{"id":228124,"date":"2026-03-26T13:40:00","date_gmt":"2026-03-26T17:40:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/03\/26\/china-linked-red-menshen-uses-stealthy-bpfdoor-implants-to-spy-via-telecom-networks\/"},"modified":"2026-03-27T08:10:11","modified_gmt":"2026-03-27T12:10:11","slug":"china-linked-red-menshen-uses-stealthy-bpfdoor-implants-to-spy-via-telecom-networks","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/03\/26\/china-linked-red-menshen-uses-stealthy-bpfdoor-implants-to-spy-via-telecom-networks\/","title":{"rendered":"China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/china-linked-red-menshen-uses-stealthy.html\">China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/china-linked-red-menshen-uses-stealthy.html\">https:\/\/thehackernews.com\/2026\/03\/china-linked-red-menshen-uses-stealthy.html<\/a><\/p>\n<p>Publish Date: 2026-03-26 13:40:00<\/p>\n<p>Source Domain: thehackernews.com<\/p>\n<p>A long-term and ongoing campaign attributed to a China-nexus threat actor has embedded itself in telecom networks to conduct espionage against government networks.<\/p>\n<p>The strategic positioning activity, which involves implanting and maintaining stealthy access mechanisms within critical environments, has been attributed to <strong>Red Menshen<\/strong>, a threat cluster that&#8217;s also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18. 
The group has a track record of striking telecom providers across the Middle East and Asia since at least 2021.<\/p>\n<p>Rapid7 described the covert access mechanisms as &#8220;some of the stealthiest digital sleeper cells&#8221; ever encountered in telecommunications networks.<\/p>\n<p>The campaign is characterized by the use of kernel-level implants, passive backdoors, credential-harvesting utilities, and cross-platform command frameworks, giving the threat actor the ability to persistently inhabit networks of interest. One of the most recognized tools in its malware arsenal is a Linux backdoor called BPFDoor.<\/p>\n<p>&#8220;Unlike conventional malware, BPFdoor does not expose listening ports or maintain visible command-and-control channels,&#8221; Rapid7 Labs said in a report shared with The Hacker News. &#8220;Instead, it abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the kernel, activating only when it receives a specifically crafted trigger packet.&#8221;<\/p>\n<p>&#8220;There is no persistent listener or obvious beaconing. 
The result is a hidden trapdoor embedded within the operating system itself.&#8221;<\/p>\n<p>The attack chains begin with the threat actor targeting internet-facing infrastructure and exposed edge services, such as VPN appliances, firewalls, and web-facing platforms associated with Ivanti, Cisco, Juniper Networks, Fortinet, VMware, Palo Alto Networks, and Apache Struts, to obtain initial access.<\/p>\n<p>Upon gaining a successful foothold, Linux-compatible beacon frameworks such as CrossC2 are deployed to facilitate post-exploitation activities. Also dropped are Sliver,&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/china-linked-red-menshen-uses-stealthy.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks https:\/\/thehackernews.com\/2026\/03\/china-linked-red-menshen-uses-stealthy.html Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":228125,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgDsXRdaBMsOY-JUezvB02i5xzt_pSMJYGGGmt3ujh5C7VDZ7YLODicjiwDHF0vR9Y6P7XfPJJ-sIzu3aElQOfOExYn15O9tjCrOubY531cg1hKVN7U1aGCq5avhsEBdxu0qCTuwgXQEHS4mkHExgUQbsR8iU2CS7fBZAlTyXlD9o0hmU0oJ8jCip_fok4G\/s1700-e365\/tower-hack.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,35,32,34],"class_list":["post-228124","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-hacker","tag-malware","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/228124"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href"
:"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=228124"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/228124\/revisions"}],"predecessor-version":[{"id":228126,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/228124\/revisions\/228126"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/228125"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=228124"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=228124"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=228124"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}