{
	"id": "12907ca3-2ba0-45fc-b75d-1db055c31a24",
	"created_at": "2026-04-10T03:21:17.623905Z",
	"updated_at": "2026-04-10T13:11:58.221544Z",
	"deleted_at": null,
	"sha1_hash": "9e29a83a17f0ae32b6739f16d54e32061bef63c3",
	"title": "BPFDoor — an active Chinese global surveillance tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 325901,
	"plain_text": "BPFDoor — an active Chinese global surveillance tool\r\nBy Kevin Beaumont\r\nPublished: 2022-05-08 · Archived: 2026-04-10 02:32:00 UTC\r\nMay 7, 2022\r\nRecently, PwC Threat Intelligence documented the existence of BPFDoor, a passive network implant for Linux\r\nthey attribute to Red Menshen, a Chinese threat actor group.\r\nhttps://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896\r\nPage 1 of 3\n\nYou can read more in PwC’s great, yearly threat intelligence brief, here.\r\nPwC plan to present their findings in June:\r\nBPFDoor is interesting. It allows a threat actor to backdoor a system for remote code execution, without opening\r\nany new network ports or firewall rules. For example, if a webapp exists on port 443, it can listen and react on the\r\nexisting port 443, and the implant can be reached over the webapp port (even with the webapp running). This is\r\nbecause it uses a BPF packet filter.\n\nOperators have access to a tool which allows communication to the implants, using a password, which allows\r\nfeatures such as remotely executing commands. This works over internal and internet…\r\nSource: https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896"
	],
	"report_names": [
		"bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896"
	],
	"threat_actors": [],
	"ts_created_at": 1775791277,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e29a83a17f0ae32b6739f16d54e32061bef63c3.pdf",
		"text": "https://archive.orkl.eu/9e29a83a17f0ae32b6739f16d54e32061bef63c3.txt",
		"img": "https://archive.orkl.eu/9e29a83a17f0ae32b6739f16d54e32061bef63c3.jpg"
	}
}