BPFdoor in Telecom Networks: Sleeper Cells in the Backbone #2057

Open
carlospolop wants to merge 1 commit into master from
update_BPFdoor_in_Telecom_Networks__Sleeper_Cells_in_the__20260326_190826

Conversation

@carlospolop (Collaborator)

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Title: BPFdoor in Telecom Networks: Sleeper Cells in the Backbone (Rapid7 Labs, published/updated Mar 26, 2026)

High-level finding (what this is):
Rapid7 Labs reports an ongoing, China-nexus telecom-focused espionage campaign attributed to Red Menshen. The centerpiece is BPFdoor, a stealthy Linux backdoor engineered to operate “within the operating system kernel” by abusing Berkeley Packet Filter (BPF) traffic filtering. The post is not a CV...

🔧 Technical Details

Kernel-resident passive backdoor via BPF “trapdoor” activation: A stealth backdoor can avoid binding any user-space listening port by installing a malicious BPF filter in the Linux kernel. The filter inspects inbound packets for a predefined “magic packet/magic byte” sequence and stays dormant otherwise. When the trigger matches, it spawns a bind shell or reverse shell, making host/port scans and tools like netstat/ss/nmap appear normal until activation.

Split implant/controller model to minimize beaconing and enable controlled lateral movement: Keep the implant fully passive (only traffic inspection) and use a separate controller to craft and send the activation packets and manage shell sessions. Running the controller from inside the victim environment enables stealthier lateral movement by triggering additional implants over internal networks and optionally opening local listeners while masquerading as benign processes.

Hide activation commands inside...

🤖 Agent Actions

I’m mapping the existing Linux, post-exploitation, and packet-filtering content first, then I’ll compare it against the blog’s techniques to avoid duplicating anything already covered.
I’ve narrowed the likely landing zones to Linux post-exploitation and nearby network/forensics pages. Next I’m reading the candidate files directly to see whether BPF-based passive backdoors, SCTP filtering, and masquerading are already covered or need a focused addition.
The style is consistent with concise technique blocks plus short command-heavy triage. I’m now checking whether HackTricks already has BPF/eBPF trapdoor coverage or adjacent malware/process-masquerading sections that would make a new page unnecessary.
There is already a brief BPFDoor mention in useful-linux-commands.md, but only from the defensive telemetry angle. I’m reading that section and the book summary now to decide whether the best change is a new Linux post-exploitation page linked from the section index or a targeted expansion of an existing page.
I have enough repo context to place this, but I want one external pass over Rapid7’s public detection material so the added hunting commands and references are anchored to what Rapid7 actually released, not just the blog summary.
The cleanest fit is the existing Linux post-exploitation index page, not a new page. It already holds concise post-compromise credential theft, persistence, and masquerading techniques, and adding a focused BPF trapdoor section there keeps the content in one file as required.
I’m editing the Linux post-exploitation page now. The change will stay in a single file and add a concise section on BPF passive trapdoors plus practical hunting commands, then I’ll re-read the rendered markdown block and references.
The patch is in place and the diff is clean. I’m doing a final verification pass for formatting, reference placement, and whether anything I added accidentally overlaps too much with the existing masquerading section.
Updated README.md with a new section on BPFDoor-style kernel-resident passive backdoors via BPF.

The addition covers the parts that were not already documented in HackTricks: passive BPF socket-filter activation with no visible listening port, split implant/controller operation, HTTPS-hidden triggers with fixed-offset “magic ruler” padding (9999, 26/40 offsets), ICMP relay with 0xFFFFFFFF, SCTP-aware filtering, and live-host hunting commands. I kept it in the existing Linux post-exploitation page instead of creating a new file, because that was the best fit and avoided redundant structure.

Verification: reviewed the final markdown and diff; references were appended at the end of the same file as required.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
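A host-side hunting script in the spirit of the live-host hunting commands the PR describes, added here as an example that is not code from the PR, from HackTricks or from Rapid7. It parses `/proc/net/packet` for AF_PACKET sockets (the kind of socket a BPF socket-filter trapdoor sits on, since the filter is attached with `SO_ATTACH_FILTER` to a raw socket rather than to a listening TCP/UDP port), maps each socket inode to the process holding it, and flags owners whose `argv[0]` disagrees with the executable behind `/proc/<pid>/exe`, whose binary has been unlinked from disk, or that are not on an allowlist of packet-capture tools. The sample `/proc/net/packet` table, the inode-to-PID map and the two processes are constructed; `EXPECTED_PACKET_SOCKET_OWNERS` is an assumed allowlist to tune per fleet.

```python
"""Hunt for AF_PACKET sockets and masquerading owners on a Linux host.

Added example (not Rapid7's, HackTricks' or the PR's code). It parses
/proc/net/packet, maps socket inodes to the PIDs holding them, and flags
owners that do not look like a normal packet-capture tool. Sample inputs
at the bottom are constructed.
"""
import os
import re
from dataclasses import dataclass

# Assumed allowlist of processes that legitimately hold packet sockets; tune per fleet.
EXPECTED_PACKET_SOCKET_OWNERS = {"tcpdump", "dhclient", "dhcpcd", "NetworkManager", "lldpd"}

SOCK_TYPES = {2: "DGRAM", 3: "RAW"}  # "Type" column of /proc/net/packet


@dataclass
class PacketSocket:
    sock_type: str
    proto: int   # ethertype the socket receives (0x0003 = ETH_P_ALL, 0x0800 = IPv4)
    iface: int   # ifindex the socket is bound to, 0 = any interface
    uid: int
    inode: int


@dataclass
class ProcInfo:
    pid: int
    cmdline: str  # /proc/<pid>/cmdline, NUL-separated argv
    exe: str      # readlink(/proc/<pid>/exe); ends with " (deleted)" if unlinked


def parse_proc_net_packet(text):
    """Parse the /proc/net/packet table: a header line, then one row per socket
    (sk RefCnt Type Proto Iface R Rmem User Inode)."""
    sockets = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9:
            continue
        sockets.append(PacketSocket(SOCK_TYPES.get(int(f[2]), f[2]), int(f[3], 16),
                                    int(f[4]), int(f[7]), int(f[8])))
    return sockets


def argv0_name(p):
    """Basename of the process title as shown by ps (argv[0]); cheap to forge."""
    return os.path.basename(p.cmdline.split("\0")[0])


def exe_name(p):
    """Basename of the binary the kernel is actually executing."""
    return os.path.basename(re.sub(r" \(deleted\)$", "", p.exe))


def suspicious_reasons(p):
    """Why a packet-socket owner deserves a look; an empty list means nothing odd."""
    reasons = []
    if {argv0_name(p), exe_name(p)}.isdisjoint(EXPECTED_PACKET_SOCKET_OWNERS):
        reasons.append("owner not in packet-capture allowlist")
    if argv0_name(p) != exe_name(p):
        reasons.append("argv[0] does not match the executable (process masquerading)")
    if p.exe.endswith(" (deleted)"):
        reasons.append("executable unlinked from disk")
    return reasons


def hunt(packet_text, inode_to_pid, procs):
    """Return (inode, pid, reasons) for every packet socket worth investigating."""
    findings = []
    for s in parse_proc_net_packet(packet_text):
        pid = inode_to_pid.get(s.inode)
        if pid is None or pid not in procs:
            findings.append((s.inode, None, ["no readable process holds this socket (run as root)"]))
            continue
        reasons = suspicious_reasons(procs[pid])
        if reasons:
            findings.append((s.inode, pid, reasons))
    return findings


def collect_live():
    """Read the real /proc (Linux, best as root): returns (packet_text, inode_to_pid, procs)."""
    with open("/proc/net/packet") as fh:
        text = fh.read()
    inode_to_pid, procs = {}, {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{pid}"
        try:
            for fd in os.listdir(f"{base}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"{base}/fd/{fd}"))
                if m:
                    inode_to_pid[int(m.group(1))] = int(pid)
            with open(f"{base}/cmdline") as fh:
                cmdline = fh.read()
            exe = os.readlink(f"{base}/exe")  # fails for kernel threads; skipped below
        except OSError:
            continue
        procs[int(pid)] = ProcInfo(int(pid), cmdline, exe)
    return text, inode_to_pid, procs


# Constructed sample: a legitimate tcpdump and a raw IPv4 socket held by a process
# titled like a system daemon but running an unlinked binary from /dev/shm.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9b3c0a1b2c00 3      3    0003   2     1 0      0      41120
ffff9b3c0a1b3d00 3      3    0800   0     1 0      0      52231
"""
SAMPLE_INODE_TO_PID = {41120: 1207, 52231: 2299}
SAMPLE_PROCS = {
    1207: ProcInfo(1207, "tcpdump\0-i\0eth0\0", "/usr/bin/tcpdump"),
    2299: ProcInfo(2299, "/sbin/udevd\0", "/dev/shm/.cache (deleted)"),
}

if __name__ == "__main__":
    data = (SAMPLE_PROC_NET_PACKET, SAMPLE_INODE_TO_PID, SAMPLE_PROCS)
    if os.path.exists("/proc/net/packet"):
        data = collect_live()
    for inode, pid, reasons in hunt(*data):
        print(f"inode {inode} pid {pid}: " + "; ".join(reasons))
```

`/proc/net/packet` shows that a raw socket exists but not the filter attached to it; on the flagged PID, `ss -0pb` (packet sockets, owning process, attached BPF program) shows the classic BPF instructions so the magic-byte comparisons can be read directly, and `ls -l /proc/<pid>/fd` plus `/proc/<pid>/maps` confirm whether the binary is still on disk. Run as root, since other users' `/proc/<pid>/fd` directories are unreadable and every unmapped socket would otherwise be reported as unowned.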

@carlospolop (Collaborator, Author)

🔗 Additional Context

Original Blog Post: https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report

Content Categories: Based on the analysis, this content was categorized under "🐧 Linux Privilege Escalation / Linux Post-Exploitation (new page: “Kernel-resident backdoors via BPF (BPFdoor-style magic-packet activation, HTTPS offset padding, ICMP propagation, process masquerading)”)".

Repository Maintenance:

  • MD Files Formatting: 963 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
