Saturday, May 3, 2025
HomeCyber Security NewsRed Menshen APT Group Deploying BPFDoor in Linux Kernel

Red Menshen APT Group Deploying BPFDoor in Linux Kernel

Published on

SIEM as a Service

Follow Us on Google News

APTs Red Menshen expands targets to Linux and cloud servers, as seen in ransomware attacks on VMware ESXi, Mirai botnet variations, and cloud-focused stealers and crypto miners.

APT groups extend focus beyond Windows, signified by Sandworm’s attacks on Linux-based routers. Unlike cybercrime malware with broad targets, APT malware prioritizes persistent stealth and routine maintenance.

Red Menshen, an APT group active in the Middle East and Asia, continuously enhances the BPFDoor backdoor, utilizing Berkeley Packet Filter (BPF) to evade Linux and Solaris OS firewalls. 

- Advertisement - Google News

Cybersecurity researchers at Trend Micro identify the Linux and Solaris variants as Backdoor.Linux.BPFDOOR and Backdoor.Solaris.BPFDOOR.ZAJE, respectively, with added monitoring and detection patterns.

Red Menshen advances BPF filters, increasing instructions six-fold, indicating active development and successful deployment of BPFDoor.

Workflow of BPFDoor

The intriguing technical aspect of BPFDoor lies in its kernel-level loading of packet filters, commonly known as BPF or LSF in Linux, representing the same underlying technology.

BPFDoor’s BPF filters enable backdoor activation with a single network packet, bypassing firewalls by leveraging the kernel’s BPF engine, and this rootkit-like capability sets it apart from typical backdoors.

BPFDoor variants employ classic BPF filters, with Linux samples using SO_ATTACH_FILTER and Solaris samples utilizing libpcap functions for runtime filter loading.

When a packet with the magic number arrives, BPFDoor connects back to the source IP, establishing a distinct identifier-based communication.

A privileged reverse shell is established by BPFDoor, enabling remote command execution by the attacker through a pipe connection to the infected machine’s shell.

Activation of BPFDoor backdoor (Source – TrendMicro)

The samples of BPFDoor across 2018-2022 feature a uniform BPF program accepting unique magic numbers for the following protocols:-

  • TCP
  • UDP
  • ICMP
BPF program instruction old (Source – TrendMicro)

The BPF program in these samples comprises 30 instructions, which measure the filter’s complexity, reads the report shared.

On the affected systems, there are three distinct packets that trigger the activation of the backdoor, and here below, we have mentioned them:-

  • UDP packet containing the magic number 0x7255 at the data field
  • ICMP ECHO (ping) packet containing the same 0x7255 magic number at the data field
  • TCP packet containing the magic number 0x5293 at the data field

Experts identified four telfhash-supported samples introducing a 4-byte magic number for TCP packets, resulting in a new BPF program with 39 instructions.

BPF program instruction New (Source – TrendMicro)

In 2023, three samples utilized an enhanced BPF program with 229 instructions, specifically validating ICMP packets as ICMP ECHO requests.

Targets of Red Menshen APT

Here below, we have mentioned the countries targeted using BPFDoor:-

  • Turkey
  • Hong Kong
  • Brazil

Here below, we have mentioned the industries targeted using BPFDoor:-

  • Telecommunication services
  • Financial services
  • Other services

Incorporating BPF bytecode into malware poses a new complicated hurdle for security experts. So, the BPFDoor’s evolving filters indicate threat actors’ efforts to enhance stealth and evade detection.

Updating rules and diving into BPF filter analysis promptly is advised for network defenders and malware analysts.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Hundreds of Fortune 500 Companies Have Unknowingly Employed North Korean IT Operatives

North Korean nationals have successfully infiltrated the employee ranks of major global corporations at...

Stealthy New NodeJS Backdoor Infects Users Through CAPTCHA Verifications

Security researchers have uncovered a sophisticated malware campaign utilizing fake CAPTCHA verification screens to...

State-Sponsored Hacktivism on the Rise, Transforming the Cyber Threat Landscape

Global cybersecurity landscape is undergoing a significant transformation, as state-sponsored hacktivism gains traction amid...

NVIDIA Riva AI Speech Flaw Let Hackers Gain Unauthorized Access to Abuse GPU Resources & API keys

Researchers have uncovered significant security vulnerabilities in NVIDIA Riva, a breakthrough AI speech technology...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hundreds of Fortune 500 Companies Have Unknowingly Employed North Korean IT Operatives

North Korean nationals have successfully infiltrated the employee ranks of major global corporations at...

State-Sponsored Hacktivism on the Rise, Transforming the Cyber Threat Landscape

Global cybersecurity landscape is undergoing a significant transformation, as state-sponsored hacktivism gains traction amid...

Stealthy New NodeJS Backdoor Infects Users Through CAPTCHA Verifications

Security researchers have uncovered a sophisticated malware campaign utilizing fake CAPTCHA verification screens to...