A persistent espionage campaign by a Chinese-affiliated threat group has successfully infiltrated telecommunications networks across Asia and the Middle East to monitor government communications. By utilizing advanced kernel-level backdoors like BPFDoor, the attackers maintain invisible, long-term access to critical infrastructure without traditional detection signatures.
A sophisticated threat actor known as Red Menshen has spent years establishing a deep-seated presence within global telecommunications providers to conduct high-level espionage. This group, which also operates under various aliases such as Earth Bluecrow and DecisiveArchitect, has been active since at least 2021. Their primary goal is to maintain a strategic foothold within these networks, allowing them to intercept sensitive data and monitor government activities over extended periods. Experts have noted that the level of stealth employed by this group is among the highest ever seen in the industry, effectively creating digital sleeper cells within the systems they compromise.
The group gains its initial foothold by targeting vulnerabilities in internet-facing infrastructure and edge devices. They specifically look for weaknesses in appliances and platforms from major providers like Cisco, Fortinet, and VMware. By exploiting these exposed services, they can bypass traditional security perimeters and enter the internal environment. Once inside, they deploy a variety of tools, including beacon frameworks and backdoors, to ensure they can move laterally through the network and harvest credentials from high-value users.
One of the most effective tools in their inventory is a Linux backdoor known as BPFDoor. This malware is particularly dangerous because it does not behave like standard malicious software. Instead of opening a visible port or regularly reaching out to a command-and-control server, it remains entirely silent and passive. It utilizes the Berkeley Packet Filter functionality to monitor network traffic directly within the operating system’s kernel. This allows the malware to hide in plain sight, as there is no active process for security software to easily flag.
The backdoor only springs into action when it identifies a specific, “magic” trigger packet sent by the attackers. When this unique packet is detected, the implant spawns a remote shell, giving the threat actor immediate access to the compromised system. Because there is no persistent listener or obvious beaconing, the result is a hidden trapdoor embedded within the core of the operating system. This method allows the group to avoid detection by standard network monitoring tools that look for unusual outgoing connections or open ports.
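As an added illustration of the detection gap just described (this is example code, not part of the original report and not Rapid7's tooling): a BPFDoor-style implant waits on a raw AF_PACKET socket with a BPF filter instead of a TCP/UDP listener, so port-based checks see nothing, but every such socket still appears in /proc/net/packet and its inode can be matched to the owning process through /proc/<pid>/fd. The allowlist, sample table and process names below are constructed assumptions.

```python
"""Hunt for processes holding raw AF_PACKET sockets on a Linux host.
Added example: enumerate raw packet sockets (the kind a BPF-filtering
implant uses) and report any held by a process not on an allowlist."""
import os
import re
from typing import Dict, List, Tuple

SOCK_RAW = 3  # value of the Type column for raw (link-layer) packet sockets
# Processes that legitimately hold raw packet sockets; assumption, tune per host.
KNOWN_GOOD = {"dhclient", "dhcpcd", "tcpdump", "lldpd", "NetworkManager"}


def parse_proc_net_packet(text: str) -> List[Dict[str, int]]:
    """Parse /proc/net/packet (columns: sk RefCnt Type Proto Iface R Rmem User Inode)."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 9:
            continue
        rows.append({"type": int(f[2]), "proto": int(f[3], 16),
                     "uid": int(f[7]), "inode": int(f[8])})
    return rows


def map_socket_inodes() -> Dict[int, Tuple[int, str]]:
    """Walk /proc/<pid>/fd and map socket inode -> (pid, comm); root sees all pids."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m:
                    owners[int(m.group(1))] = (int(pid), comm)
        except OSError:
            continue                             # process exited or permission denied
    return owners


def find_suspicious_raw_sockets(packet_text, owners, known_good=KNOWN_GOOD):
    """Return (pid, comm, proto) for raw packet sockets held by non-allowlisted processes."""
    hits = []
    for row in parse_proc_net_packet(packet_text):
        if row["type"] != SOCK_RAW:
            continue
        pid, comm = owners.get(row["inode"], (None, "<unknown>"))
        if comm not in known_good:
            hits.append((pid, comm, row["proto"]))
    return hits


# Constructed sample: one tcpdump socket (ETH_P_ALL) and one unexplained raw IP socket
SAMPLE_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a0c1e2b3c00 3      3    0003   2     1 0      0      41237
ffff9a0c1e2b3d00 3      3    0800   0     1 0      0      58821
"""
SAMPLE_OWNERS = {41237: (1301, "tcpdump"), 58821: (2044, "unknown-bin")}  # constructed

if __name__ == "__main__":
    for pid, comm, proto in find_suspicious_raw_sockets(SAMPLE_PACKET, SAMPLE_OWNERS):
        print(f"pid={pid} comm={comm} proto=0x{proto:04x}")
    # live host: find_suspicious_raw_sockets(open("/proc/net/packet").read(), map_socket_inodes())
```

A hit is a lead, not a verdict: confirm by inspecting the process binary, its parent, and whether it was expected to capture traffic on that host.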
Beyond BPFDoor, Red Menshen utilizes a diverse toolkit to maintain their persistence and facilitate data exfiltration. They deploy cross-platform frameworks like CrossC2 and Sliver, along with keyloggers and brute-force utilities to expand their reach within a victim’s network. By combining these highly technical kernel-level implants with traditional post-exploitation tools, the group has created a resilient and nearly invisible infrastructure for long-term espionage. Their ability to remain undetected for years highlights a significant and ongoing challenge for the global telecommunications sector.
Source: https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report/