New BPFDoor Variant Enables Silent Shell Access

IMAGE CREDITS: VTUTOR

A stealthy Linux backdoor known as BPFDoor has resurfaced with enhanced capabilities, allowing attackers to open reverse shells and move across networks undetected, according to new findings from Trend Micro.

Initially exposed in 2021, BPFDoor has long been linked to Chinese state-backed hacking groups—notably Red Menshen and Earth Bluecrow. Designed for cyberespionage, this backdoor is notorious for flying under the radar and maintaining access for months, even years, without raising alarms.

Trend Micro’s recent report shows that newer versions of BPFDoor are now using a malware controller that helps attackers execute commands, gain shell access, and move laterally across networks. What makes this threat even more concerning is how it evades detection—especially in Linux environments.

One key feature is its use of Berkeley Packet Filters (BPF). These allow the malware to monitor traffic discreetly. Even if a network’s firewall blocks certain packets, BPFDoor can still spot special “magic packets” used by attackers to activate the backdoor. This level of stealth is more common in rootkits than in typical backdoors.

In these recent attacks, BPFDoor can either open a reverse shell or redirect connections to a specific port for shell access. Attackers authenticate their commands using passwords, which act as a barrier against unauthorized access.

According to Trend Micro, the malware’s controller is adaptable and supports TCP, UDP, and ICMP protocols—giving attackers flexible options to manage infected systems. If the right password is provided, it can even connect directly to the compromised machine over TCP and launch a shell session.

The cybersecurity firm warns that, because BPFDoor’s source code was leaked in 2022, it’s now harder to pin down who’s using it. While the tactics align with Earth Bluecrow, the attribution remains uncertain.

Trend Micro urges organizations to take this threat seriously. The backdoor doesn’t listen on any open ports and can disguise its process name, making it extremely difficult to spot during routine scans or security checks.
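A defender-side triage script, added here as an illustration rather than code from Trend Micro's report: because a packet filter has to be attached to a socket (BPFDoor uses an AF_PACKET raw socket, which never shows up as a listening port), the script reads /proc/net/packet, maps each such socket to its owning process, and flags processes whose presented name does not match the executable on disk or whose binary has been unlinked. It assumes a Linux host with a readable /proc (root is needed to read other users' fd tables), and the SAMPLE_PROC_NET_PACKET rows are constructed.

```python
import os

# Constructed sample of /proc/net/packet (header plus one socket); not a real capture.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a3c4e2b1000 3      3    0003   2     1 0      0      12345
"""

def parse_packet_sockets(text):
    """Return {inode: (proto, iface)} for every socket row in /proc/net/packet text."""
    sockets = {}
    for line in text.splitlines()[1:]:            # skip the column header
        fields = line.split()
        if len(fields) >= 9 and fields[8].isdigit():
            sockets[int(fields[8])] = (fields[3], int(fields[4]))
    return sockets

def socket_owners(inodes, proc_root="/proc"):
    """Map each socket inode to the PIDs whose fd table links to 'socket:[inode]'."""
    owners = {inode: set() for inode in inodes}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:                           # process exited or not readable as this user
            continue
        for target in links:
            if target.startswith("socket:[") and int(target[8:-1]) in owners:
                owners[int(target[8:-1])].add(int(pid))
    return owners

def name_mismatch(comm, exe_link):
    """True when comm (max 15 chars) does not match the on-disk executable, or it is unlinked."""
    if exe_link.endswith(" (deleted)"):
        return True
    return not os.path.basename(exe_link).startswith(comm[:15])

def hunt(proc_root="/proc"):
    """Return [(pid, comm, exe, flagged)] for every process owning an AF_PACKET socket."""
    with open(os.path.join(proc_root, "net", "packet")) as f:
        sockets = parse_packet_sockets(f.read())
    findings = []
    for pid in sorted({p for s in socket_owners(sockets, proc_root).values() for p in s}):
        base = os.path.join(proc_root, str(pid))
        try:
            comm = open(os.path.join(base, "comm")).read().strip()
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:                           # kernel thread, exited, or unreadable
            continue
        findings.append((pid, comm, exe, name_mismatch(comm, exe)))
    return findings
```

Legitimate services such as DHCP clients, LLDP daemons and packet-capture tools also hold AF_PACKET sockets, so the output is a review list rather than a verdict; `ss -0pb` shows the same sockets together with any attached filter code.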

“Tools like BPFDoor are built to persist quietly,” Trend Micro notes. “Standard monitoring won’t flag anything suspicious. That’s what makes it so dangerous.”

Given BPFDoor’s advanced evasion techniques and long-term persistence, companies—especially in telecom, finance, and retail sectors—are advised to strengthen monitoring, audit network activity more frequently, and use behavioral analytics tools to detect unusual processes.