{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/bpfdoor/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["bpfdoor","linux","backdoor","ebpf"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBPFDoor is an evasive Linux backdoor that utilizes extended Berkeley Packet Filter (eBPF) technology to establish stealthy communication channels and maintain persistence on compromised systems. This backdoor has been observed targeting telecom networks, acting as a sleeper cell within the infrastructure. The threat leverages eBPF for its ability to operate at a low level, making detection challenging. This threat brief focuses on detecting BPFDoor through its interaction with common PID and lock files in the \u003ccode\u003e/var/run\u003c/code\u003e directory, where it attempts to masquerade as legitimate processes or services. The access of these files by unauthorized or unexpected processes can be a strong indicator of BPFDoor activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Linux system, possibly through exploitation of a vulnerability or stolen credentials (not detailed in source).\u003c/li\u003e\n\u003cli\u003eThe attacker deploys the BPFDoor backdoor onto the compromised system.\u003c/li\u003e\n\u003cli\u003eBPFDoor establishes persistence by injecting itself into the kernel using eBPF.\u003c/li\u003e\n\u003cli\u003eBPFDoor attempts to blend in with legitimate system activity by accessing or manipulating process ID (.pid) and lock (.lock) files in the \u003ccode\u003e/var/run\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eSpecifically, BPFDoor may access files like \u003ccode\u003e/var/run/aepmonend.pid\u003c/code\u003e, \u003ccode\u003e/var/run/auditd.lock\u003c/code\u003e, \u003ccode\u003e/var/run/cma.lock\u003c/code\u003e, \u003ccode\u003e/var/run/console-kit.pid\u003c/code\u003e, \u003ccode\u003e/var/run/consolekit.pid\u003c/code\u003e, \u003ccode\u003e/var/run/daemon.pid\u003c/code\u003e, \u003ccode\u003e/var/run/hald-addon.pid\u003c/code\u003e, \u003ccode\u003e/var/run/hald-smartd.pid\u003c/code\u003e, \u003ccode\u003e/var/run/haldrund.pid\u003c/code\u003e, \u003ccode\u003e/var/run/hp-health.pid\u003c/code\u003e, \u003ccode\u003e/var/run/hpasmlit.lock\u003c/code\u003e, \u003ccode\u003e/var/run/hpasmlited.pid\u003c/code\u003e, \u003ccode\u003e/var/run/kdevrund.pid\u003c/code\u003e, \u003ccode\u003e/var/run/lldpad.lock\u003c/code\u003e, \u003ccode\u003e/var/run/mcelog.pid\u003c/code\u003e, \u003ccode\u003e/var/run/system.pid\u003c/code\u003e, \u003ccode\u003e/var/run/uvp-srv.pid\u003c/code\u003e, \u003ccode\u003e/var/run/vmtoolagt.pid\u003c/code\u003e, and \u003ccode\u003e/var/run/xinetd.lock\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThis access may involve reading, writing, or modifying these files to conceal its presence.\u003c/li\u003e\n\u003cli\u003eBPFDoor uses the eBPF-based communication channel to receive commands from a remote attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the compromised system, potentially leading to data theft, system disruption, or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful BPFDoor infection can lead to a persistent and stealthy backdoor on a Linux system. Given the nature of eBPF, detection is difficult, potentially allowing attackers long-term access to the system and sensitive data. Telecom networks are specifically mentioned, indicating potential disruption of critical communications infrastructure. The number of victims and specific damage caused varies per deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eBPFDoor Abnormal Process ID or Lock File Accessed\u003c/code\u003e to your SIEM to detect suspicious access to lock and PID files in \u003ccode\u003e/var/run\u003c/code\u003e based on auditd logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on identifying the process accessing the lock or PID file and whether it is legitimate.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to identify unusual eBPF activity.\u003c/li\u003e\n\u003cli\u003eRegularly review and update intrusion detection systems (IDS) signatures to include known BPFDoor indicators.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T11:18:05Z","date_published":"2026-04-01T11:18:05Z","id":"/briefs/2024-10-bpfdoor-lockfile-access/","summary":"BPFDoor, an evasive Linux backdoor, is detected via the unusual access of process ID and lock files in the /var/run/ directory, indicating potential malicious activity.","title":"BPFDoor Lock File Access","url":"https://feed.craftedsignal.io/briefs/2024-10-bpfdoor-lockfile-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Bpfdoor","version":"https://jsonfeed.org/version/1.1"}