New BPFDoor Linux Backdoor Variants Use Stateless C2 to Evade Detection
Key Takeaways
- New, highly stealthy variants of the BPFDoor Linux backdoor have been identified, significantly improving its evasion capabilities.
- The malware, linked to the China-nexus threat actor Red Menshen, targets critical Linux servers within global telecom infrastructure.
- Key enhancements include stateless command-and-control (C2) and ICMP relay functionality, making detection and removal exceptionally difficult.
- BPFDoor operates by abusing the Berkeley Packet Filter to monitor network traffic without opening visible ports, activating only upon receiving a specific “magic packet.”
- Defenders should focus on monitoring raw socket usage, unusual ICMP traffic, and auditing process names for signs of compromise.
The persistent Linux backdoor known as BPFDoor has re-emerged with advanced capabilities, making it even more formidable. Cybersecurity researchers have uncovered these new iterations, which are specifically engineered for heightened stealth and evasion within sensitive network environments, particularly critical infrastructure.
These updated versions are attributed to Red Menshen, a threat actor group with suspected ties to China. Their primary targets are Linux servers embedded deep within global telecommunications networks, indicating a focus on high-value, strategic espionage.
Unlike its predecessors, the latest BPFDoor variants incorporate sophisticated techniques that render them significantly harder to detect and remove once they have infiltrated a system.
BPFDoor exploits the legitimate Berkeley Packet Filter (BPF) function within the Linux kernel, which is typically used for network traffic inspection and filtering. The malware loads a custom BPF filter that silently monitors all incoming packets on an infected system without ever opening a standard network port. This method ensures that firewalls remain oblivious to its presence, and conventional port scans yield no suspicious results. The backdoor lies dormant, awaiting a precisely crafted “magic packet” to trigger its malicious activities.
This inherently passive design has enabled BPFDoor to persist undetected within compromised networks for extended periods, often spanning months or even years.
Analysts at Rapid7 identified seven novel BPFDoor variants following an extensive, months-long investigation that involved scrutinizing nearly 300 malware samples. Their research brought to light two primary new variants, dubbed icmpShell and httpShell, both of which represent significant advancements in the backdoor’s ability to remain hidden and operate without triggering alarms.
These new variants introduce stateless command-and-control (C2) routing and ICMP relay as their primary communication mechanisms. These features provide attackers with a robust method to manage compromised machines without leaving behind a persistent or easily traceable digital footprint.
The malware has been discovered operating within critical telecom backbone infrastructure, granting attackers enduring access to intercept and manipulate sensitive communications. Its support for telecom-specific protocols like SCTP, coupled with an awareness of container runtime environments, strongly suggests that this tool was purpose-built for high-value, deep-infrastructure targets. The observed pattern of activity aligns with that of an organized, state-sponsored entity engaged in a long-term cyber-espionage campaign, rather than opportunistic intrusions.
Stateless C2 and ICMP Relay
A pivotal evolution in the new BPFDoor variants is their overhauled approach to operator communication. Earlier versions required the attacker’s IP address to be hardcoded into the magic packet payload, presenting a fixed point for defenders to identify. The latest variants circumvent this limitation with a special sentinel value: the address field is set to -1, which as an unsigned 32-bit value is the broadcast address 255.255.255.255.
When this flag is present in the magic packet structure, the malware disregards any hardcoded address. Instead, it routes the reverse shell back to the source IP address extracted directly from the triggering packet’s headers. This innovation renders the attacker’s controller completely stateless, enabling them to operate from behind NAT devices or VPNs without exposing a static command-and-control address.
Should the initial authentication check fail, the infected machine does not simply cease communication. Instead, it transforms into a concealed relay node within the network. The malware extracts an internal target IP address from the Host Identity Protocol (HIP) field embedded within the ICMP packet. It then rewrites key trigger bytes and dispatches a specially crafted ICMP Echo Request towards that internal address.
This technique effectively allows attackers to tunnel commands through internal systems using seemingly innocuous ping traffic, which most network monitoring tools are not configured to flag as malicious. To prevent relay loops, the malware intelligently resets the hop IP back to -1 after each forwarded packet.
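The relay behaviour described above means that, on an affected network, command traffic can look like ordinary host-to-host pings. The script below is an added example (not code from Rapid7's report or from any BPFDoor sample) showing how a defender can run two generic rules over raw IPv4/ICMP packets, as a sniffer or pcap reader would hand them over: an internal host sending echo requests to another internal host outside its own /24, and an echo payload whose length no stock ping client produces. It deliberately does not know or look for any trigger bytes; the private address ranges, the /24 subnet assumption and the "usual" payload sizes are assumptions you would tune to your environment, and the sample packets are constructed fixtures.

```python
"""Flag ICMP echo requests that stand out on an internal network.

Added example for this article; not code from Rapid7 or from any BPFDoor sample.
Works on raw IPv4 packets starting at the IP header (no Ethernet frame).
"""
import ipaddress
import struct
from collections import Counter

# Assumptions: RFC 1918 ranges count as "internal", hosts live in /24 subnets,
# and 32 (Windows ping) / 56 (iputils ping) are the only stock payload sizes.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
USUAL_PAYLOAD_SIZES = {32, 56}
ICMP_ECHO_REQUEST = 8


def parse_ipv4_icmp(pkt):
    """Return (src, dst, icmp_type, icmp_code, payload) for an IPv4 ICMP packet,
    or None for anything that is not IPv4 carrying ICMP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8:        # IP protocol number 1 = ICMP
        return None
    src = str(ipaddress.ip_address(pkt[12:16]))
    dst = str(ipaddress.ip_address(pkt[16:20]))
    return src, dst, pkt[ihl], pkt[ihl + 1], bytes(pkt[ihl + 8:])


def is_internal(addr):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in INTERNAL)


def assess_echo_request(src, dst, payload, subnet_prefix=24):
    """Apply the two rules to one echo request; returns the reasons it stands out."""
    reasons = []
    if is_internal(src) and is_internal(dst):
        same_subnet = (ipaddress.ip_network(f"{src}/{subnet_prefix}", strict=False)
                       == ipaddress.ip_network(f"{dst}/{subnet_prefix}", strict=False))
        if not same_subnet:
            reasons.append("internal-to-internal echo request across subnets")
    if len(payload) not in USUAL_PAYLOAD_SIZES:
        reasons.append(f"payload length {len(payload)} is not a stock ping size")
    return reasons


def scan(packets, subnet_prefix=24):
    """Run the rules over raw packets; returns (findings, echo requests per source)."""
    findings, per_source = [], Counter()
    for pkt in packets:
        parsed = parse_ipv4_icmp(pkt)
        if not parsed or parsed[2] != ICMP_ECHO_REQUEST:
            continue
        src, dst, _, _, payload = parsed
        per_source[src] += 1
        reasons = assess_echo_request(src, dst, payload, subnet_prefix)
        if reasons:
            findings.append({"src": src, "dst": dst, "reasons": reasons})
    return findings, per_source


def build_echo_request(src, dst, payload):
    """Constructed test fixture only: IPv4 header + ICMP echo request.
    Checksums are left at zero because the parser does not verify them."""
    total = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 1, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    icmp_hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1)
    return ip_hdr + icmp_hdr + payload


# Constructed sample traffic (not a capture from a real incident).
SAMPLE_PACKETS = [
    build_echo_request("10.1.2.3", "10.1.2.9", b"A" * 56),           # ordinary ping, same subnet
    build_echo_request("10.1.2.3", "10.7.0.5", b"A" * 56),           # crosses to another internal subnet
    build_echo_request("192.168.1.10", "192.168.1.11", b"B" * 100),  # odd payload size
    build_echo_request("10.1.2.3", "203.0.113.8", b"A" * 56),        # outbound to an external address
    b"\x45\x00\x00\x28" + b"\x00" * 36,                               # non-ICMP filler, ignored
]


def run_sample():
    return scan(SAMPLE_PACKETS)


if __name__ == "__main__":
    findings, per_source = run_sample()
    for f in findings:
        print(f"{f['src']} -> {f['dst']}: " + "; ".join(f["reasons"]))
    print("echo requests per source:", dict(per_source))
```

Feed `scan()` the IP-layer bytes of a capture and the per-source counter gives you the hosts that ping the most; a server that suddenly starts pinging peers in other subnets is the pattern worth a closer look, whatever the payload contains.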
The backdoor establishes three concurrent sockets for TCP, UDP, and ICMP traffic, providing a resilient fallback mechanism if defenders manage to block one communication channel. On the compromised host, BPFDoor further obfuscates its presence by masquerading its process as a legitimate service, such as HPE Insight Management Agents. It also employs timestomping to alter file timestamps and wipes file descriptors to eliminate forensic traces of its activity.
What You Should Do
- Monitor Raw Socket Usage: Implement robust monitoring for raw socket usage on all Linux endpoints, as BPFDoor abuses this functionality.
- Audit Process Names: Regularly audit active process names against known legitimate services to detect masquerading attempts.
- Analyze ICMP Traffic: Pay close attention to unexpected or unusual ICMP traffic patterns within your internal networks, especially across different subnets.
- Network Segmentation: Enhance network segmentation to limit the lateral movement capabilities of such backdoors.
- Regular Patching: Ensure all Linux systems are kept up-to-date with the latest security patches to mitigate potential vulnerabilities BPFDoor or its loaders might exploit.
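The first two recommendations (raw socket monitoring and process-name auditing) can be combined into one host check, because the BPF-based sniffing described earlier requires a packet socket that the kernel exposes in /proc/net/packet. The script below is an added example, not code from Rapid7 or from any BPFDoor sample: it parses /proc/net/packet, ties each packet socket to its owning processes through the socket inodes in /proc/<pid>/fd, and flags SOCK_RAW sockets whose owner's visible name (argv[0] or comm, what ps shows) does not match the binary behind /proc/<pid>/exe or whose binary has been unlinked. The name-mismatch test is a heuristic, not a signature; the sample /proc data, PIDs and paths are constructed, and live use needs root to read other users' fd tables.

```python
"""Hunt for AF_PACKET sockets and masqueraded owners on a Linux host.

Added example for this article; not code from Rapid7 or from any BPFDoor sample.
"""
import os
import re
import sys
from dataclasses import dataclass, field

SOCK_RAW = 3          # socket type (linux/net.h)
ETH_P_ALL = 0x0003    # protocol meaning "every frame" (linux/if_ether.h)
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


@dataclass
class PacketSocket:
    sock_type: int
    proto: int
    ifindex: int
    uid: int
    inode: int
    pids: list = field(default_factory=list)


def parse_proc_net_packet(text):
    """Parse /proc/net/packet. Columns: sk RefCnt Type Proto Iface R Rmem User Inode."""
    sockets = []
    for line in text.splitlines()[1:]:       # first line is the column header
        cols = line.split()
        if len(cols) < 9:
            continue
        sockets.append(PacketSocket(sock_type=int(cols[2]), proto=int(cols[3], 16),
                                    ifindex=int(cols[4]), uid=int(cols[7]),
                                    inode=int(cols[8])))
    return sockets


def attach_owners(sockets, fd_links):
    """fd_links: (pid, readlink target of /proc/<pid>/fd/N) pairs; ties inodes to pids."""
    by_inode = {s.inode: s for s in sockets}
    for pid, target in fd_links:
        m = SOCKET_LINK.match(target)
        if m and int(m.group(1)) in by_inode:
            by_inode[int(m.group(1))].pids.append(pid)
    return sockets


def looks_masqueraded(shown_name, exe_path):
    """Heuristic: shown name (argv[0] or comm) disagrees with /proc/<pid>/exe,
    or the executable was deleted. comm is cut at 15 bytes, hence the prefix match."""
    if exe_path.endswith(" (deleted)"):
        return True
    return not os.path.basename(exe_path).startswith(os.path.basename(shown_name))


def triage(sockets, proc_info):
    """proc_info: {pid: (shown_name, exe_path)}. One finding per socket/owner worth a look."""
    findings = []
    for s in sockets:
        base = []
        if s.sock_type == SOCK_RAW:
            base.append("SOCK_RAW packet socket"
                        + (" on ETH_P_ALL (sees every frame)" if s.proto == ETH_P_ALL else ""))
        for pid in (s.pids or [None]):
            reasons = list(base)
            if pid is None and base:
                reasons.append("owning process not visible (run as root; a hidden owner is itself a finding)")
            elif pid is not None:
                name, exe = proc_info.get(pid, ("?", "?"))
                if looks_masqueraded(name, exe):
                    reasons.append(f"shown name {name!r} does not match exe {exe!r}")
            if reasons:
                findings.append({"inode": s.inode, "pid": pid, "reasons": reasons})
    return findings


def collect_fd_links(proc_root="/proc"):
    """Live helper: yield (pid, link target) for every fd of every process we can read."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                yield int(entry), os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                pass


def collect_proc_info(pids, proc_root="/proc"):
    """Live helper: argv[0] from cmdline and the exe link for each pid."""
    info = {}
    for pid in pids:
        try:
            with open(f"{proc_root}/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            info[pid] = (argv0, os.readlink(f"{proc_root}/{pid}/exe"))
        except OSError:
            continue
    return info


# Constructed sample input (placeholder PIDs, paths and inodes; not from a real infection).
SAMPLE_PROC_NET_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      27410
0000000000000000 3      3    0800   2     1 0      0      27411
0000000000000000 3      2    0003   2     1 0      0      27412
"""
SAMPLE_FD_LINKS = [(4242, "socket:[27410]"), (4242, "/dev/null"),
                   (4242, "socket:[27411]"), (811, "socket:[27412]")]
SAMPLE_PROC_INFO = {4242: ("/usr/sbin/hpe-insight-agent", "/dev/shm/.x (deleted)"),
                    811: ("dhclient", "/usr/sbin/dhclient")}


def run_sample():
    sockets = attach_owners(parse_proc_net_packet(SAMPLE_PROC_NET_PACKET), SAMPLE_FD_LINKS)
    return triage(sockets, SAMPLE_PROC_INFO)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "live":      # real host, run as root
        with open("/proc/net/packet") as f:
            live = attach_owners(parse_proc_net_packet(f.read()), collect_fd_links())
        results = triage(live, collect_proc_info({p for s in live for p in s.pids}))
    else:
        results = run_sample()
    for r in results:
        print(f"inode {r['inode']} pid {r['pid']}: " + "; ".join(r["reasons"]))
```

Run it with the `live` argument as root to check a real host; a raw packet socket is normal for a DHCP client or a packet-capture tool, so the useful signal is the combination: SOCK_RAW plus a name that disagrees with the binary on disk, or a socket whose owner cannot be found at all.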