China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks
https://thehackernews.com/2026/03/china-linked-red-menshen-uses-stealthy.html
Publish Date: 2026-03-26 13:40:00
Source Domain: thehackernews.com
A long-term and ongoing campaign attributed to a China-nexus threat actor has embedded itself in telecom networks to conduct espionage against government networks.
The strategic positioning activity, which involves implanting and maintaining stealthy access mechanisms within critical environments, has been attributed to Red Menshen, a threat cluster that’s also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18. The group has a track record of striking telecom providers across the Middle East and Asia since at least 2021.
Rapid7 described the covert access mechanisms as “some of the stealthiest digital sleeper cells” ever encountered in telecommunications networks.
The campaign is characterized by the use of kernel-level implants, passive backdoors, credential-harvesting utilities, and cross-platform command frameworks, giving the threat actor the ability to persistently inhabit networks of interest. One of the most recognized tools in its malware arsenal is a Linux backdoor called BPFDoor.
“Unlike conventional malware, BPFDoor does not expose listening ports or maintain visible command-and-control channels,” Rapid7 Labs said in a report shared with The Hacker News. “Instead, it abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the kernel, activating only when it receives a specifically crafted trigger packet.”

“There is no persistent listener or obvious beaconing. The result is a hidden trapdoor embedded within the operating system itself.”
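Because a BPF-based trapdoor of the kind described above opens no listening port, a hunt for it starts from the kernel-side artifact it cannot avoid: a process holding a raw AF_PACKET socket, which is how a user-space program receives frames for a BPF filter to inspect. The following triage helper is an added example, not code from the article or from Rapid7; it parses the `/proc/net/packet` table and maps socket inodes back to PIDs via `/proc/<pid>/fd` link targets, and the sample data and helper names are constructed for illustration.

```python
import re
from collections import namedtuple

# Hypothetical triage helper (not from the article or Rapid7): list processes
# holding AF_PACKET sockets, the socket type a passive BPF sniffer relies on.
PacketSocket = namedtuple("PacketSocket", "sock_type proto iface inode")
SOCK_RAW = 3          # socket type that receives whole frames
ETH_P_ALL = 0x0003    # "every protocol"; with iface 0 this means every interface

def parse_proc_net_packet(text):
    """Parse the /proc/net/packet table: a header line, then one row per socket."""
    sockets = []
    for line in text.splitlines()[1:]:
        cols = line.split()   # sk RefCnt Type Proto Iface R Rmem User Inode
        if len(cols) < 9:
            continue
        sockets.append(PacketSocket(int(cols[2]), int(cols[3], 16), int(cols[4]), int(cols[8])))
    return sockets

def map_socket_inodes_to_pids(fd_targets):
    """fd_targets: {pid: [readlink() targets of /proc/<pid>/fd/*]} -> {inode: [pids]}."""
    owners = {}
    for pid, targets in fd_targets.items():
        for target in targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), []).append(pid)
    return owners

def triage_packet_sockets(proc_net_packet, fd_targets):
    """Return (pid, inode, priority) for every process holding a SOCK_RAW packet socket."""
    owners = map_socket_inodes_to_pids(fd_targets)
    findings = []
    for s in parse_proc_net_packet(proc_net_packet):
        if s.sock_type != SOCK_RAW:
            continue
        # A raw socket bound to all protocols on all interfaces sees everything the
        # host receives, which is what a trigger-packet listener needs. Packet capture
        # tools and some network daemons look the same, so this ranks, it does not convict.
        priority = "high" if (s.proto == ETH_P_ALL and s.iface == 0) else "review"
        for pid in owners.get(s.inode, ["unknown"]):
            findings.append((pid, s.inode, priority))
    return findings

# Constructed sample data, not taken from a real host.
SAMPLE_PACKET_TABLE = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   0     1 0      0      40213
0000000000000000 3      2    0800   2     1 0      0      18877
"""
SAMPLE_FD_TARGETS = {4123: ["/dev/null", "socket:[40213]"], 911: ["socket:[18877]", "pipe:[77]"]}
```

On a live Linux host, feed the helper the contents of `/proc/net/packet` and the `os.readlink()` results of each `/proc/<pid>/fd/*` entry; `ss -0pb` shows the same sockets together with the attached BPF filter bytecode for the flagged PIDs.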
The attack chains begin with the threat actor targeting internet-facing infrastructure and exposed edge services, such as VPN appliances, firewalls, and web-facing platforms associated with Ivanti, Cisco, Juniper Networks, Fortinet, VMware, Palo Alto Networks, and Apache Struts, to obtain initial access.
Upon gaining a successful foothold, Linux-compatible beacon frameworks such as CrossC2 are deployed to facilitate post-exploitation activities. Also dropped are Sliver,…