Red Menshen Plants BPFdoor Backdoors in Global Telecom Networks for Long-Term Espionage

A comprehensive investigation by Rapid7 Labs has exposed a sophisticated, state-sponsored espionage campaign by the China-nexus threat actor Red Menshen, revealing one of the most covert digital sleeper cell operations ever documented within global telecommunications infrastructure.

The campaign represents a deliberate shift from opportunistic hacking to long-term pre-positioning within the very backbone networks that underpin national and international communications.

Why Telecoms Are High-Value Targets

Telecommunications networks carry government communications, authenticate subscriber identities, coordinate critical industries, and process signaling flows across national borders. At their core, these environments rely on signaling protocols such as SS7 and Diameter (the latter typically carried over SCTP) to manage subscriber identity, mobility, and global connectivity.

Persistent access within a telecom core enables exposure of:

  • Subscriber identifiers and mobility events
  • Authentication exchanges
  • Communication metadata enabling large-scale tracking of high-value geopolitical targets

Red Menshen has specifically targeted telecom providers across South Korea, Hong Kong, Myanmar, Malaysia, Egypt, and the Middle East, with collateral risk extending to government networks dependent on those carriers.

BPFdoor: Kernel-Level Stealth

BPFdoor is a stealthy Linux backdoor that abuses Berkeley Packet Filter (BPF) functionality. The implant itself is an ordinary userspace process; what makes it unusual is that it opens a raw packet socket and attaches a classic BPF filter to it, so the kernel inspects every incoming packet and hands the process only the ones that match. While dormant, BPFdoor:

  • Opens no listening TCP or UDP ports
  • Generates no C2 beaconing of its own
  • Relies on the attached BPF filter to inspect incoming traffic inside the kernel
  • Activates only when the filter matches a specially crafted “magic packet”, after which it opens a shell or connects back to the sender

Because no port is bound until activation, tools such as netstat, ss (in its default mode), or an external nmap scan show nothing unusual; the system appears clean. The raw socket itself is not invisible, though: it appears in /proc/net/packet and as a socket:[inode] entry under /proc/<pid>/fd of the implant process, which is where host-based detection starts.
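The gating mechanism described above, as an added example that is not code from the original article or from any BPFdoor sample: a small classic-BPF interpreter in Python runs a filter of the kind an implant would attach with setsockopt(SO_ATTACH_FILTER) on a raw socket, and shows that ordinary traffic is dropped in the kernel while a frame carrying a marker at a fixed payload offset is passed up to userspace. The marker value, the UDP-only match and the sample frames are constructed for illustration; the opcode constants are the ones from <linux/filter.h>, and tcpdump -dd emits filters in the same (code, jt, jf, k) tuple form.

```python
import struct

# Classic BPF opcode fields, as defined in <linux/filter.h> (only those used here).
BPF_LD, BPF_LDX, BPF_JMP, BPF_RET = 0x00, 0x01, 0x05, 0x06   # instruction classes
BPF_W, BPF_H, BPF_B = 0x00, 0x08, 0x10                       # load sizes
BPF_ABS, BPF_IND, BPF_MSH = 0x20, 0x40, 0xa0                 # load modes
BPF_JA, BPF_JEQ, BPF_K, BPF_A = 0x00, 0x10, 0x00, 0x10       # jump ops / operand source

MAGIC = 0x4D414749   # placeholder marker for this example; NOT a value from any real sample
PAYLOAD_OFF = 22     # 14 (Ethernet) + 8 (UDP header); the IP header length is added via X

# Filter: accept only IPv4/UDP frames whose first four payload bytes equal MAGIC.
# Jump offsets are relative to the next instruction, exactly as in the kernel.
FILTER = [
    (BPF_LD | BPF_H | BPF_ABS, 0, 0, 12),           # 0: A = EtherType
    (BPF_JMP | BPF_JEQ | BPF_K, 0, 6, 0x0800),      # 1: not IPv4   -> 8 (drop)
    (BPF_LD | BPF_B | BPF_ABS, 0, 0, 23),           # 2: A = IP protocol
    (BPF_JMP | BPF_JEQ | BPF_K, 0, 4, 17),          # 3: not UDP    -> 8 (drop)
    (BPF_LDX | BPF_B | BPF_MSH, 0, 0, 14),          # 4: X = 4 * (ip[0] & 0x0f) = IP header length
    (BPF_LD | BPF_W | BPF_IND, 0, 0, PAYLOAD_OFF),  # 5: A = payload[0:4], i.e. frame[X + 22]
    (BPF_JMP | BPF_JEQ | BPF_K, 0, 1, MAGIC),       # 6: not marker -> 8 (drop)
    (BPF_RET | BPF_K, 0, 0, 0xFFFF),                # 7: accept: copy up to 64 KiB to userspace
    (BPF_RET | BPF_K, 0, 0, 0),                     # 8: drop: the process never sees the packet
]


def run_cbpf(prog, pkt):
    """Interpret a classic BPF program over one packet.

    Returns the number of bytes to hand to userspace (0 = drop). As in the
    kernel, a load that runs past the end of the packet drops it.
    """
    acc = idx = pc = 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        cls = code & 0x07
        if cls == BPF_RET:
            return k if (code & 0x18) == BPF_K else acc
        if cls == BPF_LD:
            size = {BPF_W: 4, BPF_H: 2, BPF_B: 1}[code & 0x18]
            off = k + (idx if (code & 0xE0) == BPF_IND else 0)
            if off + size > len(pkt):
                return 0
            acc = int.from_bytes(pkt[off:off + size], "big")
        elif cls == BPF_LDX:
            if (code & 0xE0) != BPF_MSH or k >= len(pkt):
                return 0
            idx = 4 * (pkt[k] & 0x0F)
        elif cls == BPF_JMP:
            op = code & 0xF0
            if op == BPF_JA:
                pc += k
            elif op == BPF_JEQ:
                pc += jt if acc == k else jf
            else:
                raise NotImplementedError(f"opcode 0x{code:02x}")
        else:
            raise NotImplementedError(f"opcode 0x{code:02x}")
    return 0


def build_udp_frame(payload, dst_port=53, proto=17):
    """Constructed Ethernet/IPv4/UDP frame with sample addresses; checksums left zero."""
    eth = b"\x02" * 12 + struct.pack("!H", 0x0800)
    l4_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 40000, dst_port, l4_len, 0)
    return eth + ip + udp + payload


def is_magic_packet(frame):
    """True if the filter would wake the implant for this frame."""
    return run_cbpf(FILTER, frame) > 0


if __name__ == "__main__":
    wake = build_udp_frame(MAGIC.to_bytes(4, "big") + b"run")
    noise = build_udp_frame(b"\x12\x34\x01\x00" + b"\x00" * 8)   # looks like a DNS query
    print("magic frame passed to userspace:", is_magic_packet(wake))
    print("ordinary frame passed to userspace:", is_magic_packet(noise))
```

The filter never binds a port, which is why a port scan or a default ss listing shows nothing; the only artefacts are the raw socket and the filter bytecode attached to it, both of which ss -0pb can display for a privileged user.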

New Variant: Enhanced Evasion

Rapid7 Labs identified a previously undocumented BPFdoor variant with significantly advanced stealth capabilities:

HTTPS Traffic Concealment: Rather than standalone magic packets, commands now hide inside ordinary HTTPS requests. The implant sits behind TLS termination points such as load balancers and reverse proxies, so it inspects the already-decrypted stream on the host while network sensors upstream see only encrypted sessions.

Magic Ruler Padding: A sophisticated padding mechanism ensures marker strings always land at fixed offsets within inspected data, surviving proxy header rewriting—creating dynamic Layer-7 camouflage.

ICMP Control Channel: Compromised servers relay commands using crafted ICMP packets with embedded signals, enabling lateral propagation without standard C2 traffic.

Infrastructure Masquerading

Some BPFdoor samples demonstrate sophisticated environmental awareness:

  • Mimics the hpasmlited daemon (HPE's ProLiant hardware health agent) on HPE ProLiant servers running 4G/5G core workloads
  • Spoofs Docker and containerd components targeting Kubernetes-hosted 5G core functions (AMF, SMF, UDM)

Initial Access Vectors

Initial access consistently targets edge infrastructure:

  • Ivanti Connect Secure VPNs
  • Cisco and Juniper network devices
  • Fortinet firewalls
  • VMware ESXi hosts

Post-exploitation tooling includes CrossC2, TinyShell, SSH brute-forcers, and custom ELF keyloggers with telecom-aware credential lists referencing terms like “imsi.”

Defensive Recommendations

Rapid7 has released a free, open-source scanning script capable of detecting both legacy and new BPFdoor variants. Defenders should:

  • Expand visibility into kernel-level operations, in particular raw packet sockets and the filters attached to them (ss -0pb, run as root, lists packet sockets with their owning process and attached BPF bytecode)
  • Monitor raw BPF filter activity, for example by alerting on processes other than known capture and DHCP tools that hold AF_PACKET sockets
  • Track anomalous high-port behavior on Linux systems, since an activated implant binds a port that was not there a moment earlier
  • Compare each process's claimed name (argv[0] and comm) with the executable it actually runs, because the masquerading described above leaves the two out of step

These are areas where most organizations currently lack adequate monitoring depth.
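The host-side checks above, as an added example that is not Rapid7's scanner and not code from the original article: the script reads /proc/net/packet, maps each packet socket's inode to the processes whose /proc/<pid>/fd entries reference it, and applies the masquerading heuristics from the Infrastructure Masquerading section (executable unlinked or running from a scratch directory, argv[0] that does not match the real binary, an unexpected process name). The allowlist, the sample /proc contents and the process records are constructed for illustration and will need tuning per fleet; collect_live() runs the same logic against the real /proc and needs root to see other users' file descriptors.

```python
import os
import re
from pathlib import PurePosixPath

PROC_NET_PACKET = "/proc/net/packet"
# Processes that commonly hold AF_PACKET sockets on a healthy host (assumed; tune per fleet).
ALLOWLIST = {"tcpdump", "tshark", "nmap", "dhclient", "dhcpcd", "lldpd",
             "NetworkManager", "systemd-networkd", "wpa_supplicant"}
SCRATCH_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")


def parse_packet_table(text):
    """Parse /proc/net/packet; columns: sk RefCnt Type Proto Iface R Rmem User Inode."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 9:
            rows.append({"type": int(f[2]), "proto": int(f[3], 16),
                         "uid": int(f[7]), "inode": int(f[8])})
    return rows


def socket_owners(fd_links):
    """Map socket inode -> pids, from {pid: [targets of /proc/<pid>/fd/* symlinks]}."""
    owners = {}
    for pid, targets in fd_links.items():
        for target in targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), []).append(pid)
    return owners


def suspicious_reasons(proc):
    """Masquerading heuristics for a process that holds a packet socket."""
    reasons = []
    exe = proc["exe"]
    deleted = exe.endswith(" (deleted)")
    exe_path = exe[:-len(" (deleted)")] if deleted else exe
    if deleted:
        reasons.append("executable unlinked from disk")
    if exe_path.startswith(SCRATCH_DIRS):
        reasons.append("executable runs from a scratch directory")
    argv0 = proc["cmdline"].split("\0")[0] if proc["cmdline"] else ""
    if argv0 and PurePosixPath(argv0).name != PurePosixPath(exe_path).name:
        reasons.append(f"argv[0] {argv0!r} does not match executable {exe_path!r}")
    if proc["comm"] not in ALLOWLIST:
        reasons.append(f"comm {proc['comm']!r} is not an expected packet-socket holder")
    return reasons


def find_packet_socket_holders(packet_text, fd_links, procs):
    """Return {pid: reasons} for every process holding an AF_PACKET socket (empty list = benign)."""
    owners = socket_owners(fd_links)
    findings = {}
    for row in parse_packet_table(packet_text):
        for pid in owners.get(row["inode"], []):
            findings[pid] = suspicious_reasons(procs[pid])
    return findings


def collect_live():
    """Read the real /proc and run the same checks (root needed for other users' fds)."""
    with open(PROC_NET_PACKET) as fh:
        packet_text = fh.read()
    fd_links, procs = {}, {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{pid}"
        try:
            links = [os.readlink(f"{base}/fd/{fd}") for fd in os.listdir(f"{base}/fd")]
            with open(f"{base}/comm") as fh:
                comm = fh.read().strip()
            with open(f"{base}/cmdline", "rb") as fh:
                cmdline = fh.read().decode(errors="replace")
            try:
                exe = os.readlink(f"{base}/exe")
            except OSError:
                exe = ""                      # kernel thread or exited process
            fd_links[int(pid)] = links
            procs[int(pid)] = {"comm": comm, "exe": exe, "cmdline": cmdline}
        except OSError:
            continue                          # raced with exit, or not permitted
    return find_packet_socket_holders(packet_text, fd_links, procs)


# Constructed sample data standing in for /proc on a host with one masquerading implant.
SAMPLE_PACKET_TABLE = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c8a1b2c3d00 3      3    0800   2     1 0      0      48213
ffff9c8a1b2c3e00 3      3    0003   2     1 0      0      51177
"""
SAMPLE_FD_LINKS = {1187: ["/dev/null", "/dev/null", "socket:[48213]"],
                   2044: ["/dev/pts/0", "socket:[51177]"]}
SAMPLE_PROCS = {
    # argv[0] claims the HPE health daemon, but the binary ran from /dev/shm and was unlinked
    1187: {"comm": "hpasmlited", "exe": "/dev/shm/.x (deleted)", "cmdline": "/usr/sbin/hpasmlited\0"},
    2044: {"comm": "tcpdump", "exe": "/usr/bin/tcpdump", "cmdline": "tcpdump\0-i\0eth0\0"},
}

if __name__ == "__main__":
    for pid, reasons in find_packet_socket_holders(SAMPLE_PACKET_TABLE, SAMPLE_FD_LINKS, SAMPLE_PROCS).items():
        print(pid, "SUSPICIOUS" if reasons else "ok", *reasons, sep="\n  ")
```

Run on a live host, an empty reason list for tcpdump or a DHCP client is expected; any holder with a deleted or scratch-directory executable, or whose argv[0] names a daemon its binary is not, deserves a memory capture before the process is touched, since the unlinked binary may survive only in that process image.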

Source: Cyber Security News