Close Menu
    What's Hot

    UAC-0145 Uses ClickFix CAPTCHAs to Infect Ukrainian Devices wih Malware

    Thinking Machines is coming for Anthropic’s intellectual vibe

    The World Cup conundrum of Europe’s far right – Live Updates

    Facebook X (Twitter) Instagram
    Trending
    • UAC-0145 Uses ClickFix CAPTCHAs to Infect Ukrainian Devices wih Malware
    • Thinking Machines is coming for Anthropic’s intellectual vibe
    • The World Cup conundrum of Europe’s far right – Live Updates
    • Why is China protesting about the nationalisation of British Steel? | International Trade News
    • The Search for Another Earth-Like Planet Just Took a Big Step Forward
    • UK steel quota concessions to seal India deal pose risk to Welsh plant, say insiders
    • World Cup final predictions and best bets: Back Spain to surge as Argentina’s engine empties | Football News
    • Democrats look to World Cup watch parties to register thousands of voters
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks

    adminBy adminMarch 26, 2026No Comments4 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks
    Share
    Facebook Twitter LinkedIn Pinterest Email

    China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks

    A long-term and ongoing campaign attributed to a China-nexus threat actor has embedded itself in telecom networks to conduct espionage against government networks.

    The strategic positioning activity, which involves implanting and maintaining stealthy access mechanisms within critical environments, has been attributed to Red Menshen, a threat cluster that’s also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18. The group has a track record of striking telecom providers across the Middle East and Asia since at least 2021.

    Rapid7 described the covert access mechanisms as “some of the stealthiest digital sleeper cells” ever encountered in telecommunications networks.

    The campaign is characterized by the use of kernel-level implants, passive backdoors, credential-harvesting utilities, and cross-platform command frameworks, giving the threat actor the ability to persistently inhabit networks of interest. One of the most recognized tools in its malware arsenal is a Linux backdoor called BPFDoor.

    “Unlike conventional malware, BPFdoor does not expose listening ports or maintain visible command-and-control channels,” Rapid7 Labs said in a report shared with The Hacker News. “Instead, it abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the kernel, activating only when it receives a specifically crafted trigger packet.”

    Cybersecurity

    “There is no persistent listener or obvious beaconing. The result is a hidden trapdoor embedded within the operating system itself.”

    The attack chains begin with the threat actor targeting internet-facing infrastructure and exposed edge services, such as VPN appliances, firewalls, and web-facing platforms associated with Ivanti, Cisco, Juniper Networks, Fortinet, VMware, Palo Alto Networks, and Apache Struts, to obtain initial access.

    Upon gaining a successful foothold, Linux-compatible beacon frameworks such as CrossC2 are deployed to facilitate post-exploitation activities. Also dropped are Sliver, TinyShell (a Unix backdoor), keyloggers, and brute-force utilities to facilitate credential harvesting and lateral movement.

    Central to Red Menshen’s operations, however, is BPFDoor. It features two distinct components: One is a passive backdoor deployed on the compromised Linux system to inspect incoming traffic for a predefined “magic” packet by installing a BPF filter and spawning a remote shell upon receiving such a packet. The other integral part of the framework is a controller that’s administered by the attacker and is responsible for sending the specially formatted packets.

    “The controller is also designed to operate within the victim’s environment itself,” Rapid7 explained. “In this mode, it can masquerade as legitimate system processes and trigger additional implants across internal hosts by sending activation packets or by opening a local listener to receive shell connections, effectively enabling controlled lateral movement between compromised systems.”

    What’s more, certain BPFDoor artifacts have been found to support the Stream Control Transmission Protocol (SCTP), potentially enabling the adversary to monitor telecom-native protocols and gain visibility into subscriber behavior and location, and even track individuals of interest.

    These aspects demonstrate that the functionality of BPFdoor goes beyond a stealthy Linux backdoor. “BPFdoor functions as an access layer embedded within the telecom backbone, providing long-term, low-noise visibility into critical network operations,” the security vendor added.

    It doesn’t end there. A previously undocumented variant of BPFdoor incorporates architectural changes to make it more evasive and stay undetected for prolonged periods in modern enterprise and telecom environments. These include concealing the trigger packet within seemingly legitimate HTTPS traffic and introducing a novel parsing mechanism that ensures the string “9999” appears at a fixed byte offset within the request.

    Cybersecurity

    This camouflage, in turn, allows the magic packet to stay hidden inside HTTPS traffic and avoid causing shifts to the position of data inside the request, and allows the implant to always check for the marker at a specific byte offset and, if it’s present, interpret it as the activation command.

    The newly discovered sample also debuts a “lightweight communication mechanism” that uses the Internet Control Message Protocol (ICMP) for interacting between two infected hosts.

    “These findings reflect a broader evolution in adversary tradecraft,” Rapid7 said. “Attackers are embedding implants deeper into the computing stack — targeting operating system kernels and infrastructure platforms rather than relying solely on user-space malware.”

    “Telecom environments — combining bare-metal systems, virtualization layers, high-performance appliances, and containerized 4G/5G core components — provide ideal terrain for low-noise, long-term persistence. By blending into legitimate hardware services and container runtimes, implants can evade traditional endpoint monitoring and remain undetected for extended periods.”

    BPFDoor ChinaLinked Implants Menshen Networks red Spy Stealthy Telecom
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleHow the Meta and YouTube child safety rulings end Big Tech invincibility
    Next Article My brief, weird time with the Samsung TriFold
    admin
    • Website

    Related Posts

    UAC-0145 Uses ClickFix CAPTCHAs to Infect Ukrainian Devices wih Malware

    July 19, 2026

    Man Utd 0-1 Wrexham: Andrey Santos makes Red Devils debut in opening pre-season loss in Helsinki | Football News

    July 18, 2026

    New GoSerpent Malware Targets Southeast Asian Governments and Diplomats for Espionage

    July 18, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    UAC-0145 Uses ClickFix CAPTCHAs to Infect Ukrainian Devices wih Malware

    Thinking Machines is coming for Anthropic’s intellectual vibe

    The World Cup conundrum of Europe’s far right – Live Updates

    Why is China protesting about the nationalisation of British Steel? | International Trade News

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by