Linux Malware - BPFDoor

Anvilogic Forge

Summary
BPFDoor is a sophisticated Linux backdoor associated with the Chinese threat group Red Menshen. It operates as a Berkeley Packet Filter (BPF) sniffer: by inspecting packets at the network layer rather than binding a socket, it can bypass firewall protections and operate without any open listening port. The malware gives remote code execution to attackers who possess the specific 'magic' password needed to control the implant. Detection of BPFDoor involves tracking specific process executions on Linux or macOS systems through a combination of process path and command arguments indicative of its activity. The rule is implemented as a Snowflake query over EDR logs, looking for processes that exhibit behaviors characteristic of the backdoor. The technique mapped here (T1211, Exploitation for Defense Evasion) covers how adversaries abuse permitted system functionality, such as packet filtering, to conceal malicious activity.
Categories
  • Linux
  • macOS
  • Endpoint
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1211
Created: 2024-02-09