BPFDoor Evasive Linux Backdoor and Malware Forensic Investigation Presentation
This is a presentation on evasive Linux malware, featuring BPFDoor, given at the Oslo FIRST Cold Incident Response Conference in Norway. It uses BPFDoor as a worked example of how to investigate evasive Linux malware with command line forensics and investigation techniques. BPFDoor was a professional piece of malware, and it shows that you don't need elaborate stealth rootkit techniques to be effective: simple, evasive hiding methods go a long way on Linux and let sophisticated malware hide and persist very effectively. The presentation discusses these elements of BPFDoor and what separates professional from amateur execution in a piece of malware. Sandfly's agentless intrusion detection and incident response platform for Linux easily finds BPFDoor operating. See our website for a free license to check your systems today. Be sure to subscribe and follow us: https://www.sandflysecurity.com / sandflysecurity / sandfly