Trend Micro uncovered a previously unseen controller used in BPFDoor campaigns and attributed it to Earth Bluecrow (also known as Red Menshen), a state-sponsored APT group. BPFDoor is a stealthy Linux backdoor that attaches a Berkeley Packet Filter (BPF) program to a packet socket and lies dormant until a "magic packet" matching that filter arrives. Because the filter sees frames at the link layer, before the host's IP stack and firewall rules process them, the backdoor does not need an open listening port and can be triggered by traffic that host firewall rules would otherwise drop, which makes it well suited to long-term persistence for cyberespionage. The malware has been observed targeting the telecommunications, financial, and retail sectors across South Korea, Malaysia, Myanmar, Egypt, and Hong Kong.
The controller can request a reverse shell, redirect traffic to a new port, and communicate over TCP, UDP, or ICMP with encryption, authenticating to the implant with a salted MD5 password check. Operators can change the magic byte sequence the filter matches (so detections keyed on previously published magic values will miss retooled samples), spawn the reverse shell with shell history logging disabled, and use compromised hosts to move laterally across the network.
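The controller is the attacker's side of this mechanism; what a defender can observe on the host is the filter itself, because the implant must attach a classic BPF program to a packet socket for the kernel to deliver the magic packet. The following Python is an added example, not code from the article, from Trend Micro, or from the malware: it parses the output of `ss -0pb` (which lists packet sockets and dumps any attached classic BPF filter as raw `code jt jf k` instructions), disassembles each filter, and flags filters that compare bytes beyond the UDP/ICMP header against a constant, which is what any magic-packet matcher has to do. The sample `ss` output, the `example-daemon` process name, the second filter and its magic value are constructed for this example, and the payload-offset thresholds are the example's own heuristic.

```python
"""Triage `ss -0pb` output for packet sockets carrying a classic BPF filter.

Added example for this page; not the article's code and not a tool of the
vendor or threat actor it describes. Assumes the text layout printed by
iproute2's `ss -0pb`: one line per packet socket, followed by an indented
'bpf filter (N): code jt jf k, ...' line when a filter is attached.
"""
import re
from dataclasses import dataclass, field

# Constructed sample. The first socket is a typical DHCP client filter
# ("udp dst port 68"); the second is an illustrative magic-byte matcher
# (UDP payload starts with 0xbeef), NOT a real BPFDoor filter.
SAMPLE_SS_OUTPUT = """\
Netid Recv-Q Send-Q Local Address:Port Peer Address:Port Process
p_raw 0      0      *:eth0             *                 users:(("dhclient",pid=754,fd=5))
    bpf filter (11): 0x28 0 0 12, 0x15 0 8 2048, 0x30 0 0 23, 0x15 0 6 17, 0x28 0 0 20, 0x45 4 0 8191, 0xb1 0 0 14, 0x48 0 0 16, 0x15 0 1 68, 0x6 0 0 262144, 0x6 0 0 0
p_raw 0      0      *                  *                 users:(("example-daemon",pid=4711,fd=3))
    bpf filter (8): 0x28 0 0 12, 0x15 0 5 2048, 0x30 0 0 23, 0x15 0 3 17, 0x28 0 0 42, 0x15 0 1 48879, 0x6 0 0 262144, 0x6 0 0 0
"""

SOCKET_RE = re.compile(r"^(p_raw|p_dgr)\s")
USERS_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+),fd=(\d+)\)')
FILTER_RE = re.compile(r"^\s*bpf filter \((\d+)\):\s*(.*)$")

# Heuristic thresholds (assumptions): Ethernet(14) + minimal IPv4(20) +
# UDP/ICMP header(8) = 42 for absolute loads; for x-relative loads, x is
# normally 4*IHL, so k >= 22 points past the 8-byte UDP/ICMP header.
PAYLOAD_ABS_OFFSET = 42
PAYLOAD_IND_OFFSET = 22


@dataclass
class PacketSocket:
    proc: str
    pid: int
    fd: int
    insns: list = field(default_factory=list)  # (code, jt, jf, k) tuples


def parse_ss(text: str) -> list:
    """Turn `ss -0pb` text into PacketSocket records with decoded filters."""
    sockets: list = []
    for line in text.splitlines():
        if SOCKET_RE.match(line):
            m = USERS_RE.search(line)
            proc, pid, fd = (m.group(1), int(m.group(2)), int(m.group(3))) if m else ("?", 0, -1)
            sockets.append(PacketSocket(proc, pid, fd))
        elif (m := FILTER_RE.match(line)) and sockets:
            count, body = int(m.group(1)), m.group(2)
            insns = []
            for item in body.split(","):
                code, jt, jf, k = item.split()
                insns.append((int(code, 16), int(jt, 0), int(jf, 0), int(k, 0)))
            if len(insns) != count:
                raise ValueError(f"expected {count} instructions, parsed {len(insns)}")
            sockets[-1].insns = insns
    return sockets


def disasm(pc: int, code: int, jt: int, jf: int, k: int) -> str:
    """Render one classic BPF instruction (BPF_* class/size/mode encoding)."""
    cls, size, mode = code & 0x07, code & 0x18, code & 0xE0
    if cls == 0x00:  # BPF_LD into the accumulator
        sz = {0x00: "", 0x08: "h", 0x10: "b"}.get(size, "?")
        if mode == 0x20: return f"ld{sz} [{k}]"
        if mode == 0x40: return f"ld{sz} [x+{k}]"
        if mode == 0x00: return f"ld #{k:#x}"
        if mode == 0x60: return f"ld M[{k}]"
        if mode == 0x80: return "ld #len"
    if cls == 0x01:  # BPF_LDX into the index register
        if mode == 0xA0: return f"ldxb 4*([{k}]&0xf)"
        if mode == 0x00: return f"ldx #{k:#x}"
        if mode == 0x60: return f"ldx M[{k}]"
        if mode == 0x80: return "ldx #len"
    if cls == 0x05:  # BPF_JMP; targets are relative to pc+1
        op = {0x00: "ja", 0x10: "jeq", 0x20: "jgt", 0x30: "jge", 0x40: "jset"}.get(code & 0xF0, "j?")
        if op == "ja": return f"ja {pc + 1 + k}"
        src = "x" if code & 0x08 else f"#{k:#x}"
        return f"{op} {src}, {pc + 1 + jt}, {pc + 1 + jf}"
    if cls == 0x06:  # BPF_RET
        return "ret " + {0x00: f"#{k}", 0x08: "x", 0x10: "a"}.get(size, "?")
    return f".raw {code:#x} {jt} {jf} {k}"


def disassemble(insns: list) -> list:
    return [disasm(pc, *insn) for pc, insn in enumerate(insns)]


def matches_payload_constant(insns: list) -> bool:
    """True if the filter loads bytes past the UDP/ICMP header and then
    compares them to an immediate: the shape of a magic-packet trigger."""
    touched_payload = False
    for code, jt, jf, k in insns:
        cls, mode = code & 0x07, code & 0xE0
        if cls == 0x00 and mode == 0x20 and k >= PAYLOAD_ABS_OFFSET:
            touched_payload = True
        elif cls == 0x00 and mode == 0x40 and k >= PAYLOAD_IND_OFFSET:
            touched_payload = True
        elif touched_payload and cls == 0x05 and (code & 0xF0) == 0x10 and not code & 0x08:
            return True
    return False


def triage(ss_text: str) -> list:
    """One finding per packet socket; payload_match is the triage flag."""
    return [{"proc": s.proc, "pid": s.pid, "fd": s.fd, "filtered": bool(s.insns),
             "payload_match": matches_payload_constant(s.insns),
             "listing": disassemble(s.insns)} for s in parse_ss(ss_text)]


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    for f in triage(text):
        tag = "MAGIC-PACKET?" if f["payload_match"] else "ok"
        print(f"[{tag}] {f['proc']} pid={f['pid']} fd={f['fd']}")
        for i, line in enumerate(f["listing"]):
            print(f"    {i:3}: {line}")
```

Run it as root on a live host with `ss -0pb | python3 triage_ss.py`; without `-p` privileges `ss` omits the process column and the record is reported as `?`. The flag is a triage hint, not a verdict: DHCP relays, some monitoring agents and capture tools legitimately inspect payload bytes, and a sample that matches on the TCP payload through the data-offset field (`ldxb`/`ld [x+k]`) is caught only because the relative threshold is deliberately loose. Because the filter is inspected rather than matched against known magic values, the check still fires when an operator changes the magic byte sequence.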