Red Menshen’s Upgraded BPFdoor: How China’s Stealthiest Backdoor Infiltrates Global Telecom Networks

Executive Summary

A China-nexus threat group tracked as Red Menshen (also known as Earth Bluecrow, DecisiveArchitect, and Red Dev 18) has deployed a significantly upgraded version of its Linux backdoor BPFdoor against global telecommunications providers. According to research published by Rapid7 Labs, the malware abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic inside the kernel, waking only when a specifically crafted trigger packet arrives. The upgraded variant introduces covert ICMP-based command channels, trigger phrases embedded in HTTPS traffic, and process masquerading that hides it from tooling that only watches listening ports and outbound connections. Telecom operators, government network defenders, and critical infrastructure security teams should immediately audit their environments for raw packet sockets with attached filters, unexpected BPF program loads, and anomalous ICMP traffic.


Technical Analysis

Threat Actor Profile

Red Menshen has been active since at least 2021, primarily targeting telecommunications providers across the Middle East, Asia-Pacific, and Europe. Rapid7 described their access mechanisms as "some of the stealthiest digital sleeper cells" ever encountered in telecommunications networks. The group’s operational objective is not smash-and-grab data theft but persistent strategic positioning — embedding long-term access within the infrastructure that nations depend on for critical communications.

Christiaan Beek, vice president of cyber intelligence at Rapid7, stated: "This is not traditional espionage, it is pre-positioning inside the infrastructure that nations depend on."

How BPFdoor Works

BPFdoor is fundamentally different from conventional backdoors. Rather than opening listening ports or maintaining visible command-and-control (C2) channels, it runs as an ordinary user-space process that installs a packet filter in the kernel and then sleeps; only the filter runs in kernel context, and it wakes the process solely for packets that match the trigger.

Key technical characteristics:

  • Packet inspection: attaches a packet filter to a raw AF_PACKET socket so the implant sees every frame that reaches the interface before netfilter rules or the protocol stack handle it. Publicly analysed BPFdoor samples use classic BPF through setsockopt(SO_ATTACH_FILTER), which never touches the bpf() syscall; Rapid7 describes the mechanism generically as BPF abuse, so detection must cover both the socket-filter path and bpf() program loads.
  • No listening ports: opens no TCP or UDP listener. The only socket is the raw packet socket that holds the filter, and the implant stays dormant until a packet matches.
  • Trigger activation: the filter matches specifically crafted trigger phrases; Rapid7 reports the upgraded variant carrying them in HTTPS requests, riding on legitimate TLS traffic.
  • ICMP control channel: uses ICMP echo requests with embedded command payloads; a 0xFFFFFFFF value in the ICMP payload identifies which implant instance should execute.
  • Process masquerading: disguises itself using service names and process arguments associated with HPE ProLiant servers or Kubernetes clusters.
  • Firewall bypass: a packet socket receives a copy of each frame at the link layer, before netfilter evaluates INPUT rules, so host firewall drops do not stop the filter from seeing the trigger. A network IDS or IPS on the path still sees the packet but has nothing to match unless the trigger bytes are known.

As Rapid7 Labs noted: "Unlike conventional malware, BPFdoor does not expose listening ports or maintain visible command-and-control channels. Instead, it abuses Berkeley Packet Filter functionality to inspect network traffic directly inside the kernel, activating only when it receives a specifically crafted trigger packet. There is no persistent listener or obvious beaconing. The result is a hidden trapdoor embedded within the operating system itself."
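The artifact a filter of this kind cannot avoid leaving is a raw packet socket held by some process. The following is an added example for this page, not Rapid7's tooling and not BPFdoor code: it parses /proc/net/packet (one line per AF_PACKET socket, in the layout printed by the kernel's net/packet/af_packet.c), resolves each socket inode to the process holding it through /proc/<pid>/fd, and reports every packet socket not held by an allowlisted program. The allowlist, the sample /proc/net/packet text and the sample owner table are constructed assumptions.

```python
"""Hunt for raw packet sockets, the artifact a BPFdoor-style filter needs.

Added example for this article; not Rapid7's tooling and not BPFdoor's code.
Reads /proc/net/packet and maps each socket inode to its owning process via
/proc/<pid>/fd. The sample data at the bottom is constructed.
"""
import os
import re
from dataclasses import dataclass

ETH_P_ALL = 0x0003   # linux/if_ether.h: receive every protocol
SOCK_RAW = 3         # bits/socket_type.h


@dataclass(frozen=True)
class PacketSocket:
    sock_type: int
    proto: int      # ethertype the socket asked for (host order)
    ifindex: int    # 0 means every interface
    uid: int
    inode: int


def parse_proc_net_packet(text):
    """Parse /proc/net/packet text; the header line is skipped."""
    socks = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9:
            continue
        # columns: sk RefCnt Type Proto Iface R Rmem User Inode
        socks.append(PacketSocket(int(f[2]), int(f[3], 16), int(f[4]),
                                  int(f[7]), int(f[8])))
    return socks


def socket_owners(proc_root="/proc"):
    """Map socket inode -> (pid, comm) by reading every /proc/<pid>/fd link."""
    owners = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            fds = os.listdir(os.path.join(base, "fd"))
        except OSError:          # process exited, or we lack permission
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(base, "fd", fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners[int(m.group(1))] = (int(pid), comm)
    return owners


def suspicious_packet_sockets(socks, owners, allowlist=("tcpdump", "dhclient")):
    """Return packet sockets not held by an allowlisted process name.

    The allowlist is a site-specific assumption. A SOCK_RAW socket on
    ETH_P_ALL bound to ifindex 0 sees every frame on every interface, which
    is what a trigger-packet filter wants, so that property is reported.
    """
    findings = []
    for s in socks:
        pid, comm = owners.get(s.inode, (None, "<no owner found>"))
        if comm in allowlist:
            continue
        findings.append({
            "pid": pid, "comm": comm, "uid": s.uid, "inode": s.inode,
            "sees_all_traffic": (s.sock_type == SOCK_RAW
                                 and s.proto == ETH_P_ALL and s.ifindex == 0),
        })
    return findings


# Constructed sample: two raw ETH_P_ALL sockets, one held by tcpdump and one
# by a process whose name imitates a system daemon (a constructed name).
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   0     1 0      0      40011
0000000000000000 3      3    0003   2     1 0      0      40012
"""
SAMPLE_OWNERS = {40011: (5120, "systemd-journal"), 40012: (777, "tcpdump")}

if __name__ == "__main__":
    with open("/proc/net/packet") as fh:
        live = parse_proc_net_packet(fh.read())
    for finding in suspicious_packet_sockets(live, socket_owners()):
        print(finding)
```

Run it as root so every /proc/<pid>/fd is readable; an owner of "<no owner found>" on a root run means the socket belongs to a process hidden from /proc or in another namespace, which is itself a lead. Cross-check a hit with ss -0pb, which prints the classic BPF filter attached to each packet socket so the trigger bytes it matches can be recovered.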

Attack Chain

Based on the Rapid7 investigation and corroborating reports, Red Menshen’s operational flow follows these stages:

  • Initial Access: exploitation of internet-facing edge infrastructure (VPN appliances, firewalls, and web platforms). Targeted products come from Ivanti, Cisco, Juniper Networks, Fortinet, VMware, Palo Alto Networks, and Apache Struts.
  • Post-Exploitation: deployment of Linux-compatible beacon frameworks for lateral movement, using CrossC2, Sliver, and TinySh.
  • Persistence: installation of the BPFdoor implant, a user-space process that attaches a packet filter to a raw socket (classic BPF via setsockopt(SO_ATTACH_FILTER) in previously analysed samples) or loads one through the bpf() syscall.
  • Command & Control: covert communication via ICMP echo requests with embedded commands; the ICMP payload carries the 0xFFFFFFFF implant selector.
  • Espionage: credential harvesting, traffic monitoring, and data exfiltration from telecom core infrastructure using passive backdoors and credential-harvesting utilities.

The consequence for defenders is that endpoint detection logic built around listening ports, outbound connections, and beaconing never fires. What remains visible is the raw packet socket, the filter attach call, and the child process the implant spawns when a trigger arrives, and those are only caught by tooling that records them.


Impact Assessment

Confirmed Victims and Geographic Scope

The campaign has a confirmed global footprint. According to reporting from multiple sources:

  • Telecommunications providers across Asia-Pacific, Europe, and the Middle East have been compromised, with implants discovered in core routing and switching infrastructure.
  • Viasat was breached as part of broader espionage campaigns tied to the Salt Typhoon cluster, which overlaps with Red Menshen activity.
  • A Canadian telecom provider was also targeted, demonstrating the cross-border nature of these operations.
  • In Europe, breaches affecting Bouygues Telecom, Orange, Free Mobile, and Odido exposed millions of customer records.

Why Telecom Networks Are the Target

Compromising a telecom operator provides extraordinary intelligence value: access to call metadata, SMS content, internet traffic flows, and — critically — the communications of government officials and military personnel who use these networks. Red Menshen’s objective is not disruption but persistent surveillance capability embedded at the infrastructure level.

Broader Implications

As one researcher noted, BPFdoor represents a shift in threat methodology: "They are actually weaponizing our firewalls against us. The malware now hides inside traffic that security systems are forced to trust." This challenges the fundamental assumption that encrypted HTTPS traffic is safe to pass through security boundaries without deep inspection.


Detection & Response

Detecting BPFdoor requires host-level visibility into packet sockets, filter attachment, and process creation, which most organizations do not collect. SIEM rules, EDR agents, and network monitoring that only watch listening ports, outbound connections, or application-layer sessions will not see BPFdoor activity; audit records of the attach call and of a process spawning after an inbound packet will.

  • Audit filter attachment, not only bpf(): the auditd rule auditctl -a always,exit -F arch=b64 -S bpf -k bpf_monitor records eBPF program loads, but a classic filter attached with setsockopt(SO_ATTACH_FILTER) never calls bpf(). Add rules for the raw socket and for the attach call: auditctl -a always,exit -F arch=b64 -S socket -F a0=17 -k raw_socket (AF_PACKET is 17) and auditctl -a always,exit -F arch=b64 -S setsockopt -F a1=1 -F a2=26 -k bpf_attach (SOL_SOCKET is 1 and SO_ATTACH_FILTER is 26 on x86-64 and arm64).
  • Enumerate BPF programs and packet sockets: run bpftool prog show regularly and investigate programs with unknown names or unexpected owners, but note that it lists only programs loaded through bpf(); a classic socket filter does not appear there. List packet sockets together with their attached filter using ss -0pb, or read /proc/net/packet and resolve each inode through /proc/<pid>/fd, and treat any raw socket held by something other than a known sniffer or DHCP client as a lead.
  • Monitor ICMP traffic: flag ICMP echo requests whose payload exceeds 64 bytes or contains the 0xFFFFFFFF marker. Baseline first: the default Linux ping payload is 56 bytes and the Windows default is 32, so a 64-byte threshold produces few false positives on most networks.
  • Process name verification: cross-reference running processes against expected service inventories; BPFdoor masquerades as HPE ProLiant or Kubernetes processes. Because the implant rewrites its own command line, compare /proc/<pid>/exe and /proc/<pid>/cmdline with the binary a genuine service would run; an exe link ending in (deleted), or a binary executing from /dev/shm or /tmp, is a strong lead.
  • Kernel tracing rather than kernel logs: the kernel does not write filter attachment or BPF program loads to dmesg or /var/log/kern.log, so those files will not show the implant. Use the auditd rules above, or trace the setsockopt and bpf syscalls with bpftrace, and correlate with process context.
  • Network flow analysis: look for hosts that never initiate outbound connections but periodically spawn child processes after receiving ICMP packets.
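The ICMP indicators above are easy to mis-implement against raw captures, so here is an added example (not Rapid7's code and not BPFdoor code) that parses IPv4 ICMP echo requests, verifies the ICMP checksum, and reports the two indicators: payload over 64 bytes and the 0xFFFFFFFF marker. Packets are raw IPv4 datagrams without a link-layer header, as read from a SOCK_RAW/IPPROTO_ICMP socket or a pcap with the raw-IP link type. The two sample packets, including the placeholder command string inside the suspicious one, are constructed here so the logic runs offline.

```python
"""Triage ICMP echo requests for oversized payloads and the 0xFFFFFFFF marker.

Added example for this article; not Rapid7's code and not BPFdoor code.
Input is a raw IPv4 datagram (no Ethernet header). Sample packets below
are constructed.
"""
import socket
import struct

ICMP_ECHO_REQUEST = 8
MARKER = b"\xff\xff\xff\xff"          # implant selector reported by Rapid7
MAX_BENIGN_PAYLOAD = 64               # default iputils ping sends 56 bytes


def inet_checksum(data):
    """RFC 1071 ones-complement checksum; returns 0 when run over a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload, src="10.0.0.5", dst="10.0.0.9", ident=0x1234, seq=1):
    """Build IPv4 + ICMP echo request bytes (used here only to construct samples)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0xABCD, 0,
                     64, socket.IPPROTO_ICMP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_icmp_echo(pkt):
    """Return the fields of an ICMP echo request, or None for anything else."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4            # header length honours IP options
    if pkt[9] != socket.IPPROTO_ICMP or len(pkt) < ihl + 8:
        return None
    icmp = pkt[ihl:]
    itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if itype != ICMP_ECHO_REQUEST:
        return None
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "ident": ident,
        "seq": seq,
        "payload": icmp[8:],
        "checksum_ok": inet_checksum(icmp) == 0,
    }


def triage_echo_request(pkt, max_payload=MAX_BENIGN_PAYLOAD, marker=MARKER):
    """Return the reasons the packet is suspicious; an empty list means benign."""
    info = parse_icmp_echo(pkt)
    if info is None:
        return []
    reasons = []
    payload = info["payload"]
    if len(payload) > max_payload:
        reasons.append("payload %d bytes exceeds %d" % (len(payload), max_payload))
    off = payload.find(marker)
    if off != -1:
        reasons.append("marker %s at payload offset %d" % (marker.hex(), off))
    return reasons


# Constructed samples. NORMAL_PING mirrors iputils: an 8-byte timestamp then
# the byte pattern 0x08..0x37, 56 bytes in total. SUSPICIOUS carries the
# marker, a placeholder command string, and zero padding out to 120 bytes.
NORMAL_PING = build_echo_request(struct.pack("!Q", 1711500000) + bytes(range(8, 56)))
SUSPICIOUS = build_echo_request(
    (MARKER + b"\x00\x00\x00\x01" + b"cmd:uname -a").ljust(120, b"\x00"))

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_PING), ("suspicious", SUSPICIOUS)):
        info = parse_icmp_echo(pkt)
        print(name, info["src"], "->", info["dst"], triage_echo_request(pkt) or "ok")
```

A packet that fails the checksum check is still worth keeping: the marker test is what matters, and an implant may not care whether its trigger is well formed. Feed the function from a pcap reader or from a raw socket bound to the interface facing the untrusted side, and tune max_payload to the largest payload your own monitoring tools send.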

Incident Response Steps

  1. Isolate affected hosts from the network immediately. Block external ICMP echo requests at the perimeter.
  2. Enumerate all loaded BPF programs using bpftool and identify those not attributable to legitimate system services.
  3. Preserve forensic images before remediation — kernel-level implants require careful evidence collection.
  4. Eradicate by killing the implant process (a socket filter dies with the socket that holds it; bpftool has no delete subcommand, an eBPF program disappears when its last file descriptor closes, and a pinned one is removed by unlinking it under /sys/fs/bpf), deleting associated binaries, and revoking all credentials accessible from compromised hosts.
  5. Re-image affected systems from known-clean media. BPFdoor itself is a user-space process, but whoever installed it had root, so patching alone is insufficient.
  6. Hunt across the broader environment using the detection indicators above — if one implant is found, assume lateral movement has occurred.

Mitigation & Remediation

  • Critical. Patch internet-facing edge services: update VPN appliances, firewalls, and web platforms from Ivanti, Cisco, Juniper, Fortinet, VMware, Palo Alto Networks, and Apache Struts to the latest versions.
  • High. Restrict BPF usage: set kernel.unprivileged_bpf_disabled=1 via sysctl on systems that do not need unprivileged BPF (there is no sysctl named kernel.bpf_disabled). This blocks bpf() for unprivileged users only; an implant running as root is unaffected, and attaching a socket filter needs CAP_NET_RAW rather than bpf(). Use SELinux or AppArmor policy to confine which domains may create packet sockets and call bpf(), and keep CAP_NET_RAW out of service accounts and containers.
  • High. Harden ICMP handling: drop ICMP echo requests from untrusted external sources at the perimeter firewall and implement ICMP rate limiting.
  • High. Enable kernel audit logging: deploy auditd rules for bpf(), socket(AF_PACKET), and setsockopt(SO_ATTACH_FILTER), and alert on unexpected program loads and filter attachments.
  • Medium. Deploy kernel-aware detection: use tools such as Falco or Sysdig that observe syscalls at the kernel level and can flag anomalous raw-socket and BPF activity.
  • Medium. Credential rotation: rotate all credentials accessible from telecom core infrastructure, particularly those used for network management and routing.
  • Medium. Network segmentation review: ensure that management planes are isolated from data planes, limiting the blast radius of a compromised host.

Timeline

  • 2021: first documented Red Menshen activity targeting telecom providers in the Middle East and Asia.
  • March 27, 2026: Rapid7 Labs publishes its investigation; multiple outlets (DarkReading, The Hacker News, Cybernews, CyberSIXT) report the upgraded BPFdoor variant.

Sources & References

  1. DarkReading. China Upgrades the Backdoor It Uses to Spy on Telcos Globally.
  2. The Hacker News. China-Linked Red Menshen Uses Stealthy BPFDoor Implants.
  3. Cybernews. China hides spy tools deep in telecom networks.
  4. CyberSIXT. China upgrades the backdoor it uses to spy on telcos worldwide.
  5. The CyberSec Guru. China-Linked Red Menshen Plants BPFDoor Sleeper Cells.
  6. IPLogger. China's Red Menshen APT Group Unleashes Upgraded BPFdoor.
