
New tool detects BPFDoor implants in critical infrastructure

Summary

– A China-linked hacking group named Red Menshen (or Salt Typhoon) has been targeting telecommunications providers globally by deploying hard-to-detect implants like BPFdoor.
– The BPFdoor malware is a kernel-level backdoor that operates stealthily by abusing Berkeley Packet Filter functionality to listen for hidden activation signals within normal network traffic.
– Once activated by these “magic packets,” BPFdoor can spawn a remote shell, and its variants are designed to masquerade as legitimate system services and monitor telecom-specific protocols.
– Rapid7 researchers have released a scanning script to help defenders identify known BPFdoor variants, though it may miss evolving versions and should be part of a broader security strategy.
– Detecting such implants is particularly difficult in telecom environments due to limited visibility into kernel-level operations and the malware’s ability to blend into normal network activity.

For years, telecommunications providers globally have faced persistent intrusions from sophisticated, state-aligned threat actors. A new scanning tool aims to assist defenders in identifying a particularly stealthy backdoor, known as BPFDoor, which has been deployed by the China-linked group Red Menshen, also tracked as Salt Typhoon. This group has repeatedly targeted telecom operators across North America, Europe, and Asia, along with entities in finance and retail.

The group typically gains initial access by exploiting known vulnerabilities in edge devices and VPNs or using compromised credentials. To maintain long-term persistence, they deploy hard-to-detect implants. BPFDoor is a prime example, operating at the kernel level to avoid leaving a conventional network signature. “What makes BPFdoor particularly unique is its ability to operate at the kernel level without exposing a traditional network footprint,” explained Christiaan Beek, VP of Cyber Intelligence at Rapid7.

This Linux malware abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly within the kernel. It passively listens for specific “magic packets” that trigger its activation. Researchers liken such implants to “sleeper cells”, dormant until awakened by a covert signal. Once activated, BPFdoor can spawn a bind or reverse shell.

Analysis of multiple samples reveals that variants, both old and new, employ several evasive techniques. They masquerade as legitimate system services common in bare-metal telecom infrastructure and spoof core containerization components. The malware can monitor telecom-native protocols like the Stream Control Transmission Protocol (SCTP). Beyond magic packets, it can also be triggered by packets hidden within seemingly legitimate, encrypted HTTPS traffic. It uses older or non-standard encryption to confuse inspection and employs specially crafted ICMP payloads for command-and-control, even passing instructions between compromised hosts.

These methods deliberately target multiple security layers, “from TLS inspection at the edge to IDS detection in transit and endpoint monitoring on the host, illustrating a deliberate effort to operate across the full defensive stack,” the researchers noted.

BPFdoor is not alone in using magic packet activation. The SEASPY backdoor targeted Barracuda appliances, and the J-magic backdoor has been loaded onto Juniper routers. Another threat, the Symbiote rootkit, also performs kernel packet filtering to hide malicious traffic. In complex telecom environments, detecting these implants is exceptionally challenging due to limited visibility into kernel operations, raw packet filtering, and anomalous high-port activity on Linux systems.
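One concrete handle on the "raw packet filtering" visibility gap described above: a process that attaches a BPF filter to a packet socket still owns that socket, and Linux lists every AF_PACKET socket in /proc/net/packet, keyed by inode, which /proc/<pid>/fd links back to a process. The Python below is an added example, not Rapid7's script and not code from the article; it correlates a constructed /proc/net/packet snapshot with constructed per-process data and flags raw-socket holders that are not on an assumed allowlist, or whose binary sits outside system paths or has been deleted from disk.

```python
import re
# Legitimate AF_PACKET socket holders (assumed allowlist; tune it to your fleet).
RAW_SOCKET_ALLOWLIST = {"dhclient", "dhcpcd", "tcpdump", "NetworkManager", "lldpd"}
SYSTEM_BIN_PREFIXES = ("/usr/", "/sbin/", "/bin/")
def parse_proc_net_packet(text):
    """Map socket inode -> (type, proto) from /proc/net/packet; type 3 is SOCK_RAW."""
    socks = {}
    for line in text.strip().splitlines()[1:]:      # first line is the header
        cols = line.split()
        if len(cols) >= 9:
            socks[int(cols[8])] = (int(cols[2]), int(cols[3], 16))
    return socks
def socket_inodes_of(fd_links):
    """Collect socket inodes from /proc/<pid>/fd symlink targets."""
    inodes = set()
    for target in fd_links:
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m:
            inodes.add(int(m.group(1)))
    return inodes
def find_suspicious(packet_table, processes):
    """processes: {pid: {"comm": name, "exe": /proc/<pid>/exe target, "fds": [...]}}.
    Flag AF_PACKET owners not allowlisted, or whose binary is outside system paths or deleted."""
    packet_socks = parse_proc_net_packet(packet_table)
    findings = []
    for pid, info in processes.items():
        owned = socket_inodes_of(info["fds"]) & set(packet_socks)
        if not owned:
            continue
        reasons = []
        if info["comm"] not in RAW_SOCKET_ALLOWLIST:
            reasons.append("unexpected AF_PACKET socket holder")
        if info["exe"].endswith(" (deleted)") or not info["exe"].startswith(SYSTEM_BIN_PREFIXES):
            reasons.append("binary outside system paths or deleted")
        if reasons:
            findings.append((pid, info["comm"], sorted(owned), reasons))
    return findings
# Constructed sample data standing in for a live /proc read.
SAMPLE_PACKET_TABLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c 3      3    0003   2     1 0      0      40112
ffff9a2d 3      3    0003   2     1 0      0      40987
"""
SAMPLE_PROCESSES = {
    812: {"comm": "dhclient", "exe": "/usr/sbin/dhclient", "fds": ["/dev/null", "socket:[40112]"]},
    2231: {"comm": "avahi-daemon", "exe": "/tmp/.cache (deleted)",  # name mimics a service
           "fds": ["socket:[40987]", "pipe:[5001]"]},
    1: {"comm": "systemd", "exe": "/usr/lib/systemd/systemd", "fds": ["socket:[3301]"]},
}
```

On a live host the same logic reads /proc/net/packet and resolves each /proc/<pid>/fd link; a DHCP client or capture tool holding one such socket is normal, so treat hits as leads to review, not verdicts.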

“You’re essentially trying to identify malicious behavior hidden inside otherwise normal network traffic. It’s like looking for a needle that looks and smells like hay, while the haystack itself keeps changing,” Beek added.

To address this, Rapid7 has released a scanning script designed to detect known BPFDoor variants across Linux environments. “The script is highly effective at identifying known patterns and behaviours we’ve validated in real samples,” Beek stated. However, it is not a silver bullet. It may miss highly stealthy or evolving variants and could flag unusual but legitimate activity, so it should be integrated into a broader detection strategy.

The fundamental challenge with these threats is achieving certainty. “These threats shift the conversation from ‘Did we remove it?’ to ‘Do we have enough visibility to trust the system again?’,” Beek said. Rapid7’s ongoing research may not lead to a specific tool for every similar threat like Symbiote. Instead, the focus is on detecting the underlying techniques, such as kernel-level stealth and covert network behavior, that span multiple malware families.

(Source: Help Net Security)
