BPFDoor is a highly evasive surveillance tool that uses the Berkeley Packet Filter (BPF). It is allegedly attributed to Chinese threat actors. It is assumed to be deployed on thousands of Linux systems, and its controller has gone almost completely unnoticed by endpoint protection vendors despite being in use for at least five years. BPFDoor works as an implant that opens no additional TCP or UDP ports; instead it listens for and sends data on ports that are already in use, by taking advantage of BPF.
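Because the implant receives its traffic through a BPF filter attached to a raw packet socket rather than through a listening TCP or UDP port, a port-based inventory will not show it; a defender-side check is to enumerate raw, all-protocol packet sockets and the processes that hold them. The following is an added example, not code from the page or from any BPFDoor analysis; the column layout of /proc/net/packet is assumed from the Linux kernel's packet_seq_show(), the inode-to-PID mapping via /proc/<pid>/fd is a standard Linux technique, and the sample table is constructed.

```python
import os

SOCK_RAW = 3        # "Type" column of /proc/net/packet: raw packet socket
ETH_P_ALL = 0x0003  # "Proto" column: socket receives every Ethernet protocol

# Constructed sample of /proc/net/packet; column layout assumed from the
# kernel's packet_seq_show(): sk RefCnt Type Proto Iface R Rmem User Inode.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      26453
0000000000000000 3      2    0800   0     0 0      0      26902
"""

def parse_proc_net_packet(text):
    """Return one dict per packet socket; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 9:
            continue
        rows.append({"type": int(cols[2]), "proto": int(cols[3], 16),
                     "ifindex": int(cols[4]), "running": int(cols[5]),
                     "uid": int(cols[7]), "inode": int(cols[8])})
    return rows

def suspicious_inodes(text):
    """Inodes of raw ETH_P_ALL sockets: what a BPF-filtering sniffer needs to watch ports it never opened."""
    return [r["inode"] for r in parse_proc_net_packet(text)
            if r["type"] == SOCK_RAW and r["proto"] == ETH_P_ALL]

def owners_of_inode(inode, proc_root="/proc"):
    """PIDs whose fd table links to socket:[inode]; needs a live /proc and root to inspect other users."""
    target = "socket:[%d]" % inode
    owners = []
    for pid in (p for p in os.listdir(proc_root) if p.isdigit()):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited, or its fd table is not readable by us
        if target in links:
            owners.append(int(pid))
    return owners

if __name__ == "__main__":
    with open("/proc/net/packet") as f:
        live = f.read()
    for ino in suspicious_inodes(live):  # a review list, not a verdict
        print("inode %d: raw ETH_P_ALL packet socket held by PIDs %s" % (ino, owners_of_inode(ino)))
```

Legitimate software such as tcpdump, DHCP clients and LLDP daemons also hold raw packet sockets, so each hit has to be checked against the owning process's path, parent and command line before it is treated as an implant.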
BPFDoor Implant Signatures
BPFDoor Implant Download