
Ethical Hacking News

A Stealthy Threat Actor Embeds Its Fingerprint: Unveiling the Red Menshen Campaign's BPFDoor Implant


Red Menshen has been linked to various notable incidents of cyber espionage and network security breaches across the Middle East and Asia. The latest development marks a significant escalation in their tactics, with the deployment of stealthy BPFDoor implants within telecom networks. This campaign highlights the evolving threat landscape, where sophisticated actors continually adapt their tactics to evade detection.

  • Security researchers have identified a sophisticated campaign attributed to Red Menshen, a China-nexus threat actor linked to various notable incidents of cyber espionage and network security breaches since 2021.
  • The campaign uses stealthy BPFDoor implants within telecom networks, enabling the threat actor to inspect network traffic directly inside the kernel for surveillance and espionage.
  • The attack chain begins with targeting internet-facing infrastructure associated with prominent companies, providing an initial foothold for the group to access sensitive networks.
  • BPFDoor features a passive backdoor and a controller that administers specially formatted packets, potentially enabling the adversary to monitor telecom-native protocols and gain visibility into subscriber behavior and location.
  • The framework has been found to support the Stream Control Transmission Protocol (SCTP) and incorporates architectural changes for evasiveness and detection avoidance.
  • Red Menshen's campaign highlights the evolving threat landscape, with sophisticated actors adapting their tactics to evade detection and exploit emerging vulnerabilities.



    In a recent revelation, security researchers have identified a sophisticated campaign attributed to a China-nexus threat actor known as Red Menshen. The group has been linked to various notable incidents of cyber espionage and network security breaches across the Middle East and Asia since at least 2021. This latest development marks a significant escalation in Red Menshen's tactics, with the deployment of stealthy BPFDoor implants within telecom networks.

    The BPFDoor implant, a Linux backdoor, has garnered attention for its innovative approach to surveillance and espionage. By leveraging the Berkeley Packet Filter (BPF) functionality within the kernel, BPFDoor enables the threat actor to inspect network traffic directly inside the kernel, activating only when it receives a specifically crafted trigger packet. This unique implementation allows the implant to remain undetected by traditional endpoint monitoring tools, as there is no persistent listener or obvious beaconing.

    The attack chain begins with Red Menshen targeting internet-facing infrastructure and exposed edge services built on products from vendors such as Ivanti, Cisco, Juniper Networks, Fortinet, VMware, and Palo Alto Networks, as well as Apache Struts. These targets provide an initial foothold for the group to obtain access to sensitive networks. Once a foothold is gained, Linux-compatible beacon frameworks such as CrossC2 are deployed to facilitate post-exploitation activities.

    The campaign also includes a range of additional tools, including Sliver, TinyShell (a Unix backdoor), keyloggers, and brute-force utilities, designed to facilitate credential harvesting and lateral movement. However, the central component of Red Menshen's operations is undoubtedly BPFDoor.

    BPFDoor features two distinct components: a passive backdoor deployed on the compromised Linux system to inspect incoming traffic for a predefined "magic" packet, and a controller that administers the specially formatted packets. The controller can operate within the victim's environment itself, masquerading as legitimate system processes and triggering additional implants across internal hosts.
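As an added detection example (not code from the article or from any of the cited researchers), the script below lists which processes on a Linux host hold AF_PACKET raw sockets, the socket type a BPFDoor-style passive backdoor attaches its kernel filter to so it can wait for a trigger packet without opening a listening port. The `/proc/net/packet` sample and the PID-to-inode mapping used for testing are constructed.

```python
"""Hunt for processes owning AF_PACKET sockets on Linux (BPFDoor-style triage).
Added example, not from the article. A hit is a lead, not a verdict: tcpdump,
dhclient and some monitoring agents legitimately hold packet sockets."""
import os
import re

# Constructed sample of /proc/net/packet (Linux 5.x layout): a header line,
# then one socket per line whose last column is the socket inode.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      45678
0000000000000000 3      3    0800   0     1 0      0      99001
"""

def parse_packet_sockets(text):
    """Return the set of inode numbers of AF_PACKET sockets in /proc/net/packet text."""
    inodes = set()
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) >= 9 and fields[-1].isdigit():
            inodes.add(int(fields[-1]))
    return inodes

def socket_inodes_of(pid, proc="/proc"):
    """Return the socket inodes a process holds, read from its /proc/<pid>/fd symlinks."""
    found = set()
    try:
        for fd in os.listdir(f"{proc}/{pid}/fd"):
            m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"{proc}/{pid}/fd/{fd}"))
            if m:
                found.add(int(m.group(1)))
    except OSError:                               # process exited or not ours to read
        pass
    return found

def match_owners(packet_inodes, pid_to_inodes):
    """Map each AF_PACKET socket inode to the sorted PIDs holding it (pure, testable)."""
    return {ino: sorted(pid for pid, inos in pid_to_inodes.items() if ino in inos)
            for ino in packet_inodes}

def scan_host(proc="/proc"):
    """Live scan: every AF_PACKET socket and the processes (pid, comm) that own it."""
    with open(f"{proc}/net/packet") as f:
        packet_inodes = parse_packet_sockets(f.read())
    pids = [p for p in os.listdir(proc) if p.isdigit()]
    owners = match_owners(packet_inodes, {p: socket_inodes_of(p, proc) for p in pids})
    report = {}
    for ino, holders in owners.items():
        names = []
        for p in holders:
            with open(f"{proc}/{p}/comm") as f:
                names.append((int(p), f.read().strip()))
        report[ino] = names
    return report

if __name__ == "__main__":
    for ino, holders in scan_host().items():
        print(f"AF_PACKET socket inode {ino}: {holders or 'no readable owner (run as root)'}")
```

On a live host, `ss -0pb` shows the same packet sockets together with the attached BPF filter bytecode, which is the quicker first look; the script above is useful where `ss` is unavailable or when the output needs to be collected programmatically across a fleet.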

    The BPFDoor framework has also been found to support the Stream Control Transmission Protocol (SCTP), potentially enabling the adversary to monitor telecom-native protocols and gain visibility into subscriber behavior and location. Furthermore, a previously undocumented variant of BPFDoor incorporates architectural changes to make it more evasive and able to stay undetected for prolonged periods.

    These changes include concealing the trigger packet within seemingly legitimate HTTPS traffic and introducing a novel parsing mechanism that ensures the string "9999" appears at a fixed byte offset within the request. Fixing the marker's position means the implant only has to check that one byte offset rather than parse the request, while the surrounding HTTPS traffic camouflages the magic packet from network monitoring.

    The newly discovered sample also debuts a lightweight communication mechanism using the Internet Control Message Protocol (ICMP) for interacting between two infected hosts. This development reflects a broader evolution in adversary tradecraft, as attackers increasingly target operating system kernels and infrastructure platforms rather than relying solely on user-space malware.

    Telecom environments, combining bare-metal systems, virtualization layers, high-performance appliances, and containerized 4G/5G core components, provide ideal terrain for low-noise, long-term persistence. By blending into legitimate hardware services and container runtimes, implants can evade traditional endpoint monitoring and remain undetected for extended periods.

    The Red Menshen campaign serves as a stark reminder of the evolving threat landscape, with sophisticated actors continually adapting their tactics to evade detection and exploit emerging vulnerabilities. As cybersecurity professionals strive to keep pace with these advancements, it is essential to recognize the significance of stealthy implants like BPFDoor and to develop effective countermeasures to prevent such campaigns from succeeding.

    In light of this new discovery, security experts and organizations are encouraged to remain vigilant and proactive in their efforts to detect and mitigate such threats. By staying informed about emerging threats and implementing robust security measures, individuals can significantly reduce the risk of falling prey to sophisticated cyber espionage campaigns like Red Menshen's BPFDoor implant.



  • Published: Thu Mar 26 14:07:21 2026 by llama3.2 3B Q4_K_M
