BPFDoor: A previously undocumented and mostly undetected variant of a Linux backdoor

A new variant of the Linux backdoor BPFDoor has been discovered by cybersecurity firm Deep Instinct. The backdoor, first documented in May 2022, is associated with a Chinese threat actor called Red Menshen, which is known to single out telecom providers across the Middle East and Asia. The malware is specifically geared towards establishing persistent remote access to compromised target environments for extended periods of time, with evidence pointing to the hacking crew operating the backdoor undetected for years.

BPFDoor gets its name from its use of Berkeley Packet Filters (BPF) for network communications and for processing incoming commands. Because the filter runs in the kernel on a raw socket rather than on an ordinary listening port, threat actors can reach a victim's system and execute arbitrary code without being detected by firewalls, while the filter simultaneously discards unneeded traffic before it reaches the implant.

Deep Instinct's findings come from a BPFDoor artifact that was uploaded to VirusTotal on February 8, 2023. As of writing, only three security vendors have flagged the ELF binary as malicious.
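Because the implant receives commands through a BPF filter on a packet socket instead of a listening port, a port scan or `ss -l` will not show it; what does remain visible is the packet socket itself in `/proc/net/packet` and the process holding it. The following triage helper is an added example written for this page, not code from Deep Instinct or the malware: it parses `/proc/net/packet`, maps each socket inode to its owning PID via `/proc/<pid>/fd`, and flags raw sockets so an analyst can check whether the owner is a legitimate capture tool or something unexpected. The sample `/proc/net/packet` text and the PID mapping used in `__main__` are constructed.

```python
#!/usr/bin/env python3
"""Flag processes holding AF_PACKET sockets, the kind BPFDoor attaches its
filter to so it can take commands without opening a listening port."""
import os
from typing import Dict, List, Tuple

# Constructed sample of /proc/net/packet: header line plus two packet sockets.
# Columns: sk RefCnt Type Proto Iface R Rmem User Inode (Proto is hex ethertype).
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c3e5b0000 3      3    0003   2     1 0      0      23456
ffff9a1c3e5b8800 3      2    0800   0     1 0      1000   98765
"""

def parse_proc_net_packet(text: str) -> List[Tuple[int, int, int, int]]:
    """Return (inode, sock_type, proto, uid) for each packet socket listed."""
    rows = []
    for line in text.splitlines()[1:]:            # skip the header line
        f = line.split()
        if len(f) < 9:
            continue
        # f[2] is the socket type (3 = SOCK_RAW, 2 = SOCK_DGRAM), f[3] the ethertype
        rows.append((int(f[8]), int(f[2]), int(f[3], 16), int(f[7])))
    return rows

def socket_inode_owners(proc_root: str = "/proc") -> Dict[int, int]:
    """Map socket inode -> pid by resolving /proc/<pid>/fd/* symlinks."""
    owners: Dict[int, int] = {}
    for pid in (p for p in os.listdir(proc_root) if p.isdigit()):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                target = os.readlink(os.path.join(fd_dir, fd))
                if target.startswith("socket:[") and target.endswith("]"):
                    owners[int(target[8:-1])] = int(pid)
        except OSError:                           # process exited or not readable
            continue
    return owners

def packet_socket_findings(packet_text: str, owners: Dict[int, int]) -> List[dict]:
    """Join packet sockets to owning PIDs; raw sockets with ETH_P_ALL (0x0003)
    see every frame and deserve the first look. pid is None if unresolved."""
    return [{"inode": ino, "pid": owners.get(ino), "uid": uid, "proto": proto,
             "raw": stype == 3, "captures_all": proto == 0x0003}
            for ino, stype, proto, uid in parse_proc_net_packet(packet_text)]

if __name__ == "__main__":
    # Constructed owner map; on a live host use socket_inode_owners() and
    # open("/proc/net/packet").read() instead.
    for finding in packet_socket_findings(SAMPLE_PROC_NET_PACKET, {23456: 4242}):
        print(finding)
```

On a live host the script needs root to read other users' `/proc/<pid>/fd`; a packet socket owned by anything other than a known capture or monitoring daemon is the lead to investigate, not proof of compromise on its own.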
