
How to Protect Against Stealthy BPFDoor Variants: Detection and Defense Strategies

Security Arsenal Team
April 4, 2026
8 min read


Introduction

Security researchers have uncovered seven new variants of BPFDoor, a stealthy Linux backdoor that hides behind a Berkeley Packet Filter (BPF) program installed in the kernel. The threat is particularly concerning for defenders because the implant opens no listening port and sends no beacon: it sits idle until a "magic packet" arrives, and that packet needs no established connection. A single TCP, UDP or ICMP packet to any port, open or closed, is enough to wake it.

BPFDoor represents a significant evolution in threat actor tradecraft, specifically designed to bypass traditional security controls. Unlike malware that leaves obvious traces, BPFDoor hides in plain sight: it uses the kernel's own socket-filter interface to inspect network traffic, disguises itself as a system daemon, and executes commands without the listening sockets, beacons or on-disk binaries that most detections look for.

For IT and security teams, understanding this threat is critical because BPFDoor gives attackers remote access that operators routinely make persistent across reboots (in the publicly analysed samples the implant itself carries no persistence mechanism; it is relaunched from a boot script or scheduled task) and that evades endpoint detection tuned for listening ports and beaconing. This blog post explains the technical nature of these variants and provides actionable defense strategies to protect your organization.

Technical Analysis

BPFDoor is a user-space Linux backdoor that uses Berkeley Packet Filters (BPFs) to have the kernel inspect traffic on its behalf: the process attaches a classic BPF program to a raw packet socket, and the kernel delivers only the frames that match. According to Rapid7 Labs research, the new variants employ features not previously documented, which makes detection significantly more challenging.

The malware operates by:

  1. Opening a raw packet socket (AF_PACKET) and attaching a classic BPF program to it with setsockopt(SO_ATTACH_FILTER), so the kernel hands the process only frames that match the filter
  2. Sleeping until a "magic packet" arrives: a TCP, UDP or ICMP packet whose payload begins with a magic value, sent to any port, open or closed, with no connection established
  3. On a match, reading the operator's instructions (address, port, password) from the packet and spawning a reverse or bind shell; the publicly analysed original sample uses iptables REDIRECT rules to hide the bind shell behind a legitimate port
  4. Consuming almost no CPU or memory while waiting, since the filtering happens in the kernel and the process simply blocks on the socket
  5. Minimising disk artefacts: the original sample copies itself to /dev/shm, re-executes the copy and unlinks it, rewrites its process name to look like a system daemon, and sets HISTFILE=/dev/null for the shells it spawns

Affected systems are Linux hosts of any distribution. The implant relies on AF_PACKET raw sockets and the classic BPF socket-filter interface, both of which predate extended BPF (eBPF) by many years, so no particular kernel version and no eBPF support is required, and disabling unprivileged eBPF does not help. What is required is root (strictly, CAP_NET_RAW): BPFDoor is planted after a host has already been compromised, not through a vulnerability of its own.

The severity of this threat is heightened by where the filter sits. A packet socket receives a copy of every inbound frame at the link layer, before netfilter evaluates it, so host firewall rules that drop traffic to the trigger port do not stop the trigger, and nothing in the host's listening-socket table reveals the backdoor. Once installed, BPFDoor provides remote command execution that presents, until a shell is spawned, as an idle daemon with an ordinary name.
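To make the trigger concrete, the following is an added example (not code from this post or from any BPFDoor sample) that reproduces in Python the payload walk the socket filter performs: parse Ethernet and IPv4, skip the TCP, UDP or ICMP header, and compare the first two payload bytes with a magic value. The magic values 0x7255 (TCP/UDP) and 0x5293 (ICMP) are the ones reported in public analyses of the original sample; newer variants use other values, so treat them as an illustration of the mechanism rather than a universal indicator. The frames the example builds are constructed test data, and the destination port is deliberately a closed one (9) to show that ports play no part.

```python
import struct

# Magic values reported for the original, publicly analysed BPFDoor sample (assumed here for
# illustration; later variants differ): 0x7255 opens a TCP or UDP payload, 0x5293 an ICMP payload.
MAGIC_TCP_UDP = 0x7255
MAGIC_ICMP = 0x5293

ETH_P_IP = 0x0800
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def l4_payload(frame: bytes):
    """Return (ip_proto, payload) for an Ethernet/IPv4 frame, or None if the frame is not
    IPv4, is truncated, or carries a protocol the filter ignores. This is the same walk the
    in-kernel filter performs with its load instructions; no checksum is verified."""
    if len(frame) < 14 + 20 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    proto, l4 = ip[9], ip[ihl:]
    if proto == IPPROTO_TCP:
        if len(l4) < 20:
            return None
        return proto, l4[(l4[12] & 0xF0) >> 2:]   # data offset in bytes: (tcp[12] & 0xf0) >> 2
    if proto in (IPPROTO_UDP, IPPROTO_ICMP):
        return proto, l4[8:]                      # both headers are 8 bytes long
    return None


def is_magic_packet(frame: bytes) -> bool:
    """True if the first two payload bytes equal the protocol's magic value. Ports are never
    consulted: the trigger works against a closed port just as well as an open one."""
    parsed = l4_payload(frame)
    if parsed is None:
        return False
    proto, payload = parsed
    if len(payload) < 2:
        return False
    magic = struct.unpack_from("!H", payload, 0)[0]
    return magic == (MAGIC_ICMP if proto == IPPROTO_ICMP else MAGIC_TCP_UDP)


def build_frame(proto: int, payload: bytes, dst_port: int = 80) -> bytes:
    """Construct a minimal Ethernet/IPv4 frame carrying `payload` (constructed sample data;
    checksums are left at zero, which the socket filter never checks either)."""
    if proto == IPPROTO_TCP:
        # src, dst, seq, ack, data offset (5 words) << 4, flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    elif proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0)
    else:
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)   # ICMP echo request header
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", ETH_P_IP)
    return eth + ip + l4


if __name__ == "__main__":
    trigger = build_frame(IPPROTO_TCP, bytes([0x72, 0x55]) + b"operator-data", dst_port=9)
    benign = build_frame(IPPROTO_TCP, b"GET / HTTP/1.0\r\n\r\n")
    print("TCP to closed port 9 with magic:", is_magic_packet(trigger))  # True
    print("ordinary HTTP request         :", is_magic_packet(benign))   # False
```

The point the example makes for detection is that nothing about the packet is unusual at the transport level: the same bytes could be a stray segment to a closed port or a ping with an odd payload. Network-side detection therefore has to look at unsolicited packets with payload rather than at ports or flows.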

Defensive Monitoring

Sigma Rules

YAML
---
title: Process Executed From Volatile Directory (BPFDoor Staging)
id: 7e9f3a2c-1d8b-4e5a-9b7c-2d3e4f5a6b7c
status: experimental
description: |
  Detects executables launched from /dev/shm, /tmp or /var/tmp. The publicly analysed BPFDoor
  sample copies itself to /dev/shm, re-executes the copy and unlinks it, so the only
  process_creation event the implant produces shows one of these paths. The backdoor needs
  root (CAP_NET_RAW) for its packet socket, so do not restrict this rule to non-root users.
references:
  - https://www.rapid7.com/blog/post/tr-new-whitepaper-stealthy-bpfdoor-variants
author: Security Arsenal
date: 2026/04/04
tags:
  - attack.defense_evasion
  - attack.t1205.002
  - attack.persistence
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|startswith:
      - '/dev/shm/'
      - '/tmp/'
      - '/var/tmp/'
  filter_packaging:
    ParentImage|endswith:
      - '/dpkg'
      - '/rpm'
      - '/apt-get'
      - '/yum'
      - '/dnf'
  condition: selection and not filter_packaging
falsepositives:
  - Installers and package scriptlets that unpack helpers into /tmp
  - Build systems and CI agents
level: high
---
title: BPF Socket Filter Attached By Unexpected Executable
id: 9f2e1d4c-5a6b-7c8d-9e0f-1a2b3c4d5e6f
status: experimental
description: |
  Detects setsockopt(SOL_SOCKET, SO_ATTACH_FILTER) calls from executables that are not known
  packet-capture or DHCP tools, and creation of the lock files used by publicly analysed BPFDoor
  samples. Classic socket filters are attached with setsockopt, not loaded with bpftool or the
  bpf() syscall, so rules that watch bpf() program loads miss them. Requires audit rules such as
  '-a always,exit -F arch=b64 -S setsockopt -F a1=1 -F a2=26 -k socket_filter' and a write watch on
  /run (which /var/run resolves to). Raw records carry the syscall number (54 on x86_64) unless
  auditd runs with log_format = ENRICHED.
references:
  - https://www.rapid7.com/blog/post/tr-new-whitepaper-stealthy-bpfdoor-variants
author: Security Arsenal
date: 2026/04/04
tags:
  - attack.defense_evasion
  - attack.t1205.002
logsource:
  product: linux
  service: auditd
detection:
  selection_filter:
    type: 'SYSCALL'
    syscall: 'setsockopt'
    a1: '1'      # SOL_SOCKET
    a2: '1a'     # SO_ATTACH_FILTER (26), logged in hexadecimal
  filter_known_tools:
    exe:
      - '/usr/sbin/tcpdump'
      - '/usr/bin/tcpdump'
      - '/sbin/dhclient'
      - '/usr/sbin/dhclient'
      - '/usr/sbin/NetworkManager'
      - '/usr/lib/systemd/systemd-networkd'
      - '/usr/sbin/lldpd'
  selection_lockfile:
    type: 'PATH'
    name:
      - '/var/run/haldrund.pid'
      - '/var/run/xinetd.lock'
      - '/var/run/kdevrund.pid'
  condition: (selection_filter and not filter_known_tools) or selection_lockfile
falsepositives:
  - Packet capture, network discovery and DHCP clients not yet on the allow list
level: high
---
title: iptables NAT Redirect Inserted Outside Firewall Management
id: 3e5f6a7b-8c9d-0e1f-2a3b-4c5d6e7f8a9b
status: experimental
description: |
  Detects 'iptables -t nat ... PREROUTING ... -j REDIRECT --to-ports' invocations whose parent is
  not a firewall or container manager. After a magic packet arrives, the publicly analysed BPFDoor
  sample redirects the operator's source address from a legitimate port to its bind-shell port,
  adds a matching INPUT ACCEPT rule, and removes both when the session ends. BPFDoor does not
  beacon, so generic outbound-connection rules on ports 80/443/22/53 are not a useful signal.
references:
  - https://www.rapid7.com/blog/post/tr-new-whitepaper-stealthy-bpfdoor-variants
author: Security Arsenal
date: 2026/04/04
tags:
  - attack.command_and_control
  - attack.t1205.002
  - attack.defense_evasion
  - attack.t1562.004
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith:
      - '/iptables'
      - '/iptables-legacy'
      - '/iptables-nft'
    CommandLine|contains|all:
      - '-t nat'
      - 'PREROUTING'
      - '-j REDIRECT'
      - '--to-ports'
  filter_managers:
    ParentImage|endswith:
      - '/firewalld'
      - '/dockerd'
      - '/containerd'
      - '/kube-proxy'
      - '/ufw'
  condition: selection and not filter_managers
falsepositives:
  - Administrators and configuration management applying port redirects by hand or from scripts
level: medium
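The auditd records the second rule matches can be exercised offline with this added example (not part of the original post or of any vendor tooling). It parses constructed sample records, classifies successful socket(AF_PACKET, SOCK_RAW) and setsockopt(SOL_SOCKET, SO_ATTACH_FILTER) calls, and reports the PIDs that did both from an executable outside an allow list. The audit rules in the header comment, the allow list, the sample log lines and the executable name in them are assumptions for illustration; syscall numbers are for x86_64.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set

# Assumed audit rules (e.g. /etc/audit/rules.d/socket-filter.rules) that produce these records:
#   -a always,exit -F arch=b64 -S setsockopt -F a1=1  -F a2=26 -k socket_filter
#   -a always,exit -F arch=b64 -S socket     -F a0=17 -F a1=3  -k packet_socket
# Rules take decimal values; the log prints a0..a3 in hexadecimal.
SOL_SOCKET, SO_ATTACH_FILTER = 1, 26                  # a2 appears as "1a"
AF_PACKET, SOCK_RAW, SOCK_TYPE_MASK = 17, 3, 0xF      # a0 appears as "11"; mask strips SOCK_CLOEXEC etc.
SYSCALL_NAMES = {"41": "socket", "54": "setsockopt"}  # x86_64; ENRICHED logs carry names already

# Executables expected to attach socket filters on a typical server (assumed list; tune per fleet).
KNOWN_FILTER_USERS = {
    "/usr/sbin/tcpdump", "/usr/bin/tcpdump", "/sbin/dhclient", "/usr/sbin/dhclient",
    "/usr/sbin/NetworkManager", "/usr/lib/systemd/systemd-networkd", "/usr/sbin/lldpd",
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one auditd record into key/value pairs, dropping auditd's quotes around strings."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(record: Dict[str, str]) -> Optional[dict]:
    """Finding for a successful packet-socket creation or socket-filter attach, else None."""
    if record.get("type") != "SYSCALL" or record.get("success") != "yes":
        return None
    name = record.get("syscall", "")
    name = SYSCALL_NAMES.get(name, name)
    a = [int(record.get(f"a{i}", "0"), 16) for i in range(3)]
    if name == "setsockopt" and a[1] == SOL_SOCKET and a[2] == SO_ATTACH_FILTER:
        kind = "socket_filter"
    elif name == "socket" and a[0] == AF_PACKET and (a[1] & SOCK_TYPE_MASK) == SOCK_RAW:
        kind = "packet_socket"
    else:
        return None
    exe = record.get("exe", "")
    return {"kind": kind, "pid": int(record.get("pid", "0")), "exe": exe,
            "comm": record.get("comm", ""), "suspicious": exe not in KNOWN_FILTER_USERS}


def hunt(lines: Iterable[str]) -> List[dict]:
    """All packet-socket / socket-filter findings, in log order."""
    out = []
    for line in lines:
        finding = classify(parse_record(line))
        if finding:
            out.append(finding)
    return out


def implant_candidates(lines: Iterable[str]) -> Set[int]:
    """PIDs that both opened a raw packet socket and attached a filter from an executable
    outside the allow list: the combination a BPFDoor-style implant cannot avoid."""
    kinds = defaultdict(set)
    for f in hunt(lines):
        if f["suspicious"]:
            kinds[f["pid"]].add(f["kind"])
    return {pid for pid, k in kinds.items() if {"packet_socket", "socket_filter"} <= k}


# Constructed sample records: pid 4242 behaves like an implant running out of /dev/shm
# (the file name is the one reported for the original sample), pid 911 is an admin's tcpdump,
# pid 1200 is sshd setting TCP_NODELAY, which must not match.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1775260800.101:2001): arch=c000003e syscall=41 success=yes exit=3 a0=11 a1=3 a2=8 a3=0 items=0 ppid=1 pid=4242 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="udevd" exe="/dev/shm/kdmtmpflush" key="packet_socket"
type=SYSCALL msg=audit(1775260800.102:2002): arch=c000003e syscall=54 success=yes exit=0 a0=3 a1=1 a2=1a a3=7ffd3c2e10a0 items=0 ppid=1 pid=4242 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="udevd" exe="/dev/shm/kdmtmpflush" key="socket_filter"
type=PROCTITLE msg=audit(1775260800.102:2002): proctitle="/sbin/udevd -d"
type=SYSCALL msg=audit(1775260805.300:2003): arch=c000003e syscall=54 success=yes exit=0 a0=3 a1=1 a2=1a a3=7ffc11aa0b30 items=0 ppid=900 pid=911 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="tcpdump" exe="/usr/sbin/tcpdump" key="socket_filter"
type=SYSCALL msg=audit(1775260806.000:2004): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=6 a2=1 a3=7ffc11aa0b30 items=0 ppid=1 pid=1200 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="socket_filter"
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        flag = "SUSPICIOUS" if f["suspicious"] else "allowed   "
        print(f"{flag} pid={f['pid']} {f['kind']:<14} comm={f['comm']} exe={f['exe']}")
    print("implant candidates:", implant_candidates(SAMPLE_LOG.splitlines()))  # {4242}
```

Correlating the two syscalls per PID, rather than alerting on either alone, is what keeps this quiet: a DHCP client attaches filters but is on the allow list, and plenty of root daemons set socket options without ever opening a packet socket.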

KQL Queries

KQL — Microsoft Sentinel / Defender
// Processes launched from volatile directories. The publicly analysed BPFDoor sample copies
// itself to /dev/shm, re-executes the copy and unlinks it, so this is the only process
// creation event the implant produces. On Linux, FolderPath holds the full executable path.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath startswith "/dev/shm/" or FolderPath startswith "/tmp/" or FolderPath startswith "/var/tmp/"
| where InitiatingProcessFileName !in~ ("dpkg", "rpm", "apt-get", "yum", "dnf")
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

// Lock files used by publicly analysed BPFDoor samples to avoid starting twice
// (/var/run is a symlink to /run, so both spellings are listed).
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath in ("/var/run/haldrund.pid", "/var/run/xinetd.lock", "/var/run/kdevrund.pid",
                       "/run/haldrund.pid", "/run/xinetd.lock", "/run/kdevrund.pid")
| project Timestamp, DeviceName, FolderPath, InitiatingProcessFileName,
          InitiatingProcessFolderPath, InitiatingProcessCommandLine

// iptables NAT redirects inserted by something other than a firewall or container manager:
// the original sample redirects the operator's source IP to its bind-shell port this way.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("iptables", "iptables-legacy", "iptables-nft")
| where ProcessCommandLine has_all ("-t nat", "PREROUTING", "REDIRECT", "--to-ports")
| where InitiatingProcessFileName !in~ ("firewalld", "dockerd", "containerd", "kube-proxy", "ufw")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName,
          InitiatingProcessFolderPath, InitiatingProcessCommandLine, AccountName
| order by Timestamp desc

// Connections owned by a process running from a volatile directory or by a bare shell: the
// reverse or bind shell a triggered implant starts. An idle BPFDoor makes no connections at
// all, so there is no beacon to look for; RemotePort is numeric, so use in(), never in~().
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType in ("ConnectionSuccess", "InboundConnectionAccepted")
| where InitiatingProcessFolderPath startswith "/dev/shm/" or InitiatingProcessFolderPath startswith "/tmp/"
   or InitiatingProcessFileName in~ ("sh", "bash", "dash")
| summarize ConnectionCount = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
          by DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessFolderPath
| order by ConnectionCount desc

Velociraptor VQL

VQL — Velociraptor
-- Processes whose image lives in, or was deleted from, a volatile directory. The publicly analysed
-- BPFDoor sample copies itself to /dev/shm, re-executes and unlinks the copy, so Exe ends in "(deleted)".
SELECT Pid, Ppid, Name, Exe, CommandLine, Username, CreateTime
FROM pslist()
WHERE Exe =~ "^/(dev/shm|tmp|var/tmp)/"
   OR Exe =~ '''\(deleted\)$'''

-- Command lines that imitate system daemons (the names the original sample picks from, as reported
-- in public analyses; newer variants may use others) where the executable is not where that daemon lives.
SELECT Pid, Name, Exe, CommandLine
FROM pslist()
WHERE CommandLine =~ "^(/sbin/udevd -d|/sbin/mingetty /dev/tty7|/usr/sbin/console-kit-daemon --no-daemon|hald-addon-acpi: listening|dbus-daemon --system|hald-runner|pickup -l -t fifo -u|avahi-daemon: chroot helper|/sbin/auditd -n|/usr/lib/systemd/systemd-journald)"
  AND NOT Exe =~ "^/(usr/)?(s?bin|lib|libexec)/"

-- Packet sockets and the BPF bytecode attached to them (ss: -0 packet sockets, -p owning process,
-- -b dump filter). Classic socket filters are not loaded through bpf(), so bpftool does not list them.
SELECT Stdout, Stderr FROM execve(argv=["ss", "-0pb"])

-- Lock files used by publicly analysed BPFDoor samples to avoid starting twice.
SELECT OSPath, Size, Mtime
FROM glob(globs=["/var/run/haldrund.pid", "/var/run/xinetd.lock", "/var/run/kdevrund.pid"])

-- Established TCP sessions owned by shells, which is what a triggered implant ultimately spawns.
-- There is no beacon to hunt for: an idle implant holds no TCP or UDP socket at all.
LET shells <= SELECT Pid FROM pslist() WHERE Name =~ "^(sh|bash|dash)$"
SELECT Pid, Laddr.IP AS LocalIP, Laddr.Port AS LocalPort, Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort, Status
FROM netstat()
WHERE Status = "ESTABLISHED" AND Pid IN shells.Pid

Bash Scripts

Bash / Shell
#!/bin/bash
# BPFDoor triage script: looks for the artefacts a BPFDoor-style implant leaves on a live host.
# Run as root (other processes' /proc entries are unreadable otherwise). Hits are leads, not verdicts.

echo "[+] Starting BPFDoor triage..."

# 1. Packet (AF_PACKET) sockets with an attached BPF filter. The implant needs exactly this to see
#    every inbound frame before the host firewall. ss: -0 packet sockets, -p owning process, -b filter.
#    Classic socket filters do NOT appear in 'bpftool prog show', which only lists bpf()-loaded programs.
echo "[+] Packet sockets and attached filters (ss -0pb):"
ss -0pb 2>/dev/null || echo "    ss not available"

# 2. Map each packet-socket inode in /proc/net/packet to its owning process via /proc/*/fd.
echo "[+] Processes owning packet sockets (/proc/net/packet -> /proc/*/fd):"
awk 'NR > 1 {print $NF}' /proc/net/packet 2>/dev/null | while read -r inode; do
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        printf '    inode %s pid %s exe %s cmd [%s]\n' "$inode" "$pid" \
            "$(readlink "/proc/$pid/exe" 2>/dev/null)" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    done
done

# 3. Processes whose binary was deleted or lives in a volatile directory. The original sample copies
#    itself to /dev/shm, re-executes and unlinks the copy, so /proc/<pid>/exe ends in "(deleted)".
echo "[+] Processes running from /dev/shm, /tmp, /var/tmp or from a deleted binary:"
for exe in /proc/[0-9]*/exe; do
    target=$(readlink "$exe" 2>/dev/null) || continue
    case "$target" in
        /dev/shm/*|/tmp/*|/var/tmp/*|*'(deleted)')
            pid=${exe#/proc/}; pid=${pid%/exe}
            echo "    pid $pid -> $target [$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)]" ;;
    esac
done

# 4. Processes started with HISTFILE=/dev/null in their environment, which the original sample sets
#    so the shells it spawns leave no history.
echo "[+] Processes whose environment sets HISTFILE=/dev/null:"
for env in /proc/[0-9]*/environ; do
    tr '\0' '\n' < "$env" 2>/dev/null | grep -qx 'HISTFILE=/dev/null' || continue
    pid=${env#/proc/}; pid=${pid%/environ}
    echo "    pid $pid exe $(readlink "/proc/$pid/exe" 2>/dev/null)"
done

# 5. Lock/PID files used by publicly analysed BPFDoor samples to avoid running twice.
echo "[+] Known BPFDoor lock files:"
for f in /var/run/haldrund.pid /var/run/xinetd.lock /var/run/kdevrund.pid; do
    [ -e "$f" ] && ls -l "$f"
done

# 6. NAT redirects: after a magic packet the original sample redirects the operator's source IP to
#    its bind-shell port and adds a matching INPUT ACCEPT rule.
echo "[+] iptables NAT REDIRECT rules in PREROUTING:"
iptables -t nat -S PREROUTING 2>/dev/null | grep -- '-j REDIRECT'

# 7. Established TCP sessions owned by shells (what a triggered implant ultimately spawns).
echo "[+] Established connections owned by sh/bash/dash:"
ss -tnp state established 2>/dev/null | grep -E 'users:\(\("(sh|bash|dash)"'

# 8. Executables sitting in volatile directories. A running implant has usually already unlinked
#    itself (check 3 covers that case), so this mainly catches staged or not-yet-launched copies.
echo "[+] Executable files in /dev/shm, /tmp, /var/tmp:"
find /dev/shm /tmp /var/tmp -xdev -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) \
    -printf '    %p owner=%u mtime=%TY-%Tm-%Td\n' 2>/dev/null

echo ""
echo "[+] Triage complete. For any hit, copy /proc/<pid>/exe out (it still reads the deleted binary),"
echo "    save /proc/<pid>/maps and the fd listing, and capture 'ss -0pb' output before killing anything."
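Check 2 of the script is the most reliable host-side test, so here it is again as an added example in Python rather than shell (not code from the post or from any tool): it parses the /proc/net/packet table, maps socket inodes to owning PIDs through /proc/<pid>/fd, and flags raw sockets held by a deleted or volatile-directory binary while leaving a capture tool alone. The table, fd listings and executable paths below are constructed sample data; the collector functions read the real /proc when the script is run with --live as root.

```python
import os
import re
import sys
from typing import Callable, Dict, Iterable, List

# /proc/net/packet lists every AF_PACKET socket (header line, then one line per socket):
#   sk RefCnt Type Proto Iface R Rmem User Inode
# Type 3 = SOCK_RAW. Proto 0800 = ETH_P_IP, which is what the original sample opens; capture
# tools usually use 0003 (ETH_P_ALL). The inode is what /proc/<pid>/fd/<n> symlinks point at.
VOLATILE_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def parse_proc_net_packet(text: str) -> List[dict]:
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 9:
            continue
        rows.append({"type": int(parts[2]), "proto": int(parts[3], 16),
                     "iface": int(parts[4]), "uid": int(parts[7]), "inode": int(parts[8])})
    return rows


def map_inodes_to_pids(inodes: Iterable[int], fd_links: Dict[int, List[str]]) -> Dict[int, List[int]]:
    """fd_links maps pid -> readlink() targets of /proc/<pid>/fd/*. Returns inode -> owning
    pids (a list, because a socket survives fork and can be held by several processes)."""
    owners = {i: [] for i in inodes}
    for pid, links in fd_links.items():
        for target in links:
            m = SOCKET_LINK.match(target)
            if m and int(m.group(1)) in owners:
                owners[int(m.group(1))].append(pid)
    return owners


def find_packet_socket_owners(packet_text: str, fd_links: Dict[int, List[str]],
                              exe_of: Callable[[int], str]) -> List[dict]:
    """One finding per (packet socket, owning pid). A raw socket owned by a binary that has been
    deleted or runs from a volatile directory is flagged; a capture tool in /usr/sbin is not."""
    rows = parse_proc_net_packet(packet_text)
    owners = map_inodes_to_pids((r["inode"] for r in rows), fd_links)
    findings = []
    for r in rows:
        for pid in owners[r["inode"]]:
            exe = exe_of(pid)
            flagged = r["type"] == 3 and (exe.endswith("(deleted)") or exe.startswith(VOLATILE_DIRS))
            findings.append({"pid": pid, "exe": exe, "inode": r["inode"],
                             "proto": r["proto"], "suspicious": flagged})
    return findings


def live_fd_links() -> Dict[int, List[str]]:
    """Collector for the real /proc; needs root to see other users' processes."""
    out = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            fd_dir = f"/proc/{entry}/fd"
            try:
                out[int(entry)] = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
            except OSError:
                pass
    return out


def live_exe(pid: int) -> str:
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return "?"


# Constructed sample data: pid 4242 plays an implant whose binary was already unlinked from
# /dev/shm (file name as reported for the original sample), pid 911 an administrator's tcpdump.
SAMPLE_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1b2c3d4e50 3      3    0800   2     1 0      0      318291
ffff9a1b2c3d4e51 3      3    0003   2     1 0      0      22057
"""
SAMPLE_FD_LINKS = {
    1: ["/dev/null", "/dev/null", "anon_inode:[eventpoll]"],
    911: ["/dev/pts/0", "/dev/pts/0", "socket:[22057]"],
    4242: ["/dev/null", "/dev/null", "/dev/null", "socket:[318291]", "/var/run/haldrund.pid"],
}
SAMPLE_EXE = {1: "/usr/lib/systemd/systemd", 911: "/usr/sbin/tcpdump",
              4242: "/dev/shm/kdmtmpflush (deleted)"}

if __name__ == "__main__":
    live = "--live" in sys.argv
    text = open("/proc/net/packet").read() if live else SAMPLE_PACKET
    links = live_fd_links() if live else SAMPLE_FD_LINKS
    exe_of = live_exe if live else (lambda p: SAMPLE_EXE.get(p, "?"))
    for f in find_packet_socket_owners(text, links, exe_of):
        tag = "SUSPICIOUS" if f["suspicious"] else "ok        "
        print(f"{tag} pid={f['pid']} proto=0x{f['proto']:04x} exe={f['exe']}")
```

Whether a filter is attached to the socket is not visible from /proc; that is what `ss -0pb` (sock_diag) adds. In practice a raw IP packet socket held by a process whose binary no longer exists is enough to escalate, and the filter bytecode from `ss` is what you preserve for the analyst.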

Remediation

To protect your organization against BPFDoor and similar socket-filter backdoors, implement the following defensive measures:

  1. Contain the raw-socket privilege: opening an AF_PACKET socket requires root or CAP_NET_RAW, so BPFDoor can only be planted after a full compromise. Keep services off root, drop CAP_NET_RAW from containers (--cap-drop=NET_RAW) and from systemd units that do not need it (CapabilityBoundingSet=~CAP_NET_RAW). Note that kernel.unprivileged_bpf_disabled=1 and kernel module signing do not stop this implant, which runs as root and loads no module, although both remain good hygiene.

  2. Audit and monitor the socket-filter interface: log setsockopt(SOL_SOCKET, SO_ATTACH_F****ILTER) and socket(AF_PACKET, SOCK_RAW) with auditd or an eBPF-based runtime security tool, and baseline the few legitimate users (tcpdump, DHCP clients, network managers). bpftool does not list classic socket filters; use ss -0pb or /proc/net/packet to see them.

  3. Network Traffic Analysis: a magic packet is a single unsolicited TCP, UDP or ICMP packet, often to a closed port, carrying a short payload. Alert on inbound packets with payload to ports that have no listener and on ICMP echo requests with unusual payloads, and watch for the shell session that follows. Host firewall rules do not help, because the packet socket sees frames before netfilter does; filtering upstream of the host does.

  4. Vulnerability Management: regularly patch internet-facing services and the kernel. BPFDoor is deployed post-compromise, so closing the initial access path is what actually prevents it.

  5. Least Privilege Enforcement: ensure processes and services operate with the minimum privileges they need, so that a compromised service cannot reach the root access the implant requires.

  6. System Hardening: apply hardening frameworks (CIS Benchmarks, STIGs) including their auditd baselines, and mount /dev/shm, /tmp and /var/tmp noexec where workloads allow; that alone blocks the original sample's re-execution from /dev/shm.

  7. Incident Response Preparation: plan for a process whose binary no longer exists on disk. Copy /proc/<pid>/exe out, save the memory maps and open file descriptors, and capture the filter bytecode with ss -0pb before terminating anything.

  8. Regular Auditing: routinely review packet-socket owners, iptables NAT rules, and processes running from volatile directories or deleted binaries.

  9. Endpoint Detection Improvements: make sure Linux EDR records process creation with full paths, socket and setsockopt syscalls, and file events under /run and /dev/shm; detection that only watches listening ports or beaconing will never see an idle implant.

  10. Security Awareness: train the SOC on socket-filter backdoors and the artefacts above, so that a "udevd" running from a deleted file in /dev/shm is recognised for what it is.
