{ "id": "c9cb91f7-cd3f-4f12-b905-7b5630b480ef", "created_at": "2026-04-06T00:06:54.083732Z", "updated_at": "2026-04-10T03:33:12.107949Z", "deleted_at": null, "sha1_hash": "4bf7d837a4bd64a77b02bba0d4e84fb0082f9eeb", "title": "Here’s a Simple Script to Detect the Stealthy Nation-State BPFDoor", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1955213, "plain_text": "Here’s a Simple Script to Detect the Stealthy Nation-State\r\nBPFDoor\r\nBy Qualys\r\nPublished: 2022-08-01 · Archived: 2026-04-05 18:47:33 UTC\r\nIn this blog, the Qualys Research Team explains the mechanics of a Linux malware variant named BPFdoor. We\r\nthen demonstrate the efficacy of Qualys Custom Assessment and Remediation to detect it, and Qualys Multi-Vector\r\nEDR to protect against it.\r\nBPFDoor is a Linux/Unix backdoor that allows threat actors to remotely connect to a Linux shell to gain complete\r\naccess to a compromised device. It supports multiple protocols for communicating with a command \u0026 control\r\nserver (C2) including TCP, UDP, and ICMP. It notably utilizes Berkeley Packet Filters (BPF) along with several\r\nother techniques to achieve these goals. BPF is a hooking function that allows a user-space program to attach a\r\nnetwork filter onto any socket, and then allows or disallows certain types of data to come through that socket.\r\nBPFDoor has been attributed to a Chinese threat actor group named Red Menshen (aka DecisiveArchitect), where\r\nthe attackers have used it to gain stealthy remote access to compromised devices starting back in 2018 to the\r\npresent day. Systems have been compromised across the US, South Korea, Hong Kong, Turkey, India, Vietnam,\r\nand Myanmar. Targets have included telecommunications, government, education, and logistics organizations. The\r\ngroup has been seen sending commands to BPFDoor victims via Virtual Private Servers (VPS) hosted at a well-known provider. In turn, these VPSs are administered via compromised routers based in Taiwan that the threat\r\nactor uses as VPN tunnels.\r\nTarget Geographies: Middle East, Asia\r\nTarget Sectors: Logistics, Education, Government\r\nMalware Tools: Mangzamel, Gh0st, Gh0st, Metasploit, BPFDoor\r\nTechnical Analysis of BPFDoor\r\nExecution\r\nThe threat actor leverages a custom implant tracked by the name “JustForFun”. When executed, the implant\r\noverwrites the process command line within the process environment by randomly selecting a new binary name\r\nfrom one of ten hard-coded options (shown in Figure 1). This masquerading technique is used to evade security\r\nsolutions.\r\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor\r\nPage 1 of 10\n\nFigure 1: List of process names for Masquerading\r\nThe attacker interacts with the implant through the bash process to establish an interactive shell on a system. The\r\ncommand indicates the usage of Postfix queue manager (shown in Fig. 2).\r\nqmgr -l -t fifo -u\r\nFigure 2: Encoded shell and qmgr commands\r\nMasquerading (Rename the process)\r\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor\r\nPage 2 of 10\n\nFigure 3: Code uses prctl to rename the malware process\r\nThe malware will rename itself using the prctl function with the argument PR_SET_NAME, and a random\r\nlegitimate-looking name (Fig. 3). These names are hardcoded in the binary and vary between the samples.\r\nTimestomping\r\nFigure 4: Code for Timestomping\r\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor\r\nPage 3 of 10\n\nThe implant sets a fake time to timestomp the binary before deletion. A function dubbed set_time was called to\r\nalter the access and modification timestamp of the binary using the utimes function (Fig. 4). The timestamp used\r\nwas always set to Thursday, October 30, 2008 7:17:16 PM (GMT).\r\nPID File\r\nThe implant creates a zero-byte PID file at /var/run/haldrund.pid (Fig. 5). The file has two conditions:\r\nThis file is deleted if the implant terminates normally,\r\nThe file is not deleted, if there is a problem like hard shutdown or crash.\r\nThe implant will not resume if this file is present as it describes the running state for the backdoor.\r\nFigure 5: Encoded command for creating PID file\r\nQualys Custom Assessment and Remediation can be leveraged to create and execute custom detection logics for\r\nzero-day threats. This cloud service supports multiple scripting languages including Perl, Shell, Python, Lua,\r\nPowerShell, and VBScript with no vendor-specific syntax or restrictions. Select the language of your choice and\r\nstart by leveraging out-of-the-box scripts or creating your own scripts for custom detection, validation, and\r\nremediation.  \r\nWe created the Shell script as part of our detection logic via the Qualys scripting service and executed it across the\r\nnetwork.\r\nUsing this script, we are looking for packet sniffing processes under the entire process stack and checking if an\r\nexisting process has opened a raw socket using the default Linux utility lsof. Refer the following screenshots of\r\nthe script (Fig. 6) and its output (Fig. 7).\r\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor\r\nPage 4 of 10\n\nFigure 6: Script to detect BPFdoor\r\nFigure 7: BPFdoor detection\r\nBPFDoor Detection using Qualys Multi-Vector EDR\r\nQualys Multi-Vector EDR, armed with YARA scanning techniques, detects the BPFdoor RAT with a threat score\r\nof 5/10 (Fig. 8).\r\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor\r\nPage 5 of 10\n\nFigure 8: Qualys Multi-Vector EDR detection for BPFdoor\r\nAfter execution, the binary masquerades its name by selecting from one of 10 names randomly:\r\n/sbin/udevd -d\r\n/sbin/mingetty /dev/tty7\r\n/usr/sbin/console-kit-daemon --no-daemon\r\nhald-addon-acpi: listening on acpi kernel interface /proc/acpi/event\r\ndbus-daemon --system\r\nhald-runnerpickup -l -t fifo -u\r\navahi-daemon: chroot helper\r\n/sbin/auditd -n\r\n/usr/lib/systemd/systemd-journald\r\nThe highlighted name was used during the execution. The names are made to look like common Linux system\r\ndaemons. The implant overwrites the argv[0] value which is used by the Linux /proc filesystem to determine the\r\ncommand line and command name to show for each process. By doing this, when a run command like ps is\r\nexecuted, it shows the fake name.\r\nThe renamed binary is dropped to the /dev/shm directory and runs itself as /dev/shm/kdmtmpflush (Figs. 9 and\r\n10). The masqueraded process with a “–init” flag tells itself to execute secondary clean-up operations and go\r\nresident.\r\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor\r\nPage 6 of 10\n\nFigure 9: Qualys Multi-Vector EDR telemetry for detecting Masquerading\r\nFigure 10: BPFdoor Process Tree\r\nThe implant creates a zero-byte PID file at /var/run/haldrund.pid (Fig. 11).\r\nFigure 11: Creation of PID file by BPFdoor\r\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor\r\nPage 7 of 10\n\nAs shown in figure 12, The original execution process deletes /dev/shm/kdmtmpflush with the following\r\ncommand:\r\n/bin/rm -f /dev/sfm/kdmtmpflush\r\nFigure 12: Deletion of /dev/shm/kdmtmpflush directory\r\nConclusion\r\nAs with most remote access tools, BPFDoor is visible during the post-exploitation phase of an attack. It is\r\nexpected that the authors behind BPFdoor will be upgrading its functionality over time, including different\r\ncommands, processes, or files. This malware has a vast arsenal at its disposal. Therefore, we recommend that\r\norganizations have a robust EDR solution to both detect its signatures and adequately respond to the threat.\r\nMITRE ATT\u0026CK Techniques\r\nT1036.005- Masquerading: Match Legitimate Name or Location\r\nT1070.004- Indicator Removal on Host: File Deletion\r\nT1070.006- Indicator Removal on Host: Time Stomp\r\nT1059.004- Command and Scripting Interpreter: Unix Shell\r\nT1106- Native API\r\nT1548.001- Abuse Elevation Control Mechanism: Setuid and Setgid\r\nT1095- Non-Application Layer Protocol\r\nIoC (Indicators of Compromise)\r\nHashes (SHA256)\r\n07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d\r\n1925e3cd8a1b0bba0d297830636cdb9ebf002698c8fa71e0063581204f4e8345\r\n4c5cf8f977fc7c368a8e095700a44be36c8332462c0b1e41bff03238b2bf2a2d\r\n591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78\r\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor\r\nPage 8 of 10\n\n599ae527f10ddb4625687748b7d3734ee51673b664f2e5d0346e64f85e185683\r\n5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9\r\n5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3\r\n76bf736b25d5c9aaf6a84edd4e615796fffc338a893b49c120c0b4941ce37925\r\n93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c\r\n96e906128095dead57fdc9ce8688bb889166b67c9a1b8fdb93d7cff7f3836bb9\r\n97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc\r\nc796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276\r\nc80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c\r\nf47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72\r\nf8a5e735d6e79eb587954a371515a82a15883cf2eda9d7ddb8938b86e714ea27\r\nfa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73\r\nfd1b20ee5bd429046d3c04e9c675c41e9095bea70e0329bd32d7edd17ebaf68a\r\n144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3\r\nfa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73\r\n76bf736b25d5c9aaf6a84edd4e615796fffc338a893b49c120c0b4941ce37925\r\n96e906128095dead57fdc9ce8688bb889166b67c9a1b8fdb93d7cff7f3836bb9\r\nc80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c\r\nf47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72\r\n07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d\r\n4c5cf8f977fc7c368a8e095700a44be36c8332462c0b1e41bff03238b2bf2a2d\r\n599ae527f10ddb4625687748b7d3734ee51673b664f2e5d0346e64f85e185683\r\n5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9\r\n5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3\r\n93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c\r\n97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc\r\nc796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276\r\nf8a5e735d6e79eb587954a371515a82a15883cf2eda9d7ddb8938b86e714ea27\r\nfd1b20ee5bd429046d3c04e9c675c41e9095bea70e0329bd32d7edd17ebaf68a\r\nFilenames\r\n/dev/shm/kdmtmpflush\r\n/dev/shm/kdumpflush\r\n/dev/shm/kdumpdb\r\n/var/run/xinetd.lock\r\n/var/run/kdevrund.pid\r\n/var/run/haldrund.pid\r\n/var/run/syslogd.reboot\r\nProcess names\r\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor\r\nPage 9 of 10\n\n/sbin/udevd -d\r\n/sbin/mingetty /dev/tty7\r\n/usr/sbin/console-kit-daemon –no-daemon\r\nhald-addon-acpi: listening on acpi kernel interface /proc/acpi/event\r\ndbus-daemon –system\r\nhald-runner\r\npickup -l -t fifo -u\r\navahi-daemon: chroot helper\r\n/sbin/auditd -n\r\n/usr/lib/systemd/systemd-journald\r\n/usr/libexec/postfix/master\r\nqmgr -l -t fifo -u\r\nContributors:\r\nViren Chaudhary (Senior Engineer, Threat Research, Qualys)\r\nMukesh Choudhary (Compliance Research Analyst, Qualys)\r\nLavish Jhamb (Solutions Architect, Compliance Solutions, Qualys)\r\nMohd Anas Khan (Compliance Research Analyst, Qualys)\r\nSource: https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor\r\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor\r\nPage 10 of 10", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor" ], "report_names": [ "heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor" ], "threat_actors": [ { "id": "ece64b74-f887-4d58-9004-2d1406d37337", "created_at": "2022-10-25T16:07:23.794442Z", "updated_at": "2026-04-10T02:00:04.751764Z", "deleted_at": null, "main_name": "LightBasin", "aliases": [ "DecisiveArchitect", "Luminal Panda", "TH-239", "UNC1945" ], "source_name": "ETDA:LightBasin", "tools": [ "CordScan", "EVILSUN", "FRP", "Fast Reverse Proxy", "Impacket", "LEMONSTICK", "LOGBLEACH", "LOLBAS", "LOLBins", "Living off the Land", "OKSOLO", "OPENSHACKLE", "ProxyChains", "Pupy", "PupyRAT", "SIGTRANslator", "SLAPSTICK", "SMBExec", "STEELCORGI", "Tiny SHell", "pupy", "tsh" ], "source_id": "ETDA", "reports": null }, { "id": "9c8a7541-1ce3-450a-9e41-494bc7af11a4", "created_at": "2023-01-06T13:46:39.358343Z", "updated_at": "2026-04-10T02:00:03.300601Z", "deleted_at": null, "main_name": "Red Menshen", "aliases": [ "Earth Bluecrow", "Red Dev 18" ], "source_name": "MISPGALAXY:Red Menshen", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434014, "ts_updated_at": 1775791992, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/4bf7d837a4bd64a77b02bba0d4e84fb0082f9eeb.pdf", "text": "https://archive.orkl.eu/4bf7d837a4bd64a77b02bba0d4e84fb0082f9eeb.txt", "img": "https://archive.orkl.eu/4bf7d837a4bd64a77b02bba0d4e84fb0082f9eeb.jpg" } }