
China-Linked Red Menshen Uses Stealthy BPFDoor Plants to Spy on Telecom Networks

A long-running and ongoing campaign by a China-nexus threat actor has embedded itself in telecommunications networks to conduct espionage against government networks.

The activity, a form of strategic pre-positioning that involves planting and maintaining hidden access routes within key environments, has been attributed to Red Menshen, a threat group also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18. The group has a history of targeting telecom operators across the Middle East and Asia since at least 2021.

Rapid7 described the implants as “some of the most dormant digital cells” ever discovered in telecommunications networks.

The campaign is characterized by the use of kernel-level implants, backdoors, credential-harvesting tools, and cross-platform command-and-control frameworks, giving the threat actor the ability to remain on networks of interest for long periods. One of the most prominent tools in its malware arsenal is a Linux backdoor called BPFDoor.

“Unlike traditional malware, BPFdoor does not expose listening ports or maintain virtual control and monitoring channels,” Rapid7 Labs said in a report shared with Hacker News. “Instead, it abuses the functionality of the Berkeley Packet Filter (BPF) to inspect network traffic directly within the kernel, only to be activated if it receives a specially crafted trigger packet.”

“There is no persistent listener or transparent light. The result is a hidden trap door embedded within the operating system itself.”

Attack chains begin with a threat actor targeting Internet-facing infrastructure and exposed edge services, such as VPN devices, firewalls, and web-facing platforms associated with Ivanti, Cisco, Juniper Networks, Fortinet, VMware, Palo Alto Networks, and Apache Struts, to gain initial access.

After gaining a foothold, Linux-compatible beacon frameworks such as CrossC2 are used to support post-exploitation operations. Also dropped are Sliver, TinyShell (a Unix backdoor), keyloggers, and brute-force utilities to facilitate credential harvesting and lateral movement.

Central to Red Menshen’s operations, however, is BPFDoor. It consists of two separate components. The first is a backdoor installed on a compromised Linux system that applies a BPF filter to inspect incoming traffic for a predefined “magic” packet and spawns a remote shell when it receives one. The second is a controller, operated by the attacker, that is responsible for sending the specially formatted packets.
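Because the backdoor component described above sniffs traffic through a BPF filter on a packet socket rather than a listening port, it does not show up in a list of listening services. What it cannot avoid on Linux is a row in `/proc/net/packet` and a `socket:[inode]` entry under some process's `/proc/<pid>/fd`. The following script is an added defender-side example written for this article, not Rapid7's tooling or BPFDoor's code; it joins those two views to list which processes hold raw AF_PACKET sockets. The `/proc/net/packet` text embedded in it and the inode-to-PID mapping used in the test are constructed sample data.

```python
"""Hunt for processes holding raw AF_PACKET sockets, the primitive a
BPFDoor-style implant needs to inspect traffic without a listening port.

Added example for this article; the sample /proc/net/packet content below
is constructed, not captured from a real host.
"""
import os
import re

SOCK_RAW = 3        # value of the Type column for a raw packet socket on Linux
ETH_P_ALL = 0x0003  # Proto column (hex) meaning "all Ethernet protocols"

# Constructed sample of /proc/net/packet: one raw socket bound to ifindex 2,
# one bound to all interfaces (Iface 0). Inode numbers are made up.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      31337
0000000000000000 3      3    0003   0     1 0      0      42
"""


def parse_proc_net_packet(text):
    """Parse /proc/net/packet text into a list of dicts, one per packet socket."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 9:
            continue
        rows.append({
            "type": int(parts[2]),
            "proto": int(parts[3], 16),
            "iface": int(parts[4]),
            "user": int(parts[7]),
            "inode": int(parts[8]),
        })
    return rows


def socket_inode_to_pids(proc_root="/proc"):
    """Walk /proc/<pid>/fd and map every socket inode to the PIDs holding it.

    Reads the live procfs; needs enough privilege to read other users' fd dirs.
    """
    mapping = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited or permission denied
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            match = re.fullmatch(r"socket:\[(\d+)\]", target)
            if match:
                mapping.setdefault(int(match.group(1)), []).append(int(pid))
    return mapping


def find_packet_socket_holders(packet_text, inode_to_pids):
    """Return raw ETH_P_ALL packet sockets joined with the PIDs that own them.

    A socket with no owning PID is still reported: an implant that hides its
    fd, or a process the caller cannot read, is exactly what to look at next.
    """
    findings = []
    for row in parse_proc_net_packet(packet_text):
        if row["type"] == SOCK_RAW and row["proto"] == ETH_P_ALL:
            findings.append({**row, "pids": inode_to_pids.get(row["inode"], [])})
    return findings


if __name__ == "__main__":
    if os.path.exists("/proc/net/packet"):
        with open("/proc/net/packet") as fh:
            text = fh.read()
        inodes = socket_inode_to_pids()
    else:  # not on Linux: demonstrate on the constructed sample
        text, inodes = SAMPLE_PROC_NET_PACKET, {31337: [4242]}
    for f in find_packet_socket_holders(text, inodes):
        scope = "all interfaces" if f["iface"] == 0 else f"ifindex {f['iface']}"
        print(f"raw packet socket inode={f['inode']} on {scope} uid={f['user']} pids={f['pids']}")
```

Legitimate packet-socket holders (DHCP clients, `tcpdump`, some monitoring agents) will appear too, so treat the output as a hunt list rather than an alert: an unknown binary, a process whose name mimics a system daemon, or a socket whose inode maps to no readable process deserves a closer look. On a live host, `ss -0pb` gives a comparable view and additionally dumps the attached BPF filter bytecode.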

“The controller is also designed to work in the victim’s own environment,” explains Rapid7. “In this mode, it can act as legitimate system processes and initiate additional installations on all internal hosts by sending operational packets or by opening a local listener to receive shell connections, enabling controlled joint movement between vulnerable systems.”

In addition, some BPFDoor artifacts were found to support the Stream Control Transmission Protocol (SCTP), which could enable an adversary to monitor native telecom signaling protocols, identify subscriber behavior and location, and track contacts.

These features show that BPFDoor’s functionality extends beyond that of an ordinary Linux backdoor. “BPFdoor acts as an access layer embedded within the telecom backbone, providing long-term, low-noise visibility into critical network operations,” the security vendor said.

It doesn’t end there. A previously undocumented variant of BPFDoor includes architectural changes that make it more evasive and harder to detect over long periods in modern enterprise and telecommunications environments. These include hiding the trigger packet within seemingly legitimate HTTPS traffic and introducing a new parsing method that checks whether the string “9999” appears at a fixed byte offset within the request.

This approach lets the magic packet blend into HTTPS traffic without altering the request’s data area, while the implant only ever has to check for the tag at that fixed byte offset and, if it is present, interpret it as an activation command.

The newly discovered sample also introduces a “lightweight communication mechanism” that uses the Internet Control Message Protocol (ICMP) to communicate between two infected hosts.

“These findings indicate a broader shift in enemy trade,” Rapid7 said. “Attackers are embedding vulnerabilities deep in the computer stack – targeting operating system caches and infrastructure platforms rather than relying solely on malware.”

“Telecom environments – combining bare-metal systems, virtualization layers, high-performance equipment, and 4G / 5G core components – provide an ideal environment for low-noise, long-term persistence. By combining with legitimate hardware services and container runtimes, the installation can avoid standard endpoint monitoring to remain unavailable for a long time.”
