AhnLab Detection Information on BPFDoor Exploited in Recent Hacking Attacks and KISA Hash Notice
BPFDoor is a Linux-based backdoor malware. AhnLab previously published its EDR detection information for this malware on the ASEC blog in October 2024. KISA recently shared threat information and warnings on BPFDoor, which has been used in hacking attacks. V3 detection information for the hash values shared by KISA in its first and second notices is as follows.
- Previous ASEC Blog Post: BPFDoor Linux Malware Detected by AhnLab EDR
- Sample Hash Values Shared by KISA in Their First Notice (link to KISA Bohonara first notice)
| No | File Name | Size | MD5 | SHA2 | V3 Detection Information |
| 1 | hpasmmld | 2,265KB | a47d96ffe446a431a46a3ea3d1ab4d6e | c7f693f7f85b01a8c0e561bd369845f40bff423b0743c7aa0f4c323d9133b5d4 | Backdoor/Linux.BPFDoor.2318528 (2025.04.24.00) |
| 2 | smartadm | 2,067KB | 227fa46cf2a4517aa1870a011c79eb54 | 3f6f108db37d18519f47c5e4182e5e33cc795564f286ae770aa03372133d15c4 | Backdoor/Linux.BPFDoor.2116536 (2025.04.24.00) |
| 3 | hald-addon-volume | 2,071KB | f4ae0f1204e25a17b2adbbab838097bd | 95fd8a70c4b18a9a669fec6eb82dac0ba6a9236ac42a5ecde270330b66f51595 | Backdoor/Linux.BPFDoor.2120632 (2025.04.24.00) |
| 4 | dbus-srv-bin.txt | 34KB | 714165b06a462c9ed3d145bc56054566 | aa779e83ff5271d3f2d270eaed16751a109eb722fca61465d86317e03bbf49e4 | Backdoor/Linux.BPFDoor.34752 (2025.04.24.00) |
- Sample Hash Values Shared by KISA in Their Second Notice (link to KISA Bohonara second notice)
| No | File Name | Size | MD5 | SHA2 | V3 Detection Information |
| 1 | dbus-srv | 34KB | 3c54d788de1bf6bd2e7bc7af39270540 | 925ec4e617adc81d6fcee60876f6b878e0313a11f25526179716a90c3b743173 | Backdoor/Linux.BPFDoor.34752 (2025.04.24.00) |
| 2 | inode262394 | 28KB | fbe4d008a79f09c2d46b0bcb1ba926b3 | 29564c19a15b06dd5be2a73d7543288f5b4e9e6668bbd5e48d3093fb6ddf1fdb | Backdoor/Linux.BPFDoor.XE254 (2025.04.29.02) |
| 3 | dbus-srv | 34KB | c2415a464ce17d54b01fc91805f68967 | be7d952d37812b7482c1d770433a499372fde7254981ce2e8e974a67f6a088b5 | Backdoor/Linux.BPFDoor.34752 (2025.04.24.00) |
| 4 | dbus-srv | 34KB | aba893ffb1179b2a0530fe4f0daf94da | 027b1fed1b8213b86d8faebf51879ccc9b1afec7176e31354fbac695e8daf416 | Backdoor/Linux.BPFDoor.34752 (2025.04.24.00) |
| 5 | dbus-srv | 32KB | e2c2f1a1fbd66b4973c0373200130676 | a2ea82b3f5be30916c4a00a7759aa6ec1ae6ddadc4d82b3481640d8f6a325d59 | Backdoor/Linux.BPFDoor (2025.05.03.01) |
| 6 | File_in_Inode_#1900667 | 28KB | dc3361ce344917da20f1b8cb4ae0b31d | e04586672874685b019e9120fcd1509d68af6f9bc513e739575fc73edefd511d | Backdoor/Linux.BPFDoor (2025.05.03.01) |
| 7 | gm | 2,063KB | 5f6f79d276a2d84e74047358be4f7ee1 | adfdd11d69f4e971c87ca5b2073682d90118c0b3a3a9f5fbbda872ab1fb335c6 | Trojan/Linux.BPFControl (2025.05.03.01) |
| 8 | rad | 22KB | 0bcd4f14e7d8a3dc908b5c17183269a4 | 7c39f3c3120e35b8ab89181f191f01e2556ca558475a2803cb1f02c05c830423 | Trojan/Linux.BPFControl (2025.05.03.01) |
Because BPFDoor is open source, new variants can continue to be created and distributed. Defense through additional solutions such as EDR is therefore necessary. The following are the AhnLab EDR and AIPS detection names for BPFDoor.
- EDR Detection Information
DefenseEvasion/EDR.Event.M12190 (2024.10.08.02)
Behavior/DETECT.Event.M12191 (2024.10.08.02)
DefenseEvasion/DETECT.Firewall.M12192 (2024.10.08.02)
DefenseEvasion/DETECT.Firewall.M12193 (2024.10.08.02)
Execution/EDR.BPFDoor.M12195 (2025.05.05.02)
Execution/EDR.BPFDoor.M12599 (2025.05.08.02)
- AIPS Detection Information
BPFDoor Malware CnC Communication-1 (427)
BPFDoor Malware CnC Communication-2 (427)
BPFDoor Malware CnC Communication-3 (427)
BPFDoor Malware CnC Communication-4 (427)
BPFDoor Malware CnC Communication-5 (427)
BPFDoor Malware CnC Communication-6 (427)
BPFDoor Malware CnC Communication-7 (427)
BPFDoor Malware CnC Communication-8 (427)