{"id":403,"date":"2026-03-26T18:35:23","date_gmt":"2026-03-26T18:35:23","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=403"},"modified":"2026-03-26T18:35:23","modified_gmt":"2026-03-26T18:35:23","slug":"china-linked-red-menshen-uses-stealthy-bpfdoor-implants-to-spy-via-telecom-networks","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=403","title":{"rendered":"China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks"},"content":{"rendered":"
\n
<\/a><\/div>\n

A long-term and ongoing campaign attributed to a China-nexus threat actor has embedded itself in telecom networks to conduct espionage against government networks.<\/p>\n

The strategic positioning activity, which involves implanting and maintaining stealthy access mechanisms within critical environments, has been attributed to Red Menshen<\/strong>, a threat cluster that’s also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18. The group has a track record of striking telecom providers across the Middle East and Asia since at least 2021.<\/p>\n

Rapid7 described the covert access mechanisms as \u00absome of the stealthiest digital sleeper cells\u00bb ever encountered in telecommunications networks.<\/p>\n

The campaign is characterized by the use of kernel-level implants, passive backdoors, credential-harvesting utilities, and cross-platform command frameworks, giving the threat actor the ability to persistently inhabit networks of interest. One of the most recognized tools in its malware arsenal is a Linux backdoor called BPFDoor.<\/p>\n

\u00abUnlike conventional malware, BPFdoor does not expose listening ports or maintain visible command-and-control channels,\u00bb Rapid7 Labs said<\/a> in a report shared with The Hacker News. \u00abInstead, it abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the kernel, activating only when it receives a specifically crafted trigger packet.\u00bb<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

\u00abThere is no persistent listener or obvious beaconing. The result is a hidden trapdoor embedded within the operating system itself.\u00bb<\/p>\n

The attack chains begin with the threat actor targeting internet-facing infrastructure and exposed edge services, such as VPN appliances, firewalls, and web-facing platforms associated with Ivanti, Cisco, Juniper Networks, Fortinet, VMware, Palo Alto Networks, and Apache Struts, to obtain initial access.<\/p>\n

Upon gaining a successful foothold, Linux-compatible beacon frameworks such as CrossC2 are deployed to facilitate post-exploitation activities. Also dropped are Sliver, TinyShell (a Unix backdoor<\/a>), keyloggers, and brute-force utilities to facilitate credential harvesting and lateral movement.<\/p>\n

Central to Red Menshen’s operations, however, is BPFDoor. It features two distinct components: One is a passive backdoor deployed on the compromised Linux system to inspect incoming traffic for a predefined \u00abmagic\u00bb packet by installing a BPF filter and spawning a remote shell upon receiving such a packet. The other integral part of the framework is a controller that’s administered by the attacker and is responsible for sending the specially formatted packets.<\/p>\n

\"\"<\/a><\/div>\n

\u00abThe controller is also designed to operate within the victim\u2019s environment itself,\u00bb Rapid7 explained. \u00abIn this mode, it can masquerade as legitimate system processes and trigger additional implants across internal hosts by sending activation packets or by opening a local listener to receive shell connections, effectively enabling controlled lateral movement between compromised systems.\u00bb<\/p>\n

What’s more, certain BPFDoor artifacts have been found to support the Stream Control Transmission Protocol (SCTP<\/a>), potentially enabling the adversary to monitor telecom-native protocols and gain visibility into subscriber behavior and location, and even track individuals of interest.<\/p>\n

These aspects demonstrate that the functionality of BPFdoor goes beyond a stealthy Linux backdoor. \u00abBPFdoor functions as an access layer embedded within the telecom backbone, providing long-term, low-noise visibility into critical network operations,\u00bb the security vendor added.<\/p>\n

It doesn’t end there. A previously undocumented variant of BPFdoor incorporates architectural changes to make it more evasive and stay undetected for prolonged periods in modern enterprise and telecom environments. These include concealing the trigger packet within seemingly legitimate HTTPS traffic and introducing a novel parsing mechanism that ensures the string \u00ab9999\u00bb appears at a fixed byte offset within the request.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

This camouflage, in turn, allows the magic packet to stay hidden inside HTTPS traffic and avoid causing shifts to the position of data inside the request, and allows the implant to always check for the marker at a specific byte offset and, if it’s present, interpret it as the activation command.<\/p>\n

The newly discovered sample also debuts a \u00ablightweight communication mechanism\u00bb that uses the Internet Control Message Protocol (ICMP) for interacting between two infected hosts.<\/p>\n

\u00abThese findings reflect a broader evolution in adversary tradecraft,\u00bb Rapid7 said. \u00abAttackers are embedding implants deeper into the computing stack \u2014 targeting operating system kernels and infrastructure platforms rather than relying solely on user-space malware.\u00bb<\/p>\n

\u00abTelecom environments \u2014 combining bare-metal systems, virtualization layers, high-performance appliances, and containerized 4G\/5G core components \u2014 provide ideal terrain for low-noise, long-term persistence. By blending into legitimate hardware services and container runtimes, implants can evade traditional endpoint monitoring and remain undetected for extended periods.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

A long-term and ongoing campaign attributed to a China-nexus threat actor has embedded itself in telecom networks to conduct espionage against government networks. The strategic positioning activity, which involves implanting…<\/p>\n","protected":false},"author":1,"featured_media":404,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[915,479,502,913,280,288,565,914,485],"class_list":["post-403","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-bpfdoor","tag-chinalinked","tag-implants","tag-menshen","tag-networks","tag-red","tag-spy","tag-stealthy","tag-telecom"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/403","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=403"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/403\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/404"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=403"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=403"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=403"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}