environment variables, and calling utimes() to timestomp its own executable.
The content describes substantial evolution in newer BPFDoor variants. Rapid7 reported seven new variants with expanded stealth, persistence, and command-and-control flexibility. These include variants that hide activation triggers inside legitimate HTTPS traffic, using fixed-offset markers such as the string "9999" with 26-byte or 40-byte padding schemes to survive proxy or TLS termination behavior; variants that use ICMP-based control or relay channels, including a terminal marker value of 0xFFFFFFFF; and variants with active outbound beaconing over port 443 using statically linked OpenSSL and RC4-MD5. Additional reported features include stateless command-and-control routing, multi-protocol trigger detection across TCP, UDP, and ICMP raw sockets, SCTP-aware packet inspection relevant to telecom signaling environments, and specialized shells such as httpShell and icmpShell. The icmpShell variant is reported to use cleartext attacker commands prefixed with "X:", RC4-encrypted victim responses with the hardcoded key "icmp", a hardcoded ICMP sequence number of 1234, and heartbeat traffic for hole-punching.
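As an added illustration of the icmpShell traits listed above (example detection code written for this page, not vendor or Mallory code), the following Python classifier labels ICMP datagrams using the reported sequence number 1234, the cleartext "X:" command prefix, and RC4 decryption of responses with the hardcoded key "icmp". It assumes each datagram is handed over with its IP header already stripped; the sample datagrams are constructed, not captured traffic.

```python
import struct

# Traits reported for the BPFDoor icmpShell variant (values from the page)
ICMPSHELL_SEQ = 1234          # hardcoded ICMP sequence number
ICMPSHELL_RC4_KEY = b"icmp"   # hardcoded RC4 key for victim responses
CMD_PREFIX = b"X:"            # cleartext prefix on attacker commands

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; symmetric, so one call encrypts or decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def classify_icmp(pkt: bytes) -> str:
    """Label one ICMP datagram (IP header removed) using the reported icmpShell traits."""
    if len(pkt) < 8:
        return "malformed"
    _itype, _code, _csum, _ident, seq = struct.unpack("!BBHHH", pkt[:8])
    payload = pkt[8:]
    if seq != ICMPSHELL_SEQ:
        return "benign"
    if payload.startswith(CMD_PREFIX):
        return "icmpshell-command"
    if payload:
        plain = rc4(ICMPSHELL_RC4_KEY, payload)
        if all(32 <= b < 127 or b in b"\r\n\t" for b in plain):
            return "icmpshell-response"  # hardcoded key yields readable shell output
    return "suspicious-seq"  # seq 1234 alone is weak; correlate with other evidence

def build_icmp(itype: int, seq: int, payload: bytes) -> bytes:
    """Constructed sample datagram (checksum left zero; classification ignores it)."""
    return struct.pack("!BBHHH", itype, 0, 0, 0x4242, seq) + payload

# Constructed samples, not captured traffic
SAMPLE_COMMAND = build_icmp(8, ICMPSHELL_SEQ, b"X:id")
SAMPLE_RESPONSE = build_icmp(0, ICMPSHELL_SEQ, rc4(ICMPSHELL_RC4_KEY, b"uid=0(root)\n"))
SAMPLE_PING = build_icmp(8, 7, b"\x00\x01\x02\x03abcd")
```

A sequence number of 1234 also occurs in ordinary long-running pings, so treat "suspicious-seq" as a pivot point rather than a verdict.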
BPFDoor variants are also reported to masquerade as legitimate services and infrastructure components common in telecom and server environments. Examples in the content include spoofed process names such as hpasmlited, hpaslimited, cmathreshd, and Docker-like command lines, as well as impersonation of HPE ProLiant management agents and container or Kubernetes-related services. One HPE-focused variant reportedly checks for /var/run/cma.lock and kills the legitimate HP agent if present. Another variant was observed hiding under /var/run/user/0 and performing full file descriptor wiping while avoiding chmod to reduce audit logging.
The malware is repeatedly linked to telecom-focused espionage. Reporting in the content states that some samples inspect SCTP traffic and may provide visibility into telecom-native protocols and data such as signaling, subscriber activity, location tracking, authentication exchanges, IMSI identifiers, SMS contents, and 4G/5G-related metadata. The broader intrusion set described alongside BPFDoor includes exploitation of exposed edge infrastructure and valid accounts for initial access, followed by use of tools such as CrossC2, TinyShell, Sliver, keyloggers, brute-force utilities, and custom sniffers for credential theft, lateral movement, and deeper access.
Known artifacts and indicators directly mentioned in the content include malware paths such as /tmp/zabbix_agent.log, /bin/vmtoolsdsrv, and /etc/sysconfig/rhn/rhnsd.conf; lockfile creation associated with Linux evidence of the implant; execution from /var/run/user/0; domains used by an active-beacon variant including ntpussl.instanthq.com, ntpupdate.ddnsgeek.com, ntpupdate.ygto.com, and ntpd.casacam.net; variant I magic bytes 0xA9F205C3 and hardcoded password dP7sRa3XwLm29E; and anti-forensics behaviors including timestomping and environment clearing. The malware is also referenced under detections such as Backdoor.Linux.BPFDOOR.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
"A critical remote code execution (RCE) vulnerability, identified as CVE-2025-55182 and dubbed React2Shell, exists within the React Server Components (RSC) architecture, allowing unauthenticated attackers to execute arbitrary code..."
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
BPFDoor is a state-sponsored backdoor designed for cyberespionage activities. Through our investigation of BPFDoor attacks, we unearthed a controller that hasn’t been observed being used anywhere else.
Dubbed "BPFdoor," the backdoor operates without opening ports or generating typical beaconing activity, which the cybersecurity firm said allowed the Chinese-linked actors to avoid detection across traditional endpoint and network monitoring tools.
One of the most recognized tools in its malware arsenal is a Linux backdoor called BPFDoor. "Unlike conventional malware, BPFdoor does not expose listening ports or maintain visible command-and-control channels. Instead, it abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the kernel, activating only when it receives a specifically crafted trigger packet."
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
2 techniques
Persistence
3 techniques
Malware families like BPFDoor are engineered for exactly this setting with activation on “magic” packets, kernel-level stealth, and long dwell in Linux-based environments common to telcos.
A key tool is BPFdoor, a stealthy Linux backdoor that hides in the kernel and activates only when it receives a specially crafted “magic” packet.
When an adversary implants a persistent backdoor at the kernel level within these environments, they are not simply compromising a server, they are positioning themselves adjacent to subscriber data, signaling flows, and the mechanisms that authenticate and route national and international communications.
Stealth
10 techniques
Description: Generated datasets for Linux evidence of a BPFdoor implant (creation of known lockfiles) in an attack range.
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
It also has evasion techniques, such as how it can change process names and how the backdoor does not listen on any port.
T1036.004 Masquerading. Implementation details: Alters process arguments to mimic benign daemons like qmgr.
T1070.003 Clear History. Implementation details: Injects HISTFILE=/dev/null into environment variables.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
APT28 has performed timestomping on victim files. APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory. APT32 has used scheduled task raw XML with a backdated timestamp... APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.
Credential Access
2 techniques
Discovery
1 technique
Lateral Movement
1 technique
Among the targeted servers, we found a malware controller used to access other affected hosts in the same network after lateral movement. | The controller could open a reverse shell. This could allow lateral movement, enabling attackers to enter deeper into compromised networks.
Command and Control
8 techniques
Now, instead of looking for a magic packet in any sort of network packet, the malware only looks for its trigger phrase in innocuous Hypertext Transfer Protocol Secure (HTTPS) requests.
The filter loaded by BPFDoor enables the malware to be activated by network packets containing “magic sequences”.
T1090 Proxy. Implementation details: Uses ICMP relay to bounce traffic through internal segments.
Depending on the password provided and the command-line options used, the controller asks the infected machine to perform one of these actions: Open a reverse shell ... Confirm the backdoor is active
This shows that Earth Bluecrow is actively controlling BPFDoor-infected hosts and uploading additional tools for later use.
IOCs tracked for this family
62 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
54 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A named malware family referenced as the subject of threat research on activity in telecom networks; the article does not provide further functional detail beyond indicating it is used in adversary activity analyzed for ATT&CK technique extraction.
A stealthy Linux backdoor designed for long-term persistence, activated by magic packets and associated with kernel-level stealth in telecom-like environments.
BPFdoor is a Linux backdoor implant associated with stealthy persistence and evasion on compromised systems.
A stealthy backdoor used to compromise major telecommunication networks, with new variants adding stateless command-and-control routing, HTTP traffic concealment, interactive shell access, bidirectional ICMP tunneling, RC4 encryption, UDP/ICMP hole-punching, and covert beaconing disguised as IoT telemetry or time synchronization.