From bytecode to bytes: automated magic packet generation
ID: f6f30a39-fca4-5666-9faa-b692c0de0e96
STIX ID: report--f6f30a39-fca4-5666-9faa-b692c0de0e96
Feed Name: Cloudflare Blog
This research post analyzes BPFDoor, a Linux backdoor used by the China-linked actor tracked as Red Menshen (also reported as Earth Bluecrow) for long-term, stealthy access to telecommunications, education, and government targets. The implant itself runs in user space, but it attaches a classic BPF (cBPF) filter to a raw socket, so the kernel runs the filter and hands the process only specially crafted "magic" packets; the backdoor never needs a listening port, which is what makes it hard to spot from the network side. The post shows how to recover those trigger packets automatically: the cBPF program is symbolically executed, the constraints collected on each accepting path are solved with Z3, and scapy turns each solution into a concrete packet. The authors release filterforge, an open-source tool that automates this deconstruction and supports detection of BPF-based implants.
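The approach described above, as an added example that is not code from the Cloudflare post or from filterforge: a small symbolic executor for classic BPF walks every path of a filter program, collects the constraints each accepting path puts on packet bytes, and synthesises a packet that satisfies them, then re-runs the real filter semantics over that packet as a check. Two substitutions are assumptions of this example rather than the post's method: the constraint solving is a brute-force candidate search instead of Z3 (so the script needs only the standard library), and the output is raw bytes rather than scapy objects. The `PROG` filter, the `MAGIC` value and the IHL-equals-5 concretisation are all constructed for the example; only a subset of cBPF opcodes is supported.

```python
"""Symbolic execution of a classic BPF (cBPF) socket filter to derive the packets it accepts.
Added example, not the Cloudflare post's code or filterforge: Z3 is replaced by a small
brute-force candidate search so the script runs on the Python standard library alone."""
from collections import namedtuple
from itertools import product

# cBPF opcodes, subset supported here (values as in <linux/filter.h>)
LD_W_ABS, LD_H_ABS, LD_B_ABS, LD_W_IND, LD_H_IND, LD_B_IND = 0x20, 0x28, 0x30, 0x40, 0x48, 0x50
LDX_MSH, RET_K, JEQ_K, JGT_K, JGE_K, JSET_K = 0xB1, 0x06, 0x15, 0x25, 0x35, 0x45
WIDTH = {LD_W_ABS: 4, LD_H_ABS: 2, LD_B_ABS: 1, LD_W_IND: 4, LD_H_IND: 2, LD_B_IND: 1}
INDIRECT = {LD_W_IND, LD_H_IND, LD_B_IND}   # load offset is X + k; ldx msh sets X = 4 * (pkt[k] & 0xF)
JMP_OPS = {JEQ_K: lambda a, k: a == k, JGT_K: lambda a, k: a > k,
           JGE_K: lambda a, k: a >= k, JSET_K: lambda a, k: (a & k) != 0}
Field = namedtuple("Field", "off width mask")   # symbolic A: big-endian load at off, ANDed with mask


def read_field(f, pkt):
    return int.from_bytes(pkt[f.off:f.off + f.width], "big") & f.mask


def accept_paths(prog):
    """Yield the (field, jump_op, k, taken) constraints of every path that returns non-zero."""
    def walk(pc, a, x, cons):           # cBPF jumps only go forward, so this terminates
        code, jt, jf, k = prog[pc]
        if code == RET_K:
            if k:
                yield cons
        elif code in WIDTH:
            w, off = WIDTH[code], (x + k if code in INDIRECT else k)
            yield from walk(pc + 1, Field(off, w, (1 << 8 * w) - 1), x, cons)
        elif code == LDX_MSH:           # concretise: assume IHL == 5 (no IP options), so X == 20
            yield from walk(pc + 1, a, 20, cons + [(Field(k, 1, 0x0F), JEQ_K, 5, True)])
        elif code in JMP_OPS:
            yield from walk(pc + 1 + jt, a, x, cons + [(a, code, k, True)])
            yield from walk(pc + 1 + jf, a, x, cons + [(a, code, k, False)])
        else:
            raise ValueError(f"unsupported opcode {code:#x} at pc {pc}")
    yield from walk(0, None, 0, [])


def solve(cons):
    """Packet bytes satisfying one path's constraints, or None. Candidates per field are the
    constants it is compared against and their neighbours; each combination is checked concretely."""
    fields = sorted({c[0] for c in cons}, key=lambda f: (f.off, f.width))
    cands = [sorted({v & f.mask for g, _, k, _ in cons if g == f for v in (k - 1, k, k + 1)}
                    | {0, f.mask}) for f in fields]
    for choice in product(*cands):
        pkt = bytearray(max([64] + [f.off + f.width for f in fields]))
        for f, v in zip(fields, choice):        # OR each field's (already masked) value in
            for i in range(f.width):
                pkt[f.off + i] |= (v >> 8 * (f.width - 1 - i)) & 0xFF
        if all(JMP_OPS[op](read_field(f, pkt), k) == taken for f, op, k, taken in cons):
            return bytes(pkt)
    return None


def run_filter(prog, pkt):
    """Concrete interpreter for the same subset; its verdict (0 = drop) is the ground truth."""
    a = x = pc = 0
    while True:
        code, jt, jf, k = prog[pc]
        if code == RET_K:
            return k
        if code in WIDTH:
            off = x + k if code in INDIRECT else k
            if off + WIDTH[code] > len(pkt):
                return 0                        # out-of-bounds load drops the packet
            a = int.from_bytes(pkt[off:off + WIDTH[code]], "big")
        elif code == LDX_MSH:
            x = 4 * (pkt[k] & 0x0F)
        elif code in JMP_OPS:
            pc += jt if JMP_OPS[code](a, k) else jf
        pc += 1


MAGIC = 0xC0DE   # constructed magic value for this example, not an indicator from the post
# Constructed BPFDoor-style filter over Ethernet frames: accept IPv4 UDP or ICMP whose first
# two payload bytes equal MAGIC (tcpdump: udp[8:2] == MAGIC or icmp[8:2] == MAGIC)
PROG = [
    (LD_H_ABS, 0, 0, 12),     #  0: A = ethertype
    (JEQ_K, 0, 9, 0x0800),    #  1: not IPv4 -> 11 (reject)
    (LD_B_ABS, 0, 0, 23),     #  2: A = IP protocol
    (JEQ_K, 1, 0, 17),        #  3: UDP -> 5
    (JEQ_K, 0, 6, 1),         #  4: ICMP -> 5, else reject
    (LD_H_ABS, 0, 0, 20),     #  5: A = flags / fragment offset
    (JSET_K, 4, 0, 0x1FFF),   #  6: non-first fragment -> reject
    (LDX_MSH, 0, 0, 14),      #  7: X = IPv4 header length
    (LD_H_IND, 0, 0, 22),     #  8: A = halfword at 14 + X + 8, start of the L4 payload
    (JEQ_K, 0, 1, MAGIC),     #  9: magic present -> accept
    (RET_K, 0, 0, 0xFFFF),    # 10: accept (snap length)
    (RET_K, 0, 0, 0),         # 11: reject
]


def magic_packets(prog=PROG):
    """One concrete packet per accepting path, each re-checked by the concrete interpreter."""
    pkts = [solve(cons) for cons in accept_paths(prog)]
    return [p for p in pkts if p is not None and run_filter(prog, p) != 0]
```

Calling `magic_packets()` returns two frames, one for the UDP path and one for the ICMP path; bytes the filter never examines (IP version nibble, addresses, checksums) stay zero, which is the gap scapy fills when the derived constraints are turned into a sendable packet. The candidate search is adequate for filters built from equality and mask tests at fixed offsets; filters that do arithmetic on X or compare computed values are where a real solver such as Z3 earns its place.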
