Cat is bagless - there’s a new version of #BPFDoor https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game

I’ve found it on orgs in Taiwan and Hong Kong so far.

BPFDoor Malware Evolves – Stealthy Sniffing Backdoor ups its Game | Deep Instinct

BPFdoor is a Linux-specific, low-profile, passive backdoor intended to maintain a persistent, long-term foothold in already-breached networks and environments and functions primarily to ensure an attacker can re-enter an infected system over an extended period of time, post-compromise. The malware gets its name from its usage of a Berkeley Packet Filter – a fairly unique way of receiving its instructions and evading detection, which bypasses firewall restrictions on incoming traffic.

Deep Instinct
BPFDoor — an active Chinese global surveillance tool

Recently, PwC Threat Intelligence documented the existence of BPFDoor, a passive network implant for Linux they attribute to Red Menshen, a Chinese threat actor group. BPFDoor is interesting. It…

DoublePulsar

Still zero detections on VirusTotal (and real world AV and EDR) 🥳

Vendors should aim to have robust detection for this, as it's a real world nation state implant used in a global surveillance operation used for SIGINT for about a decade (including inside and against the US), which still nobody can be arsed to investigate.

VirusTotal behaviour search for latest BPFDoor variant (which has been around since last year but nobody noticed again):

(attack_technique:T1027.005 attack_technique:T1027 behaviour_files:/var/run segment:.eh_frame_hdr) NOT attack_technique:T1543.002

Trend Micro have spotted more new versions of BPFDoor, great work by them here.

If you run Linux infrastructure and your org has customers in Asia, particularly minority groups of interest to China, I’d suggest investigating.

Also other anti malware vendors need to look at their detection as again it’s basically zero detections except for Trend now.

https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html

BPFDoor Hidden Controller Used Against Asia, Middle East Targets

A controller linked to BPF backdoor can open a reverse shell, enabling deeper infiltration into compromised networks. Recent attacks have been observed targeting the telecommunications, finance, and retail sectors across South Korea, Hong Kong, Myanmar, Malaysia, and Egypt.

Trend Micro

Multiple Korean telcos are dealing with BPFDoor incidents

Linux anti malware and EDR performance for BPFDoor detection is still shockingly poor. Orgs in Asia or with customers of interest to China (e.g. Uyghurs) should hunt forward for this. There's other hints in the thread.

https://www.koreatimes.co.kr/business/companies/20250526/investigation-into-sk-telecom-data-breach-expands-to-kt-lg-uplus-sources

Investigation into SK Telecom data breach expands to KT, LG Uplus: sources

A joint government-private investigation team looking into SK Telecom's recent large-scale data breach has extended its probe to the servers of two other major mobile carriers, KT and LG Uplus, but fo...

@GossiTheDog On a technical level, it's really rather simple to detect unusual BPF usage if you are doing any kind of Linux host-based security monitoring. Without EDR, even for a heterogeneous fleet of 10k+ systems, and with a reasonably low false positive rate.

I'm astonished that EDR vendors still seem to struggle in this area. (It's been about 3 years since I last looked.)
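The mechanism in the Deep Instinct summary earlier in the thread (a filter attached to a raw packet socket, which taps frames at the device layer before netfilter sees them, so an iptables INPUT policy does not stop it) and the point in the reply above (unusual packet-socket/BPF usage is easy to spot from host telemetry) can be turned into a simple host hunt. The Python below is an added example, not code from the thread, from Deep Instinct, Trend Micro, or any other party: it parses /proc/net/packet, joins socket inodes to PIDs through /proc/<pid>/fd, and reports packet sockets whose owning process is not on an assumed, site-tunable benign list. The sample /proc/net/packet rows, the fake /proc tree, the PIDs, and the process names are constructed for the demonstration; the hypothetical --live flag switches it to the real /proc (root needed to see other users' processes).

```python
#!/usr/bin/env python3
"""Hunt for AF_PACKET sockets on a Linux host and map them to their owning processes.

A passive backdoor of the BPFDoor kind must hold a packet socket open with a BPF
filter attached, and that socket receives copies of frames before the IP stack and
netfilter, so blocking inbound ports does not starve it.  Added example for the
thread above; not code from any vendor writeup.
"""
import glob
import os
import re
import sys
import tempfile

# Process names that legitimately hold packet sockets.  Assumption: tune per fleet;
# anything not listed is reported for analyst review, not declared malicious.
BENIGN_COMM = {"dhclient", "dhcpcd", "tcpdump", "lldpd", "NetworkManager", "systemd-network"}

SOCK_RAW = 3   # /proc/net/packet "Type" column: 3 = SOCK_RAW, 2 = SOCK_DGRAM

# Constructed sample of /proc/net/packet.  Proto is the EtherType in hex
# (0003 = ETH_P_ALL, 0800 = ETH_P_IP); Iface 0 means "all interfaces".
SAMPLE_PROC_NET_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a0f00000001 3      3    0003   2     1 0      0      54321
ffff9a0f00000002 3      3    0800   0     1 0      0      67890
"""


def parse_proc_net_packet(text):
    """Parse /proc/net/packet text into one dict per packet socket."""
    sockets = []
    for line in text.splitlines()[1:]:            # first line is the column header
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append({
            "type": int(fields[2]),
            "proto": int(fields[3], 16),
            "iface": int(fields[4]),
            "uid": int(fields[7]),
            "inode": int(fields[8]),              # joins to /proc/<pid>/fd/* -> socket:[inode]
        })
    return sockets


def socket_owners(inodes, proc="/proc"):
    """Map socket inode -> set of PIDs holding a descriptor on it."""
    owners = {}
    for fd_link in glob.glob(os.path.join(proc, "[0-9]*", "fd", "*")):
        try:
            target = os.readlink(fd_link)
        except OSError:                           # process exited or permission denied
            continue
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m and int(m.group(1)) in inodes:
            pid = int(fd_link.split(os.sep)[-3])
            owners.setdefault(int(m.group(1)), set()).add(pid)
    return owners


def read_proc_file(proc, pid, name):
    """Read /proc/<pid>/<name>, turning NUL separators (cmdline) into spaces."""
    try:
        with open(os.path.join(proc, str(pid), name), "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return ""


def hunt(packet_text, proc="/proc"):
    """Return packet sockets not owned by an allowlisted process (unowned ones are kept too)."""
    sockets = parse_proc_net_packet(packet_text)
    owners = socket_owners({s["inode"] for s in sockets}, proc)
    findings = []
    for s in sockets:
        for pid in sorted(owners.get(s["inode"], set())) or [None]:
            comm = read_proc_file(proc, pid, "comm") if pid else ""
            cmdline = read_proc_file(proc, pid, "cmdline") if pid else ""
            if comm in BENIGN_COMM:
                continue
            findings.append({"pid": pid, "comm": comm, "cmdline": cmdline,
                             "raw": s["type"] == SOCK_RAW, "proto": s["proto"],
                             "iface": s["iface"], "inode": s["inode"]})
    return findings


def demo_proc_tree():
    """Constructed /proc look-alike: PID 101 is a benign dhclient, PID 202 holds a raw
    socket on all interfaces while its cmdline claims to be something else."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for pid, comm, argv, inode in (
        (101, "dhclient", "dhclient eth0", 54321),
        (202, "sample-sniffer", "/sbin/agetty tty1", 67890),   # constructed mismatch
    ):
        d = os.path.join(root, str(pid))
        os.makedirs(os.path.join(d, "fd"))
        with open(os.path.join(d, "comm"), "w") as f:
            f.write(comm + "\n")
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(argv.encode().replace(b" ", b"\0") + b"\0")
        os.symlink(f"socket:[{inode}]", os.path.join(d, "fd", "3"))
    return root


if __name__ == "__main__":
    if "--live" in sys.argv:                      # assumed flag: scan the real host
        with open("/proc/net/packet") as f:
            hits = hunt(f.read(), "/proc")
    else:
        hits = hunt(SAMPLE_PROC_NET_PACKET, demo_proc_tree())
    for h in hits:
        print(h)
```

On a real host, run it as root so every /proc/<pid>/fd is readable; a packet socket that no visible process owns is itself worth chasing. Once a PID is in hand, iproute2's ss -0pb lists packet sockets with the attached classic BPF filter bytecode, which is what distinguishes an implant waiting for a magic packet from a DHCP client. Note the scope: this covers socket-attached filters (SO_ATTACH_FILTER); a tap implemented as an eBPF program on XDP or TC will not appear in /proc/net/packet and needs bpftool prog list instead.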