A dangerous Linux backdoor called BPFDoor has returned in a more powerful form, with researchers uncovering new variants built to stay invisible inside critical network infrastructure.
Linked to a China-nexus threat actor group known as Red Menshen, these updated versions target Linux servers embedded deep inside global telecom networks.
Unlike earlier strains, the new variants come equipped with techniques that make them far harder to detect and even harder to remove once they are inside a compromised system.
BPFDoor works by abusing the Berkeley Packet Filter, a legitimate Linux kernel function used to inspect and filter network traffic. The malware loads a custom BPF filter that watches every incoming packet on an infected system without ever opening a visible port.
Firewalls see nothing unusual, and standard port scans return clean results. The backdoor waits silently for a specially crafted trigger, known as a magic packet, and only activates when that exact signal arrives.
This passive design is what has allowed BPFDoor to remain undetected on compromised networks for months or even years.
Rapid7 analysts identified seven new BPFDoor variants after conducting a months-long investigation that involved analyzing nearly 300 malware samples.
Their research uncovered two primary new variants — icmpShell and httpShell — both of which significantly advance the backdoor’s ability to stay hidden and operate without detection.
These variants introduce stateless command-and-control routing and ICMP relay as their core communication features, giving attackers a way to manage infected machines without leaving any fixed digital trail.
The malware has been found living inside telecom backbone infrastructure, where it gives attackers persistent, long-term access to intercept and manipulate sensitive communications.
Its support for telecom-native protocols like SCTP, combined with an awareness of container runtime environments, shows that this tool was built specifically for high-value, deep-infrastructure targets.
The pattern of activity points to an organized, state-sponsored group conducting a long-term cyber-espionage campaign rather than a quick, opportunistic intrusion.
Stateless C2 and ICMP Relay
One of the most striking changes in the new variants is how they handle communication with their operators. In older versions, the attacker’s IP had to be hardcoded into the magic packet payload — a fixed point that a defender could potentially catch.
The new variants solve this with a special -1 flag, set to the broadcast IP 255.255.255.255. When this flag appears in the magic packet structure, the malware ignores any hardcoded address and routes the reverse shell back to the source IP found in the triggering packet’s own headers.
.webp)
This makes the attacker’s controller completely stateless, letting them operate from behind NAT devices or VPNs without exposing a fixed command-and-control address.
When the authentication check fails, the infected machine does not simply go quiet — it becomes a hidden relay node inside the network.
The malware reads an internal target IP from the Host Identity Protocol field embedded in the ICMP packet, rewrites the key trigger bytes, and sends a crafted ICMP Echo Request toward that internal address.
.webp)
This effectively lets attackers tunnel commands through internal systems using ping traffic, which most monitoring tools do not flag. To prevent relay loops, the malware resets the hop IP back to -1 after each forwarded packet.
The backdoor opens three parallel sockets for TCP, UDP, and ICMP, giving it a fallback if defenders block one channel.
.webp)
On the host, it disguises its process as a legitimate service like HPE Insight Management Agents, performs timestomping, and wipes file descriptors to erase all traces.
.webp)
Security teams should monitor for raw socket usage on Linux endpoints, audit process names against known services, and watch for unexpected ICMP traffic within internal networks.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
