diff --git a/src/linux-hardening/linux-post-exploitation/README.md b/src/linux-hardening/linux-post-exploitation/README.md index a31efd26f6f..3d139c8dffa 100644 --- a/src/linux-hardening/linux-post-exploitation/README.md +++ b/src/linux-hardening/linux-post-exploitation/README.md 
@@ -150,6 +150,48 @@ Hardening - Overwrite the in-memory `argv[0]` buffer after reading `/proc/self/cmdline` length and the `argv[0]` pointer, padding with NULs so `/proc//cmdline` and `ps` also show the fake label. - Hunt by comparing `Name:` in `/proc//status` against the real executable path and looking for loopback mutex listeners owned by processes with tiny/blank cmdlines. +## Kernel-resident passive backdoors via BPF (BPFDoor-style) + +Some Linux backdoors avoid exposing any listening port by attaching a malicious **BPF socket filter** to a raw or packet socket. The implant stays passive, inspects inbound traffic in the kernel path, and only spawns a bind/reverse shell when a controller sends the correct trigger. This means `netstat`, `ss`, and `nmap` can look normal until activation. + +Common tradecraft patterns: + +- **Split implant/controller model**: the implant only filters traffic and executes the next stage; a separate controller crafts the activation packet and drives the shell. +- **HTTPS-hidden trigger delivery**: newer variants can hide the activation bytes inside normal-looking HTTPS requests so the trigger survives reverse proxies, load balancers, and TLS termination paths. +- **Fixed-offset "magic ruler" checks**: instead of fully parsing HTTP, the controller pads data so a marker such as `9999` lands at a predictable offset. Rapid7 observed `26`-byte rulers with `SOCK_DGRAM` and `40`-byte rulers with `SOCK_RAW`. +- **ICMP relay/control traffic**: compromised hosts can forward commands inside crafted ICMP payloads. A sentinel such as `0xFFFFFFFF` can be used as a "final destination / do not forward" marker. +- **Protocol-aware filtering**: filtering unusual transports such as SCTP moves the implant closer to telecom signaling traffic instead of normal enterprise TCP services. +- **Masquerading**: combine the trapdoor with the `prctl`/`argv[0]` process renaming tricks from the previous section and with daemon-looking PID or lock files. 
+ +Practical hunt from a live host: + +```bash +# Raw/packet sockets and attached filters +ss -0pb | egrep -i 'packet|raw' +cat /proc/net/packet + +# Map suspicious PIDs to their real executable and cmdline +for p in /proc/[0-9]*; do + exe=$(readlink "$p/exe" 2>/dev/null) + cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null) + [ -n "$exe" ] && printf "%s | %s | %s\n" "${p##*/}" "$exe" "$cmd" +done | egrep -i 'agetty|smartd|init|dockerd|hpas' + +# Common environment markers and deleted/fileless execution +grep -aHE 'HOME=/tmp|HISTFILE=/dev/null' /proc/[0-9]*/environ 2>/dev/null +find /proc/[0-9]*/exe -lname '*deleted*' -ls 2>/dev/null + +# Mutex / pid artifacts often used to prevent double execution +find /var/run /run -maxdepth 1 -type f \( -name '*.pid' -o -name '*.lock' \) \ + -size 0c -printf '%m %p\n' 2>/dev/null + +# Persistence paths worth checking after finding a suspicious PID +grep -RInE 'iptables|bpfd|dockerd|hpas|/dev/shm|/var/tmp|/tmp/' \ + /etc/systemd /etc/init.d /etc/rc*.d /etc/cron* 2>/dev/null +``` + +If the host supports `bpftool`, also baseline legitimate BPF usage. Unexpected packet filters, raw sockets, or process names that do not match the backing executable are strong post-exploitation signals even when no listening port is visible. + ## References - [0xdf – HTB Planning (Grafana env creds reuse, systemd BASIC_AUTH)](https://0xdf.gitlab.io/2025/09/13/htb-planning.html) 
@@ -157,5 +199,7 @@ Hardening - [0xdf – HTB Environment (GPG homedir relocation to decrypt loot)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html) - [GnuPG Manual – Home directory and GNUPGHOME](https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html#index-homedir) - [Inside GoBruteforcer: AI-generated server defaults, weak passwords, and crypto-focused campaigns](https://research.checkpoint.com/2026/inside-gobruteforcer-ai-generated-server-defaults-weak-passwords-and-crypto-focused-campaigns/) +- [Rapid7 Labs - BPFdoor in Telecom Networks: Sleeper Cells in the Backbone](https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report/) +- [Rapid7 Labs - Linux BPFDoor Detection Script](https://github.com/rapid7/Rapid7-Labs/tree/main/BPFDoor) {{#include ../../banners/hacktricks-training.md}}
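Review bot: In the first hunk (`@@ -150,6 +150,48 @@`), the socket listing only covers packet sockets, so the `raw` alternative in `ss -0pb | egrep -i 'packet|raw'` can never match: `ss -0` is `--packet`, and AF_INET raw sockets are listed by `ss -w` (`--raw`). Suggest `ss -0wpb` (or two calls, `ss -0pb` and `ss -wpb`) and adding `/proc/net/raw` and `/proc/net/raw6` next to `cat /proc/net/packet`, since a BPF-filtered raw socket is exactly the artifact the section describes. Two smaller points in the same block: `egrep` is deprecated in current GNU grep and prints a warning, so `grep -Ei` is the safer spelling; and the `init` token in `egrep -i 'agetty|smartd|init|dockerd|hpas'` substring-matches legitimate names such as `systemd-init`, `initrd`-related helpers and anything containing "init", so either anchor it (`\binit\b`) or note that the list is a starting point expected to be noisy. The closing sentence "If the host supports `bpftool`, also baseline legitimate BPF usage" would be more useful with the command (`bpftool prog show`, `bpftool net show`) and a caveat that classic socket filters attached with `SO_ATTACH_FILTER` show up in `ss -b` output rather than in the eBPF program list, so the two checks are complementary, not interchangeable.

Review bot: In the second hunk (`@@ -157,5 +199,7 @@`), the two new references use `-` as the separator ("Rapid7 Labs - BPFdoor ...") while the surrounding entries use `–` ("0xdf – HTB ..."), so the list renders inconsistently; match the existing style. Also consider citing the detection-script link from the body where the `bpftool` baseline advice is given, since the hunt commands in the section are the natural place for a reader to find it, and pinning the GitHub tree link to a commit so the reference does not drift as the repository changes.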