BPFDoor malware uses Solaris vulnerability to get root privileges


Level 37
Thread author
Top Poster
Feb 4, 2016
New research into the inner workings of the stealthy BPFdoor malware for Linux and Solaris reveals that the threat actor behind it leveraged an old vulnerability to achieve persistence on targeted systems.
BPFDoor is a custom backdoor that has been used largely undetected for at least five years in attacks against telecommunications, government, education, and logistics organizations.

The malware was discovered only recently and reported first by researchers from PricewaterhouseCoopers (PwC), who attributed it to a China-based threat actor they track as Red Menshen.
PwC found BPFDoor during an incident response engagement in 2021. Looking closer at the malware, the researchers noticed that it received commands from Virtual Private Servers (VPS) controlled through compromised routers in Taiwan.

Subsequent, comprehensive research from Craig Rowland, the founder of Sandfly Security, and Kevin Beaumont showed the highly insidious nature of the malware, which can virtually bypass most detection systems. BPFDoor can't be stopped by firewalls, it can function without opening any ports and does not need a command and control server as it can receive commands from any IP address on the web.
  • Like
Reactions: upnorth


Staff Member
Malware Hunter
Jul 27, 2015
two Windows scripts
Animated GIF

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.