From 45da13ce5e2393cadfeb04c7032e95018b306751 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=BCrgen=20L=C3=B6hel?=
Date: Wed, 11 May 2022 19:03:39 -0500
Subject: [PATCH] chg: [backdoors] Adds BPFDoor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jürgen Löhel
---
 clusters/backdoor.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/clusters/backdoor.json b/clusters/backdoor.json
index 9b2cbe8..ee16029 100644
--- a/clusters/backdoor.json
+++ b/clusters/backdoor.json
@@ -172,7 +172,20 @@
       ],
       "uuid": "16902832-0118-40f2-b29e-eaba799b2bf4",
       "value": "SUNBURST"
+    },
+    {
+      "description": "BPFDoor is a passive backdoor used by a China-based threat actor. This backdoor supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP allowing the threat actor a variety of mechanisms to interact with the implant",
+      "meta": {
+        "refs": [
+          "https://troopers.de/troopers22/talks/7cv8pz/",
+          "https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896?gi=1effe9eb6507",
+          "https://twitter.com/cyb3rops/status/1523227511551033349",
+          "https://twitter.com/CraigHRowland/status/1523266585133457408"
+        ]
+      },
+      "uuid": "0c3b1aa5-3a33-493e-9126-28ebced4ed09",
+      "value": "BPFDoor"
     }
   ],
-  "version": 11
+  "version": 12
 }
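Review bot: The second `refs` entry in the new BPFDoor object carries a per-visitor tracking query string (`?gi=1effe9eb6507`) that is not part of the article's canonical address; it should be trimmed so the reference is stable and identical across contributors: `"https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896"`. The two Twitter status links are the only sources for the detection claims and tend to disappear; consider pairing each with an archived copy or a longer-form write-up so the cluster keeps a verifiable source. The `description` string also ends without a terminal period after "interact with the implant", which looks unintended for a sentence that otherwise reads as complete. The "China-based threat actor" attribution is stated in the description only; if the galaxy has a threat-actor cluster, linking it via the usual `related` mechanism would keep the attribution machine-readable (confirm against the other entries in this file, which are outside the hunk).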