China-Linked Red Menshen Plants Stealthy BPFDoor Sleeper Cells in Global Telecom Networks
A long-running espionage campaign attributed to the China-linked threat actor Red Menshen has embedded stealthy BPFDoor implants deep inside telecommunications networks, giving the operators covert, long-term access to infrastructure that underpins government communications, subscriber identity systems, and critical national services. Rapid7 Labs described the implants as some of the stealthiest digital sleeper cells it has encountered inside telecom environments. The group is also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18.
According to Rapid7 and subsequent reporting, the activity has targeted major telecom providers across Asia and the Middle East since at least 2021. The goal is not smash-and-grab disruption. It is strategic pre-positioning for long-term intelligence collection from inside the communications backbone itself.
At the center of the campaign is BPFDoor, a Linux backdoor that behaves very differently from conventional malware. It does not need to open listening ports, maintain obvious command-and-control channels, or beacon in the usual way. Instead, it abuses Berkeley Packet Filter (BPF) functionality to inspect traffic directly inside the kernel and only activates when it receives a specially crafted magic packet. That design allows it to remain dormant for extended periods while still giving attackers a hidden trapdoor into compromised systems.
What makes this intrusion set especially alarming is where the malware is positioned. Rapid7 said the operators are not merely sitting on IT servers at the edge of an enterprise. They are embedding themselves adjacent to telecom signaling systems and the mechanisms that route calls, authenticate devices, and manage subscriber mobility. In samples reviewed by the company, BPFDoor was configured to inspect SCTP traffic, a protocol used in telecom signaling and real-time communication between core 4G and 5G network elements.
That level of access has serious espionage implications. Rapid7 warned that visibility into SCTP traffic can expose SMS contents, IMSI identifiers, source and destination metadata, subscriber identity data, and mobility events. In some scenarios, observing or manipulating signaling operations such as ProvideSubscriberLocation or UpdateLocation could allow an adversary to track the real-world movement of targeted devices. In 5G environments, the same positioning could expose registration requests and Subscription Concealed Identifiers (SUCI), turning a server compromise into population-scale insight into subscriber behavior and location.
The newly observed BPFDoor variants also show that Red Menshen is continuing to refine the platform. Rapid7 found a Layer 7 camouflage capability that hides the trigger for the malware inside what looks like legitimate HTTPS traffic. Instead of relying on a simpler activation packet that defenders might eventually signature, the attackers conceal the trigger inside encrypted web requests that pass through reverse proxies, load balancers, and SSL termination layers before being extracted on the target host.
To make that work reliably, the operators introduced what Rapid7 called a magic ruler mechanism. Because HTTP headers can shift as proxies insert metadata, the attackers pad requests so that a marker such as the string "9999" always lands at a fixed byte offset. The implant then checks that specific position rather than parsing the full header. In observed samples, the ruler used either a 26-byte or 40-byte measurement scheme depending on socket behavior, allowing the command trigger to survive proxy rewriting while still blending into otherwise normal encrypted traffic.
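One way to turn the magic ruler description above into a host-side detection check, as an added example that is not Rapid7's released scanner and not code from the implant. It assumes that the marker is the literal string "9999" named in the reporting, that the candidate byte positions are 26 and 40 (taken from the 26-/40-byte ruler schemes described), and that the request is examined as the target host sees it, after TLS termination and any proxy rewriting. The sample requests are constructed for the demonstration.

```python
"""Detect a fixed-offset trigger marker in plaintext HTTP requests.

Added example, not Rapid7's released scanner and not code from the implant.
Assumptions: the marker is the literal string "9999" named in the reporting,
the candidate byte positions are 26 and 40 (from the 26-/40-byte ruler
schemes described), and the request is inspected as the target host sees it,
after TLS termination and proxy rewriting. All sample requests are constructed.
"""
from typing import List, Tuple

MARKER = b"9999"
RULER_OFFSETS = (26, 40)  # assumed fixed positions, from the reported ruler schemes


def marker_offsets(request: bytes, marker: bytes = MARKER,
                   offsets: Tuple[int, ...] = RULER_OFFSETS) -> List[int]:
    """Offsets at which the marker sits exactly, checked byte-for-byte.

    This mirrors what the reporting says the implant does: it reads a fixed
    position instead of parsing headers, so the detector does the same."""
    return [o for o in offsets if request[o:o + len(marker)] == marker]


def enclosing_line(request: bytes, offset: int) -> bytes:
    """The CRLF-delimited line containing byte `offset`, for analyst triage."""
    start = request.rfind(b"\r\n", 0, offset)
    start = 0 if start < 0 else start + 2
    end = request.find(b"\r\n", offset)
    end = len(request) if end < 0 else end
    return request[start:end]


def scan_request(request: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, line) for every fixed-offset hit.

    A hit is an indicator, not proof: a benign request can place four digits
    there by chance, so the line is returned for review together with the
    host and the process that received the request."""
    return [(o, enclosing_line(request, o)) for o in marker_offsets(request)]


# Constructed samples (not captured traffic) ---------------------------------
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
# marker present, but not at a ruler position: the fixed-offset check ignores it
STRAY = b"GET /index.html HTTP/1.1\r\nHost: a.test\r\nX-Trace: 9999\r\n\r\n"
# filler in a header value sized so that "9999" lands exactly on byte 26
PINNED_26 = b"GET /a HTTP/1.1\r\nX-Id: XXX9999abc\r\nHost: a.test\r\n\r\n"
# longer request line, filler re-sized so that the marker lands on byte 40
PINNED_40 = b"POST /api/v1/item HTTP/1.1\r\nX-Id: XXXXXX9999abc\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("stray", STRAY),
                      ("pinned-26", PINNED_26), ("pinned-40", PINNED_40)]:
        print(name, scan_request(req))
```

Because the check is positional, the STRAY sample shows why a plain substring search for "9999" is the wrong rule: it would fire on the harmless trace header and miss the point that the implant only cares about the fixed byte. Run the scan on requests logged at the application host, not at the edge, since that is the view the implant gets.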
Rapid7 also documented an ICMP-based control channel that extends the backdoor beyond pure stealth activation. In the newer variant, ICMP packets are used as lightweight control signals between already compromised systems. One infected server can forward specially crafted ICMP traffic to another, effectively relaying instructions internally without relying on more obvious command-and-control patterns. This gives the operators a way to orchestrate lateral movement through internal telecom infrastructure while staying close to protocol behavior that often attracts less scrutiny than overt remote shells.
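A detection heuristic for the internal ICMP control channel described above, written as an added example that is not from Rapid7 or from the implant. It assumes that ordinary pings between internal hosts carry one of two well-known payload patterns (the Linux iputils timestamp followed by the 0x10, 0x11, ... sequence, or the Windows alphabet string) and that echo traffic between two internal addresses with any other payload deserves a look. The packets are built inside the script as constructed fixtures, not captured from a network.

```python
"""Flag internal-to-internal ICMP echo traffic whose payload is not a standard ping.

Added example, not from Rapid7 or the implant. Heuristic assumption: normal
pings use the Linux iputils pattern (8-byte timestamp then 0x10, 0x11, ...)
or the Windows alphabet pattern; anything else between two internal hosts is
worth a second look. Packets below are constructed, not captured.
"""
import ipaddress
import struct
from typing import Dict, List, Optional

WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_icmp(pkt: bytes) -> Optional[Dict]:
    """Minimal IPv4 + ICMP parser; returns None for anything that is not ICMP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8:  # IP protocol 1 = ICMP
        return None
    icmp = pkt[ihl:]
    icmp_type, code, _ = struct.unpack("!BBH", icmp[:4])
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "type": icmp_type,
        "code": code,
        "checksum_ok": inet_checksum(icmp) == 0,  # a valid checksum sums to zero
        "payload": icmp[8:],  # bytes after type/code/checksum/id/sequence
    }


def is_standard_ping_payload(payload: bytes) -> bool:
    """True for the Linux iputils or Windows default echo payloads."""
    if len(payload) >= 8:
        expected = bytes((0x10 + i) & 0xFF for i in range(len(payload) - 8))
        if payload[8:] == expected:
            return True
    return len(payload) > 0 and payload == WINDOWS_PATTERN[:len(payload)]


def flag_internal_icmp(packets: List[bytes], internal: str) -> List[Dict]:
    """Parsed echo/reply packets that stay inside `internal` and carry an
    unusual payload. Other ICMP types are left to normal network monitoring."""
    net = ipaddress.IPv4Network(internal)
    flagged = []
    for pkt in packets:
        p = parse_ipv4_icmp(pkt)
        if p is None or p["type"] not in (0, 8):
            continue
        if ipaddress.IPv4Address(p["src"]) not in net or ipaddress.IPv4Address(p["dst"]) not in net:
            continue
        if not is_standard_ping_payload(p["payload"]):
            flagged.append(p)
    return flagged


def build_echo(src: str, dst: str, payload: bytes, icmp_type: int = 8) -> bytes:
    """Build an IPv4 echo packet with valid checksums (fixture for the demo)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


# Constructed samples ---------------------------------------------------------
LINUX_PING = build_echo("10.0.1.5", "10.0.1.9", bytes(8) + bytes(range(0x10, 0x40)))
WINDOWS_PING = build_echo("10.0.1.5", "10.0.1.9", WINDOWS_PATTERN)
ODD_PAYLOAD = build_echo("10.0.1.5", "10.0.1.9", b"opaque-blob-1234")
EXTERNAL = build_echo("10.0.1.5", "203.0.113.7", b"opaque-blob-1234")

if __name__ == "__main__":
    for hit in flag_internal_icmp([LINUX_PING, WINDOWS_PING, ODD_PAYLOAD, EXTERNAL], "10.0.0.0/8"):
        print(hit["src"], "->", hit["dst"], hit["payload"])
```

The external sample is deliberately not flagged: the reporting describes ICMP used as a relay between already compromised internal systems, so the rule scopes itself to internal address space where unusual echo payloads are rarer and easier to review. Tools that ping with custom payloads will still trip it, so treat hits as a triage queue rather than an alert.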
Another telling feature is the malware’s effort to blend into telecom and bare-metal environments. Rapid7 found samples masquerading as legitimate hardware monitoring or infrastructure services, including process names associated with HPE ProLiant environments. One observed process name, hpasmlited, was designed to mimic daemon-style behavior consistent with legitimate hardware services. This kind of service masquerading helps the implant disappear into operational noise, especially in high-performance telecom environments where such monitoring components are common.
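A host triage check for the service masquerading described above, combined with the kernel-level visibility Rapid7 recommends, as an added example that is not Rapid7's scanner. It assumes that the genuine hpasmlited service lives under a small set of install prefixes (EXPECTED_PREFIXES is a guess, not a verified HPE layout), that a handful of named capture and network daemons are the only processes expected to own packet sockets, and that the implant's in-kernel traffic inspection is visible as an AF_PACKET socket listed in /proc/net/packet. The snapshot used for the demonstration is constructed; snapshot_live() reads a real /proc tree when run on Linux.

```python
"""Triage processes that claim a hardware-monitoring name but do not look like
the real service, or that hold a packet socket without a good reason.

Added example, not Rapid7's scanner. Assumptions: EXPECTED_PREFIXES guesses
where the vendor service would be installed; PACKET_SOCKET_OK lists daemons
that legitimately own packet sockets; the implant's kernel-side inspection
appears as an AF_PACKET socket in /proc/net/packet. SNAPSHOT is constructed.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

EXPECTED_PREFIXES: Dict[str, Tuple[str, ...]] = {
    "hpasmlited": ("/opt/hp/", "/usr/sbin/", "/sbin/"),  # assumed install locations
}
PACKET_SOCKET_OK = {"tcpdump", "tshark", "dhclient", "dhcpcd",
                    "NetworkManager", "systemd-networkd", "lldpd"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass(frozen=True)
class Proc:
    pid: int
    comm: str            # /proc/<pid>/comm, the name ps shows
    exe: str             # readlink of /proc/<pid>/exe, "" if unreadable
    packet_socket: bool  # owns a socket inode listed in /proc/net/packet


def assess(p: Proc) -> List[str]:
    """Reasons this process deserves analyst attention (empty means none found)."""
    reasons = []
    exe = p.exe.replace(" (deleted)", "")
    if p.exe.endswith(" (deleted)"):
        reasons.append("executable unlinked from disk")
    if exe and os.path.basename(exe) != p.comm:
        reasons.append(f"process name {p.comm!r} does not match binary {exe!r}")
    if exe.startswith(TEMP_DIRS):
        reasons.append("binary runs from a temporary directory")
    prefixes = EXPECTED_PREFIXES.get(p.comm)
    if prefixes and exe and not exe.startswith(prefixes):
        reasons.append(f"{p.comm} outside expected install prefixes")
    if p.packet_socket and p.comm not in PACKET_SOCKET_OK:
        reasons.append("holds a packet socket but is not a known capture/network daemon")
    return reasons


def triage(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every process with at least one finding."""
    return {p.pid: r for p in procs if (r := assess(p))}


def packet_socket_inodes() -> Set[str]:
    """Socket inodes from /proc/net/packet (the last column of each data row)."""
    inodes = set()
    try:
        with open("/proc/net/packet") as fh:
            next(fh)  # skip the header row
            for line in fh:
                inodes.add("socket:[%s]" % line.split()[-1])
    except OSError:
        pass
    return inodes


def snapshot_live() -> List[Proc]:
    """Read every readable /proc/<pid> (Linux only; run as root for full coverage)."""
    inodes = packet_socket_inodes()
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{pid}"
        try:
            comm = open(f"{base}/comm").read().strip()
            exe = os.readlink(f"{base}/exe") if os.path.exists(f"{base}/exe") else ""
            fds = [os.readlink(f"{base}/fd/{fd}") for fd in os.listdir(f"{base}/fd")]
        except OSError:
            continue  # process exited or is not ours to inspect
        procs.append(Proc(int(pid), comm, exe, any(fd in inodes for fd in fds)))
    return procs


# Constructed snapshot (not taken from a real host) ---------------------------
SNAPSHOT = [
    Proc(1201, "hpasmlited", "/opt/hp/hp-health/bin/hpasmlited", False),  # plausible vendor service
    Proc(4410, "hpasmlited", "/dev/shm/hpasmlited", True),                # temp dir and packet socket
    Proc(5120, "hpasmlited", "/usr/local/bin/.cache (deleted)", True),   # renamed, unlinked binary
    Proc(2000, "tcpdump", "/usr/sbin/tcpdump", True),                     # allowed capture tool
]

if __name__ == "__main__":
    for pid, reasons in triage(SNAPSHOT).items():
        print(pid, *reasons, sep="\n  ")
```

The name alone proves nothing either way, which is why the checks compare the process name against the binary it actually runs, where that binary lives, and whether the process has opened a packet socket at all. A genuine hardware-monitoring daemon has no reason to hold one; a process that does, while wearing that name, is the combination the reporting describes.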
The campaign does not rely on BPFDoor alone. Reporting says Red Menshen typically begins by exploiting exposed edge infrastructure such as VPN appliances, firewalls, and internet-facing platforms tied to vendors including Ivanti, Cisco, Juniper Networks, Fortinet, VMware, Palo Alto Networks, and Apache Struts. Once inside, the operators deploy additional tooling such as CrossC2, Sliver, TinyShell, keyloggers, and brute-force utilities to harvest credentials and move laterally before positioning BPFDoor for persistence.
The broader significance of the research is that it shows a mature espionage model built around pre-positioning rather than immediate action. These are not smash-and-grab intrusions. They are sleeper footholds placed inside the telecom backbone well in advance of operational use. For defenders, that means compromise may not present as ransomware, overt disruption, or noisy exfiltration at first. It may look like nothing at all until a strategically timed activation occurs.
Rapid7 says telecom operators should treat detection as the start of an investigation, not the end of one. The company has released an open-source scanning script to help identify BPFDoor activity and says organizations need visibility into kernel and packet-filtering layers, where traditional endpoint and network monitoring often have blind spots. That guidance is especially important because the latest BPFDoor variants are explicitly designed to bypass multiple defensive layers at once, from TLS inspection at the edge to IDS analysis in transit and host-based monitoring on the endpoint.