{"id":211633,"date":"2025-04-17T02:24:48","date_gmt":"2025-04-17T07:24:48","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2025\/04\/new-bpfdoor-controller-enables-stealthy-lateral-movement-in-linux-server-attacks"},"modified":"2025-04-17T02:24:48","modified_gmt":"2025-04-17T07:24:48","slug":"new-bpfdoor-controller-enables-stealthy-lateral-movement-in-linux-server-attacks","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2025\/04\/new-bpfdoor-controller-enables-stealthy-lateral-movement-in-linux-server-attacks","title":{"rendered":"New BPFDoor Controller Enables Stealthy Lateral Movement in Linux Server Attacks"},"content":{"rendered":"<p>Cybersecurity researchers have unearthed a new controller component associated with a known backdoor called <a href=\"https:\/\/thehackernews.com\/2023\/05\/new-variant-of-linux-backdoor-bpfdoor.html\" rel=\"noopener\" target=\"_blank\">BPFDoor<\/a> as part of cyber attacks targeting telecommunications, finance, and retail sectors in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt in 2024.<\/p>\n<p>\u201cThe controller could open a reverse shell,\u201d Trend Micro researcher Fernando Merc\u00eas <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/d\/bpfdoor-hidden-controller.html\" rel=\"noopener\" target=\"_blank\">said<\/a> in a technical report published earlier in the week. \u201cThis could allow lateral movement, enabling attackers to enter deeper into compromised networks, allowing them to control more systems or gain access to sensitive data.\u201d<\/p>\n<p>The campaign has been attributed with medium confidence to a threat group that Trend Micro tracks as Earth Bluecrow, which is also known as DecisiveArchitect, Red Dev 18, and Red Menshen. The lower confidence level boils down to the fact that the BPFDoor malware source code was <a href=\"https:\/\/github.com\/gwillgues\/BPFDoor\">leaked in 2022<\/a>, meaning it could also have been adopted by other hacking groups.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity researchers have unearthed a new controller component associated with a known backdoor called BPFDoor as part of cyber attacks targeting telecommunications, finance, and retail sectors in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt in 2024. \u201cThe controller could open a reverse shell,\u201d Trend Micro researcher Fernando Merc\u00eas said in a technical report published [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,45],"tags":[],"class_list":["post-211633","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode","category-finance"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/211633","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=211633"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/211633\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=211633"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=211633"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=211633"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}