Analysis of nearly 300 malware samples has revealed seven previously undocumented BPFDoor variants quietly burrowing into the backbone of global telecommunications infrastructure with stealth capabilities so advanced they can bypass multi-million-dollar enterprise security stacks without triggering a single alert.
Overview
Advanced persistent threats (APTs) do not stand still, and BPFDoor is proof of that. First observed in 2021 and publicly documented in 2022, BPFDoor is a Linux backdoor historically attributed to Chinese state-sponsored threat actors.
It leverages Berkeley Packet Filters (BPFs) to inspect network traffic directly from inside the OS kernel, creating a silent trapdoor that awakens only when a crafted “magic packet” arrives via stateless protocols. For years, static indicators of compromise (IoCs) allowed defenders to detect and block it; that is no longer the case.
New research published by Rapid7 Labs in April 2026 documents seven new BPFDoor variants that fundamentally re-architect how the malware evades detection, establishes persistence, and moves laterally through carrier-grade networks.
The research, built on analysis of nearly 300 samples, identifies two primary new variants, httpShell and icmpShell, that represent a generational leap in operational security, each designed to survive modern EDR platforms, enterprise proxies, web application firewalls (WAFs), and stateful packet inspection.
The targeting profile is especially alarming. BPFDoor is embedding itself into the core of 4G and 5G telecom infrastructure, including Home Subscriber Servers (HSS) and Ericsson-style edge architectures, positioning threat actors for long-term, silent espionage in networks that underpin national communications.
From Fileless to On-Disk: A Calculated Pivot
Historically, BPFDoor achieved stealth by running from /dev/shm and immediately deleting itself, appearing “fileless” to forensic tools.
Modern EDR solutions, however, now flag processes executing from deleted inodes in temporary filesystems. In response, the httpShell variant has eliminated the /dev/shm drop, instead residing on disk under a hard-coded process name that mimics a legitimate system daemon.
httpShell: The “Magic Ruler” Variant
The httpShell variant operates at the kernel level, binding to all network interfaces simultaneously and forcing the host kernel itself to decapsulate complex carrier-grade tunnels such as GRE and GTP.
Its most sophisticated feature is a mathematical padding scheme dubbed the “Magic Ruler” that ensures its 9999 trigger marker always lands at the 26th byte offset of inspected data, allowing it to survive header shifts introduced by enterprise proxies and WAFs.
The variant also introduces a Hidden IP (HIP) field embedded in a newly discovered magic_packet_v2 structure. When set to -1 (the flag 0xFFFFFFFF), the malware ignores any hardcoded command-and-control (C2) IP.
Instead, it sends its reverse shell back to the packet’s source address, making the attacker’s controller completely stateless and deployable behind NAT or VPNs.
icmpShell: The Dynamic PTY Tunnel
Designed for heavily restricted environments, icmpShell tunnels entire interactive shell sessions over ICMP. Its most innovative feature is PID-bound mutation: the malware injects a dynamic BPF filter tied specifically to its runtime Process ID (PID).
Since the PID changes with every execution, the required “magic knock” signature also mutates, rendering static firewall rules completely ineffective.
icmpShell further implements RC4 encryption for shell traffic, bidirectional ICMP tunnels, and ICMP “hole-punching” heartbeats to keep firewall state tables open during attacker inactivity.
In Rapid7’s lab tests, the backdoor automatically terminated itself after 12 seconds of inactivity by the attacker, a surgically precise design that minimizes forensic exposure during access to network backbone systems.
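A defender-side check for the heartbeat traits just described, written here as an added example rather than code from Rapid7 or from any sample: it parses the RFC 792 ICMP header and flags the two traits the Mitigation section below names for Suricata, the hardcoded sequence number 1234 and an invalid code 1 on an echo message. The assumption that the heartbeat rides the echo types (8 request / 0 reply) is mine; the packets in the block are constructed test input, not captured traffic.

```python
"""Flag ICMP messages carrying the icmpShell heartbeat traits (added example,
not Rapid7 code). Assumes the RFC 792 echo header layout and that the
heartbeat uses echo types 8/0; sample packets are constructed, not captured."""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
SUSPECT_SEQ = 1234   # hardcoded sequence number named in the research
SUSPECT_CODE = 1     # code 1 is undefined for echo request/reply (the valid code is 0)
HDR = struct.Struct("!BBHHH")   # type, code, checksum, identifier, sequence


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over a whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(payload: bytes) -> dict:
    """Parse the 8-byte ICMP header; raise on truncated input."""
    if len(payload) < HDR.size:
        raise ValueError("ICMP header truncated")
    typ, code, _csum, ident, seq = HDR.unpack_from(payload)
    # A valid message sums to zero when the stored checksum is included.
    return {"type": typ, "code": code, "checksum_ok": checksum(payload) == 0,
            "id": ident, "seq": seq, "data": payload[HDR.size:]}


def heartbeat_indicators(payload: bytes) -> list:
    """Return the heartbeat traits present in one ICMP message (empty list if none)."""
    hdr = parse_icmp(payload)
    hits = []
    if hdr["type"] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) and hdr["code"] == SUSPECT_CODE:
        hits.append("invalid echo code 1")
    if hdr["seq"] == SUSPECT_SEQ:
        hits.append("sequence 1234")
    return hits


def build_icmp(typ: int, code: int, ident: int, seq: int, data: bytes = b"") -> bytes:
    """Build a syntactically valid ICMP message with a correct checksum (test input only)."""
    body = HDR.pack(typ, code, 0, ident, seq) + data
    return HDR.pack(typ, code, checksum(body), ident, seq) + data


def scan(packets) -> list:
    """Run the check over a list of ICMP messages; return (index, traits) for each hit."""
    results = []
    for i, pkt in enumerate(packets):
        try:
            hits = heartbeat_indicators(pkt)
        except ValueError:
            continue   # runt packet: nothing to judge
        if hits:
            results.append((i, hits))
    return results


# Constructed sample traffic: a benign ping, a legitimate "host unreachable"
# (type 3 code 1 is valid there), and two messages showing the described traits.
SAMPLE = [
    build_icmp(ICMP_ECHO_REQUEST, 0, 0x4D2A, 1, b"ping"),
    build_icmp(3, 1, 0, 0),
    build_icmp(ICMP_ECHO_REQUEST, 1, 0x0001, 1234, b"hb"),
    build_icmp(ICMP_ECHO_REPLY, 0, 0x0001, 1234),
]

if __name__ == "__main__":
    for idx, traits in scan(SAMPLE):
        print(f"packet {idx}: {', '.join(traits)}")
```

The same two conditions map onto a network rule: in Suricata the itype, icode and icmp_seq keywords express "echo request with code 1 and sequence 1234" directly, so the Python above is a way to validate such a rule against a pcap before deploying it, not a replacement for the NIDS.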
Variant ‘G’: Triple-Protocol Parallel Sniffing
One newly identified variant, designated Rapid7 Variant ‘G’, spawns three independent threads, one each for TCP, UDP, and ICMP, that monitor all three protocols simultaneously via raw sockets with identical BPF filters deployed on each.
This triple-redundant architecture prevents high-volume traffic on one protocol from drowning out a trigger on another and gives threat actors a built-in C2 fallback. If a defender blocks ICMP, the implant seamlessly switches to TCP triggers without any reconfiguration.
Variant ‘H’: The Active Beacon
Unlike passive BPFDoor variants that wait silently, Rapid7 Variant ‘H’ actively beacons outbound, resolving the dynamic DNS domain ntpussl.instanthq.com to disguise encrypted C2 sessions as routine NTP-over-SSL synchronization traffic.
It uses a statically linked OpenSSL library with an RC4-MD5 cipher suite to connect on port 443, embedding an activation “kill switch” that checks whether the resolved DNS address is 127.0.0.1 before proceeding.
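To illustrate the DNS monitoring that the Mitigation section recommends against this beacon, here is an added example (not Rapid7's detection content) that scans resolver logs for two traits described above: a time-sync-looking hostname under a dynamic-DNS zone, and an answer of 127.0.0.1 for such a name, the value the kill-switch check compares against. The log lines are constructed in a dnsmasq-style layout; the NTP allowlist, the regex for time-sync-looking labels, the naive two-label zone extraction and the DDNS zone list (instanthq.com from the article, duckdns.org added as a well-known provider) are my assumptions and should be tuned per environment.

```python
"""Scan resolver logs for NTP-masquerading beacon traits (added example, not
Rapid7 content). Log format, allowlist, DDNS zones and heuristics are
constructed or assumed as labelled below."""
import re

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")   # dnsmasq-style query line
REPLY_RE = re.compile(r"reply (\S+) is (\S+)")               # dnsmasq-style answer line
TIME_LABEL = re.compile(r"(^|[.-])(ntp|sntp|time)", re.I)     # labels suggesting time sync (assumption)

# Public NTP services that legitimately carry such labels (real hostnames; extend per site).
LEGIT_NTP_SUFFIXES = ("pool.ntp.org", "time.google.com", "time.cloudflare.com",
                      "time.windows.com", "time.apple.com")
# Zones treated as dynamic DNS: instanthq.com is named in the article; duckdns.org is a
# well-known DDNS provider added here as an illustrative extension.
DDNS_ZONES = {"instanthq.com", "duckdns.org"}
KILL_SWITCH_ANSWER = "127.0.0.1"


def zone_of(name: str) -> str:
    """Naive registrable zone: last two labels (assumption; use a public-suffix list in production)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def looks_like_ntp(name: str) -> bool:
    """Time-sync-looking name that is not one of the known public NTP services."""
    n = name.lower().rstrip(".")
    if n.endswith(LEGIT_NTP_SUFFIXES):
        return False
    return TIME_LABEL.search(n) is not None


def parse_line(line: str):
    """Return ('query', name, client) or ('reply', name, answer); None for other lines."""
    m = QUERY_RE.search(line)
    if m:
        return ("query", m.group(2), m.group(3))
    m = REPLY_RE.search(line)
    if m:
        return ("reply", m.group(1), m.group(2))
    return None


def suspicious(lines) -> list:
    """Return (name, reason) tuples for log lines matching the beacon heuristics."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if not ev or not looks_like_ntp(ev[1]):
            continue
        kind, name, value = ev
        if kind == "query" and zone_of(name) in DDNS_ZONES:
            findings.append((name, "ntp-lookalike-under-ddns-zone"))
        elif kind == "reply" and value == KILL_SWITCH_ANSWER:
            findings.append((name, "loopback-answer"))
    return findings


# Constructed sample log (not a real capture); timestamps and clients are placeholders.
SAMPLE_LOG = """\
Apr 10 03:12:01 dnsmasq[812]: query[A] ntpussl.instanthq.com from 10.20.30.40
Apr 10 03:12:01 dnsmasq[812]: reply ntpussl.instanthq.com is 127.0.0.1
Apr 10 03:12:05 dnsmasq[812]: query[A] time.google.com from 10.20.30.41
Apr 10 03:12:05 dnsmasq[812]: reply time.google.com is 216.239.35.0
Apr 10 03:12:09 dnsmasq[812]: query[A] ntp1.corp.example from 10.20.30.42
Apr 10 03:12:09 dnsmasq[812]: reply ntp1.corp.example is 10.0.0.123
""".splitlines()

if __name__ == "__main__":
    for name, reason in suspicious(SAMPLE_LOG):
        print(f"{reason}: {name}")
```

The internal ntp1.corp.example line is there to show the heuristic's scope: a time-sync-looking name alone is not a finding; it is the combination with a DDNS zone, or with a loopback answer, that raises it.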
HPE ProLiant Targeting
One variant was specifically tailored for HPE ProLiant servers, spoofing the process name cmathreshd with realistic flags to impersonate HPE Insight Management Agents. It actively kills the legitimate HP agent on detection of its lock file and calls unsetenv("LD_PRELOAD") to disable user-mode security hooks.
This degree of environmental specificity confirms that threat actors possess detailed knowledge of physical bare-metal infrastructure deployed in telecom core networks.
Mitigation
Defenders must shift detection strategy from payload-based signatures to structural anomalies and protocol behavior:
- Suricata/NIDS rules: Target the hardcoded ICMP sequence number 1234 and the technically invalid ICMP Code 1 injected by icmpShell’s heartbeat thread
- Host-level monitoring: Flag processes whose executable path no longer exists on disk and any root-owned process spoofing known daemons (e.g., zabbix_agentd, dockerd, cmathreshd)
- Auditd rules: Monitor for AF_PACKET socket creation (SOCK_RAW, SOCK_DGRAM) and setsockopt calls used to attach BPF filters
- Rapid7 triage script: Deploy rapid7_bpfdoor_check.sh to identify zero-byte mutex files and active BPF filters attached to packet sockets across both legacy and modern variants
- Intelligence Hub: Rapid7 customers can access continuously updated YARA rules and Suricata detection rulesets through the Intelligence Hub
- DNS monitoring: Block or alert on resolution of masquerade domains mimicking NTP update services, particularly those using DDNS providers
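The host-level and auditd items above share one underlying check: which processes run from a deleted binary or under a borrowed daemon name, and which of them hold AF_PACKET sockets, the socket type a BPF filter is attached to. The following is an added example of that check, not rapid7_bpfdoor_check.sh or any other Rapid7 code. It reads the same /proc data a triage script would (the snapshot function), and the rest of the logic is exercised on constructed sample records; the daemon names come from the article, while TRUSTED_PREFIXES and the sample PIDs, paths and inodes are assumptions.

```python
"""Host triage for the indicators listed above: deleted executables, root
processes masquerading as known daemons, and AF_PACKET sockets mapped to PIDs.
Added example, not Rapid7 code; sample data and TRUSTED_PREFIXES are constructed."""
import os
import re

DAEMON_WATCHLIST = {"zabbix_agentd", "dockerd", "cmathreshd"}   # names the variants spoof
TRUSTED_PREFIXES = ("/usr/", "/opt/", "/sbin/", "/bin/")      # where real daemons live (assumption)
SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}                   # /proc/net/packet Type column


def deleted_exe(procs):
    """PIDs whose /proc/<pid>/exe link target reads '<path> (deleted)'."""
    return [p["pid"] for p in procs if p["exe"].endswith("(deleted)")]


def spoofed_daemons(procs):
    """Root processes with a watched daemon name whose binary does not look genuine:
    deleted, outside the trusted prefixes, or named differently from the process."""
    hits = []
    for p in procs:
        if p["uid"] != 0 or p["comm"] not in DAEMON_WATCHLIST:
            continue
        exe = p["exe"]
        if (exe.endswith("(deleted)") or not exe.startswith(TRUSTED_PREFIXES)
                or os.path.basename(exe) != p["comm"]):
            hits.append(p["pid"])
    return hits


def parse_proc_net_packet(text):
    """Parse /proc/net/packet; columns: sk RefCnt Type Proto Iface R Rmem User Inode."""
    rows = []
    for line in text.splitlines()[1:]:            # skip the header row
        f = line.split()
        if len(f) < 9:
            continue
        rows.append({"type": SOCK_TYPES.get(int(f[2]), f[2]), "proto": int(f[3], 16),
                     "iface": int(f[4]), "uid": int(f[7]), "inode": int(f[8])})
    return rows


def packet_socket_owners(sockets, fd_links):
    """Join socket inodes to PIDs through /proc/<pid>/fd links of the form 'socket:[N]'."""
    owner = {}
    for pid, links in fd_links.items():
        for link in links:
            m = re.fullmatch(r"socket:\[(\d+)\]", link)
            if m:
                owner.setdefault(int(m.group(1)), []).append(pid)
    return [(s, sorted(owner.get(s["inode"], []))) for s in sockets]


def snapshot(proc="/proc"):
    """Collect live process records and fd links (run as root to see every process)."""
    procs, fd_links = [], {}
    for d in os.listdir(proc):
        if not d.isdigit():
            continue
        base = os.path.join(proc, d)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            uid = os.stat(base).st_uid
            exe = os.readlink(os.path.join(base, "exe"))
            fds = os.path.join(base, "fd")
            fd_links[int(d)] = [os.readlink(os.path.join(fds, fd)) for fd in os.listdir(fds)]
        except OSError:
            continue                               # exited, kernel thread, or no permission
        procs.append({"pid": int(d), "comm": comm, "uid": uid, "exe": exe})
    return procs, fd_links


# Constructed sample records standing in for a host snapshot (not from a real incident).
SAMPLE_PROCS = [
    {"pid": 812,  "comm": "dockerd",       "uid": 0,    "exe": "/usr/bin/dockerd"},
    {"pid": 2231, "comm": "zabbix_agentd", "uid": 0,    "exe": "/dev/shm/updater (deleted)"},
    {"pid": 2290, "comm": "cmathreshd",    "uid": 0,    "exe": "/tmp/.cache/cmathreshd"},
    {"pid": 3001, "comm": "bash",          "uid": 1000, "exe": "/usr/bin/bash"},
]
SAMPLE_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c2e1a3b4c00 3      3    0800   2     1 0      0      45021
ffff9c2e1a3b4d00 3      2    0003   0     1 0      0      45022
"""
SAMPLE_FDS = {812: ["socket:[9001]"], 2231: ["/dev/null", "socket:[45021]"], 2290: ["socket:[45022]"]}

if __name__ == "__main__":
    print("deleted exe:", deleted_exe(SAMPLE_PROCS))
    print("spoofed daemons:", spoofed_daemons(SAMPLE_PROCS))
    for sock, pids in packet_socket_owners(parse_proc_net_packet(SAMPLE_PACKET), SAMPLE_FDS):
        print(f"AF_PACKET {sock['type']} proto=0x{sock['proto']:04x} inode={sock['inode']} pids={pids}")
```

The packet-socket table tells you who holds an AF_PACKET socket, not whether a filter is attached to it; ss -0 -b (the --bpf option, root only) dumps the attached classic BPF program for each such socket, which is what a triage step would inspect next. The auditd bullet watches the same two events at syscall level: socket() with family AF_PACKET (17) and setsockopt() with SO_ATTACH_FILTER (26) on SOL_SOCKET.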
Conclusion
BPFDoor’s evolution from a fileless sniffer to a multi-variant, kernel-embedded espionage platform signals a new era of APT persistence in critical infrastructure.
The combination of stateless C2 routing, PID-bound dynamic signatures, triple-protocol parallel sniffing, and NTP-masquerading active beacons demonstrates that the threat actors behind this toolkit possess both deep Linux kernel expertise and intimate knowledge of telecom network architecture.
With Rapid7’s research still ongoing and findings suggesting targeted sectors may extend beyond mobile carriers, organizations operating Linux-based backbone infrastructure must treat BPFDoor detection as an urgent operational priority.
Frequently Asked Questions
Q1: What makes BPFDoor so difficult to detect compared to other Linux backdoors?
BPFDoor operates entirely inside the OS kernel using Berkeley Packet Filters, making it invisible to standard tools like netstat or ss. Its PID-bound dynamic signatures and stateless C2 routing mean no static firewall rule or signature database can reliably catch it.
Q2: Which industries are most at risk from the newly discovered BPFDoor variants?
Telecommunications carriers running 4G/5G core infrastructure are the primary targets, but Rapid7 notes findings suggest the scope may extend beyond mobile carriers to any organization running Linux-based bare-metal servers, including those using HPE ProLiant hardware in enterprise environments.
Site: thecybrdef.com