{
	"id": "18143e9f-d166-441e-b25f-ea0a8745a28e",
	"created_at": "2026-04-10T03:22:04.668637Z",
	"updated_at": "2026-04-10T13:12:36.209097Z",
	"deleted_at": null,
	"sha1_hash": "a2d3a6321f64d5ba3b083aed22713c54b6872549",
	"title": "Stealthier version of Linux BPFDoor malware spotted in the wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3265538,
	"plain_text": "Stealthier version of Linux BPFDoor malware spotted in the wild\r\nBy Bill Toulas\r\nPublished: 2023-05-11 · Archived: 2026-04-10 03:05:51 UTC\r\nA new, stealthier variant of the Linux malware 'BPFDoor' has been discovered, featuring more robust encryption and reverse shell communications.\r\nBPFDoor is a stealthy backdoor malware that has been active since at least 2017 but was only discovered by security researchers around 12 months ago.\r\nThe malware gets its name from its use of the 'Berkeley Packet Filter' (BPF) to receive instructions while bypassing firewall restrictions on incoming traffic.\r\nBPFDoor is designed to allow threat actors to maintain lengthy persistence on breached Linux systems and remain undetected for extended periods.\r\nhttps://www.bleepingcomputer.com/news/security/stealthier-version-of-linux-bpfdoor-malware-spotted-in-the-wild/\r\nPage 1 of 6\r\n\r\nNew BPFDoor version\r\nUntil 2022, the malware used RC4 encryption, a bind shell, and iptables for communication, while commands and filenames were hardcoded.\r\nThe newer variant analyzed by Deep Instinct features static library encryption and reverse shell communication, and all commands are sent by the C2 server.\r\nDifferences between the old and new versions (Deep Instinct)\r\nBy incorporating the encryption within a static library, the malware developers achieve better stealth and obfuscation, as the reliance on external libraries, such as one providing the RC4 cipher algorithm, is removed.\r\nThe main advantage of the reverse shell over the bind shell is that the former establishes a connection from the infected host to the threat actor's command and control servers, allowing communication with the attackers' servers even when a firewall protects the network.\r\nFinally, removing hardcoded commands makes it less likely for anti-virus software to detect the malware using static analysis such as signature-based detection. It theoretically also gives it more flexibility, supporting a more diverse command set.\r\nDeep Instinct reports that the latest version of BPFDoor is not flagged as malicious by any available AV engines on VirusTotal, despite its first submission on the platform dating from February 2023.\r\nOperation logic\r\nUpon first execution, BPFDoor creates and locks a runtime file at \"/var/run/initd.lock,\" then forks itself to run as a child process, and finally sets itself to ignore various OS signals that could interrupt it.\r\nOS signals the malware is set to ignore (Deep Instinct)\r\nNext, the malware allocates a memory buffer and creates a packet sniffing socket that it uses to monitor incoming traffic for a \"magic\" byte sequence (\"\\x44\\x30\\xCD\\x9F\\x5E\\x14\\x27\\x66\").\r\nLooking for the magic byte sequence (Deep Instinct)\r\nAt this stage, BPFDoor attaches a Berkeley Packet Filter to the socket to read only UDP, TCP, and SCTP traffic through ports 22 (SSH), 80 (HTTP), and 443 (HTTPS).\r\nAny firewall restrictions present on the breached machine won't impact this sniffing activity because BPFDoor operates at such a low level that they're not applicable.\r\nBPF on a socket (Deep Instinct)\r\n\"When BPFdoor finds a packet containing its \"magic\" bytes in the filtered traffic, it will treat it as a message from its operator and will parse out two fields and will again fork itself,\" explains Deep Instinct.\r\n\"The parent process will continue and monitor the filtered traffic coming through the socket while the child will treat the previously parsed fields as a Command \u0026 Control IP-Port combination and will attempt to contact it.\"\r\nAfter establishing a connection with the C2, the malware sets up a reverse shell and waits for a command from the server.\r\nOperational diagram (Deep Instinct)\r\nBPFDoor remains undetected by security software, so system admins may only rely on rigorous network traffic and log monitoring, using state-of-the-art endpoint protection products, and monitoring the integrity of the file \"/var/run/initd.lock.\"\r\nAlso, a May 2022 report by CrowdStrike highlighted that BPFDoor used a 2019 vulnerability to achieve persistence on targeted systems, so applying the available security updates is always a crucial strategy against all types of malware.\r\nSource: https://www.bleepingcomputer.com/news/security/stealthier-version-of-linux-bpfdoor-malware-spotted-in-the-wild/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/stealthier-version-of-linux-bpfdoor-malware-spotted-in-the-wild/"
	],
	"report_names": [
		"stealthier-version-of-linux-bpfdoor-malware-spotted-in-the-wild"
	],
	"threat_actors": [],
	"ts_created_at": 1775791324,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a2d3a6321f64d5ba3b083aed22713c54b6872549.pdf",
		"text": "https://archive.orkl.eu/a2d3a6321f64d5ba3b083aed22713c54b6872549.txt",
		"img": "https://archive.orkl.eu/a2d3a6321f64d5ba3b083aed22713c54b6872549.jpg"
	}
}