Analysis of BPFDoor Malware Targeting Korean Enterprises
2025.04.30

✅ Report Title: Analysis of BPFDoor Malware Targeting Korean Enterprises



S2W’s Threat Intelligence Center, TALON, has released a detailed report analyzing BPFDoor malware that was recently distributed to Korean enterprises.


This high-level threat intelligence report explores the technical workings of the BPFDoor malware in depth and provides guidance on how to detect and respond to such threats.



✅ Executive Summary:

1) S2W’s Threat Research and Intelligence Center TALON identified and analyzed the BPFDoor malware, which has been distributed to domestic companies in South Korea.

2) BPFDoor abuses BPF (Berkeley Packet Filter) technology to achieve high-level stealth and evasion capabilities, aiming to maintain long-term persistence within Linux systems.

- This malware functions as a backdoor supporting reverse shell connections and command execution.
- It communicates over TCP, UDP and ICMP using non-standard methods.
- Its BPF filter matches a predefined magic sequence, so trigger packets blend in with legitimate traffic and are received without opening a port.

3) BPFDoor receives only specific trigger packets at the kernel level, using a 229-instruction BPF filter.

- The number of instructions and the magic sequence may vary depending on the version.
- It employs multiple anti-forensic techniques such as process name masquerading, daemonization, memory-based replication and execution, and shell history evasion.

4) First named by PwC in 2021, BPFDoor is known to have been used by the Chinese APT group Earth Bluecrow (a.k.a. Red Menshen).

- So far, no evidence indicates use by other threat groups.
- Consistent communication patterns and magic sequences (0x5293, 0x39393939, 0x7255) have been identified.
- The attacker continues to use BPFDoor for lateral movement and long-term persistence.

5) S2W provides custom YARA rules to detect BPFDoor samples and variants used in the recent intrusion.

- Proactive detection is recommended: check for attached BPF filters, search for the magic sequences, look for the salt strings, and verify port status.
- Regular monitoring for abnormal socket connections, file tampering, and process name spoofing is also advised when operating Linux servers.



📌 What is BPFDoor Malware?


First named and disclosed by PwC in 2021, BPFDoor is a Linux-based malware that leverages BPF (Berkeley Packet Filter) to evade detection: the filter selects packets inside the kernel, and the malware receives only the matching ones in user space without a listening port. It supports TCP, UDP, and ICMP and communicates via non-standard methods to remain hidden.


Its advanced stealth and persistence mechanisms allow it to maintain long-term presence in Linux systems. Notably, the malware’s source code was uploaded to GitHub in 2022.


BPF is a lightweight virtual-machine technology inside the OS kernel, designed to execute bytecode safely at various hook points. It filters packets directly in kernel space, allowing efficient traffic handling with improved security and performance.


While BPF is widely used in security and observability tools, its misuse by malware like BPFDoor enables powerful evasion and stealth capabilities.
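A defender-side hunt that follows the report's detection guidance in item 5 (check BPF filters, search for the magic sequences, verify port status), added here as an example and not S2W's own tooling: it lists AF_PACKET raw sockets from /proc/net/packet (the sample text is constructed), maps their inodes back to the owning processes, and flags the report's magic values inside a captured payload. The /proc/net/packet column layout and the `ss -0pb` command for dumping a socket's attached filter are assumed from standard Linux and iproute2 behaviour.

```python
import os

# Constructed sample in the layout of /proc/net/packet (Type 3 = SOCK_RAW,
# 2 = SOCK_DGRAM; Proto = ethertype in hex; last column = socket inode).
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8d5e0c1a0000 3      3    0800   2     1 0      0      48213
ffff8d5e0c1a8000 3      2    0003   0     1 0      0      48377
"""

# Magic values named in the report; the filter compares raw packet bytes, so
# both byte orders are searched (0x39393939 is the same either way).
MAGIC_BYTES = tuple(v.to_bytes(4 if v > 0xFFFF else 2, o)
                    for v in (0x5293, 0x39393939, 0x7255) for o in ("big", "little"))

def parse_packet_sockets(text):
    """Return {inode: (sock_type, ethertype)} for each AF_PACKET socket."""
    sockets = {}
    for line in text.splitlines()[1:]:            # first row is the header
        cols = line.split()
        if len(cols) >= 9:
            sockets[int(cols[8])] = (int(cols[2]), int(cols[3], 16))
    return sockets

def raw_socket_inodes(text):
    """SOCK_RAW packet sockets: dump their attached filter with 'ss -0pb'."""
    return sorted(i for i, (t, _) in parse_packet_sockets(text).items() if t == 3)

def socket_owners(inodes, proc_root="/proc"):
    """Map each socket inode to the PIDs whose fd tables reference it."""
    owners = {}
    if not os.path.isdir(proc_root):
        return owners
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:                           # exited, or not permitted
            continue
        for target in links:
            if target.startswith("socket:[") and target.endswith("]"):
                inode = int(target[8:-1])
                if inode in inodes:
                    owners.setdefault(inode, []).append(int(pid))
    return owners

def magic_offsets(payload):
    """Offsets where any report magic value appears in a packet payload."""
    return sorted({i for mb in MAGIC_BYTES for i in range(len(payload) - len(mb) + 1)
                   if payload[i:i + len(mb)] == mb})
```

Legitimate tools such as tcpdump or DHCP clients also hold packet sockets, so a hit is a prompt to inspect the attached filter and compare it with the report's instruction count and magic values, not a verdict on its own.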




🧑‍💻 Author: S2W TALON (Updated. 2025-04-30)


👉 Read the full report: https://bit.ly/432A501


*The full report is available upon request or with a subscription to the S2W platform.

