alert icmp any any -> $HOME_NET any (msg:"ET MALWARE BPFDoor ICMP Magic Packet (Inbound) M1"; dsize:24; content:"|72 55 00 00|"; startswith; fast_pattern; content:"|6a|"; offset:10; depth:1; pcre:"/^[a-z0-9_]{1,14}\x00*$/Ri"; reference:url,trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html?ref=haxrob.net; reference:url,haxrob.net/bpfdoor-past-and-present-part-2/; classtype:command-and-control; sid:2065006; rev:2; metadata:affected_product Linux, affected_product MySQL, attack_target Client_and_Server, tls_state TLSDecrypt, created_at 2025_09_30, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Backdoor, tag Description_Generated_By_Proofpoint_Nexus, tag BPF, updated_at 2025_10_02, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)