A China-nexus threat actor known as Red Menshen has embedded stealthy BPFDoor implants in telecom networks across the Middle East and Asia, using kernel-level backdoors and passive monitoring to conduct long-term espionage against government and critical infrastructure targets.
A sophisticated espionage campaign attributed to a China-linked threat actor has successfully embedded itself within telecom networks across the Middle East and Asia, using advanced stealth techniques to conduct long-term surveillance operations. The campaign, attributed to Red Menshen (also known as Earth Bluecrow, DecisiveArchitect, and Red Dev 18), represents one of the most persistent and covert cyber espionage efforts targeting critical telecommunications infrastructure.
According to research from Rapid7, the threat actor has been actively compromising telecom providers since at least 2021, deploying what security researchers describe as "some of the stealthiest digital sleeper cells" ever encountered in telecommunications networks. The campaign's strategic positioning within telecom infrastructure allows the group to maintain persistent access to government networks and critical systems.
The BPFDoor Backdoor: A Kernel-Level Threat
Central to Red Menshen's operations is BPFDoor, a Linux backdoor that operates at the kernel level, making it exceptionally difficult to detect using traditional security monitoring tools. Unlike conventional malware that exposes listening ports or maintains visible command-and-control channels, BPFDoor abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly within the kernel.
"BPFdoor does not expose listening ports or maintain visible command-and-control channels," Rapid7 Labs explained. "Instead, it abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the kernel, activating only when it receives a specifically crafted trigger packet."
The backdoor operates through a two-component system: a passive backdoor deployed on compromised Linux systems that monitors incoming traffic for predefined "magic" packets, and a controller operated by the attacker that sends specially formatted packets to activate the backdoor. When the trigger packet is detected, BPFDoor spawns a remote shell, providing the attacker with full system access.
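One defender-side hunting check for the behaviour described above, as an added example that is not Rapid7's or any project's code: because the implant sits on a raw AF_PACKET socket with a BPF filter rather than on a listening port, the socket still appears in /proc/net/packet, and /proc/<pid>/fd links it back to a process. The /proc/net/packet sample embedded below is constructed, and the pid mapping in the test is assumed.

```python
import os
import re

# Constructed sample of /proc/net/packet (not captured from a real host).
# Columns: sk RefCnt Type Proto Iface R Rmem User Inode
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c3a1d2b4000 3      3    0003   0     1 0      0      45231
ffff9c3a1d2b8800 3      3    0800   2     1 0      0      45278
"""

def parse_proc_net_packet(text):
    """Parse /proc/net/packet into dicts, one per AF_PACKET socket.
    Proto is the bound ethertype in hex (0003 = ETH_P_ALL, 0800 = IPv4);
    Iface 0 means the socket sees traffic on every interface."""
    rows = []
    for line in text.splitlines()[1:]:       # skip the header row
        f = line.split()
        if len(f) < 9:
            continue
        rows.append({"proto": f[3], "iface": int(f[4]), "inode": int(f[8])})
    return rows

def socket_inodes_by_pid(proc_root="/proc"):
    """Walk /proc/<pid>/fd and map socket inode -> set of pids holding it."""
    holders = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                      # process exited or no permission
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                holders.setdefault(int(m.group(1)), set()).add(int(pid))
    return holders

def find_packet_socket_holders(packet_text, inode_to_pids):
    """Join packet sockets to owning pids. A socket no pid claims (pids == set())
    deserves a look: the holder may be hidden, or it was short-lived."""
    return [dict(row, pids=inode_to_pids.get(row["inode"], set()))
            for row in parse_proc_net_packet(packet_text)]

if __name__ == "__main__":
    with open("/proc/net/packet") as fh:
        for hit in find_packet_socket_holders(fh.read(), socket_inodes_by_pid()):
            print(hit)
```

On a live Linux host, run it with enough privilege to read other processes' fd directories; `ss -0pb` additionally prints the attached BPF filter for each packet socket, which is the piece this script cannot see.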
Attack Chain and Initial Access
The campaign begins with Red Menshen targeting internet-facing infrastructure and exposed edge services. The group exploits vulnerabilities in VPN appliances, firewalls, and web-facing platforms from vendors and products including Ivanti, Cisco, Juniper Networks, Fortinet, VMware, Palo Alto Networks, and Apache Struts to obtain initial access.
Once inside a network, the attackers deploy Linux-compatible beacon frameworks such as CrossC2 to facilitate post-exploitation activities. Additional tools including Sliver, TinyShell (a Unix backdoor), keyloggers, and brute-force utilities are deployed to harvest credentials and enable lateral movement across the compromised network.
Advanced Evasion Techniques
Recent analysis has uncovered a previously undocumented variant of BPFDoor that incorporates architectural changes to enhance its stealth capabilities. This new variant conceals trigger packets within seemingly legitimate HTTPS traffic and introduces a novel parsing mechanism that ensures the string "9999" appears at a fixed byte offset within the request.
This camouflage allows the magic packet to remain hidden inside HTTPS traffic without causing shifts in data positioning, enabling the implant to consistently check for the activation marker at a specific byte offset. The variant also debuts a lightweight communication mechanism using the Internet Control Message Protocol (ICMP) for interaction between infected hosts.
Telecom-Specific Capabilities
What makes this campaign particularly concerning is BPFDoor's support for the Stream Control Transmission Protocol (SCTP), which potentially enables the adversary to monitor telecom-native protocols. Such access could give the adversary visibility into subscriber behavior and location data, and the ability to track individuals of interest.
"BPFdoor functions as an access layer embedded within the telecom backbone, providing long-term, low-noise visibility into critical network operations," Rapid7 noted. The combination of bare-metal systems, virtualization layers, high-performance appliances, and containerized 4G/5G core components in telecom environments creates ideal terrain for low-noise, long-term persistence.
Implications for Network Security
The Red Menshen campaign demonstrates a broader evolution in adversary tradecraft, with attackers embedding implants deeper into the computing stack by targeting operating system kernels and infrastructure platforms rather than relying solely on user-space malware. This approach allows the implants to evade traditional endpoint monitoring and remain undetected for extended periods.
For organizations in the telecommunications sector and government agencies, this campaign underscores the critical importance of securing internet-facing infrastructure, implementing robust network segmentation, and deploying advanced threat detection capabilities that can identify anomalous kernel-level activity. The use of passive backdoors that only activate upon receiving specific trigger packets represents a significant challenge for traditional security monitoring approaches.
The persistence and sophistication of this campaign highlight the ongoing threat posed by state-sponsored cyber espionage operations targeting critical infrastructure, emphasizing the need for continuous security assessment and improvement of defensive capabilities.