A months-long investigation by Rapid7 Labs has exposed a sophisticated state-sponsored espionage campaign by the China-nexus threat actor Red Menshen, which has embedded some of the most covert digital sleeper cells ever documented inside global telecommunications infrastructure.
Why It Matters
Telecommunications networks carry government communications, authenticate subscriber identities, coordinate critical industries, and process signaling flows across national borders. Persistent access within a telecom core can expose subscriber identifiers, mobility events, authentication exchanges, and communication metadata — enabling large-scale tracking of high-value geopolitical targets. This campaign represents a strategic shift from opportunistic hacking to long-term pre-positioning within the backbone of international communications.
Targeted Regions
Red Menshen has specifically targeted telecom providers across:
- South Korea
- Hong Kong
- Myanmar
- Malaysia
- Egypt
- Middle East
Collateral risk extends to government networks that depend on these carriers.
BPFdoor: A Kernel-Level Trapdoor
At the center of this campaign is BPFdoor, a stealth Linux backdoor that hides by abusing Berkeley Packet Filter (BPF) functionality inside the operating system kernel. Unlike conventional malware, BPFdoor:
- Does not open any listening port
- Generates no visible command-and-control beaconing
- Installs a custom BPF filter inside the kernel that silently inspects incoming traffic
- Activates only when it receives a specially crafted “magic packet” containing a predefined byte sequence
- Leaves nothing unusual for tools such as netstat, ss, or nmap to show, because no socket is ever in a listening state
New Variant Capabilities
Rapid7 Labs identified a previously undocumented BPFdoor variant with advanced stealth capabilities:
- HTTPS Traffic Concealment: Hides command triggers within legitimate HTTPS traffic, exploiting SSL termination points
- Magic Ruler Padding: A sophisticated padding mechanism ensures markers land at fixed offsets within request data, allowing the implant to survive proxy header rewriting
- ICMP Control Channel: Compromised servers relay commands using crafted ICMP packets embedded with 0xFFFFFFFF as a “do not forward” signal, enabling lateral propagation without standard C2 traffic
Infrastructure Masquerading
BPFdoor samples employ sophisticated disguise techniques:
- Mimic legitimate processes on HPE ProLiant bare-metal servers (impersonating the hpasmlited daemon)
- Spoof Docker and containerd components
- Target Kubernetes-hosted 5G core functions (AMF, SMF, UDM)
Initial Access Vectors
Initial access consistently targets edge infrastructure:
- Ivanti Connect Secure VPNs
- Cisco and Juniper network devices
- Fortinet firewalls
- VMware ESXi hosts
Post-exploitation tooling includes CrossC2, TinyShell, SSH brute-forcers, and custom ELF keyloggers with telecom-aware credential lists referencing terms like “imsi.”
Defender Actions
Rapid7 has coordinated with national CERTs and government partners to notify affected organizations. The firm released a free, open-source scanning script capable of detecting both legacy and new BPFdoor variants to assist organizations in rapid exposure validation.
Organizations should:
- Expand visibility into kernel-level operations
- Monitor raw BPF filter activity
- Track anomalous high-port behavior on Linux systems
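The two host-side signals this article points at, a raw packet socket with a kernel BPF filter behind it (the mechanism described under “BPFdoor: A Kernel-Level Trapdoor”) and a process whose displayed name disagrees with the binary it really runs from (the hpasmlited / Docker / containerd masquerading described under “Infrastructure Masquerading”), can both be read straight out of /proc. The script below is an added example written for this page; it is not Rapid7’s scanner and does not look for any specific BPFdoor byte sequence. It assumes a standard Linux /proc layout (/proc/net/packet lists every AF_PACKET socket by inode; /proc/<pid>/fd links read as socket:[inode]; /proc/<pid>/exe gains a “ (deleted)” suffix when the binary was unlinked). The sample data at the bottom is constructed, including the placeholder implant path.

```python
"""Hunt for Linux processes that hold AF_PACKET (raw) sockets and/or whose
visible name (argv[0]) disagrees with the executable they actually run from.

Added example for this article; not Rapid7's scanner. Assumes Linux /proc.
"""
import os
import re
from pathlib import Path

# Header of /proc/net/packet: "sk RefCnt Type Proto Iface R Rmem User Inode"
PACKET_HEADER_RE = re.compile(r"^\s*sk\s+RefCnt", re.IGNORECASE)
SOCKET_LINK_RE = re.compile(r"socket:\[(\d+)\]")


def parse_packet_sockets(text):
    """Map socket inode -> protocol (hex string) for every AF_PACKET socket.

    A packet socket is what a userland program needs in order to attach a
    classic BPF filter that sees all incoming frames without listening on
    any port; legitimate holders (dhclient, tcpdump) are few and known.
    """
    inodes = {}
    for line in text.splitlines():
        if not line.strip() or PACKET_HEADER_RE.match(line):
            continue
        fields = line.split()
        if len(fields) < 9:
            continue
        inodes[int(fields[8])] = fields[3]  # 0003 == ETH_P_ALL (every frame)
    return inodes


def socket_inodes_of(fd_targets):
    """Extract socket inodes from readlink() results of /proc/<pid>/fd/*."""
    found = set()
    for target in fd_targets:
        match = SOCKET_LINK_RE.fullmatch(target)
        if match:
            found.add(int(match.group(1)))
    return found


def name_mismatch(argv0, exe_path):
    """True when the name a process shows does not match its real binary,
    or when that binary has been deleted from disk (a common masquerade:
    rewrite argv[0] to a daemon name, then unlink the dropped ELF)."""
    if not argv0 or not exe_path:
        return False
    shown = os.path.basename(argv0.strip())
    deleted = exe_path.endswith(" (deleted)")
    real = os.path.basename(exe_path[: -len(" (deleted)")] if deleted else exe_path)
    return shown != real or deleted


def find_suspects(packet_text, processes):
    """processes: {pid: {"fds": [...], "argv0": str, "exe": str}}.

    Returns one finding per process that holds a packet socket or masquerades.
    """
    packet_inodes = parse_packet_sockets(packet_text)
    findings = []
    for pid in sorted(processes):
        info = processes[pid]
        held = socket_inodes_of(info["fds"]) & set(packet_inodes)
        mismatch = name_mismatch(info["argv0"], info["exe"])
        if held or mismatch:
            findings.append({
                "pid": pid,
                "argv0": info["argv0"],
                "exe": info["exe"],
                "packet_sockets": sorted(held),
                "name_mismatch": mismatch,
            })
    return findings


def collect_live():
    """Walk the real /proc (Linux only; run as root to read every fd table)."""
    packet_text = Path("/proc/net/packet").read_text()
    procs = {}
    for entry in Path("/proc").iterdir():
        if not entry.name.isdigit():
            continue
        try:
            fds = [os.readlink(fd) for fd in (entry / "fd").iterdir()]
            argv0 = (entry / "cmdline").read_bytes().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(entry / "exe")
        except OSError:
            continue  # process exited or not ours to inspect
        procs[int(entry.name)] = {"fds": fds, "argv0": argv0, "exe": exe}
    return find_suspects(packet_text, procs)


# Constructed sample data (not real telemetry): a benign dhclient holding a
# packet socket, a hypothetical implant calling itself hpasmlited while
# running from a deleted file under /dev/shm, and an untouched sshd.
SAMPLE_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a0c1e2f3000 3      3    0003   2     1 0      0      31337
ffff9a0c1e2f4000 3      3    0003   0     1 0      0      40001
"""
SAMPLE_PROCS = {
    812: {"fds": ["/dev/null", "socket:[31337]"],
          "argv0": "/sbin/dhclient", "exe": "/usr/sbin/dhclient"},
    4711: {"fds": ["/dev/null", "socket:[40001]", "socket:[40002]"],
           "argv0": "hpasmlited", "exe": "/dev/shm/sample_implant (deleted)"},
    950: {"fds": ["socket:[20010]"],
          "argv0": "/usr/sbin/sshd", "exe": "/usr/sbin/sshd"},
}

if __name__ == "__main__":
    for finding in find_suspects(SAMPLE_PACKET, SAMPLE_PROCS):
        print(finding)
    # On a real Linux host replace the two lines above with:
    # for finding in collect_live(): print(finding)
```

Every packet-socket holder is reported, not only the masquerading ones, because the triage question is “which processes can see all frames?” and the benign answer list on a telecom core node should be short and stable; a finding that combines a packet socket with a deleted or renamed binary is the one to escalate.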
