China-linked Red Menshen using BPFdoor kernel backdoor in telecom networks
27 March 2026 at 05:05
The backdoor operates at the kernel level, using BPF to passively inspect traffic and trigger on crafted packets, avoiding exposed ports or typical C2 indicators.
Tradecraft enables long-term persistence and covert access inside core network infrastructure, with very limited visibility from standard monitoring.
Interesting case of network-layer backdoor design rather than traditional userland implants.
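A triage check that follows from the post, as an added example (not code from the post or from any published BPFdoor analysis): the common way to build a passive-trigger implant on Linux is a userland process that opens an AF_PACKET raw socket and attaches a classic BPF filter with SO_ATTACH_FILTER, so the filter runs in the kernel's packet path and the process never listens on a port. The socket itself is still visible in /proc/net/packet and can be tied back to its owner through /proc/<pid>/fd. The /proc samples and process names below are constructed stand-ins; the live-host helpers read the real files when run as root.

```python
"""Triage helper: which processes hold AF_PACKET raw sockets?

A passive BPF backdoor owns a raw packet socket in userland while its
filter executes in the kernel, so there is no listening port to find.
The socket is still listed in /proc/net/packet; this maps each one back
to a pid via the socket:[inode] links in /proc/<pid>/fd.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

SOCK_RAW = 3          # Type column: 3 = SOCK_RAW, 2 = SOCK_DGRAM
ETH_P_ALL = 0x0003    # Proto column: socket asked for every frame

# Constructed sample of /proc/net/packet (column layout follows
# packet_seq_show() in net/packet/af_packet.c; values are made up).
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      32817
0000000000000000 3      2    0800   0     1 0      0      21005
0000000000000000 3      3    0003   0     1 0      0      999
"""

# Constructed stand-in for readlink() over /proc/<pid>/fd/*; the pids and
# process names are hypothetical. Inode 999 deliberately has no owner.
SAMPLE_FD_TABLE: Dict[int, List[str]] = {
    1042: ["/dev/null", "socket:[32817]", "pipe:[77]"],
    615: ["socket:[21005]", "/dev/null"],
}
SAMPLE_COMM: Dict[int, str] = {1042: "suspicious_svc", 615: "dhclient"}


@dataclass
class PacketSocket:
    inode: int
    sock_type: int
    proto: int
    ifindex: int


@dataclass
class Finding:
    pid: Optional[int]      # None when no readable process owns the socket
    comm: str
    inode: int
    proto: int
    ifindex: int
    every_frame: bool       # SOCK_RAW bound to ETH_P_ALL: sees all traffic


def parse_proc_net_packet(text: str) -> List[PacketSocket]:
    """Parse the /proc/net/packet table, skipping its header line."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append(PacketSocket(inode=int(fields[8]), sock_type=int(fields[2]),
                                    proto=int(fields[3], 16), ifindex=int(fields[4])))
    return sockets


def map_inodes_to_pids(fd_table: Dict[int, Iterable[str]]) -> Dict[int, int]:
    """Invert {pid: [fd link targets]} into {socket inode: pid}."""
    link = re.compile(r"^socket:\[(\d+)\]$")
    inode_to_pid: Dict[int, int] = {}
    for pid, targets in fd_table.items():
        for target in targets:
            m = link.match(target)
            if m:
                inode_to_pid[int(m.group(1))] = pid
    return inode_to_pid


def find_raw_sniffers(proc_net_packet: str, fd_table: Dict[int, Iterable[str]],
                      comm: Dict[int, str]) -> List[Finding]:
    """Return every SOCK_RAW packet socket with its owning process, sorted by inode.

    Sockets whose owner cannot be resolved are kept (pid None) rather than
    dropped: an unreadable /proc/<pid>/fd is itself worth a look.
    """
    owners = map_inodes_to_pids(fd_table)
    findings = []
    for sock in parse_proc_net_packet(proc_net_packet):
        if sock.sock_type != SOCK_RAW:
            continue
        pid = owners.get(sock.inode)
        findings.append(Finding(pid=pid, comm=comm.get(pid, "<unresolved>") if pid else "<unresolved>",
                                inode=sock.inode, proto=sock.proto, ifindex=sock.ifindex,
                                every_frame=sock.proto == ETH_P_ALL))
    return sorted(findings, key=lambda f: f.inode)


def read_live_fd_table() -> Dict[int, List[str]]:
    """Walk /proc/<pid>/fd on a real Linux host (needs root to see other users' fds)."""
    table: Dict[int, List[str]] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        fd_dir = f"/proc/{entry}/fd"
        try:
            names = os.listdir(fd_dir)
        except OSError:
            continue
        targets = []
        for fd in names:
            try:
                targets.append(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                pass
        table[int(entry)] = targets
    return table


def read_live_comm(pid: int) -> str:
    try:
        with open(f"/proc/{pid}/comm") as fh:
            return fh.read().strip()
    except OSError:
        return "<unresolved>"


if __name__ == "__main__":
    with open("/proc/net/packet") as fh:
        table_text = fh.read()
    live_fds = read_live_fd_table()
    live_comm = {pid: read_live_comm(pid) for pid in live_fds}
    for f in find_raw_sniffers(table_text, live_fds, live_comm):
        print(f"pid={f.pid} comm={f.comm} inode={f.inode} proto=0x{f.proto:04x} "
              f"ifindex={f.ifindex} every_frame={f.every_frame}")
```

This produces a triage list, not a verdict: tcpdump, dhclient, systemd-networkd, lldpd and IDS sensors legitimately hold raw packet sockets. For each hit, confirm the binary's path and hash and dump the attached classic BPF program with `ss -0pb` (root required), since the filter contents are not exposed in /proc/net/packet.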