
Stealthy Nation-State BPFDoor

BPFDoor is a Linux/Unix backdoor that lets threat actors remotely connect to a shell on a compromised device and gain complete control of it. It supports multiple protocols for communicating with its command and control (C2) server, including TCP, UDP, and ICMP. Its distinguishing feature is the use of Berkeley Packet Filters (BPF), combined with several other techniques, to achieve this. BPF is a kernel mechanism that allows a user-space program to attach a packet filter to a socket; the filter then decides which packets are allowed to pass through that socket and which are dropped.
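
Because the backdoor depends on a user-space process holding a packet socket with a BPF filter attached, one defensive check is to enumerate exactly those sockets and their owning processes. The script below is an added example (not code from the original page or from any vendor tool): it parses text in the shape of `ss -0pb` output (packet sockets, owning process, attached filter) and returns a review queue; the sample output, process names, pids and filter opcodes are constructed placeholders, and the allow-list of expected packet-filtering processes is an assumption an operator would tune.

```python
"""Offline triage helper: list user-space processes that hold a packet socket
with a classic BPF filter attached, from `ss -0pb`-style text. Legitimate tools
(DHCP clients, packet capture) show up too, so the result is a review queue,
not a verdict."""
import re

# Constructed sample in the shape of `ss -0pb` output. Process names, pids and
# filter opcodes are placeholders, not real indicators of anything.
SAMPLE_SS_OUTPUT = """\
Netid Recv-Q Send-Q Local Address:Port Peer Address:Port Process
p_raw 0      0      *:eth0             *                 users:(("dhclient",pid=812,fd=5))
\tbpf filter (4): 0x28 0 0 12, 0x15 0 1 2048, 0x6 0 0 262144, 0x6 0 0 0
p_dgr 0      0      *:eth0             *                 users:(("placeholder_proc",pid=4242,fd=3))
\tbpf filter (6): 0x28 0 0 12, 0x15 0 3 2048, 0x30 0 0 23, 0x15 0 1 1, 0x6 0 0 65535, 0x6 0 0 0
p_raw 0      0      *:lo               *                 users:(("placeholder_proc",pid=4242,fd=4))
"""

_SOCKET_RE = re.compile(r"^(p_raw|p_dgr)\s+\S+\s+\S+\s+\*:(\S+)\s+\S+\s+users:\((.*)\)\s*$")
_USER_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=(\d+)\)')
_FILTER_RE = re.compile(r"^\s+bpf filter \((\d+)\):")

def packet_sockets_with_bpf(ss_output: str) -> list[dict]:
    """One record per (process, fd) whose packet socket carries a BPF filter."""
    findings = []
    current = None  # most recent socket line, awaiting a possible filter line
    for line in ss_output.splitlines():
        sock = _SOCKET_RE.match(line)
        if sock:
            kind, iface, users = sock.groups()
            current = {"kind": kind, "iface": iface,
                       "owners": [(n, int(p), int(f)) for n, p, f in _USER_RE.findall(users)]}
            continue
        flt = _FILTER_RE.match(line)
        if flt and current is not None:
            for name, pid, fd in current["owners"]:
                findings.append({"process": name, "pid": pid, "fd": fd,
                                 "socket": current["kind"], "iface": current["iface"],
                                 "bpf_insns": int(flt.group(1))})
            current = None  # a filter line belongs to exactly one socket line
    return findings

def processes_to_review(ss_output: str, expected=frozenset({"dhclient"})) -> list[dict]:
    """Drop processes the operator already expects to filter packets (assumed allow-list)."""
    return [f for f in packet_sockets_with_bpf(ss_output) if f["process"] not in expected]

if __name__ == "__main__":
    for f in processes_to_review(SAMPLE_SS_OUTPUT):
        print(f"{f['process']} pid={f['pid']} fd={f['fd']} {f['socket']} on {f['iface']} "
              f"bpf insns={f['bpf_insns']}")
```

On a live host, pipe the real command output into `processes_to_review` and compare each hit against the process's on-disk binary and its command line, since masquerading names are part of this family's tradecraft.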

ATT&CK IDs: T1008 - Fallback Channels, T1036 - Masquerading, T1059 - Command and Scripting Interpreter, T1070 - Indicator Removal on Host, T1095 - Non-Application Layer Protocol, T1106 - Native API, T1548 - Abuse Elevation Control Mechanism
