{
	"id": "63994d51-749b-4511-bbe7-3062e6e8ab65",
	"created_at": "2026-04-06T00:07:38.201361Z",
	"updated_at": "2026-04-10T03:33:12.093561Z",
	"deleted_at": null,
	"sha1_hash": "9e35d7c3dc7f08d635bc1892edab63d8263d7e8f",
	"title": "BPFDoor Malware Evolves – Stealthy Sniffing Backdoor ups its Game | Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 806849,
	"plain_text": "BPFDoor Malware Evolves – Stealthy Sniffing Backdoor ups its Game | Deep Instinct\r\nBy Shaul Vilkomir-Preisman, Threat Intelligence Researcher\r\nPublished: 2023-05-10 · Archived: 2026-04-05 18:04:58 UTC\r\nWhat is BPFdoor?\r\nBPFdoor is a Linux-specific, low-profile, passive backdoor intended to maintain a persistent, long-term foothold in already-breached networks and environments. Its primary function is to ensure that an attacker can re-enter an infected system over an extended period of time, post-compromise.\r\nThe malware gets its name from its use of a Berkeley Packet Filter, an unusual way of receiving its instructions and evading detection: the filter is attached to a raw packet socket, so the backdoor sees incoming packets before host firewall rules are applied to them.\r\nThe malware is associated with a Chinese threat actor, Red Menshen (AKA Red Dev 18), which has been observed targeting telecommunications providers across the Middle East and Asia, as well as entities in the government, education, and logistics sectors, since 2021.\r\nWhen it was first discovered, approximately one year before this writing, BPFdoor was noted for its effective and elegant design and its strong emphasis on stealth, an essential element in maintaining undetected long-term persistence.\r\nRecently, Deep Instinct’s threat lab observed and analyzed a previously undocumented and fully undetected new variant of BPFdoor.\r\nNew, Stealthier Variant\r\nSeveral key differences make this new variant even stealthier than the previous version:\r\n\r\n               “New stealthy” 2023 variant                                              “Old” 2022 variant\r\nEncryption     Statically linked encryption library (libtomcrypt)                        RC4 encryption\r\nCommunication  Reverse shell                                                            Bind shell and iptables\r\nCommands       No hardcoded commands; all commands are sent through the reverse shell   Hardcoded commands\r\nFilenames      Not hardcoded                                                            Hardcoded\r\n\r\nhttps://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game\r\nPage 1 of 13\r\nOne of the most significant differences from the previous variant is the removal of many of its hardcoded indicators, which makes the newer version more difficult to detect. Since it was first seen on VirusTotal in February 2023, the new variant has remained undetected and is still undetected as of this writing.\r\nBPFdoor Technical Analysis\r\nWhen executed, the BPFdoor sample attempts to create and lock a runtime file at “/var/run/initd.lock”, using that file as a makeshift mutex, and exits if it fails to obtain the lock.\r\nFigure 1 - BPFdoor \"mutex\" check\r\nIf successful, BPFdoor forks itself and continues to run as the child process. In this context it closes its stdin, stdout, and stderr streams and sets itself to ignore the following operating system signals (numbers as on x86-64 and ARM Linux):\r\n\r\nSignal number  Signal name  Signal description\r\n1              SIGHUP       Sent to a process when its controlling terminal is closed (\"hang-up\").\r\n2              SIGINT       Sent when the user interrupts the program from the terminal (Ctrl+C).\r\n3              SIGQUIT      Sent from the terminal (Ctrl+\\) to make the process quit and dump core.\r\n13             SIGPIPE      Sent on a write to a pipe or socket whose reading end has been closed.\r\n17             SIGCHLD      Sent to a parent when one of its child processes exits or stops.\r\n21             SIGTTIN      Sent to a background process that attempts to read from its controlling terminal.\r\n22             SIGTTOU      Sent to a background process that attempts to write to its controlling terminal.\r\n\r\nIgnoring these signals hardens BPFdoor against tampering with its process: closing the terminal, Ctrl+C, Ctrl+\\ or a broken pipe no longer terminates it, and ignoring SIGCHLD makes the kernel reap its forked children automatically, so no zombie processes are left behind to draw attention.\r\nHaving set up the above, BPFdoor then allocates a memory buffer and creates a socket as follows:\r\nFigure 2 - Socket arguments\r\nFigure 3 - Socket creation\r\nIt will proceed to specify the 
following socket options using setsockopt:\r\nFigure 4 - Setsockopt options\r\nFigure 5 - Call to setsockopt\r\nIt then reads from the socket in a loop (described further below) using recvfrom:\r\nFigure 6 - Recvfrom arguments\r\nFigure 7 - Recvfrom call\r\nAn interesting point in this flow is that the src_addr (“addr”) argument to recvfrom is NULL. That argument, when supplied, receives the address of the peer that sent the data; in addition, the socket is not connected and no bind or listen calls have been made. So, what exactly is going on here?\r\nInterpreting the arguments used to create the socket reveals that the call is structured as follows:\r\nFigure 8 - Socket call\r\nThis creates a packet socket (AF_PACKET, SOCK_RAW): a packet-sniffing socket that receives a copy of every frame reaching the machine, from the Ethernet layer up, without being bound to any particular protocol or port. A packet socket needs no bind or connect call before it starts receiving, and src_addr is an optional output parameter, so recvfrom simply returns the next frame the socket is given.\r\nBPFdoor reads from this sniffing socket with recvfrom and uses the loop below to search each frame for a specific “magic” byte sequence:\r\nFigure 9 - Looped search for \"magic\" byte sequence (highlighted)\r\n“Magic” byte sequence: \\x44\\x30\\xCD\\x9F\\x5E\\x14\\x27\\x66\r\nOnce the sequence is found, the loop breaks and BPFdoor continues to its next phase of operation.\r\nOn its own, however, a sniffing socket delivers every frame on the interface, which is far more traffic than BPFdoor would want to inspect in user mode.\r\nLet’s examine the usage of setsockopt a bit further. Parsing its arguments brings us to the following code:\r\nFigure 10 - Setsockopt attaches BPF\r\nThis is where BPFdoor gets its name from. 
The code in Figure 10 attaches a Berkeley Packet Filter to the socket; this is the very same mechanism that underpins infosec staples such as libpcap, and it lets BPFdoor have the kernel discard “uninteresting” traffic before it ever reaches the socket.\r\nA Berkeley Packet Filter can be defined as in the example below, which accepts TCP over IPv4:\r\nFigure 11 - BPF example\r\nBy setting the socket option SO_ATTACH_FILTER and pointing filter to the following sock_filter_code:\r\nFigure 12 - BPF sock_filter_code\r\nBPFdoor instructs the kernel to pass only UDP, TCP, and SCTP traffic on ports 22 (ssh), 80 (http), and 443 (https) to its socket.\r\nBecause the packet socket is fed at the link layer, before the netfilter hooks that host firewalls (iptables, nftables) use, rules that drop incoming traffic do not stop BPFdoor from seeing it; the backdoor can be woken by packets that would otherwise never surface to a user-mode listener on the machine. (A firewall upstream of the host still blocks such a packet before it arrives.)\r\nWhen BPFdoor finds a packet containing its “magic” bytes in the filtered traffic, it treats the packet as a message from its operator, parses out two fields, and forks itself again.\r\nThe parent process continues to monitor the filtered traffic coming through the socket, while the child treats the two parsed fields as a Command \u0026 Control IP:port combination and attempts to contact it.\r\nFigure 13 - Connect to Command \u0026 Control\r\nAnother interesting point: this variant of BPFdoor contains a statically linked, pre-compiled copy of libtomcrypt, an open-source encryption library, as can be seen in the sample’s embedded strings, which also offer a few additional insights:\r\nFigure 14 - Contained 
strings\r\nWe can see that the library was compiled at the beginning of October 2022 using GCC on a system running Red Hat Linux. This may suggest that the variant was operational significantly earlier than its first appearance on VirusTotal.\r\nBy compiling our own version of the library in similar fashion and using BinDiff to compare it against BPFdoor, we can identify its statically linked exports:\r\nFigure 15 - Libtomcrypt BinDiff snippet\r\nHaving made the comparison, we determined that BPFdoor uses libtomcrypt functionality to set up an encrypted “reverse-shell” session with its Command \u0026 Control. This replaces the RC4-based mechanism of the previous variant.\r\nAfter this session is established, BPFdoor enters a command loop, shown as a flow diagram in the original post.\r\nConclusion\r\nBPFdoor retains its reputation as an extremely stealthy and difficult-to-detect malware with this latest iteration. Whether one takes the encryption library’s compilation time (October 2022) or the sample’s initial submission to VirusTotal (February 2023) as the point at which it was first put into use, it is remarkable how long it has remained fully undetected.\r\nFigure 16 \u0026 17 - 0 VirusTotal detections, 7 different scans.\r\nIOCs\r\nafa8a32ec29a31f152ba20a30eb483520fe50f2dce6c9aa9135d88f7c9c511d7 – BPFDoor ELF SHA256\r\n/var/run/initd.lock – BPFDoor \"mutex\"\r\nMITRE ATT\u0026CK:\r\n\r\nTactic                                              Technique                                      Description                                                    Observable\r\nCommand and Control, Defense Evasion, Persistence   T1205 - Traffic Signaling                      Attacker employs “magic” values to trigger a response.         “Magic” byte sequence\r\nCommand and Control, Defense Evasion, Persistence   T1205.002 - Traffic Signaling: Socket Filters  Attacker attaches a filter to a network socket.                Usage of Berkeley Packet Filter\r\nCommand and Control                                 T1573 - Encrypted Channel                      Attacker employs encrypted Command \u0026 Control communication.    Usage of libtomcrypt\r\nExecution                                           T1106 - Native API                             Attacker calls native OS APIs in order to execute behaviors.   Usage of popen\r\n\r\nEarlier variant analysis:\r\nhttps://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor\r\nDeep Instinct takes a prevention-first approach to stopping ransomware and other malware using the world’s first and only purpose-built, deep learning cybersecurity framework. We prevent ransomware, zero-day threats, and previously unknown malware in \u003c20 milliseconds, 750x faster than the fastest ransomware can encrypt. Deep Instinct has \u003e99% zero-day accuracy and promises a \u003c0.1% false positive rate. The Deep Instinct Prevention Platform is an essential addition to every security stack – providing complete, multi-layered protection against threats across hybrid environments.\r\nSource: https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game"
	],
	"report_names": [
		"bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game"
	],
	"threat_actors": [
		{
			"id": "9c8a7541-1ce3-450a-9e41-494bc7af11a4",
			"created_at": "2023-01-06T13:46:39.358343Z",
			"updated_at": "2026-04-10T02:00:03.300601Z",
			"deleted_at": null,
			"main_name": "Red Menshen",
			"aliases": [
				"Earth Bluecrow",
				"Red Dev 18"
			],
			"source_name": "MISPGALAXY:Red Menshen",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434058,
	"ts_updated_at": 1775791992,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e35d7c3dc7f08d635bc1892edab63d8263d7e8f.pdf",
		"text": "https://archive.orkl.eu/9e35d7c3dc7f08d635bc1892edab63d8263d7e8f.txt",
		"img": "https://archive.orkl.eu/9e35d7c3dc7f08d635bc1892edab63d8263d7e8f.jpg"
	}
}