China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks

A China-associated cyber-espionage group, Red Menshen, has been conducting long-term operations targeting telecom networks across Asia and the Middle East, using a highly covert Linux backdoor called BPFDoor to spy on government and critical infrastructure systems.

Tracked under multiple aliases—including Earth Bluecrow, DecisiveArchitect, and Red Dev 18—Red Menshen has operated since at least 2021, embedding persistent access mechanisms deep within network environments. Security researchers at Rapid7 describe these implants as “some of the stealthiest digital sleeper cells ever observed in telecommunications networks.”

The group’s toolkit includes kernel-level implants, passive backdoors, credential-harvesting utilities, and cross-platform command frameworks, enabling prolonged network presence without detection. Unlike conventional malware, BPFDoor uses Berkeley Packet Filter (BPF) functionality to inspect network traffic at the kernel level, activating only when it receives specially crafted “magic” packets. Because the implant opens no listening port and maintains no visible command-and-control channel, it is nearly invisible to standard monitoring.

Red Menshen typically gains initial access by exploiting internet-facing systems, including VPN appliances, firewalls, and web-facing platforms from vendors like Ivanti, Cisco, Juniper Networks, Fortinet, VMware, Palo Alto Networks, and Apache Struts. Once inside, the group deploys Linux-compatible frameworks such as CrossC2, along with Sliver, TinyShell, keyloggers, and brute-force utilities to move laterally and harvest credentials.

BPFDoor operates in two parts: a passive backdoor on compromised systems and a controller managed by the attackers. The backdoor inspects incoming traffic for the trigger packet and opens a remote shell upon detection. The controller can also operate internally within the victim network, masquerading as legitimate system processes to trigger additional implants or enable lateral movement.
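A filter of the kind described above is attached to a raw AF_PACKET socket, and that socket is listed in /proc/net/packet even though no listening TCP/UDP port ever appears. The script below is an added hunting example, not code from the article or from Rapid7; it parses /proc/net/packet and maps each raw socket back to its owning process through the /proc/<pid>/fd symlinks. It assumes a Linux host and root privileges; legitimate sniffers such as tcpdump or DHCP clients also hold raw sockets, so every hit still needs triage.

```python
import os

SOCK_RAW = 3  # socket type of a raw AF_PACKET socket (2 would be SOCK_DGRAM)

def parse_proc_net_packet(text):
    """Return (inode, ethertype, ifindex) for each SOCK_RAW row of /proc/net/packet.
    Assumed columns: sk RefCnt Type Proto Iface R Rmem User Inode; Proto is hex
    (0x0003 = ETH_P_ALL, 0x0800 = ETH_P_IP) and Iface 0 means bound to every NIC."""
    raw = []
    for line in text.splitlines()[1:]:          # first row is the header
        fields = line.split()
        if len(fields) >= 9 and int(fields[2]) == SOCK_RAW:
            raw.append((int(fields[8]), int(fields[3], 16), int(fields[4])))
    return raw

def inode_owners(inodes, proc="/proc"):
    """Map each socket inode to the PIDs whose /proc/<pid>/fd links point at it."""
    owners = {i: [] for i in inodes}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                         # process gone, or we are not root
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))   # e.g. "socket:[12345]"
            except OSError:
                continue
            if target.startswith("socket:[") and int(target[8:-1]) in owners:
                owners[int(target[8:-1])].append(int(pid))
    return owners

def hunt(proc="/proc"):
    """Return [(pid, comm, ethertype, ifindex)] for every live raw packet socket."""
    with open(os.path.join(proc, "net", "packet")) as f:
        sockets = parse_proc_net_packet(f.read())
    owners = inode_owners({s[0] for s in sockets}, proc)
    hits = []
    for inode, ethertype, ifindex in sockets:
        for pid in owners[inode]:
            try:
                with open(os.path.join(proc, str(pid), "comm")) as f:
                    comm = f.read().strip()
            except OSError:
                comm = "?"
            hits.append((pid, comm, ethertype, ifindex))
    return hits
```

A raw socket with ifindex 0 owned by a process whose name mimics a system daemon is the pattern worth escalating; an empty owner list for an inode usually means the scan was not run as root.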

Some BPFDoor variants even support the Stream Control Transmission Protocol (SCTP), allowing attackers to monitor telecom-native protocols, track subscribers, and gather intelligence on individuals of interest. A newly discovered version enhances stealth further by hiding trigger packets within legitimate HTTPS traffic and using ICMP for lightweight inter-host communication.

“Telecom environments, with their bare-metal systems, virtualization layers, and containerized 4G/5G core components, provide an ideal terrain for low-noise, long-term persistence,” Rapid7 said. By embedding malware in the operating system kernel and infrastructure platforms rather than the user space, Red Menshen ensures its operations remain undetected for extended periods.

The campaign highlights a growing trend in cyber-espionage: attackers are embedding implants deeper into networks, targeting infrastructure and operating system components to maintain persistent access while evading traditional monitoring tools.

Copyright © 2023 Cyber Reports Cyber Security News. All Rights Reserved.