Researchers at PwC Threat Intelligence have documented BPFDoor, a passive network implant attributed to Red Menshen, a China-based threat group. BPFDoor uses a novel method of receiving instructions and executing code on infected hosts. Unlike many implants, it does not listen on a port of its own, nor does it initiate outbound command-and-control (C2) traffic. It also masquerades its process name to evade casual inspection, and it uses a Berkeley Packet Filter (BPF) program to inspect traffic arriving on legitimate, already-open ports for ‘magic bytes’ that activate the implant. This packet-filtering approach lends itself to stealthy operation not only because no new port is opened, but also because the matching is done by the kernel's BPF engine with very low CPU overhead.
Independent researcher Kevin Beaumont also found that this implant has been active in organizations around the globe since at least 2021, though early versions of its source code have been discovered that suggest the implant existed years earlier. He also states that “Inside those organizations I believe it is likely present on thousands of systems. The implant appears to be for surveillance purposes.”