{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ebpf/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["bpfdoor","linux","backdoor","ebpf"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBPFDoor is an evasive Linux backdoor named for the Berkeley Packet Filter program it attaches to a raw socket: classic BPF loaded with \u003ccode\u003eSO_ATTACH_FILTER\u003c/code\u003e, not an eBPF program injected into the kernel. The filter makes the kernel pass the implant only packets that carry the attacker\u0026rsquo;s magic value, so BPFDoor can wait for commands without binding a listening port and without appearing in listings of listening services. It has been observed targeting telecom networks, acting as a sleeper cell within the infrastructure. This threat brief focuses on detecting BPFDoor through its interaction with PID and lock files in the \u003ccode\u003e/var/run\u003c/code\u003e directory, which it uses as a single-instance mutex under a name that looks like it belongs to a legitimate daemon. 
Access to one of these files by a process other than the daemon the name implies is a strong indicator of BPFDoor activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Linux system, possibly through exploitation of a vulnerability or stolen credentials (not detailed in source).\u003c/li\u003e\n\u003cli\u003eThe attacker deploys the BPFDoor backdoor onto the compromised system, typically running it from a world-writable location such as \u003ccode\u003e/dev/shm\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eBPFDoor forks into the background, renames its process after a common system daemon, and opens a raw socket with its BPF filter attached, so it waits for its trigger without a bound TCP or UDP port and without loading a kernel module or eBPF program.\u003c/li\u003e\n\u003cli\u003eBPFDoor creates a process ID (.pid) or lock (.lock) file in \u003ccode\u003e/var/run\u003c/code\u003e as a mutex so that only one instance runs, choosing a name that blends in with those of legitimate services.\u003c/li\u003e\n\u003cli\u003eSpecifically, BPFDoor may access files like \u003ccode\u003e/var/run/aepmonend.pid\u003c/code\u003e, \u003ccode\u003e/var/run/auditd.lock\u003c/code\u003e, \u003ccode\u003e/var/run/cma.lock\u003c/code\u003e, \u003ccode\u003e/var/run/console-kit.pid\u003c/code\u003e, \u003ccode\u003e/var/run/consolekit.pid\u003c/code\u003e, \u003ccode\u003e/var/run/daemon.pid\u003c/code\u003e, \u003ccode\u003e/var/run/hald-addon.pid\u003c/code\u003e, \u003ccode\u003e/var/run/hald-smartd.pid\u003c/code\u003e, \u003ccode\u003e/var/run/haldrund.pid\u003c/code\u003e, \u003ccode\u003e/var/run/hp-health.pid\u003c/code\u003e, \u003ccode\u003e/var/run/hpasmlit.lock\u003c/code\u003e, \u003ccode\u003e/var/run/hpasmlited.pid\u003c/code\u003e, \u003ccode\u003e/var/run/kdevrund.pid\u003c/code\u003e, \u003ccode\u003e/var/run/lldpad.lock\u003c/code\u003e, \u003ccode\u003e/var/run/mcelog.pid\u003c/code\u003e, \u003ccode\u003e/var/run/system.pid\u003c/code\u003e, \u003ccode\u003e/var/run/uvp-srv.pid\u003c/code\u003e, \u003ccode\u003e/var/run/vmtoolagt.pid\u003c/code\u003e, and \u003ccode\u003e/var/run/xinetd.lock\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eBecause the file is 
the implant\u0026rsquo;s own mutex, the access is usually a create or open for writing by an executable that does not belong to the service the file name suggests; that mismatch is what the detection keys on.\u003c/li\u003e\n\u003cli\u003eA remote attacker sends a packet carrying the magic value; the BPF filter delivers it to the implant, which then opens a reverse shell or a bind shell for that attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the compromised system, potentially leading to data theft, system disruption, or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful BPFDoor infection gives the attacker a persistent and stealthy backdoor on a Linux system. Because the implant binds no listening port, spoofs its process name, and is triggered by a packet that never reaches a service, port scans, listening-socket inventories and process-name checks all miss it, potentially allowing attackers long-term access to the system and sensitive data. Telecom networks are specifically mentioned, indicating potential disruption of critical communications infrastructure. The number of victims and specific damage caused varies per deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eBPFDoor Abnormal Process ID or Lock File Accessed\u003c/code\u003e to your SIEM to detect access to the lock and PID files listed above in \u003ccode\u003e/var/run\u003c/code\u003e based on auditd logs. The rule only fires if auditd actually records these accesses, so add file watches for the paths (for example \u003ccode\u003e-w /var/run/haldrund.pid -p rwa -k bpfdoor\u003c/code\u003e) or an equivalent syscall rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the process accessing the lock or PID file and whether it is legitimate: compare the \u003ccode\u003eexe\u003c/code\u003e field (the path of the executable) rather than \u003ccode\u003ecomm\u003c/code\u003e, which BPFDoor sets to a daemon-like name.\u003c/li\u003e\n\u003cli\u003eAudit hosts for processes holding packet (raw) sockets with a BPF filter attached, for example with \u003ccode\u003ess -0pb\u003c/code\u003e as root, and treat a filter owned by a process that is not a packet-capture or monitoring tool as suspicious.\u003c/li\u003e\n\u003cli\u003eRegularly review and update intrusion detection systems (IDS) signatures to include known BPFDoor indicators.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T11:18:05Z","date_published":"2026-04-01T11:18:05Z","id":"/briefs/2024-10-bpfdoor-lockfile-access/","summary":"BPFDoor, an evasive Linux backdoor, is detected via the unusual access of process ID and lock files in the /var/run/ directory, indicating potential malicious 
activity.","title":"BPFDoor Lock File Access","url":"https://feed.craftedsignal.io/briefs/2024-10-bpfdoor-lockfile-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["ebpf","security-agent","autonomous-response","privilege-escalation","c2-blocking","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eInner Warden is an open-source security agent designed to enhance server protection by utilizing eBPF for kernel-level monitoring. The project aims to provide autonomous response capabilities, initially developed to protect an AI agent (OpenClaw). Inner Warden uses eBPF tracepoints (execve, connect, openat), kprobes on commit_creds for detecting privilege escalation, LSM hooks to block execution from /tmp and /dev/shm, and XDP for high-speed IP blocking. It incorporates a detection layer for brute force attacks, port scans, privilege escalations, container escapes, and C2 callbacks. The response layer includes blocking IPs, killing processes, restricting sudo access, and deploying simple honeypots. 
A distributed mesh architecture allows nodes to share signals about suspicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through an unspecified vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to execute a malicious binary from \u003ccode\u003e/tmp\u003c/code\u003e or \u003ccode\u003e/dev/shm\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInner Warden\u0026rsquo;s LSM hook blocks the execution of the binary, preventing the initial execution attempt.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges by exploiting a vulnerability, triggering the \u003ccode\u003ecommit_creds\u003c/code\u003e kprobe.\u003c/li\u003e\n\u003cli\u003eInner Warden detects the privilege escalation attempt.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish a command-and-control (C2) connection.\u003c/li\u003e\n\u003cli\u003eInner Warden detects the C2 callback and blocks the attacker\u0026rsquo;s IP address using XDP, preventing further communication.\u003c/li\u003e\n\u003cli\u003eInner Warden nodes share signals of the suspicious activity, prompting other nodes within the mesh to adjust their behavior, increasing security across the distributed environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deployment of Inner Warden could prevent privilege escalation attacks, block execution of malicious code from temporary directories, disrupt command-and-control communication, and mitigate brute force and port scanning attempts. A compromised node could potentially send false positives, but Inner Warden\u0026rsquo;s trust scoring is designed to avoid large-scale disruption. 
The primary impact is improved host security posture and potentially reduced incident response workload through automated threat mitigation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the process creation rule below to detect executions blocked by Inner Warden\u0026rsquo;s LSM hook from \u003ccode\u003e/tmp\u003c/code\u003e or \u003ccode\u003e/dev/shm\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the network connection rule to identify C2 callbacks blocked by Inner Warden\u0026rsquo;s XDP-based IP blocking.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the privilege escalation detection rule, indicating potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor for alerts generated by Inner Warden regarding potential poisoning or false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-22T12:00:00Z","date_published":"2026-03-22T12:00:00Z","id":"/briefs/2026-03-inner-warden/","summary":"The open-source Inner Warden project is a security agent leveraging eBPF for kernel-level monitoring and autonomous response actions like IP blocking and process termination, aiming to create a distributed security mesh.","title":"Inner Warden Security Agent Capabilities","url":"https://feed.craftedsignal.io/briefs/2026-03-inner-warden/"}],"language":"en","title":"CraftedSignal Threat Feed — Ebpf","version":"https://jsonfeed.org/version/1.1"}