ET MALWARE BPFDoor ICMP Echo Request, X:[COMMAND] (Inbound)

SID: 2069175Rev: 616 views
History
Sourceet/open
CreatedMay 5, 2026
UpdatedMay 14, 2026
Classificationcommand-and-control
alert icmp any any -> $HOME_NET any (msg:"ET MALWARE BPFDoor ICMP Echo Request, X:[COMMAND] (Inbound)"; xbits:set,ET.bpfdoor,track ip_dst,expire 60; noalert; itype:8; content:"X:"; fast_pattern; offset:16; content:!"|20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37|"; reference:url,rapid7.com/blog/post/tr-new-whitepaper-stealthy-bpfdoor-variants/; reference:url,community.emergingthreats.net/t/sig-bpfdoor-icmpshell-icmp-artifacts-from-rapid7-whitepaper/3271; classtype:command-and-control; sid:2069175; rev:6; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2026_05_05, deployment Perimeter, deprecation_reason False_Positive, malware_family BPFDoor, confidence Medium, signature_severity Major, tag BPF, updated_at 2026_05_14; target:dest_ip;)

References

urlrapid7.com/blog/post/tr-new-whitepaper-stealthy-bpfdoor-variants/
urlcommunity.emergingthreats.net/t/sig-bpfdoor-icmpshell-icmp-artifacts-from-rapid7-whitepaper/3271

Metadata

affected productLinux
attack targetClient_Endpoint
created at2026_05_05
deploymentPerimeter
deprecation reasonFalse_Positive
malware familyBPFDoor
confidenceMedium
signature severityMajor
tagBPF
updated at2026_05_14

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!