BPFDoor Variants Hide with Stateless C2 and ICMP Relay Tactics
Seven novel BPFDoor variants enhance Linux backdoor tradecraft, embedding implants deep within kernel space to evade detection in extensive telecom networks.
These clandestine tools leverage Berkeley Packet Filters to quietly inspect kernel traffic, lying dormant until a “magic packet” activates a hidden shell.
Once triggered, the backdoor seamlessly integrates with legitimate processes and network flows, establishing persistent access with minimal observable activity.
The critical innovation involves command-and-control (C2) infrastructure. Instead of relying on fixed servers or hardcoded IP addresses, the malware treats the source of the magic packet as the C2 endpoint, creating a stateless controller that can bypass NAT or VPN protections.
This technique uses a special “Hidden IP” (HIP) field and a -1 flag value to ignore embedded C2 addresses and establish contact with the packet originator.
Both HTTP and ICMP variants introduce ICMP-based relay capabilities, transforming infected hosts into covert routers across internal network segments.
Rapid7 Labs’ investigation uncovered undocumented features leading to the identification of seven distinct BPFDoor variants.
By reading an internal target IP from the HIP field, rewriting ICMP flags to valid magic values, and forwarding crafted Echo Requests, BPFDoor can laterally move between network segments without opening traditional ports.
This approach exploits common network policies that permit ping traffic while rarely performing deep ICMP inspection.
HTTP Tunneling and “Magic Ruler”
httpShell conceals C2 traffic within legitimate HTTP streams over IPv4 and IPv6. It binds to all network interfaces, allowing the kernel to decapsulate protocols like GRE or GTP so BPF logic only examines inner packets for specific magic markers.
A “magic ruler” padding scheme guarantees the 4-byte trigger value consistently lands at the same byte offset, even when proxies or WAFs modify headers, enabling the backdoor to survive advanced Layer 7 manipulation.
However, the IPv6 implementation has limitations. It assumes a simple IPv6 header without extension headers. If additional headers exist and push the payload further down, the backdoor may never activate.
This creates a narrow detection opportunity for defenders monitoring unusual BPF filters in high-value environments.
The ICMP Shell variant targets highly restricted environments where standard outbound channels are blocked. It establishes bidirectional shells entirely over ICMP, using a dynamic BPF filter tied to the malware’s process ID to ensure each execution requires a unique magic knock pattern.
Once active, icmpShell supports encrypted ICMP tunnels, UDP/ICMP hole-punching, and RC4 encryption for returning shell output, while attacker commands may use recognizable prefixes like “X:”.

It also employs hardcoded ICMP sequence numbers and technically invalid ICMP codes for heartbeat messages, creating reliable structural markers for network intrusion detection systems monitoring ICMP flows.
Additional variants and active beacons
Beyond httpShell and icmpShell, Rapid7 tracks multiple lettered variants specializing in stealth and resilience.
Screen captures highlight ICMP handshakes, shell encryption, attacker commands, and 1234 ICMP sequence numbers hardcoded in the backdoor.

Some variants hide under paths like /var/run/user/0 and aggressively clear file descriptors and timestamps to frustrate forensic analysis.
Others spawn parallel raw sockets (TCP, UDP, ICMP) to avoid missing magic packets and provide fallback C2 channels if one protocol is blocked.
One notable “H” variant introduces an active beacon that periodically resolves NTP-themed domains, opening encrypted TCP 443 sessions using legacy OpenSSL and RC4-MD5 to masquerade as time synchronization or IoT telemetry.
Most samples redirect output to /dev/null, but this variant performs a complete FD (File Descriptor) wipe.

By concealing C2 within what appears as routine SSL traffic to plausible hostnames, the malware maintains access even where outbound connections are heavily filtered.
Rapid7’s published YARA and Suricata rules, along with a triage script to enumerate active BPF filters, aim to help teams detect both legacy and new BPFDoor variants before they become long-term sleeper cells in telecom backbones.
Because these implants reside in the kernel and depend on BPF logic, defenders must move beyond simple Indicators of Compromise (IoCs) and payload signatures.
Rapid7 recommends focusing on structural anomalies such as unusual BPF filters on AF_PACKET or raw sockets, hardcoded ICMP sequence numbers, invalid ICMP codes, and processes masquerading as common daemons with suspicious execution paths.