BPFDoor Malware Targets Organizations to Establish Long-Term Persistence
The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations, particularly in the telecommunications sector.
First identified by PwC in 2021, BPFDoor is a highly sophisticated backdoor malware designed to infiltrate Linux systems with an emphasis on long-term persistence and evasion.
On April 25, 2025, the Korea Internet & Security Agency (KISA) issued a security advisory after confirming its distribution to critical systems, highlighting the growing frequency of these attacks.
According to S2W's Threat Research and Intelligence Center (TALON) Report, which recently analyzed the malware, BPFDoor exploits Berkeley Packet Filter (BPF) technology, a kernel-level networking tool originally intended for efficient packet filtering, to achieve unparalleled stealth.
By installing a filter of 229 BPF instructions, the malware singles out specific trigger packets, enabling it to receive commands without opening traditional network ports and thus blending malicious traffic seamlessly with legitimate data.
Advanced Features and Attribution to Earth Bluecrow
BPFDoor's technical sophistication lies in its unconventional use of TCP, UDP, and ICMP for command delivery, employing magic sequences like 0x5293, 0x39393939, and 0x7255 to mask its activities within normal traffic.

Its advanced anti-forensic techniques, including process name masquerading, daemonization, and memory-based execution, make detection incredibly challenging.
The malware also uses reverse shell capabilities and encrypted communication channels, sometimes leveraging outdated RC4-MD5 suites or self-signed SSL certificates, to obscure its command-and-control interactions.
Notably, BPFDoor has been exclusively linked to the Chinese-backed APT group Earth Bluecrow (also known as Red Menshen), with consistent communication patterns and magic sequences reinforcing this attribution.
S2W’s analysis indicates that attackers deploy BPFDoor for lateral movement within compromised networks, ensuring prolonged access to targeted systems.
This persistence is further aided by features like mutex file creation to prevent duplicate execution and privilege checks to ensure root-level access, demonstrating meticulous design for sustained infiltration.

Mitigation Strategies Amid Rising Threats
The implications of BPFDoor’s capabilities are profound, as evidenced by the public release of its source code on GitHub in 2022, potentially enabling variants and wider exploitation.
S2W and KISA recommend robust mitigation strategies to counter this threat, emphasizing pre-infection detection through BPF filter queries, magic sequence searches, and monitoring for hardcoded salt strings used in password hashing.
Organizations managing Linux servers are urged to vigilantly monitor socket connections, inspect for executable file tampering, and verify process name integrity.
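A minimal, offset-agnostic hunt for the magic sequences named above, added here as an illustration rather than S2W's or KISA's own tooling; the packet records are constructed samples, and treating a match at any payload offset as worth review (instead of the exact offsets a given variant's filter checks) is this example's own assumption:

```python
from typing import Dict, List

# Magic values the article attributes to BPFDoor trigger packets.
MAGIC_SEQUENCES = {
    "magic_0x5293": 0x5293,
    "magic_0x7255": 0x7255,
    "magic_0x39393939": 0x39393939,
}


def magic_patterns() -> Dict[str, bytes]:
    """Encode each magic value big-endian at its natural width (2 or 4 bytes)."""
    return {name: value.to_bytes(2 if value <= 0xFFFF else 4, "big")
            for name, value in MAGIC_SEQUENCES.items()}


def scan_payload(payload: bytes) -> List[dict]:
    """Report every magic sequence found at any offset in a packet payload.

    Assumption: any offset is reported; 2-byte magics (and 0x39393939, which
    is ASCII "9999") can occur in benign data, so hits are leads, not verdicts.
    """
    hits = []
    for name, pattern in magic_patterns().items():
        start = 0
        while True:
            idx = payload.find(pattern, start)
            if idx == -1:
                break
            hits.append({"magic": name, "offset": idx})
            start = idx + 1
    return sorted(hits, key=lambda h: (h["offset"], h["magic"]))


def hunt(packets: List[dict]) -> List[dict]:
    """Run scan_payload over captured packets; each record carries proto/src/payload."""
    alerts = []
    for i, pkt in enumerate(packets):
        for hit in scan_payload(pkt["payload"]):
            alerts.append({"index": i, "proto": pkt["proto"], "src": pkt["src"], **hit})
    return alerts


# Constructed sample capture (not real traffic): one TCP trigger, one benign
# HTTP request, one ICMP echo carrying a magic after its 8-byte header, and
# one payload holding two magics.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "payload": b"\x52\x93" + b"\x00" * 8},
    {"proto": "tcp", "src": "203.0.113.4", "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n"},
    {"proto": "icmp", "src": "198.51.100.9", "payload": b"\x08\x00" + b"\x00" * 6 + b"\x72\x55payload"},
    {"proto": "udp", "src": "198.51.100.9", "payload": b"\x39\x39\x39\x39\x52\x93"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_PACKETS):
        print(alert)
```

Feeding real payloads (for example, extracted from a pcap) into hunt() turns this into a first-pass triage step; confirmed hits should then be correlated with the socket and process checks the advisory recommends.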
S2W has also provided YARA rules to detect known samples and variants of BPFDoor, enhancing defensive capabilities.
As this malware continues to evolve, with differences in controller options and hardcoded values observed across versions, the cybersecurity community must prioritize behavior-based detection over static indicators.
The battle against BPFDoor underscores the critical need for advanced monitoring and proactive threat hunting to safeguard critical infrastructure from such insidious, persistent threats orchestrated by state-sponsored actors like Earth Bluecrow.