British security researcher Kevin Beaumont has listed details of a backdoor that is believed to infect Linux systems, with consulting firm PwC also documenting it. Both say the threat emanates from China.

Called BPFDoor, there is no indication of either PwC or Beaumont as to how the backdoor gains a foothold on any system.

Beaumont said it used a BPF packet filter and therefore could do its job without opening new network ports or firewall rules.

PwC Threat Intelligence mentioned BPFDoor in its 2021 threat report, calling the person(s) behind it Red Menshen and saying it was targeting telecom operators in the Middle East and Asia.

It “also identified that the threat actor sends commands to BPFDoor victims through virtual private servers hosted at a well-known provider, and that these VPS, in turn, are administered through compromised routers based in Taiwan, that the threat actor uses as VPN tunnels.”.

Beaumont said it found BPFDoor installed in a number of organizations in 2021, in the United States, South Korea, Hong Kong, Turkey, India, Vietnam and Myanmar. These included systems in government, postal, logistics, and educational institutions.

“Operators have access to a tool that enables communication with implants, using a password, which enables features such as running commands remotely. It works over internal networks and the Internet” , he wrote.

“Because BPFDoor doesn’t open any inbound network ports, doesn’t use outbound C2, and renames its own process on Linux (so ps aux, for example, will show a friendly name), it’s very evasive.”

PwC mentioned that their research showed that Red Menshen was primarily active “Monday through Friday (with no weekend sightings), with most communication occurring between 01:00 and 10:00 UTC. This pattern suggests a consistent period of 8 to 9 a.m. window of activity for the threat actor, with a realistic likelihood that it aligns with local working hours.”

Beaumont pointed out that each implant had its own hash, which made detection by searching for hashes a waste of time.

He said another researcher, Florian Roth, discovered the source code for the BPFDoor controller on VirusTotal, a malware signature database owned by Google.


The last year has seen a meteoric rise in ransomware incidents around the world.

Over the past 12 months, threat researchers at SonicWall Capture Labs have diligently tracked the meteoric rise in cyberattacks, as well as trends and activity across all threat vectors, including:

Encrypted threats
IoT malware
Zero-day attacks and more

These exclusive findings are now available through the SonicWall Cyber ​​Threat Report 2022, which ensures SMBs, government agencies, enterprises and other organizations have the actionable threat intelligence needed to combat the growing wave of cybercrime.

Click the button below to get the report.



It’s all about webinars.

Marketing budgets are now focused on webinars combined with lead generation.

If you want to promote a webinar, we recommend at least a 3-4 week campaign before your event.

The iTWire campaign will include numerous advertisements on our news site and a major newsletter promotion and promotional and editorial news. Plus a keynote speaker video interview on iTWire TV which will be used in promotional messages on the iTWire homepage.

Now that we are coming out of Lockdown, iTWire will focus on supporting your webinars and campaigns and support through partial payments and extended terms, Webinar Business Booster pack and other support programs. We can also create your advertisements and written content and coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.



A surgical method to remember for the treatment of symptomatic ipsilateral central venous occlusions in patients with hemodialysis access: about a case of axillo-axillary venous bypass and review of the literature


7 questions to ask yourself when trying to decide which subject to choose in 10th grade

Check Also