China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks
Red Menshen: The Invisible "Sleeper Cells" Targeting Global Telecom Networks
A sophisticated, long-term espionage campaign is currently targeting telecommunications providers across Asia and the Middle East. Attributed to the China-nexus threat actor known as Red Menshen, the operation represents what researchers are calling some of the most stealthy "digital sleeper cells" ever discovered in critical infrastructure.
By embedding kernel-level implants deep within the telecom backbone, the group has successfully maintained persistence to spy on government networks and track high-value individuals for years.
TL;DR
Red Menshen (aka Earth Bluecrow) is using highly evasive Linux backdoors called BPFDoor to compromise telecom providers. These implants allow the attackers to hide within the operating system kernel, monitoring internal traffic and moving laterally across networks without maintaining visible command-and-control channels. The campaign has recently evolved to include new variants that hide within legitimate HTTPS traffic and use ICMP for inter-host communication.
Profile of the Threat Actor: Red Menshen
Red Menshen, also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18, has been active since at least 2021. Their primary objective appears to be strategic positioning—establishing and maintaining long-term, low-noise access within critical environments to facilitate espionage.
The group specifically targets the "telecom backbone," which provides a vantage point to monitor subscriber behavior, track locations, and gain visibility into sensitive government communication passing through these providers.
The Initial Foothold: Targeting the Edge
The attack chain begins by exploiting vulnerabilities in internet-facing infrastructure. Red Menshen targets exposed edge services and appliances from major vendors, including:
- VPN appliances and firewalls (Cisco, Ivanti, Juniper Networks, Fortinet, Palo Alto Networks)
- Virtualization platforms (VMware)
- Web-facing platforms (Apache Struts)
Once initial access is achieved, the attackers deploy a suite of post-exploitation tools, including Sliver, CrossC2, and TinyShell, alongside keyloggers and brute-force utilities to harvest credentials and move laterally.
The Core Threat: BPFDoor
The centerpiece of Red Menshen’s arsenal is BPFDoor, a Linux backdoor that operates differently from traditional malware. Instead of opening a listening port or "beaconing" out to a server, actions that often trigger security alerts, BPFDoor relies on Berkeley Packet Filter (BPF) functionality.
How it Works:
- Passive Monitoring: The implant sits directly inside the kernel, inspecting all incoming network traffic.
- Magic Packets: It remains dormant until it identifies a specifically crafted "trigger" or "magic" packet.
- Remote Shell: Once the packet is received, the implant spawns a remote shell for the attacker.
- Internal Controller: The attackers also use a controller within the victim’s environment that can masquerade as legitimate system processes to trigger implants on other internal hosts.
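The passive-monitoring design described above has a host-side footprint a defender can look for: to see every incoming packet without listening on a port, the implant needs a raw packet socket (with a BPF filter attached) owned by some process. The script below is an added example, not code from the article or from any of the research it cites. It reads the kernel's /proc/net/packet table, maps each AF_PACKET socket inode to the process holding it, and prints triage notes (raw socket on all protocols, executable deleted after launch, argv[0] not matching the real binary, which is one way a process can masquerade as a legitimate system service). The sample /proc/net/packet text, the process names and the "(deleted)" path in the test data are constructed; the /proc paths and column layout are standard Linux.

```python
"""Hunt for processes holding AF_PACKET (raw) sockets on a Linux host.

Added example (not from the article). Run as root for full coverage;
without it, other users' /proc/<pid>/fd directories are unreadable.
"""
import os
import re
from pathlib import Path

SOCK_RAW = 3        # socket type column value for SOCK_RAW
ETH_P_ALL = 0x0003  # protocol value meaning "every frame on the wire"

# Constructed sample in the layout of /proc/net/packet:
#   sk RefCnt Type Proto Iface R Rmem User Inode
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   0     1 0      0      12345
0000000000000000 3      2    0800   2     1 0      0      67890
"""


def parse_packet_sockets(text: str) -> list:
    """One record per AF_PACKET socket: type, protocol, interface index, inode."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] == "sk":   # skip header / short lines
            continue
        records.append({
            "type": int(parts[2]),        # 3 == SOCK_RAW, 2 == SOCK_DGRAM
            "proto": int(parts[3], 16),   # hex; 0x0003 == ETH_P_ALL
            "iface": int(parts[4]),       # 0 == not bound to one interface
            "inode": int(parts[8]),
        })
    return records


def describe_process(pid_dir: Path) -> dict:
    """Collect comm, cmdline and the resolved exe link for one /proc/<pid>."""
    def read(name: str) -> str:
        try:
            raw = (pid_dir / name).read_bytes()
        except OSError:
            return ""
        return raw.replace(b"\0", b" ").decode(errors="replace").strip()
    try:
        exe = os.readlink(pid_dir / "exe")
    except OSError:
        exe = ""
    return {"pid": int(pid_dir.name), "comm": read("comm"),
            "cmdline": read("cmdline"), "exe": exe}


def inode_owners(inodes: set, proc: Path = Path("/proc")) -> dict:
    """Map socket inode -> list of process descriptions whose fd table holds it."""
    owners = {}
    for pid_dir in proc.iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            fds = list((pid_dir / "fd").iterdir())
        except OSError:
            continue                       # permission denied or process exited
        for fd in fds:
            try:
                target = os.readlink(fd)
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m and int(m.group(1)) in inodes:
                owners.setdefault(int(m.group(1)), []).append(describe_process(pid_dir))
    return owners


def triage_notes(sock: dict, proc: dict) -> list:
    """Analyst hints for one (socket, owning process) pair; empty list == nothing odd."""
    notes = []
    if sock["type"] == SOCK_RAW and sock["proto"] == ETH_P_ALL:
        notes.append("SOCK_RAW socket capturing every protocol (ETH_P_ALL)")
    if sock["type"] == SOCK_RAW and sock["iface"] == 0:
        notes.append("raw socket not bound to a single interface")
    if proc["exe"].endswith(" (deleted)"):
        notes.append("executable was deleted from disk after launch")
    argv0 = proc["cmdline"].split(" ", 1)[0] if proc["cmdline"] else ""
    exe_base = os.path.basename(proc["exe"].replace(" (deleted)", ""))
    # Interpreters (python, perl) produce benign mismatches here; review, don't auto-block.
    if argv0 and exe_base and os.path.basename(argv0) != exe_base:
        notes.append(f"argv[0] {argv0!r} does not match executable {exe_base!r}")
    return notes


def hunt(proc: Path = Path("/proc")) -> list:
    """Live sweep of the host: returns (socket, process, notes) triples."""
    socks = parse_packet_sockets((proc / "net" / "packet").read_text())
    owners = inode_owners({s["inode"] for s in socks}, proc)
    return [(s, p, triage_notes(s, p)) for s in socks for p in owners.get(s["inode"], [])]


if __name__ == "__main__":
    for sock, info, notes in hunt():
        print(f"pid {info['pid']} ({info['comm']}) exe={info['exe']} inode={sock['inode']}")
        for n in notes:
            print("   -", n)
```

Legitimate raw-socket owners (DHCP clients, packet-capture tools, some monitoring agents) will appear too; the point is to make the list short enough that an analyst can review every entry, and to pair each socket with the process and binary behind it.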
Monitoring Telecom-Native Protocols
Recent analysis by Rapid7 found that certain BPFDoor artifacts now support the Stream Control Transmission Protocol (SCTP). This is significant because SCTP is frequently used in telecommunications signaling. By monitoring this protocol, Red Menshen can gain visibility into subscriber data and movement, potentially tracking individuals of interest in real-time.
Evolution of Stealth: New BPFDoor Variants
Red Menshen has recently introduced an undocumented variant of BPFDoor designed to bypass modern enterprise monitoring. The new features include:
- HTTPS Camouflage: The "magic" trigger packet is now hidden within seemingly legitimate HTTPS traffic.
- Fixed Offset Parsing: To avoid detection as the surrounding data changes, the implant activates only when it finds a specific string ("9999") at a fixed byte offset within a request.
- ICMP Communication: A new lightweight communication mechanism allows two infected hosts to interact using the Internet Control Message Protocol (ICMP).
Conclusion
The Red Menshen campaign represents a broader shift in adversary tradecraft. By moving away from user-space malware and embedding implants deeper into the computing stack—specifically operating system kernels and containerized 4G/5G components—attackers can effectively "disappear" into the infrastructure.
As telecom environments continue to integrate bare-metal systems and complex virtualization layers, these "digital sleeper cells" present a significant challenge for traditional endpoint monitoring systems, requiring a more specialized approach to network traffic analysis and kernel-level security.