Dear Telcos Around the World, Please Beware of BPFDoor Malware and Its Leaked Source Code on GitHub
BPFDoor is a Linux-based backdoor developed by a China-sponsored threat group known as Red Menshen or Earth Bluecrow to maintain stealthy, long-term access in compromised networks. It was first documented in 2021 by researchers who attributed it to the Red Menshen APT group and observed it targeting telecommunications, government, logistics, and education sectors in the Middle East and Asia. Evidence suggests that BPFDoor had already been active for several years, with samples seen in various phases of development and complexity over the past five years. The name “BPFDoor” reflects its novel use of the Berkeley Packet Filter (BPF) engine: instead of opening network ports or running visible listeners, BPFDoor implants a custom BPF filter into the Linux kernel to intercept specially crafted network packets containing secret “magic” sequences. These packets trigger the backdoor, allowing attackers to execute commands or establish shells while bypassing normal firewall restrictions. This design makes BPFDoor a highly covert espionage tool, capable of lying dormant on high-uptime servers or network appliances, surviving for months or even indefinitely without exposing any obvious indicators.
Technical Operation and Functionality
BPFDoor operates as a packet sniffer whose filtering is performed by the kernel’s BPF engine. After initial compromise via another payload, the BPFDoor binary typically copies itself into a temporary location, often /dev/shm/ or a similarly ephemeral directory, forks into a background process, renames itself (for example to kdmtmpflush), and deletes its original copy. It then creates a raw socket and attaches a carefully crafted BPF filter to it, so that only packets matching specific criteria are passed to the backdoor logic. In practice, BPFDoor’s filter inspects incoming TCP, UDP, and ICMP traffic, especially on common ports like 22, 80, and 443, and looks for a secret “magic” byte sequence buried in a packet. Packets carrying this sequence bypass normal firewall rules because the filter is evaluated inside the kernel’s networking stack. When a magic packet is detected, BPFDoor forks again and processes the payload. Depending on the contents of the packet and a hardcoded password, the malware either provides a shell to the attacker, as a reverse shell or a bind shell, or simply responds with a benign-looking packet to confirm that it is active.
Conceptually, BPFDoor’s method of packet filtering can be visualized as a network-level trap that only springs when encountering an attacker-defined signature. The backdoor does not listen on any open port or socket in the usual way; instead, its BPF filter quietly scans all incoming packets for hidden trigger bytes. This allows the malware to hide in plain sight inside the kernel’s networking stack, where ordinary monitoring tools cannot easily detect it. Once activated, BPFDoor can spawn a shell or redirect connections. For instance, one controller variant could issue iptables commands on the compromised machine to temporarily reroute a legitimate service’s port, such as SSH (22/TCP), to a random high port where BPFDoor would serve a shell. In other cases, the controller simply commands the infected host to initiate a reverse shell back to the attacker. All these communication modes are protected by the exchange of passwords and the use of the same BPF activation packet, ensuring that only attackers with knowledge of the secret can access the backdoor.
Importantly, BPFDoor’s use of BPF makes it firewall-agnostic: even if a firewall blocks the malicious packet from progressing further up the network stack, the act of checking for the magic sequence occurs directly in the kernel. This allows the backdoor to be triggered without needing an open, listening port or any visible service, making BPFDoor exceptionally difficult to detect using conventional network security tools.
Evasion and Persistence Mechanisms
BPFDoor employs multiple stealth techniques to evade detection. It typically disguises itself by renaming its processes to innocuous-looking names, such as kdmtmpflush, or by mimicking legitimate system daemons. Additionally, it closes its standard input, output, and error streams, making its presence even less noticeable. The malware does not open any visible network service ports that an administrator could detect through basic scanning. Instead, it remains dormant until specifically triggered by specially crafted network packets. Its deep placement within the Linux kernel means that traditional user-space monitoring tools cannot observe any unusual behavior, as the inspection of packets happens before they reach the normal networking stack.
BPFDoor’s communication with its controller can also be encrypted. Some variants implement encryption methods such as RC4 or other stronger ciphers to obfuscate the traffic further, depending on the version in use. In at least one major evolution, attackers removed almost all hardcoded elements like file names, commands, and magic sequences, choosing instead to rely on runtime parameters. This made signature-based detection methods significantly less effective against newer versions of the malware.
Persistence mechanisms in BPFDoor are deliberately subtle. The malware typically runs from volatile memory and temporary directories like /dev/shm/ or /var/run/, meaning it does not survive a system reboot. Analysts have observed that once a machine is restarted or shut down, the BPFDoor implant is lost. This behavior suggests that BPFDoor is intended for high-uptime environments or for systems where attackers maintain enough control to avoid reboots. The discovery of BPFDoor on a machine is often a sign that initial access tools or additional payloads may still exist elsewhere within the compromised network. To further minimize forensic traces, BPFDoor manipulates its own file timestamps and PID files upon execution, a technique commonly referred to as timestomping. Combined with its in-memory execution, lack of persistent service registration, dynamic renaming, and stealthy activation by hidden network packets, these features make BPFDoor extremely difficult for defenders to discover using conventional scanning or log analysis.
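The tells described above (a raw packet socket held by a process that runs from /dev/shm or /tmp, has deleted its own binary, and has closed stdin/stdout/stderr) can be checked together from /proc. The following is an added example written for this article, not a vendor tool or BPFDoor's own code; the /proc file layouts are standard Linux, but the sample records are constructed, and `scan_live_procfs()` is only useful when run as root on a real host.

```python
import os

VOLATILE_DIRS = ("/dev/shm/", "/tmp/", "/var/run/", "/run/")

# Constructed /proc/net/packet content: one raw (Type 3) socket, inode 48211.
SAMPLE_PROC_NET_PACKET = (
    "sk               RefCnt Type Proto  Iface R Rmem   User   Inode\n"
    "ffff888012345678 3      3    0003   2     1 0      0      48211\n"
)
# Constructed process facts, shaped like readlink() of /proc/<pid>/exe and
# /proc/<pid>/fd/* for an implant showing the tells the article describes.
SAMPLE_EXE = "/dev/shm/kdmtmpflush (deleted)"
SAMPLE_FDS = {3: "socket:[48211]", 4: "/dev/null"}     # fds 0, 1, 2 are closed


def packet_socket_inodes(proc_net_packet: str) -> set:
    """Inode numbers of every AF_PACKET socket listed in /proc/net/packet."""
    inodes = set()
    for line in proc_net_packet.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) >= 9:
            inodes.add(int(fields[8]))
    return inodes


def score_process(exe: str, fd_targets: dict, packet_inodes: set) -> list:
    """Indicators that fire for one process; an empty list means no finding."""
    held = {int(t[8:-1]) for t in fd_targets.values() if t.startswith("socket:[")}
    if not held & packet_inodes:
        return []           # a raw packet socket is the precondition for the rest
    reasons = ["holds AF_PACKET socket"]
    if exe.endswith(" (deleted)"):
        reasons.append("executable deleted on disk")
    if exe.startswith(VOLATILE_DIRS):
        reasons.append("runs from volatile directory")
    if not {0, 1, 2} & set(fd_targets):
        reasons.append("stdin/stdout/stderr closed")
    return reasons


def scan_live_procfs() -> dict:
    """Walk the real /proc (run as root); {pid: reasons} for processes with hits."""
    with open("/proc/net/packet") as f:
        inodes = packet_socket_inodes(f.read())
    findings = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            fds = {int(fd): os.readlink(f"/proc/{pid}/fd/{fd}")
                   for fd in os.listdir(f"/proc/{pid}/fd")}
        except OSError:
            continue        # the process exited, or we lack permission
        if reasons := score_process(exe, fds, inodes):
            findings[int(pid)] = reasons
    return findings
```

Legitimate tools such as tcpdump or DHCP clients also hold AF_PACKET sockets, so the first indicator on its own is only a pointer; several indicators firing on one process is the signal worth escalating.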
Evolution and Variants
Since its initial disclosure in 2021, BPFDoor has undergone notable evolution. Researchers have tracked the development of multiple variants, including adaptations designed for Unix-based systems like Solaris. Over time, developers behind BPFDoor have significantly enhanced its stealth features and modularity. In a newer variant discovered in early 2023, attackers removed most hardcoded elements, making filenames, commands, and activation sequences dynamic rather than static. This version also incorporated a compiled cryptographic library, libtomcrypt, to provide stronger encryption, replacing the older and less robust RC4 encryption previously used.
This 2023 variant became significantly stealthier compared to earlier versions. It only provided a reverse shell capability, moving away from previous methods that utilized iptables tricks to reroute network ports. Furthermore, it abandoned hardcoded commands, instead delivering all instructions through encrypted reverse-shell communications, making static detection even more challenging.
Further analysis showed that BPFDoor variants began compiling slightly altered BPF bytecode for each sample. Although certain key "magic" constants used to trigger the backdoor remained consistent (such as 0x7255 for UDP/ICMP and 0x5293 or sequences of "9" for TCP), the way instructions were ordered or duplicated varied between samples. This intentional shuffling meant that defenders could not rely solely on simple static signatures to detect BPFDoor, and instead had to scan at a deeper kernel or memory level for evidence of these magic constants.
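Because the samples reorder and duplicate instructions, a byte-pattern signature over the filter misses them, but decoding each classic-BPF instruction and checking its immediate against the magic constants above does not depend on order. The following scanner is an added example for this article, not BPFDoor's code or any vendor's detection; it assumes a little-endian host and takes the raw `struct sock_filter` array as the kernel stores it for `SO_ATTACH_FILTER`, and the sample filter it scans is constructed in the BPFDoor style rather than taken from a real sample.

```python
import struct

# One classic-BPF instruction as the kernel stores it for SO_ATTACH_FILTER:
# u16 code, u8 jt, u8 jf, u32 k.  Little-endian host assumed.
SOCK_FILTER = struct.Struct("<HBBI")

BPF_CLASS, BPF_LD, BPF_JMP = 0x07, 0x00, 0x05
BPF_MODE, BPF_IMM = 0xE0, 0x00
BPF_OP, BPF_JA = 0xF0, 0x00
BPF_SRC, BPF_K = 0x08, 0x00

# Trigger constants named in the article.  0x39 is ASCII '9', so the
# "sequence of 9s" is assumed here to be the 32-bit value 0x39393939.
MAGIC = {0x7255: "UDP/ICMP magic", 0x5293: "TCP magic", 0x39393939: "TCP '9999' magic"}


def decode(prog: bytes) -> list:
    """Split raw bytecode into (code, jt, jf, k) tuples; reject odd lengths."""
    if len(prog) % SOCK_FILTER.size:
        raise ValueError("program length is not a multiple of 8 bytes")
    return [SOCK_FILTER.unpack_from(prog, off)
            for off in range(0, len(prog), SOCK_FILTER.size)]


def uses_literal(code: int) -> bool:
    """True when the instruction's k field is a literal it compares or loads."""
    cls = code & BPF_CLASS
    if cls == BPF_JMP:    # jeq/jgt/jge/jset #k, but not an unconditional ja
        return (code & BPF_SRC) == BPF_K and (code & BPF_OP) != BPF_JA
    if cls == BPF_LD:     # ld #k; ldh [off] and ldb [off] carry offsets, not literals
        return (code & BPF_MODE) == BPF_IMM
    return False


def find_magic(prog: bytes) -> list:
    """[(instruction index, constant, label)] for every hit, whatever the order."""
    return [(idx, k, MAGIC[k]) for idx, (code, _jt, _jf, k) in enumerate(decode(prog))
            if uses_literal(code) and k in MAGIC]


def _ins(code, jt, jf, k):
    return SOCK_FILTER.pack(code, jt, jf, k)


# Constructed filter in the BPFDoor style (not a real sample): IPv4 -> TCP ->
# compare a halfword inside the payload with the TCP magic, then accept or drop.
SAMPLE = b"".join([
    _ins(0x28, 0, 0, 12),        # ldh [12]       ethertype
    _ins(0x15, 0, 5, 0x0800),    # jeq #0x0800    IPv4, else -> drop
    _ins(0x30, 0, 0, 23),        # ldb [23]       IP protocol
    _ins(0x15, 0, 3, 6),         # jeq #6         TCP, else -> drop
    _ins(0x28, 0, 0, 54),        # ldh [54]       halfword in the payload (offset constructed)
    _ins(0x15, 0, 1, 0x5293),    # jeq #0x5293    the TCP magic
    _ins(0x06, 0, 0, 0xFFFF),    # ret #65535     hand the packet to the implant
    _ins(0x06, 0, 0, 0),         # ret #0         drop everything else
])
```

Run `find_magic()` over filter bytes recovered from a memory image or a dumped socket filter; on `SAMPLE` it reports instruction 5 with 0x5293.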
In 2025, researchers identified yet another significant advancement: a controller program specifically designed to interact with BPFDoor-infected hosts. This new controller, attributed with medium confidence to the same Earth Bluecrow group, allowed attackers to input a password and then send a customized magic packet to the infected system. With this new tool, attackers could instruct the malware to open a reverse shell, redirect legitimate connections to a shell, or perform other actions without requiring the infected host to initiate outbound connections. This capability significantly broadened the operational flexibility of BPFDoor, enabling direct connection modes and further complicating detection efforts.
The new controller also introduced the ability to modify key parameters on the fly, such as changing magic sequences or communication protocols, making BPFDoor even more adaptive and resistant to static detection techniques.
Impact on Telecommunications and Other Sectors
BPFDoor has been repeatedly observed in intrusions targeting telecommunications companies, a pattern with serious national security implications. Telecommunications networks carry sensitive communications and operate critical, high-value infrastructure, making them prime targets for cyberespionage. Multiple investigations have documented how the group behind BPFDoor, known as Red Menshen, used the malware to infiltrate telecom providers across the United States, Asia, and the Middle East, as well as various government, postal, and logistics networks.
In these operations, attackers typically compromised Linux servers within telecom data centers or their network management systems, securing footholds that allowed them to monitor or manipulate network traffic without raising immediate suspicion. By leveraging BPFDoor’s stealthy design, attackers could exfiltrate sensitive customer information, intercept communications such as calls or messages, and even prepare the ground for future disruptive operations, all while remaining invisible to standard security monitoring.
The year 2024 provided concrete examples of BPFDoor’s widespread deployment. Telecommunications companies in South Korea and Myanmar were attacked in December 2024, while a major retailer in Malaysia faced a similar intrusion in October. Earlier incidents involved an Egyptian financial services firm in September 2024, another South Korean telecom in July, and a Hong Kong-based telecommunications provider in January. In each case, BPFDoor’s deep hiding capabilities allowed it to operate undetected for extended periods. Security teams did not observe any abnormal open ports or easily identifiable anomalies; only thorough forensic or memory-level investigations revealed the backdoor’s presence.
The rapid succession of attacks across multiple sectors and countries strongly suggests that attackers actively used BPFDoor to establish persistent access and move laterally within carrier networks. This means a significant risk for telecommunications companies: even if perimeter defenses appear intact, BPFDoor could quietly reside within internal servers, awaiting a trigger to act. Its stealthy nature renders it a nearly perfect tool for long-term espionage operations against high-value networks, allowing attackers to maintain a hidden presence for months or longer without obvious signs of compromise.
Notable Incidents in 2024
Several significant BPFDoor campaigns were documented throughout 2024, mainly targeting telecommunications and related industries across Asia and the Middle East. Although the names of specific affected companies have generally not been disclosed, the attack patterns observed in these incidents reveal consistent tactics. Typically, attackers would breach a Linux-based server, often through vulnerabilities in web-facing applications or VPN systems, and then install BPFDoor under a concealed file path that imitates a legitimate file. Common hiding places included paths such as /tmp/zabbix_agent.log, /bin/vmtoolsdsrv, or /etc/sysconfig/rhn/rhnsd.conf.
In some cases, forensic investigations found that two or more servers within the same network had been infected simultaneously, indicating that BPFDoor was used not only to maintain access but also to pivot laterally and deploy additional tools inside the victim’s infrastructure after initial compromise. In all documented cases, the backdoor remained functional for days or even weeks, providing attackers ample opportunity to gather intelligence, move deeper within the networks, and potentially disrupt operations.
The use of a newly discovered controller tool by the attackers further enhanced their operational capabilities. This tool allowed operators to issue interactive commands across multiple compromised hosts seamlessly. Analysts consistently emphasized that BPFDoor’s activities were effectively invisible to ordinary network security defenses. Its reliance on kernel-level packet inspection and covert triggering mechanisms meant that traditional monitoring, firewalls, or antivirus software failed to detect its presence without in-depth memory forensics or highly specialized detection measures.
The incidents of 2024 demonstrated not only the advanced capabilities of BPFDoor but also the real and ongoing threat it poses to critical sectors. These attacks revealed how even highly protected industries could be silently compromised over extended periods without any clear signs of intrusion, indicating the urgent need for organizations to adopt more advanced threat detection and response strategies.
Source Code Exposure
A significant development occurred in 2022 when the source code for BPFDoor was publicly leaked. Reports indicated that a GitHub repository appeared containing the original C code of BPFDoor, which had been previously attributed to the Red Menshen group. This leak fundamentally changed the threat landscape, as it meant that any adversary—not just the original developers—could study, modify, and recompile the malware.
The public availability of BPFDoor’s source code significantly complicates the process of attribution. Once a malware’s code is freely accessible, it becomes difficult to determine whether a new attack is conducted by the original group or by entirely different actors using the same toolset. This erosion of attribution clarity introduces serious challenges for cybersecurity investigations and incident response efforts.
The leak also likely accelerated BPFDoor’s evolution. Rival hacking groups, independent cybercriminals, and even opportunistic individuals could alter the backdoor—modifying its magic sequences, adjusting stealth mechanisms, or introducing new evasion features—without having to build their tools from scratch. While this poses a greater threat to potential targets, defenders gained some advantages as well. With access to the leaked code, security researchers have been able to analyze BPFDoor’s inner workings in greater detail, develop specific detection methods, and improve defensive strategies. BPFDoor is now cataloged in security frameworks such as MITRE ATT&CK, where it is listed under software ID S1161, reflecting its support for multi-protocol command-and-control and its ability to bypass firewall protections.
Nevertheless, the leak shows a troubling trend: state-developed cyber tools are increasingly escaping their original operators and becoming commodities in the global cyber threat ecosystem. As noted by multiple security experts, the public availability of BPFDoor's code has the potential to spawn numerous variants, potentially used by different hacking groups for purposes ranging from espionage to financial crime.
Future Threat Landscape and Conclusions
The emergence and proliferation of BPFDoor represent a new frontier in cyberespionage, where attackers exploit built-in operating system components, such as the Berkeley Packet Filter (BPF) and its more advanced successor eBPF, to achieve near-complete invisibility. BPF, although originally designed for legitimate network traffic filtering and performance optimization, has opened a previously unexplored avenue for malware authors to run malicious logic in the operating system’s kernel space, well beneath the layers where traditional security tools operate.
Security experts warn that unless defenders adapt, kernel-level threats like BPFDoor could become increasingly common. If attackers can reliably hide their implants within core components like BPF, many endpoint detection and response (EDR) systems, intrusion detection systems (IDS), and antivirus programs will fail to spot them. Beyond BPFDoor, researchers have already observed other malware prototypes, such as Symbiote and TripleCross, leveraging BPF hooks to manipulate or intercept network traffic at the kernel level.
As cloud computing platforms, telecommunications infrastructure, and edge routers increasingly rely on Linux-based systems, the surface area vulnerable to BPF-based attacks is expanding. This makes critical infrastructure, national telecommunications networks, and cloud data centers attractive and increasingly accessible targets for sophisticated threat actors.
For national security, BPFDoor raises substantial concerns. Telecommunications networks, being vital for economic activity, governance, and security, are particularly susceptible to espionage operations that use covert implants like BPFDoor. The malware’s ability to persist undetected, execute complex remote commands, and exfiltrate sensitive information poses a direct risk to sovereignty, privacy, and stability.
To mitigate these threats, defenders must adopt new strategies. This includes monitoring for unusual BPF programs, performing kernel auditing, scanning memory for magic packet constants, and conducting frequent integrity checks on system binaries. Traditional perimeter defenses are no longer sufficient; a deeper visibility into kernel-space activities is becoming essential.
Given the public availability of BPFDoor’s source code, it is highly likely that new variants—or entirely new backdoors inspired by its techniques—will appear in the coming years. BPFDoor’s design philosophy, which blends stealth, persistence, and flexibility, is likely to influence the next generation of advanced persistent threats.
In conclusion, BPFDoor’s discovery and subsequent evolution show the growing sophistication of modern APT toolkits. Its innovative use of the BPF facility as a command-and-control mechanism makes it exceptionally stealthy and resilient. Organizations, especially those in telecommunications and critical infrastructure sectors, must remain vigilant against this emerging class of threats—malware that operates not in plain view, but deep within the foundational layers of their systems.