An extensive investigation conducted by Rapid7 Labs has uncovered a sophisticated cyber espionage operation orchestrated by Red Menshen, a threat actor linked to China. This group has embedded highly covert digital sleeper cells within global telecommunications infrastructures, marking a significant shift towards long-term strategic positioning.
Unveiled on March 26, 2026, the report highlights a transition from sporadic cyberattacks to entrenched operations within the crucial networks that form the backbone of both national and international communications.
Targeting Telecommunications Networks
The telecommunications sector is critical infrastructure: it carries government communications, performs subscriber identity verification, and coordinates other critical industries. Its signalling planes run on protocols such as SS7 and Diameter, carried over SCTP, which handle interconnection between operators and subscriber mobility (roaming, location updates, authentication). That makes telecom cores targets for intelligence gathering on a scale far beyond a typical data breach.
An attacker with persistent access inside a telecom core can expose subscriber data, track where subscribers are, and intercept authentication exchanges, which turns the network itself into an instrument of geopolitical monitoring. Red Menshen has focused on telecom providers in South Korea, Hong Kong, Myanmar, Malaysia, Egypt, and the Middle East, with potential spillover into the government networks that connect to them.
The BPFdoor Backdoor Mechanism
Central to this campaign is a Linux backdoor known as BPFdoor. It is a user-space implant, but it attaches a classic Berkeley Packet Filter (BPF) program to a raw packet socket, so the kernel filters every inbound frame before the implant sees it. Unlike traditional malware, BPFdoor never opens a listening port and generates no beaconing traffic of its own: the filter silently discards everything except a specially formatted "magic packet", which can arrive on any port, and only that packet wakes the implant. Because nothing is listening, tools such as netstat or nmap show nothing unusual.
Rapid7 Labs has discovered an advanced variant of BPFdoor that hides its command triggers inside what looks like legitimate HTTPS traffic. The trigger is built to survive TLS termination and the header rewriting that proxies and load balancers perform, so it still reaches the implant after passing through those devices.
The new variant also carries an ICMP-based control channel: compromised servers relay commands to one another in specially crafted ICMP packets. ICMP is usually permitted between internal hosts and rarely inspected, so this supports lateral movement without the conventional command-and-control traffic that TCP-based detections look for.
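The filter mechanism described above, and the fact that an ICMP trigger fits the same model, are easiest to see with a filter actually running over packets. The following is an added example, not Rapid7's analysis or the implant's own code: it hand-assembles a classic-BPF program of the kind a raw-socket implant attaches, interprets it in pure Python, and feeds it constructed frames. The MAGIC value, the payload offset, the "UDP or ICMP" rule, and the frame builder are all assumptions made for illustration; the real implant's marker and layout are not on the page.

```python
import struct

# Classic BPF opcodes (linux/filter.h): BPF_LD|BPF_{W,H,B}|BPF_ABS, BPF_JMP|BPF_JEQ|BPF_K, BPF_RET|BPF_K
LD_W_ABS, LD_H_ABS, LD_B_ABS = 0x20, 0x28, 0x30
JEQ_K, RET_K = 0x15, 0x06

# Constructed trigger value for this example; the real implant's marker is not on the page.
MAGIC = 0x5A5A5A5A

# Filter program: accept an IPv4 frame only if it is UDP or ICMP *and* the first four
# payload bytes after the 8-byte L4 header equal MAGIC. Port numbers are never examined,
# which is why the trigger can arrive on any port. IP options are assumed absent (20-byte header).
# Jump offsets are relative to the next instruction, as in the kernel.
FILTER = [
    (LD_H_ABS, 0, 0, 12),     # A = ethertype
    (JEQ_K,    0, 6, 0x0800), # not IPv4 -> drop
    (LD_B_ABS, 0, 0, 23),     # A = IP protocol
    (JEQ_K,    1, 0, 17),     # UDP  -> go check magic
    (JEQ_K,    0, 3, 1),      # ICMP -> check magic, anything else -> drop
    (LD_W_ABS, 0, 0, 42),     # A = first 4 payload bytes (14 eth + 20 ip + 8 udp/icmp)
    (JEQ_K,    0, 1, MAGIC),  # magic mismatch -> drop
    (RET_K,    0, 0, 0xFFFF), # accept: kernel hands the frame to the implant's socket
    (RET_K,    0, 0, 0),      # drop: implant never sees it
]


def run_cbpf(prog, pkt):
    """Minimal classic-BPF interpreter for the opcodes above; returns the accept length (0 = drop).
    Like the kernel, an out-of-range load terminates the program with 0."""
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code in (LD_W_ABS, LD_H_ABS, LD_B_ABS):
            size = {LD_W_ABS: 4, LD_H_ABS: 2, LD_B_ABS: 1}[code]
            if k + size > len(pkt):
                return 0
            acc = int.from_bytes(pkt[k:k + size], "big")
        elif code == JEQ_K:
            pc += jt if acc == k else jf
        elif code == RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")
    return 0


def build_frame(proto, payload, dport=0, ethertype=0x0800):
    """Constructed Ethernet/IPv4 frame with a UDP or ICMP-echo header in front of payload.
    Any other protocol gets an 8-byte filler L4 header; only the protocol byte matters here."""
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", ethertype)
    if proto == 17:
        l4 = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0)   # UDP: sport, dport, len, csum
    elif proto == 1:
        l4 = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)                # ICMP echo request
    else:
        l4 = bytes(8)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload),
                     0, 0, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4 + payload


def is_trigger(frame):
    """True if the filter would wake the implant for this frame."""
    return run_cbpf(FILTER, frame) != 0


if __name__ == "__main__":
    magic = struct.pack("!I", MAGIC) + b"cmd"
    for name, frame in [
        ("UDP/53 with magic", build_frame(17, magic, dport=53)),
        ("UDP/53 without magic", build_frame(17, b"\x00" * 12, dport=53)),
        ("ICMP echo with magic", build_frame(1, magic)),
        ("TCP with magic", build_frame(6, magic)),
    ]:
        print(f"{name:25s} -> {'WAKE' if is_trigger(frame) else 'drop'}")
```

Two things to notice. The filter accepts the magic frame whether it is addressed to UDP/53 or UDP/65000, so no port scan and no socket table will ever reveal the trigger. And the ICMP path needs no extra machinery: the same filter, same offset, same marker, which is why an ICMP control channel costs the implant almost nothing.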
Infrastructure Mimicry and Defensive Measures
BPFdoor samples have been observed mimicking legitimate processes, such as HPE’s Agentless Management Service, to blend into telecom environments. Other samples target Kubernetes-hosted 5G core functions by impersonating Docker components.
Initial access vectors include edge infrastructure like Ivanti VPNs and network devices from Cisco, Juniper, and Fortinet, along with VMware ESXi hosts. Post-exploitation tools reported include CrossC2, TinyShell, and custom keyloggers tailored for telecom environments.
Rapid7 has coordinated with national CERTs to notify affected organizations and has released a free open-source scanner for BPFdoor variants. Beyond running it, organizations should watch Linux hosts for the implant's footprint: processes holding raw packet sockets with a BPF filter attached (ss -0pb lists both), processes whose executable has been deleted from disk or whose command line names a different binary than /proc/<pid>/exe, and unexpected connections on high ports that appear only after an inbound packet.
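One way to turn the monitoring advice above, together with the process-mimicry behaviour described earlier, into a host check: cross the packet sockets listed in /proc/net/packet with each process's fd table, then flag holders that also look like they are hiding (unlinked binary, running from /dev/shm or /tmp, argv[0] naming a different program than the mapped executable). This is an added example, not Rapid7's scanner or any published tool. The suspicious-directory list, the severity logic, and the sample host data are assumptions; the sample is constructed, not taken from an incident.

```python
import os
import re
from dataclasses import dataclass, field

# Hypothetical tuning knob: directories an implant commonly executes from after copying itself off disk.
SUSPICIOUS_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")
SOCK_RAW, ETH_P_ALL = 3, 0x0003


@dataclass
class ProcInfo:
    pid: int
    exe: str                      # readlink(/proc/<pid>/exe); ends with " (deleted)" if unlinked
    cmdline: str                  # /proc/<pid>/cmdline with NULs turned into spaces
    socket_inodes: set = field(default_factory=set)   # inodes of socket fds the process holds


def parse_proc_net_packet(text):
    """Parse /proc/net/packet into {inode: (sock_type, ethertype)} for every AF_PACKET socket."""
    sockets = {}
    for line in text.splitlines()[1:]:            # first line is the column header
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets[int(fields[8])] = (int(fields[2]), int(fields[3], 16))
    return sockets


def masquerade_reasons(p):
    """Indicators that the process is not the binary it claims to be."""
    reasons = []
    exe_path = p.exe.removesuffix(" (deleted)")
    if p.exe != exe_path:
        reasons.append("executable deleted from disk while still running")
    if exe_path.startswith(SUSPICIOUS_DIRS):
        reasons.append(f"executable runs from {os.path.dirname(exe_path)}")
    argv0 = p.cmdline.split(" ", 1)[0] if p.cmdline else ""
    if argv0 and os.path.basename(argv0) != os.path.basename(exe_path):
        reasons.append(f"argv[0] {argv0!r} does not match exe {exe_path!r}")
    return reasons


def packet_socket_holders(packet_sockets, procs):
    """PIDs holding any AF_PACKET socket, to review against the sniffers you expect (tcpdump, dhclient, ...)."""
    return sorted(p.pid for p in procs if p.socket_inodes & set(packet_sockets))


def find_suspects(packet_sockets, procs):
    """Flag processes that hold a packet socket AND show at least one masquerade indicator.
    Returns [(pid, [reasons...])]; a SOCK_RAW/ETH_P_ALL socket is added as context because
    that is what a magic-packet sniffer needs in order to see every inbound frame."""
    findings = []
    for p in procs:
        held = p.socket_inodes & set(packet_sockets)
        if not held:
            continue
        reasons = masquerade_reasons(p)
        if not reasons:
            continue
        if any(packet_sockets[i] == (SOCK_RAW, ETH_P_ALL) for i in held):
            reasons.append("holds SOCK_RAW socket bound to ETH_P_ALL")
        findings.append((p.pid, reasons))
    return findings


def collect_live():
    """Read the same data from a running Linux host (root needed to see other users' fd tables)."""
    with open("/proc/net/packet") as f:
        sockets = parse_proc_net_packet(f.read())
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            inodes = set()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m:
                    inodes.add(int(m.group(1)))
        except OSError:
            continue                              # process exited, or not ours to read
        procs.append(ProcInfo(pid, exe, cmdline, inodes))
    return sockets, procs


# Constructed sample (not from a real host) so the logic can be exercised offline.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000075d2a1c3 3      3    0003   2     1 0      0      41233
00000000a9c04f11 3      2    0800   0     1 0      0      51920
"""
SAMPLE_PROCS = [
    # DHCP client: holds a packet socket, but exe is on disk and argv[0] agrees with it
    ProcInfo(812, "/usr/sbin/dhclient", "/usr/sbin/dhclient -4 eth0", {51920}),
    # implant pattern: raw ETH_P_ALL socket, binary unlinked from /dev/shm, argv[0] rewritten
    # to resemble a management agent (illustrative path, not a real product's)
    ProcInfo(1337, "/dev/shm/sysupd (deleted)", "/opt/vendor/ams/bin/amsd -f", {41233, 41240}),
    # unrelated service with only a TCP socket
    ProcInfo(2041, "/usr/bin/python3", "/usr/bin/python3 app.py", {60011}),
]

if __name__ == "__main__":
    if os.path.exists("/proc/net/packet"):
        sockets, procs = collect_live()
    else:
        sockets, procs = parse_proc_net_packet(SAMPLE_PROC_NET_PACKET), SAMPLE_PROCS
    print("packet-socket holders:", packet_socket_holders(sockets, procs))
    for pid, reasons in find_suspects(sockets, procs):
        print(f"SUSPECT pid {pid}: " + "; ".join(reasons))
```

The check is deliberately two-stage: a packet socket alone is normal for DHCP clients, LLDP agents and anyone running tcpdump, so it only produces a review list; it becomes a finding when the same process also hides its identity. The /proc view cannot tell you whether a cBPF program is attached to a given socket, so pair this with ss -0pb on the live host, and remember that a deleted executable can still be recovered for analysis from /proc/<pid>/exe while the process runs.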
