Red Menshen telecom espionage campaign
Campaign
Summary
A China-nexus Red Menshen operation has sustained covert access in telecom networks across the Middle East and Asia, increasing the risk of government espionage and long-term persistence. The cluster is also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18. It uses BPFDoor, kernel-level implants, and credential-harvesting tooling to remain hidden and move laterally. Initial access often starts through VPN appliances, firewalls, and other internet-facing edge services.
Related Happenings
Akamai acquires LayerX for secure enterprise browser expansion
Industry Action
First: 22.05.2026 18:43
Last: 22.05.2026 18:43
Sources 1
About this happening:
Akamai Technologies agreed to acquire **LayerX** for **$205 million**, expanding its **secure enterprise browser** and **ZTNA** capabilities. The move gives Akamai a browser-layer...
Secret Blizzard Kazuar modular P2P botnet
Malware Activity
First: 16.05.2026 17:15
Last: 16.05.2026 17:15
Sources 1
About this happening:
**Kazuar** is being used in a **multi-stage campaign in Ukraine** that ESET says likely involves **Gamaredon** providing access and **Turla/Secret Blizzard** delivering the backdo...
TrickMo Android banking trojan variant with TON C2 and network pivots
Malware Activity
First: 12.05.2026 15:50
Last: 12.05.2026 15:50
Sources 1
About this happening:
A new **TrickMo** Android banking trojan variant now uses **The Open Network (TON)** for C2, turning infected phones into **network pivots** and **traffic-exit nodes**. It was obs...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets
Campaign
First: 01.05.2026 17:02
Last: 01.05.2026 17:02
Sources 1
About this happening:
**SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...
Timeline
26.03.2026 19:40 · 2 articles · 2mo ago
Red Menshen telecom espionage tradecraft and BPFDoor persistence
Technical Analysis Update
A long-running Red Menshen campaign inside telecom networks has used BPFDoor kernel-level implants, CrossC2, Sliver, TinyShell, keyloggers, and brute-force utilities to persist, harvest credentials, and move laterally after initial access through internet-facing VPN appliances, firewalls, and web-facing platforms tied to Ivanti, Cisco, Juniper Networks, Fortinet, VMware, Palo Alto Networks, and Apache Struts. The activity also includes BPFDoor artifacts that support SCTP, a newer variant that hides its trigger packet inside HTTPS traffic behind a "9999" marker at a fixed byte offset, and ICMP-based communication between infected hosts, all of which give the operators low-noise visibility into telecom and government environments.
Sources
- China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks — thehackernews.com — 26.03.2026 19:40