BPFDoor Linux kernel implants leveraged by Red Menshen for stealthy telecom espionage

First reported

26.03.2026 19:40

Last updated

1 unique sources, 1 articles

Summary

Hide ▲

A China-nexus threat group, tracked as Red Menshen (aka Earth Bluecrow, DecisiveArchitect, Red Dev 18), has conducted a multi-year espionage campaign targeting telecom providers in the Middle East and Asia by deploying stealthy Linux kernel-level implants. The adversary abuses Berkeley Packet Filter (BPF) functionality to embed passive backdoors (BPFDoor) that activate via crafted network packets, avoiding detectable listeners or C2 channels. Initial access is obtained via internet-facing edge services (e.g., VPNs, firewalls) from vendors including Ivanti, Cisco, Juniper, Fortinet, VMware, Palo Alto, and Apache Struts. Post-exploitation includes deployment of frameworks like CrossC2 and Sliver, alongside credential harvesting tools, enabling lateral movement. BPFDoor’s functionality extends to telecom-native protocols (e.g., SCTP), potentially granting visibility into subscriber behavior, location tracking, and surveillance of high-value targets. A newly documented variant enhances evasion by concealing trigger packets within legitimate HTTPS traffic at fixed byte offsets and introducing ICMP-based lightweight communication between infected hosts.

Timeline

26.03.2026 19:40 1 articles · 4h ago

BPFDoor variant enhances evasion with HTTPS-embedded triggers and ICMP-based lateral movement
A previously undocumented BPFDoor variant has been identified deploying new evasion techniques, including embedding activation triggers within legitimate HTTPS traffic at fixed byte offsets and introducing ICMP-based communication between infected hosts. These enhancements expand the implant’s ability to operate undetected in telecom and enterprise environments while facilitating internal lateral movement.
Show sources

China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks — thehackernews.com — 26.03.2026 19:40
Open in new tab

Information Snippets

Red Menshen has conducted espionage against telecom providers in the Middle East and Asia since at least 2021.
First reported: 26.03.2026 19:40

1 source, 1 article
Show sources
- China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks — thehackernews.com — 26.03.2026 19:40
BPFDoor is a Linux backdoor that abuses BPF to inspect network traffic in-kernel and activate only upon receiving a preconfigured "magic" packet, avoiding persistent listeners or beaconing.
First reported: 26.03.2026 19:40

1 source, 1 article
Show sources
- China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks — thehackernews.com — 26.03.2026 19:40
Initial access is gained via internet-facing infrastructure such as VPN appliances, firewalls, and web-facing platforms from vendors including Ivanti, Cisco, Juniper, Fortinet, VMware, Palo Alto Networks, and Apache Struts.
First reported: 26.03.2026 19:40

1 source, 1 article
Show sources
- China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks — thehackernews.com — 26.03.2026 19:40
Post-exploitation tooling includes CrossC2, Sliver, TinyShell (Unix backdoor), keyloggers, and brute-force utilities for credential harvesting and lateral movement.
First reported: 26.03.2026 19:40

1 source, 1 article
Show sources
- China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks — thehackernews.com — 26.03.2026 19:40
BPFDoor contains two components: a passive backdoor deployed on compromised Linux systems and a controller that sends specially formatted activation packets, including the ability to masquerade as legitimate processes and trigger lateral movement.
First reported: 26.03.2026 19:40

1 source, 1 article
Show sources
- China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks — thehackernews.com — 26.03.2026 19:40
BPFDoor artifacts support SCTP, enabling potential monitoring of telecom-native protocols to track subscriber behavior and location data.
First reported: 26.03.2026 19:40

1 source, 1 article
Show sources
- China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks — thehackernews.com — 26.03.2026 19:40
A previously undocumented BPFDoor variant conceals trigger packets within seemingly legitimate HTTPS traffic by embedding a "9999" string at a fixed byte offset, minimizing detection risk.
First reported: 26.03.2026 19:40

1 source, 1 article
Show sources
- China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks — thehackernews.com — 26.03.2026 19:40
The new BPFDoor variant introduces a lightweight communication mechanism using ICMP for interactions between infected hosts.
First reported: 26.03.2026 19:40

1 source, 1 article
Show sources
- China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks — thehackernews.com — 26.03.2026 19:40

Summary

Timeline

BPFDoor variant enhances evasion with HTTPS-embedded triggers and ICMP-based lateral movement

Information Snippets