New BPFDoor Linux Backdoor Variants Use Stateless C2 to Evade Detection

Emy Elsamnoudy
April 7, 2026 4 Min Read

Key Takeaways

  • New, highly stealthy variants of the BPFDoor Linux backdoor have been identified, significantly improving its evasion capabilities.
  • The malware, linked to the China-nexus threat actor Red Menshen, targets critical Linux servers within global telecom infrastructure.
  • Key enhancements include stateless command-and-control (C2) and ICMP relay functionality, making detection and removal exceptionally difficult.
  • BPFDoor operates by abusing the Berkeley Packet Filter to monitor network traffic without opening visible ports, activating only upon receiving a specific “magic packet.”
  • Defenders should focus on monitoring raw socket usage, unusual ICMP traffic, and auditing process names for signs of compromise.

The persistent Linux backdoor known as BPFDoor has re-emerged with advanced capabilities, making it even more formidable. Cybersecurity researchers have uncovered these new iterations, which are specifically engineered for heightened stealth and evasion within sensitive network environments, particularly critical infrastructure.

These updated versions are attributed to Red Menshen, a threat actor group with suspected ties to China. Their primary targets are Linux servers embedded deep within global telecommunications networks, indicating a focus on high-value, strategic espionage.

Unlike its predecessors, the latest BPFDoor variants incorporate sophisticated techniques that render them significantly harder to detect and remove once they have infiltrated a system.

BPFDoor exploits the legitimate Berkeley Packet Filter (BPF) function within the Linux kernel, which is typically used for network traffic inspection and filtering. The malware loads a custom BPF filter that silently monitors all incoming packets on an infected system without ever opening a standard network port. This method ensures that firewalls remain oblivious to its presence, and conventional port scans yield no suspicious results. The backdoor lies dormant, awaiting a precisely crafted “magic packet” to trigger its malicious activities.

This inherently passive design has enabled BPFDoor to persist undetected within compromised networks for extended periods, often spanning months or even years.

Analysts at Rapid7 identified seven novel BPFDoor variants following an extensive, months-long investigation that involved scrutinizing nearly 300 malware samples. Their research brought to light two primary new variants, dubbed icmpShell and httpShell, both of which represent significant advancements in the backdoor’s ability to remain hidden and operate without triggering alarms.

These new variants introduce stateless command-and-control (C2) routing and ICMP relay as their primary communication mechanisms. These features provide attackers with a robust method to manage compromised machines without leaving behind a persistent or easily traceable digital footprint.

The malware has been discovered operating within critical telecom backbone infrastructure, granting attackers enduring access to intercept and manipulate sensitive communications. Its support for telecom-specific protocols like SCTP, coupled with an awareness of container runtime environments, strongly suggests that this tool was purpose-built for high-value, deep-infrastructure targets. The observed pattern of activity aligns with that of an organized, state-sponsored entity engaged in a long-term cyber-espionage campaign, rather than opportunistic intrusions.

Stateless C2 and ICMP Relay

A pivotal evolution in the new BPFDoor variants is their overhauled approach to operator communication. Earlier versions required the attacker’s IP address to be hardcoded into the magic packet payload, giving defenders a fixed value to search for. The latest variants circumvent this limitation with a special flag value of -1 in the address field, which, read as a 32-bit IPv4 address, is the broadcast address 255.255.255.255.

When this flag is present in the magic packet structure, the malware disregards any hardcoded address. Instead, it routes the reverse shell back to the source IP address extracted directly from the triggering packet’s headers. This innovation renders the attacker’s controller completely stateless, enabling them to operate from behind NAT devices or VPNs without exposing a static command-and-control address.

Should the initial authentication check fail, the infected machine does not simply cease communication. Instead, it transforms into a concealed relay node within the network. The malware extracts an internal target IP address from the Host Identity Protocol (HIP) field embedded within the ICMP packet. It then rewrites key trigger bytes and dispatches a specially crafted ICMP Echo Request towards that internal address.

This technique effectively allows attackers to tunnel commands through internal systems using seemingly innocuous ping traffic, which most network monitoring tools are not configured to flag as malicious. To prevent relay loops, the malware intelligently resets the hop IP back to -1 after each forwarded packet.
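The relay behaviour described above has a network-visible shape: an internal host that has just received an ICMP echo request from one peer immediately sends its own echo request to a different internal host. The following script, added here as an example and not Rapid7's detection logic or anything from the malware itself, looks for exactly that sequence in flow records, and separately flags echo requests that cross internal subnets or carry non-default sizes. The record line format, the internal address range, the 5-second relay window and the "normal" ping lengths are all assumptions; the records themselves are constructed.

```python
"""Spot ICMP echo-request relay chains and unusual pings in flow records."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed flow records (assumed format): timestamp, protocol, ICMP type,
# source, destination, total IP length. The first three lines model a relay:
# external peer -> 10.20.1.15, which then pings 10.30.4.8 in another subnet.
SAMPLE_RECORDS = """\
2026-04-07T10:00:01Z icmp type=8 src=203.0.113.7 dst=10.20.1.15 len=1180
2026-04-07T10:00:01Z icmp type=0 src=10.20.1.15 dst=203.0.113.7 len=84
2026-04-07T10:00:02Z icmp type=8 src=10.20.1.15 dst=10.30.4.8 len=1180
2026-04-07T10:00:03Z icmp type=0 src=10.30.4.8 dst=10.20.1.15 len=1180
2026-04-07T10:05:00Z icmp type=8 src=10.20.1.50 dst=10.20.1.1 len=84
2026-04-07T10:05:00Z icmp type=0 src=10.20.1.1 dst=10.20.1.50 len=84
"""

INTERNAL = [ip_network("10.0.0.0/8")]          # assumed internal range
RELAY_WINDOW = timedelta(seconds=5)            # assumed max hop delay
# Default pings: Linux/BSD send 56 data bytes (84-byte IPv4 packet), Windows 32
# data bytes (60-byte packet). Anything else is worth a look on an internal LAN.
NORMAL_PING_LENGTHS = {84, 60}


def parse_records(text: str) -> list[dict]:
    """Turn the assumed 'ts proto k=v ...' lines into dicts; skip non-ICMP rows."""
    rows = []
    for line in text.splitlines():
        ts, proto, *kv = line.split()
        if proto != "icmp":
            continue
        fields = dict(item.split("=", 1) for item in kv)
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "type": int(fields["type"]),
            "src": ip_address(fields["src"]),
            "dst": ip_address(fields["dst"]),
            "len": int(fields["len"]),
        })
    return rows


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL)


def find_relay_chains(rows: list[dict]) -> list[tuple[str, str, str]]:
    """Return (origin, relay, target) triples: the relay received an echo request
    from origin and, within RELAY_WINDOW, sent its own echo request elsewhere."""
    echo_requests = [r for r in rows if r["type"] == 8]
    chains = []
    for inbound in echo_requests:
        for outbound in echo_requests:
            delay = outbound["ts"] - inbound["ts"]
            if (outbound["src"] == inbound["dst"]
                    and outbound["dst"] != inbound["src"]
                    and timedelta(0) <= delay <= RELAY_WINDOW):
                chains.append((str(inbound["src"]), str(inbound["dst"]), str(outbound["dst"])))
    return chains


def find_odd_pings(rows: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Flag echo requests that cross internal /24 boundaries or have odd sizes."""
    odd = []
    for r in rows:
        if r["type"] != 8:
            continue
        reasons = []
        if is_internal(r["src"]) and is_internal(r["dst"]):
            src_net = ip_network(f"{r['src']}/24", strict=False)
            dst_net = ip_network(f"{r['dst']}/24", strict=False)
            if src_net != dst_net:
                reasons.append("crosses internal /24 boundary")
        if r["len"] not in NORMAL_PING_LENGTHS:
            reasons.append(f"unusual length {r['len']}")
        if reasons:
            odd.append((str(r["src"]), str(r["dst"]), reasons))
    return odd


if __name__ == "__main__":
    records = parse_records(SAMPLE_RECORDS)
    for origin, relay, target in find_relay_chains(records):
        print(f"relay chain: {origin} -> {relay} -> {target}")
    for src, dst, reasons in find_odd_pings(records):
        print(f"odd ping {src} -> {dst}: {', '.join(reasons)}")
```

Run against real flow or firewall logs, the chain check is the more specific signal: an ordinary host answers a ping with an echo reply (type 0), it does not originate a fresh echo request to a third host a second later. The size and subnet checks are noisier on their own (monitoring systems ping across subnets all day) and are best used to rank the chains rather than as alerts by themselves.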

The backdoor establishes three concurrent sockets for TCP, UDP, and ICMP traffic, providing a resilient fallback mechanism if defenders manage to block one communication channel. On the compromised host, BPFDoor further obfuscates its presence by masquerading its process as a legitimate service, such as HPE Insight Management Agents. It also employs timestomping to alter file timestamps and wipes file descriptors to eliminate forensic traces of its activity.

What You Should Do

  • Monitor Raw Socket Usage: Implement robust monitoring for raw socket usage on all Linux endpoints, as BPFDoor abuses this functionality.
  • Audit Process Names: Regularly audit active process names against known legitimate services to detect masquerading attempts.
  • Analyze ICMP Traffic: Pay close attention to unexpected or unusual ICMP traffic patterns within your internal networks, especially across different subnets.
  • Network Segmentation: Enhance network segmentation to limit the lateral movement capabilities of such backdoors.
  • Regular Patching: Ensure all Linux systems are kept up-to-date with the latest security patches to mitigate potential vulnerabilities BPFDoor or its loaders might exploit.
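The first two items in that list, raw socket monitoring and process-name auditing, can be checked from procfs on a Linux host. The script below is an added example for this article, not Rapid7's tooling or anything from the malware: it parses the text formats of /proc/net/packet (AF_PACKET sockets, the kind a sniffing BPF filter is attached to) and /proc/net/raw, maps the socket inodes to processes, and compares each process's visible name with the binary behind it. The SAMPLE_* data is constructed to show the shape of a finding (the suspect's name and path are made up); on a live host collect_live_processes() builds the same table from /proc, and the expected-binary allowlist is site-specific.

```python
"""Audit a Linux host for raw/packet sockets and masqueraded process names."""
import os

# Constructed /proc/net/packet snapshot. The last column is the socket inode.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c3e4b5000 3      3    0003   2     1 0      0      41223
ffff9a1c3e4b5800 3      3    0003   2     1 0      0      41225
"""

# Constructed /proc/net/raw snapshot. The inode is the tenth column (index 9);
# ':0001' in local_address means the raw socket is bound to protocol 1, ICMP.
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 41224 2 ffff9a1c3e4b6000 0
"""

# Constructed process table: pid -> (comm, exe, socket inodes held as fds).
# The pid 1234 entry is a made-up suspect: a vendor-agent-like name in front of
# a deleted binary in /dev/shm. dhclient is a legitimate AF_PACKET user.
SAMPLE_PROCESSES = {
    1234: ("hpagent", "/dev/shm/.x (deleted)", {41223, 41224}),
    5678: ("sshd", "/usr/sbin/sshd", {31000}),
    9012: ("dhclient", "/usr/sbin/dhclient", {41225}),
}

# Binaries expected to hold raw/packet sockets on this host (site-specific).
EXPECTED_RAW_SOCKET_EXES = {"/usr/sbin/dhclient", "/usr/bin/tcpdump"}


def parse_socket_inodes(table_text: str, inode_column: int) -> set[int]:
    """Return the inodes listed in a /proc/net/{packet,raw}-style table."""
    inodes = set()
    for line in table_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) > inode_column:
            inodes.add(int(fields[inode_column]))
    return inodes


def masquerade_reasons(comm: str, exe: str) -> list[str]:
    """Flag a process whose visible name disagrees with the binary behind it."""
    reasons = []
    exe_path = exe.replace(" (deleted)", "")
    base = os.path.basename(exe_path)
    # /proc/<pid>/comm is truncated to 15 characters, so compare on that prefix.
    if comm[:15] != base[:15]:
        reasons.append(f"comm {comm!r} does not match exe {exe!r}")
    if exe.endswith("(deleted)"):
        reasons.append("backing binary was deleted from disk")
    if exe_path.startswith(("/dev/shm/", "/tmp/", "/var/tmp/")):
        reasons.append("binary runs from a world-writable temp location")
    return reasons


def audit(packet_table: str, raw_table: str, processes: dict, expected_exes: set) -> dict:
    """Return {pid: [reasons]} for processes that deserve a closer look."""
    raw_inodes = parse_socket_inodes(packet_table, 8) | parse_socket_inodes(raw_table, 9)
    findings = {}
    for pid, (comm, exe, fd_inodes) in processes.items():
        reasons = []
        held = fd_inodes & raw_inodes
        if held and exe.replace(" (deleted)", "") not in expected_exes:
            reasons.append(f"holds raw/packet socket inode(s) {sorted(held)}")
        reasons += masquerade_reasons(comm, exe)
        if reasons:
            findings[pid] = reasons
    return findings


def collect_live_processes() -> dict:
    """Build the process table from the live procfs (root needed for other users' fds)."""
    table = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            inodes = set()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
                if target.startswith("socket:["):
                    inodes.add(int(target[8:-1]))
        except OSError:
            continue                  # process exited or permission denied
        table[pid] = (comm, exe, inodes)
    return table


if __name__ == "__main__":
    for pid, reasons in audit(SAMPLE_PROC_NET_PACKET, SAMPLE_PROC_NET_RAW,
                              SAMPLE_PROCESSES, EXPECTED_RAW_SOCKET_EXES).items():
        print(pid, "; ".join(reasons))
```

To run it for real, replace the SAMPLE_* arguments with the contents of /proc/net/packet, /proc/net/raw and collect_live_processes(). Expect some benign name mismatches from interpreters and symlinked binaries (a script's comm is the interpreter name while exe resolves to a versioned path), so tune the allowlist before turning the output into alerts; the combination that matters is a raw or packet socket held by a process that is not on the expected list, especially when the binary is deleted or lives in a temp directory.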
