Red Menshen telecom espionage campaign
Campaign
Summary
Hide ▲
Show ▼
A China-nexus Red Menshen operation has sustained covert access in telecom networks across the Middle East and Asia, increasing the risk of government espionage and long-term persistence. The cluster is also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18. It uses BPFDoor, kernel-level implants, and credential-harvesting tooling to remain hidden and move laterally. Initial access often starts through VPN appliances, firewalls, and other internet-facing edge services.
Related Happenings
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware Activity
H score31
First: 09.07.2026 21:08
Last: 09.07.2026 21:08
Sources 1
About this happening:
The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware ActivityAbout this happening: The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...
TrojPix air-gap covert channel turns video cables into a high-speed exfiltration path
Technical Analysis
H score20
First: 06.07.2026 11:50
Last: 06.07.2026 11:50
Sources 1
About this happening:
**TrojPix** introduces a new **air-gap exfiltration** technique that uses **imperceptible pixel modulation** and **video cable emissions** to move data out of isolated systems, ra...
TrojPix air-gap covert channel turns video cables into a high-speed exfiltration path
Technical AnalysisAbout this happening: **TrojPix** introduces a new **air-gap exfiltration** technique that uses **imperceptible pixel modulation** and **video cable emissions** to move data out of isolated systems, ra...
CL-STA-1062 Southeast Asia critical infrastructure campaign using TinyRCT
Campaign
H score18
First: 26.06.2026 13:30
Last: 26.06.2026 13:30
Sources 1
About this happening:
A **China-linked** campaign by **CL-STA-1062** is targeting **government entities** and **critical infrastructure** across **Southeast Asia**, with activity reaching **state-owned...
CL-STA-1062 Southeast Asia critical infrastructure campaign using TinyRCT
CampaignAbout this happening: A **China-linked** campaign by **CL-STA-1062** is targeting **government entities** and **critical infrastructure** across **Southeast Asia**, with activity reaching **state-owned...
Initial access broker (IAB) campaign expands across multiple victims
Campaign
H score89
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Initial access broker (IAB) campaign expands across multiple victims
CampaignAbout this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Latest development: 23.06.2026 13:30
On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.
Sniper Dz free PhaaS ecosystem rebranded to scale phishing operations
Threat Actor Meta
H score43
First: 12.06.2026 11:52
Last: 12.06.2026 11:52
Sources 1
About this happening:
A long-running **Sniper Dz** ecosystem operated as a **free phishing-as-a-service (PhaaS)** platform that repeatedly rebranded, lowering the barrier for large-scale credential the...
Sniper Dz free PhaaS ecosystem rebranded to scale phishing operations
Threat Actor MetaAbout this happening: A long-running **Sniper Dz** ecosystem operated as a **free phishing-as-a-service (PhaaS)** platform that repeatedly rebranded, lowering the barrier for large-scale credential the...
Latest development: 15.06.2026 09:30
Fraudulent Facebook accounts impersonating politicians, public figures, and trusted organizations targeted users across the Middle East and North Africa with fake offers for free mobile internet packages, financial compensation, and government subsidy programs, then routed victims through Linkbio and Linktree decoy pages into Sniper Dz phishing and traffic monetization infrastructure that abuses browser notification permissions, back-button hijacking, tab-under redirections, premium SMS subscriptions, premium-rate calls, and investment scams.
Timeline
-
26.03.2026 19:40 2 articles · 3mo ago
Red Menshen telecom espionage tradecraft and BPFDoor persistence
Technical Analysis UpdateA long-running Red Menshen campaign inside telecom networks has used BPFDoor kernel-level implants, CrossC2, Sliver, TinyShell, keyloggers, and brute-force utilities to persist, harvest credentials, and move laterally after initial access through internet-facing VPN appliances, firewalls, and web-facing platforms tied to Ivanti, Cisco, Juniper Networks, Fortinet, VMware, Palo Alto Networks, and Apache Struts. The activity also includes BPFDoor artifacts that support SCTP, a newer variant that hides its trigger packet inside HTTPS traffic with a fixed-byte-offset "9999" marker, and ICMP-based communication between infected hosts, expanding low-noise visibility into telecom and government environments.
Show sources
- China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks — thehackernews.com — 26.03.2026 19:40
- China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks — thehackernews.com — 26.03.2026 19:40