New BPFDoor Malware Controller Enables Stealthy Lateral Movement on Linux Servers

By jinia


Cybersecurity researchers have uncovered a new controller module linked to the notorious BPFDoor backdoor, advancing the malware’s stealthy capabilities to enable lateral movement across Linux-based systems. This new development marks a serious evolution in targeted cyber attacks against the telecommunications, finance, and retail sectors in regions including South Korea, Hong Kong, Myanmar, Malaysia, and Egypt throughout 2024.


According to a technical report by Trend Micro’s Fernando Mercês, the new controller is capable of opening a reverse shell, allowing attackers to move laterally within compromised networks. This stealthy method increases their chances of escalating privileges, accessing sensitive internal systems, and maintaining long-term persistence.


Linked to Earth Bluecrow – A Persistent Threat Actor

This campaign has been attributed with medium confidence to the Earth Bluecrow threat group (also known as DecisiveArchitect, Red Dev 18, and Red Menshen). Due to the public leak of BPFDoor’s source code in 2022, it’s also possible that multiple groups are now using the malware framework, making attribution more complex.


BPFDoor: A Sophisticated Linux Backdoor With Firewall-Evading Powers

Originally discovered in 2022, BPFDoor is a Linux-based backdoor designed for covert, long-term cyber espionage. It is notable for using the Berkeley Packet Filter (BPF) to inspect incoming network traffic, silently waiting for a specific "Magic Byte" to trigger its payload — all while evading firewall detection.


“The packet never reaches the firewall because it’s handled at the kernel level by BPF,” Mercês explained. “That’s what makes this tool particularly stealthy — a trait more commonly seen in rootkits than in backdoors.”
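A defender-side check for the mechanism described above, added here as an example and not taken from Trend Micro's report: it assumes the sniffer reads traffic through an AF_PACKET socket (the usual way a user-space program attaches a BPF filter to raw frames), lists every such socket from /proc/net/packet, and resolves which process holds it via /proc/<pid>/fd. The /proc/net/packet content below is constructed; the function names are the example's own.

```python
import os
import re

# Constructed sample of /proc/net/packet, the kernel's list of AF_PACKET sockets.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      12345
0000000000000000 3      3    0800   0     1 0      0      67890
"""
ETH_P_ALL = 0x0003  # socket receives every frame on the interface, as a sniffer needs

def parse_packet_sockets(text):
    """Parse /proc/net/packet text; all_traffic marks sockets bound to ETH_P_ALL."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 9:
            continue
        proto = int(f[3], 16)
        sockets.append({"proto": proto, "iface": int(f[4]), "inode": int(f[8]),
                        "all_traffic": proto == ETH_P_ALL})
    return sockets

def map_inodes_to_pids(inodes, proc_root="/proc"):
    """Return {inode: [pid, ...]} by resolving socket:[inode] links under /proc/<pid>/fd."""
    wanted, owners = set(inodes), {}
    if not os.path.isdir(proc_root):
        return owners
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or we lack privilege to read its fd table
            continue
        for fd in fds:
            try:
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue
            if m and int(m.group(1)) in wanted:
                owners.setdefault(int(m.group(1)), []).append(int(pid))
    return owners

def packet_socket_owners(text, proc_root="/proc"):
    """Join both views: each packet socket with the sorted PIDs that hold it."""
    sockets = parse_packet_sockets(text)
    owners = map_inodes_to_pids([s["inode"] for s in sockets], proc_root)
    return [dict(s, pids=sorted(owners.get(s["inode"], []))) for s in sockets]
```

On a live host, run as root and pass the contents of /proc/net/packet to packet_socket_owners(); an ETH_P_ALL socket held by a process that has no business capturing traffic, or one whose inode maps to no PID at all, is what to triage, with the usual caveat that legitimate tools such as tcpdump and DHCP clients also hold packet sockets.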


New Malware Controller Expands BPFDoor’s Capabilities

The latest research reveals that the attackers are deploying a new, previously undocumented controller. This component enables them to remotely issue commands and spread across infected networks after compromising one machine.


Before issuing any commands, the controller prompts the operator to enter a password, which must match a hard-coded value in the BPFDoor malware. Once authenticated, attackers can:


Open a reverse shell
Redirect incoming connections to a local shell on a defined port
Verify the backdoor is still active


The controller supports multiple protocols including TCP, UDP, and ICMP, and even offers optional encryption for secure communication.


In “direct mode,” attackers can connect straight to the infected machine and gain remote shell access — but only after successfully passing the password check.


Rising Threat of BPF Abuse in Modern Malware

BPF’s powerful packet filtering capabilities are now being weaponized by malware developers, posing new challenges for defenders.


“BPF opens a new frontier for attackers,” Mercês noted. “Security researchers must enhance their skill sets to analyze BPF code and defend against such sophisticated threats.”


Conclusion

The emergence of this advanced BPFDoor controller signifies a dangerous new chapter in Linux-targeting cyber threats. By leveraging covert communication, firewall evasion, and secure lateral movement, cybercriminals are refining their tactics to infiltrate high-value networks with minimal detection.