Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
BPFDoor Variants Evade Detection Using Stateless C2

BPFDoor Variants Evade Detection Using Stateless C2

Posted on April 7, 2026 By CWS

A sophisticated Linux backdoor named BPFDoor has reemerged with advanced variants designed to remain hidden within essential network systems. Recent findings by cybersecurity experts highlight these new versions’ enhanced stealth capabilities.

Targeting Critical Infrastructure

Connected to the Chinese threat group Red Menshen, these BPFDoor variants specifically attack Linux servers embedded in global telecommunications networks. The updated malware employs cutting-edge techniques to evade detection, complicating efforts to eliminate it once embedded in a system.

BPFDoor exploits the Berkeley Packet Filter, a legitimate Linux function for network traffic inspection. It utilizes a custom BPF filter to monitor all incoming packets on an infected machine while avoiding any visible port activity. This allows the malware to remain unnoticed by firewalls and standard scanning tools, waiting for a carefully crafted ‘magic packet’ to activate.

Advanced Evasion Techniques

Rapid7 researchers have identified seven new BPFDoor variants after extensive analysis of almost 300 malware samples. Two notable variants, icmpShell and httpShell, have been recognized for their advancements in maintaining stealth and operating undetected.

These versions employ stateless command-and-control mechanisms alongside ICMP relays, enabling attackers to manage compromised systems without leaving a digital trace. The malware’s residence within telecom infrastructure represents a persistent threat, allowing cybercriminals to intercept and manipulate confidential communications.

Stateless C2 and ICMP Relay Enhancements

The new BPFDoor variants introduce significant changes in communication methods with controllers. Unlike previous versions requiring a hardcoded attacker IP, the new approach uses a -1 flag set to a broadcast IP, allowing for flexible and undetectable command routing.

Should authentication checks fail, the malware does not simply become inactive; instead, it becomes a covert relay within the network. Using ICMP packets, the malware can tunnel commands through internal systems, evading most surveillance tools.

Additionally, BPFDoor opens multiple sockets for TCP, UDP, and ICMP, ensuring continued functionality even if one channel is blocked. On the host, it disguises its activities as legitimate processes, employs timestomping, and cleans up file descriptors to erase evidence of its presence.

Security professionals are advised to monitor raw socket usage on Linux systems, verify process names against legitimate services, and scrutinize unexpected ICMP traffic within networks to counteract this evolving threat.

Stay updated with our latest cybersecurity insights by following us on Google News, LinkedIn, and X. Set CSN as your preferred source on Google for more updates.

Cyber Security News Tags:BPFDoor, container environments, cyber espionage, Cybersecurity, ICMP relay, Linux backdoor, magic packet, malware analysis, network security, Red Menshen, SCTP protocol, stateless C2, telecom infrastructure, telecom networks, threat detection

Post navigation

Previous Post: BlueHammer Exploit Affects Windows Defender Security
Next Post: Kubernetes Misconfigurations Enable Dangerous Cloud Exploits

Related Posts

Wireshark 4.6.6 Update Fixes Critical Security Flaw Wireshark 4.6.6 Update Fixes Critical Security Flaw Cyber Security News
Android 16 Comes with Advanced Device-level Security Setting Protection for 3 Billion Devices Android 16 Comes with Advanced Device-level Security Setting Protection for 3 Billion Devices Cyber Security News
Nissan Data Breach Linked to Oracle PeopleSoft Exploit Nissan Data Breach Linked to Oracle PeopleSoft Exploit Cyber Security News
Hackers Actively Exploiting Langflow RCE Vulnerability to Deploy Flodrix Botnet Hackers Actively Exploiting Langflow RCE Vulnerability to Deploy Flodrix Botnet Cyber Security News
Threat Actors Attack PayPal Users in New Account Profile Set up Scam Threat Actors Attack PayPal Users in New Account Profile Set up Scam Cyber Security News
AppViewX Unveils Global Partner Program for Identity Security AppViewX Unveils Global Partner Program for Identity Security Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • GitLost Flaw Exposes GitHub Repos via AI Workflow
  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • GitLost Flaw Exposes GitHub Repos via AI Workflow
  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark