Red Menshen APT Deploys Stealthy BPFDoor Implants Across Telecom Networks for Surveillance Operations

  • Mar 27
  • 4 min read

Key Findings


  • China-linked threat actor Red Menshen has maintained a long-term espionage campaign targeting telecom networks in the Middle East and Asia since at least 2021

  • The group deploys BPFDoor, a passive Linux backdoor that hides behind an in-kernel Berkeley Packet Filter and behaves as a "digital sleeper cell": no listening port and no command-and-control beaconing

  • BPFDoor attaches a BPF program to a raw socket so that the kernel inspects incoming traffic on the implant's behalf and wakes it only when a specially crafted trigger packet arrives

  • Initial access is gained through exposed edge services, including VPN appliances, firewalls, and web platforms from Ivanti, Cisco, Juniper, Fortinet, VMware, Palo Alto Networks, and Apache Struts

  • A newly discovered BPFDoor variant disguises its trigger packet as HTTPS traffic and uses ICMP for communication between infected hosts, making detection significantly harder

  • Some BPFDoor samples filter SCTP traffic, the signaling transport used in mobile core networks, potentially enabling attackers to track subscriber behavior and location data and to identify individuals of interest


Background


Red Menshen, also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18, represents a sophisticated threat cluster with demonstrated capability to maintain persistent access in critical infrastructure. The group's focus on telecom networks is particularly concerning given that these environments carry government communications, sensitive business data, and personal information for entire populations. Researchers at Rapid7 Labs describe the implants as some of the stealthiest digital sleeper cells ever encountered, operating undetected for prolonged periods.


Initial Access and Exploitation Chain


Red Menshen begins by scanning for internet-facing infrastructure and exploiting known vulnerabilities in edge services. The attack pattern targets devices that serve as natural entry points into networks, such as VPN concentrators and web-facing firewalls. After gaining initial access through these exposed services, the group deploys beacon frameworks such as CrossC2 (a Cobalt Strike-compatible beacon for Linux) to establish command and control. From this foothold the attackers bring in additional tools, including Sliver, TinyShell, keyloggers, and brute-force utilities, to harvest credentials and move laterally toward the core telecom infrastructure where sensitive data resides.


BPFDoor Architecture and Operation


BPFDoor differs from conventional malware in how it abuses legitimate kernel functionality. Rather than opening a listening port or holding an outbound connection, the implant, itself an ordinary user-space process, opens a raw packet socket and attaches a classic Berkeley Packet Filter to it. The kernel runs that filter against every incoming frame and hands the implant only the frames that match a predefined byte sequence, the "magic packet." Because packet sockets receive frames at the link layer before netfilter processing, the trigger arrives even when host firewall rules would drop traffic to the port it is addressed to. When the correct packet arrives, the implant spawns a remote shell, giving the attacker system access. Its stealth comes from this arrangement rather than from running inside the kernel: until it is triggered, the implant listens on nothing and calls home to nothing, so port scans, listening-socket inventories, and beacon hunting all come up empty, and the matching itself happens in the kernel, out of sight of monitoring that only watches sockets and connections.


The BPFDoor framework consists of two main components. The passive backdoor resides on compromised Linux systems and performs the packet inspection and activation functions. The controller, managed by the attacker, sends the specially formatted trigger packets from outside the network or from within the victim's environment itself. When operating internally, the controller can masquerade as legitimate system processes and trigger additional implants across internal hosts, effectively enabling controlled lateral movement between already-compromised systems without generating suspicious traffic patterns.


Telecom-Specific Capabilities


Certain BPFDoor variants include filter support for the Stream Control Transmission Protocol (SCTP), the transport that carries mobile-core signaling (SS7 over SIGTRAN, Diameter, and the S1 and NG interfaces between radio access and core) alongside ordinary TCP and UDP. A filter that understands SCTP places the implant next to the signaling traffic that carries subscriber identifiers and location updates, which is what would allow an operator to monitor subscriber behavior, track location through signaling, and potentially single out specific individuals of interest. SCTP support therefore indicates that Red Menshen has engineered its tooling for telecom environments and the protocols and data flows specific to them. This goes beyond generic remote access and positions BPFDoor as a specialized access layer embedded within the telecom backbone.


Evolution and Evasion Techniques


Recent analysis uncovered a previously undocumented BPFDoor variant with architectural changes aimed at evading detection in modern enterprise and telecom environments. Its trigger packet is shaped to look like HTTPS traffic: it is sent to the TLS port and blends in with the encrypted web traffic that defenders routinely allow through, although the marker itself must be in the clear, since a packet filter cannot look inside a real TLS session. The variant's parsing logic places the string "9999" at a fixed byte offset within the request, so the packet layout never shifts from one trigger to the next. This precision matters because a classic BPF program compares bytes at absolute offsets: a marker whose position never moves can be checked with a single load and compare, so the implant wakes reliably while the packet still looks like a stray connection to a web server.
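The mechanism described in the architecture section above (the in-kernel filter that wakes a dormant implant) and the fixed-offset "9999" check of this variant can be shown in one place. The following Python model is an added example written for this article; it is not code from any BPFDoor sample or from the cited reports. The cBPF opcode encoding, the struct sock_filter layout and SO_ATTACH_FILTER are the real Linux interfaces; the choice of port 443, an HTTP-shaped request, a marker placed 16 bytes into the payload, the 10.0.0.x addresses and the helper names are assumptions made for illustration.

```python
"""Model of a BPFDoor-style trigger filter in classic BPF (cBPF).
Written for this article, not taken from any sample: the opcode encoding and
SO_ATTACH_FILTER are real Linux interfaces; the port-443 HTTP-shaped trigger,
the marker offset and the packet builder are assumptions for illustration."""
import ctypes
import socket
import struct

BPF_LD, BPF_JMP, BPF_RET = 0x00, 0x05, 0x06      # instruction classes (<linux/filter.h>)
BPF_W, BPF_H, BPF_B = 0x00, 0x08, 0x10           # load widths: 4, 2, 1 bytes
BPF_ABS, BPF_K, BPF_JEQ = 0x20, 0x00, 0x10       # absolute load, immediate operand, compare
SO_ATTACH_FILTER = 26                            # <asm-generic/socket.h>

def stmt(code, k):
    return (code, 0, 0, k)

def jeq(k, jt, jf):                              # jt/jf are skips relative to the next insn
    return (BPF_JMP | BPF_JEQ | BPF_K, jt, jf, k)

# Frame offsets assuming Ethernet + IPv4 without options + TCP without options.
# cBPF loads from absolute offsets, which is why the marker must sit at a fixed place.
ETHERTYPE, IP_PROTO, TCP_DPORT, PAYLOAD = 12, 23, 36, 54
MARKER_OFFSET = PAYLOAD + 16                     # assumed position of "9999" in the request
MARKER = int.from_bytes(b"9999", "big")

# Accept only IPv4/TCP to port 443 whose four bytes at MARKER_OFFSET read "9999".
TRIGGER_FILTER = [
    stmt(BPF_LD | BPF_H | BPF_ABS, ETHERTYPE),     jeq(0x0800, 0, 7),
    stmt(BPF_LD | BPF_B | BPF_ABS, IP_PROTO),      jeq(6, 0, 5),
    stmt(BPF_LD | BPF_H | BPF_ABS, TCP_DPORT),     jeq(443, 0, 3),
    stmt(BPF_LD | BPF_W | BPF_ABS, MARKER_OFFSET), jeq(MARKER, 0, 1),
    stmt(BPF_RET | BPF_K, 0xFFFF),               # deliver the frame to the implant
    stmt(BPF_RET | BPF_K, 0),                    # drop: the implant never wakes
]

def run_cbpf(prog, frame):
    """Minimal interpreter for the subset above; mirrors what the kernel does per frame."""
    acc = pc = 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        cls = code & 0x07
        if cls == BPF_LD:
            width = {BPF_W: 4, BPF_H: 2, BPF_B: 1}[code & 0x18]
            if k + width > len(frame):
                return 0                         # out-of-range load rejects, as in the kernel
            acc = int.from_bytes(frame[k:k + width], "big")
        elif cls == BPF_JMP:
            pc += jt if acc == k else jf
        elif cls == BPF_RET:
            return k
        else:
            raise ValueError("opcode not modelled: 0x%02x" % code)
    return 0

def to_sock_filter(prog):
    """Pack as an array of struct sock_filter {u16 code; u8 jt; u8 jf; u32 k}."""
    return b"".join(struct.pack("HBBI", *insn) for insn in prog)

def attach_filter(sock, prog):
    """Implant side: attach to an AF_PACKET socket (needs CAP_NET_RAW; not run by the tests).
    Packet sockets get frames ahead of netfilter, so a host firewall does not stop the trigger."""
    insns = ctypes.create_string_buffer(to_sock_filter(prog))
    fprog = struct.pack("HL", len(prog), ctypes.addressof(insns))   # struct sock_fprog
    sock.setsockopt(socket.SOL_SOCKET, SO_ATTACH_FILTER, fprog)

def ip_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(payload, dport=443, proto=6):
    """Controller side: Ethernet/IPv4/TCP frame (MACs and TCP checksum left zero in the model)."""
    eth = bytes(12) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, proto, 0,
                     socket.inet_aton("10.0.0.2"), socket.inet_aton("10.0.0.9"))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def trigger_payload():
    """HTTP-shaped request with "9999" exactly 16 bytes in, where the filter's word load lands."""
    return b"GET /index.html 9999 HTTP/1.1\r\nHost: cdn.example\r\n\r\n"

if __name__ == "__main__":
    print("trigger  ->", run_cbpf(TRIGGER_FILTER, build_frame(trigger_payload())))
    print("shifted  ->", run_cbpf(TRIGGER_FILTER, build_frame(b" " + trigger_payload())))
```

run_cbpf() is close enough to the kernel's evaluation to show the property that matters: shift the marker by a single byte, change the port, or send it over UDP, and the filter returns 0 and the implant never wakes. attach_filter() is what the implant side would actually call on an AF_PACKET socket; it needs CAP_NET_RAW and the self-test never calls it. For comparison, `tcpdump -dd 'tcp dst port 443'` emits the same struct sock_filter array for a filter expression, which is useful when judging whether a program found on a live socket looks like a capture tool's filter or like a trigger check.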


The newly discovered sample also features a lightweight communication mechanism using the Internet Control Message Protocol for interactions between infected hosts. ICMP, commonly used for network diagnostics like ping, typically generates minimal security alerts compared to other protocols, providing another layer of stealth for lateral movement and command execution.


Broader Implications for Infrastructure Security


The Red Menshen campaign reflects a shift in advanced adversary tradecraft. Rather than relying on malware that advertises itself through listening ports, outbound beacons, and files that antivirus can scan, sophisticated actors increasingly lean on the operating system's own facilities (here, the kernel's packet filtering) and on the infrastructure platforms themselves. Telecom environments are especially attractive because of their layered architecture combining bare-metal systems, virtualization platforms, high-performance appliances, and containerized 4G and 5G core components. By embedding implants in these layers and blending in with legitimate platform services and container runtimes, attackers achieve persistence that survives system updates, antivirus scans, and security controls designed to operate at higher software layers.
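A defender-side counterpart, added here as an example for this article (it is not the detection tool mentioned in the sources and not code from any report): everything a BPFDoor-style implant needs leaves a trace in /proc. The raw packet socket is listed in /proc/net/packet, and the process that owns it links to that socket's inode from /proc/<pid>/fd. The script below correlates the two and applies a few assumed heuristics (executable unlinked or staged in tmpfs, argv[0] that does not match the executable, a raw socket bound to every ethertype). The sample /proc/net/packet text, pids, inodes and process names are constructed for the self-contained run and are not indicators from the campaign.

```python
"""Hunt for packet sockets that look like a BPFDoor-style implant.
Added example for this article, not the detection tool the sources mention.
A BPFDoor-like process needs a raw AF_PACKET socket; that socket is listed in
/proc/net/packet and the owner's fd table links to its inode. The traits in
assess() are assumed heuristics for such a process, not signatures."""
import os
from collections import namedtuple

ETH_P_ALL, SOCK_RAW = 0x0003, 3                  # "every ethertype", raw packet socket
TMPFS_PREFIXES = ("/dev/shm/", "/tmp/", "/var/tmp/")

# One row of /proc/net/packet: Type 3 = SOCK_RAW, Proto = bound ethertype, User = uid
PacketSocket = namedtuple("PacketSocket", "inode sock_type proto uid")
# What we know about the owner; exe is readlink(/proc/<pid>/exe) or "" when unreadable
ProcInfo = namedtuple("ProcInfo", "pid comm argv0 exe")

def parse_proc_net_packet(text):
    """Columns: sk RefCnt Type Proto Iface R Rmem User Inode (Proto is printed in hex)."""
    socks = []
    for line in text.splitlines()[1:]:           # first line is the header row
        f = line.split()
        if len(f) >= 9:
            socks.append(PacketSocket(int(f[8]), int(f[2]), int(f[3], 16), int(f[7])))
    return socks

def read_proc_info(pid, proc_root="/proc"):
    base = os.path.join(proc_root, str(pid))
    def read(name):
        try:
            with open(os.path.join(base, name), "rb") as fh:
                return fh.read()
        except OSError:
            return b""
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = ""
    return ProcInfo(pid, read("comm").decode("utf-8", "replace").strip(),
                    read("cmdline").split(b"\0")[0].decode("utf-8", "replace"), exe)

def socket_owners(proc_root="/proc"):
    """Map socket inode -> owning process via /proc/<pid>/fd (run as root to see all pids)."""
    owners = {}
    for name in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir, info = os.path.join(proc_root, name, "fd"), None
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue                         # fd closed between listdir and readlink
            if target.startswith("socket:["):
                info = info or read_proc_info(int(name), proc_root)
                owners[int(target[8:-1])] = info
    return owners

def assess(sock, proc):
    """Reasons this packet socket deserves a look; an empty list means nothing odd."""
    if proc is None:
        return ["no visible owner: hidden pid or insufficient privilege to read fd tables"]
    reasons, exe_path = [], proc.exe.replace(" (deleted)", "")
    if not proc.exe or proc.exe.endswith(" (deleted)"):
        reasons.append("executable unlinked from disk")
    if exe_path.startswith(TMPFS_PREFIXES):
        reasons.append("executable staged in writable tmpfs: " + exe_path)
    if proc.argv0 and os.path.basename(proc.argv0) != os.path.basename(exe_path):
        reasons.append("argv[0] %r does not match exe %r" % (proc.argv0, exe_path))
    if sock.sock_type == SOCK_RAW and sock.proto == ETH_P_ALL:
        reasons.append("raw socket on ETH_P_ALL: receives every frame ahead of netfilter")
    return reasons

def hunt(proc_net_packet_text, owners):
    """(socket, owner, reasons) for every packet socket that has at least one reason."""
    findings = []
    for sock in parse_proc_net_packet(proc_net_packet_text):
        reasons = assess(sock, owners.get(sock.inode))
        if reasons:
            findings.append((sock, owners.get(sock.inode), reasons))
    return findings

# Constructed sample: a DHCP client (benign) next to a process shaped like the
# public BPFDoor descriptions (argv[0] borrowed from a system daemon, binary
# dropped in /dev/shm and unlinked). Inodes, pids and names are made up.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000001 3      3    0800   2     1 0      0      40001
0000000000000002 3      3    0003   2     1 0      0      40002
"""
SAMPLE_OWNERS = {
    40001: ProcInfo(811, "dhclient", "/sbin/dhclient", "/sbin/dhclient"),
    40002: ProcInfo(4242, "kdmtmpflush", "/sbin/udevd -d", "/dev/shm/kdmtmpflush (deleted)"),
}

if __name__ == "__main__":
    with open("/proc/net/packet") as fh:
        for sock, proc, reasons in hunt(fh.read(), socket_owners()):
            print("inode %d uid %d pid %s" % (sock.inode, sock.uid, proc.pid if proc else "?"), reasons)
```

Run it as root so every process's fd table is readable. Expect benign holders of packet sockets (DHCP clients, tcpdump, lldpd, NetworkManager and similar); what matters is the combination of reasons, not any single one. To confirm a hit, `ss -0pb` prints the cBPF program attached to each packet socket; a program that compares a few bytes at fixed offsets and otherwise accepts nothing is the trigger check described above, not a capture filter.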


Sources


  • https://thehackernews.com/2026/03/china-linked-red-menshen-uses-stealthy.html

  • https://securityaffairs.com/190029/malware/china-linked-red-menshen-apt-deploys-stealthy-bpfdoor-implants-in-telecom-networks.html

  • https://www.reddit.com/r/SecOpsDaily/comments/1s4glpi/chinalinked_red_menshen_uses_stealthy_bpfdoor/

  • https://x.com/TheCyberSecHub/status/2037229770908512761

  • https://www.socdefenders.ai/item/09f20018-e771-4a69-a86e-3ec868b1efa2

  • https://ground.news/article/researchers-release-tool-to-detect-stealthy-bpfdoor-implants-in-critical-infrastructure-networks

© 2025 by Explain IT Again.