Kevin BeaumontMay 11, 2023

Cat is bagless - there’s a new version of #BPFDoor https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game

I’ve found it on orgs in Taiwan and Hong Kong so far.

BPFDoor Malware Evolves – Stealthy Sniffing Backdoor ups its Game | Deep Instinct

BPFdoor is a Linux-specific, low-profile, passive backdoor intended to maintain a persistent, long-term foothold in already-breached networks and environments and functions primarily to ensure an attacker can re-enter an infected system over an extended period of time, post-compromise. The malware gets its name from its usage of a Berkley Packet Filter – a fairly unique way of receiving its instructions and evading detection, which bypasses firewall restrictions on incoming traffic.

Deep Instinct
Show threadKevin BeaumontMay 11, 2023
Previously on #BPFDoor https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896
BPFDoor — an active Chinese global surveillance tool

Recently, PwC Threat Intelligence documented the existence of BPFDoor, a passive network implant for Linux they attribute to Red Menshen, a Chinese threat actor group. BPFDoor is interesting. It…

DoublePulsar
Show threadKevin BeaumontMay 11, 2023

Still zero detections on Virustotal (and real world AV and EDR) 🥳

Vendors should aim to have robust detection for this, as it's a real world nation state implant used in a global surveillance operation used for SIGINT for about a decade (including inside and against the US).. which still nobody can be arsed to investigate.

Show threadKevin BeaumontMay 15, 2023

VirusTotal behaviour search for latest BPFDoor variant (which has been around since last year but nobody noticed again):

(attack_technique:T1027.005 attack_technique:T1027 behaviour_files:/var/run segment:.eh_frame_hdr) NOT attack_technique:T1543.002

Show threadKevin BeaumontApr 14, 2025

Trend Micro have spotted more new versions of BPFDoor, great work by them here.

If you run Linux infrastructure and your org has customers in Asia, particularly minority groups of interest to China, I’d suggest investigating.

Also other anti malware vendors need to look at their detection as again it’s basically zero detections except for Trend now.

https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html

BPFDoors Hidden Controller Used Against Asia, Middle East Targets

A controller linked to BPF backdoor can open a reverse shell, enabling deeper infiltration into compromised networks. Recent attacks have been observed targeting the telecommunications, finance, and retail sectors across South Korea, Hong Kong, Myanmar, Malaysia, and Egypt.

Trend Micro
Show threadKevin BeaumontMay 29, 2025

Multiple Korean telcos are dealing with BPFDoor incidents

Linux anti malware and EDR performance for BPFDoor detection is still shockingly poor. Orgs in Asia or with customers of interest to China (eg Uyghurs) should hunt forward for this. There’s other hints in the thread.

https://www.koreatimes.co.kr/business/companies/20250526/investigation-into-sk-telecom-data-breach-expands-to-kt-lg-uplus-sources

Investigation into SK Telecom data breach expands to KT, LG Uplus: sources

A joint government-private investigation team looking into SK Telecom's recent large-scale data breach has extended its probe to the servers of two other major mobile carriers, KT and LG Uplus, but fo...

Show threadKevin Beaumont

Really good research from Rapid7 here, where they’ve found multiple new versions of BPFdoor which do things like listen and backdoor on extremely uncommon 4G and 5G signaling protocols - it strongly suggests BPFDoor has been placed far inside telcos for surveillance.

They provide a tool to check for the new implant - I would strongly suggest telcos look for this on their Linux systems, including call infrastructure.

https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report/

BPFdoor in Telecom Networks: Sleeper Cells in the backbone

A months-long investigation by Rapid7 Labs has uncovered evidence of an advanced China-nexus threat actor placing stealthy digital sleeper cells in telecommunications networks, in order to carry out high-level espionage – including against government networks. Read more in a new blog.

Rapid7
Mar 27 at 7:17pmWeb
Show threadKevin Beaumont21h ago
I don’t know if the US has any effective telco regulation available btw but I’d strongly suggest US telcos are required to investigate and report back findings on this. When I did the OG research on this back in 2021 I found them inside in a US telco and US postal services.
Show threadRobert [KJ5ELX] 21h ago
@GossiTheDog just assume we don't. That's the safest bet.
Show threadpeter7h ago
@StGebert das bezieht sich auf welche geopolitischen Bereiche? Hälst du das für ein ernstes Risiko was europäische Netzbetreiber betrifft? Oder, überinterpretiere ich den Post?