China Linked Red Menshen Hides BPFDoor Implants Inside Telecom Networks
Stealth implants target telecom cores
A sustained espionage campaign has embedded kernel-level implants inside telecommunications infrastructure. Rapid7 called the access mechanisms “some of the stealthiest digital sleeper cells” ever seen in telecoms. The activity is linked to an actor tracked as Red Menshen by PwC and other firms.
How the implant works
At the center is a Linux and Unix backdoor known as BPFDoor. Rapid7 Labs explained that BPFDoor “does not expose listening ports or maintain visible command-and-control channels.” The implant uses the Berkeley Packet Filter to inspect traffic inside the kernel. It waits for a carefully crafted trigger packet. When the marker appears, BPFDoor spawns a shell. That gives attackers remote command access without opening ports or producing obvious network beacons.
Security researcher Kevin Beaumont observed that the implant parses ICMP, UDP, and TCP packets and looks for a magic value and, for TCP and UDP, a password. Beaumont showed that ICMP probes can be used as a low-friction wake-up. Craig Rowland at Sandfly Security described how BPFDoor can alter local iptables rules to redirect attacker traffic through legitimate ports. Rowland said, “For instance, the implant can redirect all traffic from the attacker using TCP port 443 to the shell. Externally, the traffic will look like TLS traffic but, in fact, the attacker is interacting with a remote root shell.”
Tools and post exploitation
Researchers say Red Menshen deploys other tooling after initial access. PwC reported the group uses CrossC2 beacons on Linux, Sliver, TinyShell, keyloggers, and brute-force utilities. PwC also found Gh0st RAT and custom Mangzamel variants in Windows post-exploitation, along with open-source tools such as Mimikatz and Metasploit.
Rapid7 and PwC have both shown that BPFDoor includes two pieces. One is a passive kernel listener that checks traffic for the magic packet. The other is a controller that the attacker can use to send those specially formed packets. Rapid7 warned the controller can run inside the victim environment and “masquerade as legitimate system processes” to trigger implants across internal hosts.
Telecom specific risks
Some BPFDoor builds support SCTP. Rapid7 noted that SCTP support means the implant can observe telecom-native protocols. That raises the risk of visibility into subscriber behavior and location. Rapid7 summed this up by saying BPFDoor can act as “an access layer embedded within the telecom backbone, providing long-term, low-noise visibility into critical network operations.”
ExaTrack researcher Tristan Pourcelot documented naming and evasion tactics. He found many variants that masquerade as normal daemons and use hard-coded command keywords or MD5 hashes. Florian Roth located older BPFDoor source code online, which helps explain the rapid evolution and variant proliferation.
Evading detection
BPFDoor hides in memory. Rowland reported anti-forensics steps such as wiping the process environment and timestomping file dates. The implant loads a BPF sniffer so it can see packets in front of local firewalls. That makes firewall rules ineffective by design. Rowland said defenders who rely on static file hashes or who avoid Linux EDR agents are vulnerable. He warned, “People fly naked with Linux often and stuff like this happens.”
Rapid7 and independent analysts also described a newer BPFDoor variant that hides trigger data inside normal HTTPS requests. The implant checks for a marker at a fixed byte offset. If present, the payload activates. The variant also uses ICMP for low-weight peer communications. Rapid7 commented that attackers are embedding implants deeper in the stack by targeting kernels and infrastructure rather than just user-space.
What operators should do now
Experts recommend targeted hunting and behavior-based detection. Sandfly suggests inspecting BPF attachments and abnormal iptables changes. Beaumont and Rowland both published methods to probe for live implants safely. PwC urged defenders to monitor internet-facing edge appliances and to examine VPS and router chains tied to command infrastructure.
These findings show the threat is long-lived and tailored for telecom environments. Rapid7, PwC, Sandfly, and independent researchers agree the implants are built for low-noise persistence. Detection requires the right telemetry and focused threat hunting.
#BPFDoor #RedMenshen #TelecomSecurity #KernelThreats #CyberEspionage #ThreatHunting