Red Menshen Espionage Campaign
A persistent and highly strategic cyber-espionage campaign linked to a China-aligned threat actor has successfully embedded itself within telecommunications networks. The primary objective is to surveil and infiltrate government-related infrastructure by leveraging telecom environments as a gateway.
This long-running operation is attributed to the threat cluster known as Red Menshen, also tracked under aliases such as Earth Bluecrow, DecisiveArchitect, and Red Dev 18. Since at least 2021, the group has consistently targeted telecom providers across the Middle East and Asia, establishing deep-rooted and covert access within critical systems.
Digital Sleeper Cells: Advanced Persistence Techniques
Security researchers have characterized the access mechanisms used in this campaign as among the most covert ever observed in telecom networks. These techniques function like digital sleeper cells, remaining dormant and undetected until activated.
The attackers rely on a combination of highly advanced tools and techniques, including:
- Sniffer-style implants whose packet filter runs inside the kernel (the BPFDoor process itself runs in user space and holds a raw socket)
- Passive backdoors that avoid traditional detection methods
- Credential-harvesting utilities for gathering sensitive access data
- Cross-platform command-and-control frameworks enabling flexible operations
These capabilities allow the threat actor to maintain long-term persistence while minimizing detectable activity.
BPFDoor: The Invisible Backdoor in the Kernel
At the center of this campaign lies BPFDoor, a Linux backdoor built around stealth rather than feature count. Unlike a conventional implant, it generates no network indicator of its own until the operator uses it.
Instead of opening a port or holding a channel to a server, BPFDoor uses the Berkeley Packet Filter (BPF) facility of the Linux kernel: the implant opens a raw packet socket and attaches a filter that discards every packet except those carrying a specific 'magic' sequence. The kernel does the inspection; the implant process receives nothing until the trigger arrives.
With no persistent listener and no beaconing, there is nothing for a port scan or a netflow baseline to pick up while the implant is dormant. The trigger can be sent to any port, open or closed, because the raw socket sees the packet before the TCP/UDP stack rejects it. Once activated the implant typically connects back to the operator, so the main network artefact is a short-lived outbound connection rather than a standing one, which is why conventional monitoring rarely catches it.
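The passive trigger design described above, as an added illustration that is not BPFDoor's code or the researchers' analysis: a classic BPF program that lets through only IPv4/UDP frames whose payload starts with a marker, encoded exactly as the kernel expects for SO_ATTACH_FILTER, plus a small interpreter so the behaviour can be checked on constructed frames without root. The marker value, the protocol choice and the fixed payload offset are assumptions for the example, not BPFDoor's real constants.

```python
import struct

# Classic BPF opcodes (linux/bpf_common.h): class | size | mode, jump | cond | src.
LD_W_ABS = 0x20   # BPF_LD | BPF_W | BPF_ABS : A = 32-bit word at pkt[k]
LD_H_ABS = 0x28   # BPF_LD | BPF_H | BPF_ABS : A = 16-bit half at pkt[k]
LD_B_ABS = 0x30   # BPF_LD | BPF_B | BPF_ABS : A = byte at pkt[k]
JEQ_K    = 0x15   # BPF_JMP | BPF_JEQ | BPF_K : pc += (A == k) ? jt : jf
RET_K    = 0x06   # BPF_RET | BPF_K           : return k (bytes to accept, 0 = drop)

# Assumed trigger marker for this example: ASCII "9999" at the start of the UDP payload.
MAGIC = 0x39393939
# Offsets for an AF_PACKET socket seeing Ethernet frames with an option-less IPv4 header:
# 12 = ethertype, 23 = IPv4 protocol byte, 42 = first UDP payload byte (14 + 20 + 8).
ETH_TYPE_OFF, IP_PROTO_OFF, UDP_PAYLOAD_OFF = 12, 23, 42

# Accept only IPv4/UDP frames whose payload starts with MAGIC; drop everything else,
# so the user-space process wakes up only for the trigger packet.
TRIGGER_FILTER = [
    (LD_H_ABS, 0, 0, ETH_TYPE_OFF),
    (JEQ_K,    0, 5, 0x0800),           # not IPv4 -> jump to final RET 0
    (LD_B_ABS, 0, 0, IP_PROTO_OFF),
    (JEQ_K,    0, 3, 17),               # not UDP  -> jump to final RET 0
    (LD_W_ABS, 0, 0, UDP_PAYLOAD_OFF),
    (JEQ_K,    0, 1, MAGIC),            # no marker -> jump to final RET 0
    (RET_K,    0, 0, 0xFFFF),           # marker found: hand the frame to user space
    (RET_K,    0, 0, 0),
]

def pack_filter(prog):
    """Encode as an array of struct sock_filter {u16 code; u8 jt; u8 jf; u32 k},
    the byte layout setsockopt(SOL_SOCKET, SO_ATTACH_FILTER) takes."""
    return b"".join(struct.pack("HBBI", *insn) for insn in prog)

def run_cbpf(prog, pkt):
    """Interpreter for the opcodes used above, following the kernel's semantics:
    an out-of-bounds load drops the packet, RET k returns k."""
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        if code in (LD_W_ABS, LD_H_ABS, LD_B_ABS):
            size = {LD_W_ABS: 4, LD_H_ABS: 2, LD_B_ABS: 1}[code]
            if k + size > len(pkt):
                return 0
            acc = int.from_bytes(pkt[k:k + size], "big")
            pc += 1
        elif code == JEQ_K:
            pc += 1 + (jt if acc == k else jf)
        elif code == RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")
    raise ValueError("filter fell off the end")

def build_frame(proto, payload):
    """Constructed test frame: Ethernet + minimal IPv4 (no options) + an 8-byte
    UDP-shaped header + payload. Checksums stay zero; the filter never reads them."""
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(payload), 0, 0, 64,
                     proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    l4 = struct.pack("!HHHH", 40000, 443, 8 + len(payload), 0)
    return eth + ip + l4 + payload

def accepts(pkt):
    """True if the filter would deliver this frame to the implant process."""
    return run_cbpf(TRIGGER_FILTER, pkt) != 0

if __name__ == "__main__":
    print(accepts(build_frame(17, b"9999" + b"hello")))   # UDP carrying the marker
    print(accepts(build_frame(17, b"GET / HTTP")))        # UDP without the marker
    print(accepts(build_frame(6, b"9999" + b"hello")))    # TCP, same marker
    print(len(pack_filter(TRIGGER_FILTER)), "bytes of filter")
```

Attaching pack_filter() output to a raw AF_PACKET socket (root required) is all the implant needs to wait for the trigger while receiving none of the host's other traffic, and the destination port in the trigger is irrelevant to the match, which is why a closed port is as good as an open one.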
Initial Compromise: Exploiting Edge Infrastructure
The attack chain typically begins by targeting internet-facing systems and edge devices. These include VPN gateways, firewalls, and web-facing services, particularly those associated with major enterprise technologies.
Once initial access is achieved, the attackers deploy a suite of post-exploitation tools to expand their control. These include frameworks like CrossC2, along with Sliver, TinyShell, keyloggers, and brute-force utilities. Together, these tools enable credential harvesting, internal reconnaissance, and lateral movement across compromised environments.
Dual-Component Architecture: Control and Activation
BPFDoor operates through a two-part architecture designed for precision and stealth. One component resides on the compromised system, passively monitoring incoming traffic for a predefined trigger packet. Upon detection, it activates by spawning a remote shell.
The second component is a controller operated by the attacker. This controller sends specially crafted packets to activate implants and can also function within the victim's environment. When deployed internally, it can disguise itself as legitimate system processes, coordinate additional infections, and facilitate controlled lateral movement between systems.
Telecom-Level Surveillance: Beyond Traditional Backdoors
Certain variants of BPFDoor demonstrate capabilities that extend beyond standard backdoor functionality. Support for the Stream Control Transmission Protocol (SCTP) enables monitoring of telecom-specific communications.
This capability allows attackers to gain insight into subscriber activity, track user behavior, and potentially determine physical locations of individuals of interest. As a result, BPFDoor effectively serves as a surveillance layer embedded within telecom infrastructure, providing long-term, low-noise visibility into sensitive operations.
Evasion Reinvented: New Variants and Stealth Enhancements
A newly identified variant of BPFDoor introduces architectural improvements designed to enhance evasion and longevity. Key advancements include:
- Concealing trigger packets within seemingly legitimate HTTPS traffic
- Enforcing a fixed byte offset marker ('9999') for reliable activation detection
- Introducing ICMP-based communication between infected hosts for low-profile interaction
These techniques allow malicious traffic to blend seamlessly with normal network activity, significantly reducing the likelihood of detection while maintaining reliable command execution.
Evolving Tradecraft: Deeper Into the Stack
The campaign highlights a broader shift in attacker methodology. Instead of relying solely on user-space malware, adversaries are increasingly embedding implants deeper within the computing stack, particularly at the kernel and infrastructure levels.
Telecom environments are especially attractive targets due to their complexity, which includes bare-metal systems, virtualization layers, high-performance networking hardware, and containerized 4G/5G core components. By integrating with legitimate services and runtime environments, these implants can evade traditional endpoint defenses and persist undetected for extended periods.
Conclusion: A New Frontier in Cyber Espionage
This campaign demonstrates a significant evolution in cyber-espionage tactics. By leveraging telecom infrastructure and kernel-level stealth mechanisms, attackers achieve long-term, low-visibility access to highly sensitive environments.
The use of tools like BPFDoor, combined with new evasion techniques and deep integration into the host, signals a growing challenge for defenders. Detecting and mitigating such threats requires visibility into lower layers of the stack: inventorying which processes hold raw packet sockets and attached BPF filters (on Linux, ss -0pb lists both), checking that each such process's on-disk binary and command line agree, and hunting for short-lived outbound shells rather than waiting for a beacon that never comes.
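The host-level check the conclusion calls for, written as an added example and not as any vendor's or researcher's tooling: enumerate AF_PACKET sockets from /proc/net/packet, map them to their owning processes through /proc/<pid>/fd, and flag owners whose binary is deleted, lives in a scratch directory, or whose argv[0] disguises a different executable. The sample process table and inode numbers are constructed for the example; the list of expected packet-socket owners is an assumption to be tuned per site.

```python
import os
import re
from dataclasses import dataclass, field

# Directories a long-lived network daemon would not normally execute from. Sniffer
# implants of the BPFDoor kind are reported to run from memory-backed or scratch
# paths and to unlink their own binary; both are visible through /proc/<pid>/exe.
SCRATCH_DIRS = ("/dev/shm", "/tmp", "/var/tmp", "/run")
# Programs that legitimately hold packet sockets on a typical host (assumption).
EXPECTED_OWNERS = {"tcpdump", "dhclient", "dhcpcd", "NetworkManager", "lldpd",
                   "wpa_supplicant", "systemd-networkd"}

@dataclass
class Proc:
    pid: int
    argv0: str                      # first element of /proc/<pid>/cmdline
    exe: str                        # target of the /proc/<pid>/exe symlink
    socket_inodes: set = field(default_factory=set)

def parse_proc_net_packet(text):
    """Return the inode of every AF_PACKET socket listed in /proc/net/packet."""
    inodes = set()
    for line in text.splitlines()[1:]:          # first line is the column header
        cols = line.split()
        if len(cols) >= 9:
            inodes.add(int(cols[-1]))           # Inode is the last column
    return inodes

def flags_for(proc, packet_inodes):
    """Heuristics for a packet-socket owner whose identity does not add up."""
    if not (proc.socket_inodes & packet_inodes):
        return []
    flags = []
    exe_name = os.path.basename(proc.exe.replace(" (deleted)", ""))
    argv_name = os.path.basename(proc.argv0)
    if proc.exe.endswith(" (deleted)"):
        flags.append("binary deleted from disk")
    if proc.exe.startswith(SCRATCH_DIRS):
        flags.append("running from scratch directory")
    if argv_name and argv_name != exe_name:
        flags.append(f"argv[0] {argv_name!r} does not match exe {exe_name!r}")
    if exe_name not in EXPECTED_OWNERS:
        flags.append("unexpected owner of a packet socket")
    return flags

def scan(procs, packet_text):
    """Map pid -> list of findings for every process that owns a packet socket."""
    inodes = parse_proc_net_packet(packet_text)
    return {p.pid: f for p in procs if (f := flags_for(p, inodes))}

def read_live_procs():
    """Collect the same fields from the real /proc (Linux; run as root to see all)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            argv = open(f"/proc/{pid}/cmdline", "rb").read().split(b"\0")
            exe = os.readlink(f"/proc/{pid}/exe")
            inodes = set()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m:
                    inodes.add(int(m.group(1)))
        except OSError:
            continue                            # exited, or not ours to inspect
        procs.append(Proc(pid, argv[0].decode(errors="replace"), exe, inodes))
    return procs

# Constructed sample (invented pids, inodes and paths): a legitimate tcpdump and a
# sniffer that calls itself udevd, runs from /dev/shm and has deleted its binary.
SAMPLE_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c 3      3    0003   2     1 0      0      31337
ffff9a2d 3      3    0800   0     1 0      0      40123
"""
SAMPLE_PROCS = [
    Proc(1201, "tcpdump", "/usr/bin/tcpdump", {31337, 31338}),
    Proc(1744, "/sbin/udevd", "/dev/shm/.sys-helper (deleted)", {40123}),
    Proc(1, "/sbin/init", "/usr/lib/systemd/systemd", {77}),
]

if __name__ == "__main__":
    for pid, flags in scan(read_live_procs(), open("/proc/net/packet").read()).items():
        print(pid, "; ".join(flags))
```

The scan only sees what the attacker has not hidden from /proc, so it complements rather than replaces network-side hunting for the short outbound connections that follow a trigger; it does, however, catch the common combination of a packet socket, a deleted binary and a borrowed daemon name in one pass.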