Do Son 
The BPFDoor malware has once again captured the attention of cybersecurity experts, following a recent surge in attacks leveraging this backdoor, which has been linked to the threat actor Earth Bluecrow, also known as Red Menshen.
Designed to target Linux-based servers, BPFDoor is distinguished by its exceptional stealth. According to research by Trend Micro, the malware has been actively deployed across the telecommunications, financial, and retail sectors—particularly in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt. The attackers employ sophisticated techniques, including kernel-level network packet filtering via the Berkeley Packet Filter (BPF), and establish reverse connections for covert remote control of compromised machines.
The malware is triggered upon receiving a so-called “magic sequence”—a specific string of bytes embedded in network packets. Once activated, BPFDoor executes predefined commands while remaining virtually invisible. Key features include process name spoofing, absence of open ports, and evasion of standard security logs—attributes that render it ideal for long-term persistence within victim infrastructures.
The primary control mechanism is based on a reverse shell, allowing attackers to initiate a connection from outside to the infected server, thereby bypassing inbound traffic controls. This architecture enables remote command execution, lateral movement within internal networks, and unauthorized access to other systems and sensitive data.
BPFDoor supports three communication protocols—TCP, UDP, and ICMP—for interaction with its command-and-control servers. Through these channels, encrypted data is exchanged, and most traditional defense mechanisms are circumvented. The commands sent by the controller allow for dynamic adjustment of connections, password updates, changes to magic sequences, and destination ports—tailoring the intrusion to the victim’s specific infrastructure.
Investigations have revealed that the malware is frequently used against strategically significant targets. In South Korea and Myanmar, telecom companies have been attacked; in Egypt, financial institutions; and in Malaysia, the retail sector. These incidents affirm that Earth Bluecrow is conducting a large-scale cyber-espionage campaign aimed at critical industries.
Security professionals strongly advise vigilant monitoring of anomalous network traffic, particularly packets containing suspicious byte patterns transmitted via TCP, UDP, or ICMP. Such traffic is often a telltale sign of BPFDoor activity within a network.
With its layered obfuscation techniques and use of reverse connections, BPFDoor represents a formidable threat to information security. Given the adaptive and sophisticated tactics employed by Earth Bluecrow, organizations must prioritize continuous monitoring, rapid incident response, and proactive defense strategies.
