Earth Bluecrow Deploys BPFDoor Backdoor to Target Asia and Middle East Infrastructure

Threat Group: Earth Bluecrow (also known as Red Menshen, DecisiveArchitect, and Red Dev 18)
Threat Type: Backdoor Malware
Exploited Vulnerabilities: None (leverages BPF and raw sockets for firewall evasion and passive packet monitoring)
Malware Used: BPFDoor (aka Backdoor.Linux.BPFDOOR or JustForFun)
Threat Score: 🔴 High (8.4/10) – Due to exceptional stealth capabilities, advanced BPF-based communication, and targeting of national critical infrastructure
Last Threat Observation: 20 April 2025
Overview
How Threat Score Works:
Cybersec Sentinel assigns threat scores on a scale of 0 to 10, considering sophistication, impact, evasion techniques, and targeting. A score of 8.5 indicates a highly evasive threat capable of bypassing traditional defences, requiring a full incident response lifecycle.
BPFDoor is a stealthy backdoor targeting Linux and Solaris systems, attributed to the China-aligned APT group Earth Bluecrow. It uses Berkeley Packet Filters (BPF) and raw sockets to monitor network traffic passively. By avoiding open ports and standard network communication methods, it bypasses most detection mechanisms. Activation is triggered by crafted "magic packets" that initiate remote shell sessions.
A newly discovered controller tool enhances BPFDoor operations, offering password management, encryption, and lateral movement capabilities. Earth Bluecrow focuses heavily on Asia and the Middle East, targeting telecoms, logistics, government, and recently finance and retail sectors.
Key Details
Delivery Method: Manual deployment post-compromise
Target: Linux and Solaris systems in telecom, government, logistics, education, finance
Functions:
- Passive kernel-level packet inspection (BPF)
- Magic packet activation (TCP/UDP/ICMP)
- Reverse and bind shell setup with firewall manipulation
- Encrypted C2 support via libtomcrypt
- Controller-driven lateral movement
Obfuscation:
- Process masquerading (e.g., dbus-daemon, udevd)
- Memory residence (e.g., /dev/shm)
- File deletion post-execution
- Timestomping to 2008
- Lock files in /var/run prevent multiple instances
Attack Vectors
BPFDoor operates without exposing ports. It listens for magic packets using raw sockets filtered by BPF bytecode, allowing it to bypass iptables and host firewalls. On activation, it launches shell sessions with traffic redirection via temporary iptables rules.
Persistence is external—cron jobs, systemd services, or init scripts ensure BPFDoor restarts post-reboot. It may run from /dev/shm and hide under legitimate-looking process names.

Known Indicators of Compromise (IoCs)
File Hashes (SHA256):
- afa8a32ec29a31f152ba20a30eb483520fe50f2dce6c9aa9135d88f7c9c511d7
- 07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d (unconfirmed)
File Hashes (SHA1):
Masqueraded Process Names:

| Name | Notes |
|---|---|
| /sbin/udevd -d | Mimics udev daemon |
| dbus-daemon --system | Message bus disguise |
| qmgr -l -t fifo -u | Mimics postfix queue manager |
| /usr/libexec/postfix/master | Masquerades as mail system process |

File Paths:

| Path | Use |
|---|---|
| /dev/shm/kdmtmpflush | Executable copy |
| /var/run/haldrund.pid | Lock file |
| /tmp/zabbix_agent.log | Controller temp file |
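As an added host-triage example (not code from the advisory or the cited reports), the following Python applies the obfuscation indicators listed under Key Details and the process names and paths above to a constructed process snapshot. The snapshot fields cmdline, exe and exe_mtime are an assumed format mirroring /proc/<pid>/cmdline, the target of /proc/<pid>/exe, and the binary's mtime.

```python
import os
from datetime import datetime, timezone

# Indicators taken from the advisory above
MASQUERADE_NAMES = ("/sbin/udevd", "dbus-daemon", "qmgr", "/usr/libexec/postfix/master")
KNOWN_PATHS = ("/dev/shm/kdmtmpflush", "/var/run/haldrund.pid", "/tmp/zabbix_agent.log")
TIMESTOMP_YEAR = 2008

def triage_process(proc: dict) -> list:
    """Return the reasons one process snapshot looks like BPFDoor (empty list if none).
    Assumed snapshot keys: cmdline, exe (target of /proc/<pid>/exe), exe_mtime (epoch)."""
    reasons = []
    argv0 = proc["cmdline"].split()[0] if proc["cmdline"] else ""
    exe = proc["exe"]
    exe_path = exe.replace(" (deleted)", "")      # Linux marks unlinked binaries this way
    # argv[0] claims a system daemon but the backing binary is something else
    if argv0 in MASQUERADE_NAMES and os.path.basename(exe_path) != os.path.basename(argv0):
        reasons.append(f"argv0 {argv0!r} backed by {exe!r}")
    if exe.endswith(" (deleted)"):
        reasons.append("running binary was deleted after execution")
    if exe_path.startswith("/dev/shm/") or exe_path in KNOWN_PATHS:
        reasons.append(f"binary in memory-backed or known path: {exe_path}")
    year = datetime.fromtimestamp(proc["exe_mtime"], tz=timezone.utc).year
    if year == TIMESTOMP_YEAR:
        reasons.append(f"binary mtime timestomped to {year}")
    return reasons

def triage_host(procs: list, present_files: set) -> dict:
    """Triage a whole snapshot: flagged processes plus any known BPFDoor files present."""
    findings = {}
    for p in procs:
        reasons = triage_process(p)
        if reasons:
            findings[p["pid"]] = reasons
    files = sorted(f for f in KNOWN_PATHS if f in present_files)
    return {"processes": findings, "files": files}

# Constructed snapshot (not real system data); 1199145600 is 2008-01-01 UTC
SNAPSHOT = [
    {"pid": 812, "cmdline": "/sbin/udevd -d", "exe": "/sbin/udevd", "exe_mtime": 1700000000},
    {"pid": 2431, "cmdline": "/sbin/udevd -d", "exe": "/dev/shm/kdmtmpflush (deleted)", "exe_mtime": 1199145600},
    {"pid": 990, "cmdline": "dbus-daemon --system", "exe": "/usr/bin/dbus-daemon", "exe_mtime": 1700000000},
]
PRESENT_FILES = {"/var/run/haldrund.pid", "/etc/hostname"}
```

On a live host the snapshot would be built by reading /proc, where a genuine udevd or dbus-daemon resolves to its packaged binary and leaves no findings.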
Magic Packet Triggers:
- Generic: \x44\x30\xCD\x9F\x5E\x14\x27\x66
- TCP Trigger: 0x5293
- UDP/ICMP Trigger: 0x7255
Controller Responses:
- UDP reply '1' on bad password
- TCP payload “3458” for direct connect mode
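As an added detection example (not from the advisory or its sources), the following Python checks IPv4 packets for the trigger values listed above. It assumes the two-byte magic sits at the start of the TCP, UDP or ICMP payload and that the eight-byte generic sequence may appear anywhere in it; the advisory does not state the offsets.

```python
import struct

# Trigger values taken from the advisory above
TCP_MAGIC = 0x5293
UDP_ICMP_MAGIC = 0x7255
GENERIC_MAGIC = b"\x44\x30\xCD\x9F\x5E\x14\x27\x66"

def transport_payload(pkt: bytes):
    """Split an IPv4 packet into (protocol number, layer-4 payload); None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto, l4 = pkt[9], pkt[ihl:]
    if proto == 6:                    # TCP: header length from the data-offset nibble
        return (proto, l4[(l4[12] >> 4) * 4:]) if len(l4) >= 20 else None
    if proto in (1, 17):              # ICMP echo and UDP both use an 8-byte header
        return proto, l4[8:]
    return proto, l4

def classify(pkt: bytes) -> str:
    """Label a packet by the BPFDoor trigger it carries, or 'benign'. Assumption (not in the
    advisory): 2-byte magic at the start of the L4 payload, generic sequence anywhere in it."""
    parsed = transport_payload(pkt)
    if parsed is None:
        return "malformed"
    proto, payload = parsed
    if GENERIC_MAGIC in payload:
        return "generic-magic"
    if len(payload) >= 2:
        word = struct.unpack("!H", payload[:2])[0]
        if proto == 6 and word == TCP_MAGIC:
            return "tcp-magic"
        if proto in (1, 17) and word == UDP_ICMP_MAGIC:
            return "udp-icmp-magic"
    return "benign"

def build_ipv4(proto: int, l4: bytes) -> bytes:
    """Constructed test packet: minimal IPv4 header (checksum left 0) followed by L4 bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + l4

# Constructed samples (not captured traffic): 20-byte TCP header, 8-byte UDP/ICMP headers
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x18, 1024, 0, 0)
SAMPLES = {
    "tcp_trigger": build_ipv4(6, TCP_HDR + struct.pack("!H", TCP_MAGIC) + b"\x00" * 8),
    "udp_trigger": build_ipv4(17, struct.pack("!HHHH", 40000, 53, 18, 0) + struct.pack("!H", UDP_ICMP_MAGIC) + b"\x00" * 8),
    "icmp_generic": build_ipv4(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"pad" + GENERIC_MAGIC),
    "dns_benign": build_ipv4(17, struct.pack("!HHHH", 40000, 53, 12, 0) + b"\x12\x34\x01\x00"),
}
```

Because BPFDoor reads these packets before the host firewall sees them, this check belongs on a network tap or sensor rather than on the host alone.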
Mitigation and Prevention
User Awareness: Train teams on stealth malware indicators and raw socket detection
Email Filtering: Prevent phishing or initial access vectors
Antivirus/EDR: Use tools capable of tracking setsockopt calls and raw socket usage
2FA: Enforce MFA for all remote access, especially privileged accounts
Monitor Logs: Watch for BPF, socket activity, firewall rule changes, and renamed processes
Regular Updates: Patch Linux systems and internet-facing devices consistently
Risk Assessment
BPFDoor's stealth, low-level system integration, and evasive communication make it a top-tier APT tool. Its deployment by Earth Bluecrow against strategic sectors elevates the risk to critical national and commercial infrastructure. Detection is difficult and often delayed, enabling long-term espionage.
Conclusion
BPFDoor reflects a shift toward passive, system-native APT implants. It avoids common detection surfaces by using raw sockets, BPF, and masquerading. Its modular design and controller tool enable stealthy lateral movement and ongoing espionage. Eradication requires system rebuilds and aggressive incident response.
Sources:
Trend Micro – BPFDoor Hidden Controller Used Against Asia, Middle East Targets
The Hacker News – New BPFDoor Controller Enables Stealthy Lateral Movement in Linux Server Attacks
CounterCraft – A step-by-step BPFDoor compromise