A peek behind the BPFDoor
Threats knock on your door all the time. In this research piece, we explore BPFDoor — a backdoor payload specifically crafted for Linux in order to gain re-entry into a previously or actively compromised target environment. This payload has been observed across systems for five years, suggesting that the threat actors responsible for operating the malware have been around for some time and have likely operated undetected in many environments. 

The threat actors have leveraged a network of VPS servers to act as a controller and access these systems via compromised routers based out of Taiwan, acting as a VPN network for the adversarial group. In the Elastic Security Intelligence and Analytics team’s deep research, we explore the actual payload, the backdoor lifecycle, and the BPF filters that are leveraged to provide you with insights on how evasion occurs within impacted systems. 

It’s important to know how to detect this payload and to understand the sophistication of its loader. Both are covered in this research. The Elastic Security Intelligence and Analytics team also shares the indicators of compromise observed.

It’s critical to invest the time and resources into ensuring your organization’s workloads remain effectively monitored. Get started with a free 14-day trial of Elastic Cloud. Or download the self-managed version of the Elastic Stack for free.