The PolySwarm Blog


BPFDoor Targets Linux Systems

May 20, 2022 2:44:39 PM / by PolySwarm Tech Team



PwC Threat Intelligence recently reported on BPFDoor, a passive network implant for Linux targeting telecommunications providers. The activity was attributed to the Chinese nexus threat actor group Red Menshen.

What is BPFDoor?

BPFDoor is a stealthy surveillance tool used by the threat actor group known as Red Menshen. It targets multiple Linux-based systems and has also been found on Solaris SPARC. BPFDoor has been in the wild for at least five years, is highly evasive, and is not detected by most endpoint protection vendors.

According to security researcher Kevin Beaumont, threat actors can use BPFDoor to backdoor a system for remote code execution without opening new firewall rules or network ports. Because the implant relies on a BPF packet filter, it can sit alongside a legitimate service that is already listening on a port, such as a web application on port 443, react to traffic arriving on that existing port, and be reached over the same port the service uses. Threat actors use a tool that works over both internal networks and the internet, allowing them to communicate with the implants using a password. PwC noted the threat actors used virtual private servers to send commands to BPFDoor victims.
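A classic BPF packet filter of the kind described above has to be attached to a socket, and on Linux a filter that sees traffic for a port another process owns is normally attached to an AF_PACKET (raw) socket. Those sockets are listed in /proc/net/packet, and the owning process can be found by matching the socket inode against /proc/<pid>/fd. The following audit script is an added example written for this post, not code from PolySwarm, PwC or Kevin Beaumont; it assumes the implant's filter is attached to an AF_PACKET socket (an assumption, since the post only says a BPF filter is used), and the sample /proc/net/packet text and the fake /proc tree it builds for offline use are constructed here.

```python
"""Enumerate AF_PACKET (raw) sockets on a Linux host and map each one to the
process that holds it. A packet filter that watches a port owned by another
service must be attached to such a socket, so a raw socket held by an
unexpected process is worth investigating. Added example; the sample data
below is constructed and is not taken from any real host or sample."""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass, field

PROC_NET_PACKET = "/proc/net/packet"
SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")

# Constructed sample of /proc/net/packet: first row is a SOCK_RAW socket bound
# to ETH_P_ALL (0x0003) on every interface, second row a SOCK_DGRAM IPv4 socket.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1b2c3d4e5f 3      3    0003   0     1 0      0      41021
ffff9a1b2c3d4e60 3      2    0800   2     1 0      0      41077
"""


@dataclass
class PacketSocket:
    inode: int
    sock_type: int          # 3 == SOCK_RAW, 2 == SOCK_DGRAM
    proto: int              # ethertype; 3 == ETH_P_ALL (sees everything)
    iface: int              # ifindex; 0 == bound to all interfaces
    owners: list[tuple[int, str]] = field(default_factory=list)


def parse_proc_net_packet(text: str) -> list[PacketSocket]:
    """Parse /proc/net/packet. Columns (kernel net/packet/af_packet.c):
    sk RefCnt Type Proto Iface R Rmem User Inode; Proto is hex, the rest decimal."""
    sockets = []
    for line in text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append(PacketSocket(
            inode=int(fields[8]),
            sock_type=int(fields[2]),
            proto=int(fields[3], 16),
            iface=int(fields[4]),
        ))
    return sockets


def find_socket_owners(inodes: set[int], proc_root: str = "/proc") -> dict[int, list[tuple[int, str]]]:
    """Walk <proc_root>/<pid>/fd and return {inode: [(pid, comm), ...]}.
    Reading another user's fd table needs root; unreadable entries are skipped."""
    owners: dict[int, list[tuple[int, str]]] = {ino: [] for ino in inodes}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = SOCKET_LINK.fullmatch(target)
            if not m or int(m.group(1)) not in owners:
                continue
            try:
                with open(os.path.join(proc_root, entry, "comm")) as f:
                    comm = f.read().strip()
            except OSError:
                comm = "?"
            owners[int(m.group(1))].append((int(entry), comm))
    return owners


def audit(packet_text: str, proc_root: str = "/proc") -> list[PacketSocket]:
    """Combine both steps: every AF_PACKET socket with the processes holding it."""
    sockets = parse_proc_net_packet(packet_text)
    owners = find_socket_owners({s.inode for s in sockets}, proc_root)
    for s in sockets:
        s.owners = sorted(owners[s.inode])
    return sockets


def run_offline_demo() -> dict[int, list[tuple[int, str]]]:
    """Exercise the audit against a constructed fake /proc tree: pid 1234
    ("sample-proc") holds inode 41021, nobody holds 41077."""
    with tempfile.TemporaryDirectory() as root:
        fd_dir = os.path.join(root, "1234", "fd")
        os.makedirs(fd_dir)
        os.symlink("socket:[41021]", os.path.join(fd_dir, "3"))   # dangling link is fine
        with open(os.path.join(root, "1234", "comm"), "w") as f:
            f.write("sample-proc\n")
        return {s.inode: s.owners for s in audit(SAMPLE_PROC_NET_PACKET, root)}


if __name__ == "__main__":
    # Live run: list raw sockets on this host and who owns them (root for full view).
    with open(PROC_NET_PACKET) as fh:
        for s in audit(fh.read()):
            print(f"inode={s.inode} type={s.sock_type} proto=0x{s.proto:04x} "
                  f"ifindex={s.iface} owners={s.owners or 'unknown (no permission?)'}")
```

On a live host the interesting rows are SOCK_RAW sockets with proto 0x0003 (all traffic) whose owner is not a known packet-capture or network daemon; an owner of "unknown" usually means the script ran without the privileges needed to read other users' fd tables, so run it as root before drawing conclusions.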

Beaumont researched the malware throughout 2021 and found it affected systems in multiple countries including the US, South Korea, Hong Kong, Turkey, India, Vietnam, and Myanmar. BPFDoor was discovered in systems across multiple verticals including government, postal and logistics, and education. Beaumont stated that BPFDoor appears to be used for surveillance purposes.

Who is Red Menshen?

Red Menshen, also known as Red Dev 18, is a Chinese nexus threat actor group active since at least 2021. Red Menshen’s targets include telecommunications entities in the Middle East and Asia. Other verticals the group targets include government, education, and logistics. Known TTPs include BPFDoor, Mangzamel, Mimikatz, Metasploit, and custom variants of Gh0st. Red Menshen also uses VPSs hosted at a well-known service provider and VPNs leveraging compromised routers located in Taiwan. The threat actors appear to be active on a regular schedule, operating Monday through Friday from the hours of 01:00 to 10:00 UTC.


PolySwarm has multiple samples of BPFDoor.

You can use the following CLI command to search for all BPFDoor samples in our portal:

$ polyswarm link list -f BPFDoor

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.


Topics: Threat Bulletin, China, Linux, Red Menshen, BPFDoor, Telecommunications
