EXCLUSIVE: China-Linked ‘Red Menshen’ Plants Kernel-Level Sleeper Cells in Global Telecom Networks

The CyberSec Guru


TL;DR

  • A highly sophisticated Chinese threat actor known as Red Menshen (aka Earth Bluecrow, DecisiveArchitect) has successfully compromised major telecommunications providers across Asia and the Middle East.
  • The group utilizes a highly advanced, kernel-level Linux backdoor known as BPFDoor.
  • Unlike traditional malware, BPFDoor operates without open listening ports. It functions as a dormant “sleeper cell,” activating only when a specifically crafted “magic packet” is received.
  • The campaign aims at strategic, long-term espionage. Attackers have gained unprecedented visibility into telecom control planes, weaponizing protocols like SCTP to intercept subscriber data, track individual locations, and monitor communications.
  • Newly discovered variants of BPFDoor by Rapid7 Labs reveal alarming upgrades, including Layer 7 (HTTPS) camouflage via a “magic ruler” mechanism, ICMP tunneling for internal lateral movement, and the ability to masquerade as bare-metal telecom hardware services.

The Invisible Backdoor in the Global Telecom Networks

Telecommunications networks are the central communication system of the modern global economy. They route sensitive government communications, underpin the operational technology of critical industries, and manage the digital identities of billions of global citizens. When these networks are breached, the blast radius extends far beyond a single corporate entity; it becomes an immediate national security crisis.

A months-long, exhaustive investigation by Rapid7 Labs has exposed a chilling reality: an advanced, state-aligned threat actor has spent years quietly embedding some of the stealthiest digital sleeper cells ever discovered directly into the core of the global telecom backbone.

Attributed to a China-nexus threat cluster tracked as Red Menshen (also recognized by security researchers as Earth Bluecrow, DecisiveArchitect, and Red Dev 18), this ongoing campaign eschews smash-and-grab data theft. Instead, the objective is profound, persistent strategic positioning. By deploying a devastatingly quiet Linux backdoor known as BPFDoor, Red Menshen has established covert access mechanisms deep inside telecom infrastructure, remaining undetected since at least 2021.

This investigative report dissects the methodology of Red Menshen, the terrifying technical elegance of BPFDoor, and the severe implications for global communications security.

Architecture diagram of a telecommunications network showing vulnerabilities at the edge and core control planes

Unmasking Red Menshen and the Strategic Targeting of Telecoms

To understand the severity of this threat, one must understand the target. Modern telecommunications networks are highly complex, layered ecosystems. They consist of customer-facing edge infrastructure such as mobile base stations (RAN), broadband gateways, and security appliances which feed into the operator’s IP core.

Deeper still is the control plane. This is the heart of the telecom network, housing subscriber management systems (HLR/HSS/UDM), authentication platforms (AuC), and lawful intercept capabilities. These systems coordinate identity and mobility across international borders using specialized signaling protocols like SS7, Diameter, and SCTP.

Red Menshen’s operations are surgically aimed at this control plane. The group’s modus operandi is not isolated intrusion but the establishment of a repeatable campaign model. By embedding persistent access at the infrastructure layer, Red Menshen gains capabilities that border on science fiction: visibility into raw subscriber identifiers, the interception of authentication exchanges, and the monitoring of sensitive communications involving high-value geopolitical targets.

They are not just hacking servers; they are inhabiting the mechanisms that route national communications.

How the Attack Chains Begin

The intrusion into a multi-billion-dollar telecom provider rarely begins with a Hollywood-style assault on the core database. Instead, Red Menshen leverages the reality of sprawling corporate attack surfaces.

The threat actors systematically target internet-facing infrastructure and exposed edge services. According to threat intelligence, the initial access vectors frequently rely on the exploitation of public-facing applications (MITRE ATT&CK T1190) and the abuse of valid accounts (T1078).

Primary initial access targets include:

  • VPN Appliances: Ivanti Connect Secure.
  • Network Edge Devices: Cisco IOS and Juniper Networks (JunOS) devices.
  • Security Infrastructure: Fortinet firewalls and Palo Alto Networks appliances.
  • Virtualization and Web Platforms: VMware ESXi hosts and Apache Struts.

These devices sit directly on the boundary between the chaotic public internet and the highly sensitive internal telecom environment. Crucially, compromises at this layer often fail to trigger traditional endpoint detection and response (EDR) mechanisms, providing Red Menshen with authenticated, quiet pathways into the provider’s network.

Post-Exploitation and the Telecom Toolchain

Once a foothold is secured at the edge, the attackers transition to post-exploitation, dropping a highly customized arsenal of Linux-compatible malware tailored for telecom environments.

  1. CrossC2: A Cobalt Strike-derived loader engineered specifically for Linux hosts. It provides the command execution, pivoting, and staging capabilities traditionally seen in Windows environments, allowing operators to blend into the Linux-heavy routing systems of the telecom core.
  2. TinyShell: An open-source, passive backdoor framework tailored for FreeBSD and Linux. Customized by Red Menshen, it is frequently deployed on boundary devices like firewalls and virtualization hosts for long-term, low-noise persistence.
  3. Sliver: An increasingly popular open-source command-and-control (C2) framework used for lateral movement.
  4. Custom Bruteforcers and Keyloggers: Attackers utilize SSH brute-forcing utilities pre-populated with credential lists specific to telecom terminology. The presence of targeted usernames like “imsi” (International Mobile Subscriber Identity) showcases a chilling level of contextual awareness and intent to breach subscriber identity systems.

What is BPFDoor, Anyway?

The tools mentioned above are merely the setup. The centerpiece of Red Menshen’s operation is BPFDoor, a malware variant that rewrites the rules of network stealth.

Traditional malware, even advanced variants, generally must expose a listening port to receive commands from an attacker or actively beacon out to an external C2 server. Both of these actions generate network packets that modern firewalls, NetFlow analyzers, and EDR solutions are explicitly designed to catch.

BPFDoor circumvents this entirely by abusing the Berkeley Packet Filter (BPF).

BPF is a legitimate, highly privileged functionality within Unix-like operating systems (commonly used by tools like tcpdump or Wireshark) that processes network packets directly in the kernel space, before they even reach user-space applications.

How the “Trapdoor” Operates:

  1. Passive Installation: BPFDoor does not bind to a visible port. Instead, it installs a custom BPF filter directly inside the Linux kernel.
  2. Silent Inspection: The filter passively inspects all incoming network traffic at the kernel level.
  3. The “Magic Packet”: The malware is looking for a hyper-specific sequence of bytes, i.e. a “magic packet.” If only normal traffic passes through, the malware remains entirely dormant.
  4. Activation: The moment the kernel filter detects the exact byte sequence delivered to a specific destination port, the backdoor activates. It instantly spawns a bind shell or a reverse tunnel, allowing the attacker full remote control.

To a network defender looking at netstat or ss output, the compromised system appears completely pristine. The locker only opens when the exact code is presented; otherwise, it is entirely invisible.

The Implant vs. The Controller Architecture

Rapid7’s analysis revealed that the BPFDoor framework relies on a dual-component architecture:

  • The Implant: The passive backdoor deployed on the victim’s Linux machine, serving as the hidden lock.
  • The Controller: The mechanism used by the attacker to craft and broadcast the magic packets. Shockingly, the controller is often deployed within the victim’s environment. By masquerading as legitimate internal system processes, the internal controller can trigger additional implants across the network, enabling completely silent lateral movement that never traverses the external perimeter.

Weaponizing the Telecom Signaling Plane (SCTP)

While bypassing traditional IT security is alarming, BPFDoor’s true devastation lies in its capability to interface directly with telecom-native protocols.

Researchers discovered that specific BPFDoor variants are hardcoded with BPF instructions to inspect Stream Control Transmission Protocol (SCTP) traffic. SCTP is not used in standard enterprise IT; it is the protocol that underpins Public Switched Telephone Network (PSTN) signaling and real-time communications between core 4G and 5G network elements.

By configuring kernel filters to inspect SCTP, Red Menshen has moved from IT compromise to signaling plane compromise.

The Espionage Implications:

  • Location Tracking: By monitoring signaling operations such as ProvideSubscriberLocation or UpdateLocation carried over SCTP, attackers can actively track the real-world, physical movement of a targeted mobile device.
  • Identity Probing: In 5G networks, monitoring registration requests allows for the capture of Subscription Concealed Identifiers (SUCI), stripping away the privacy protections of modern mobile networks.
  • Metadata Capture: Unsecured signaling exposes SMS contents, IMSI identifiers, and vast troves of communication metadata.

This elevates the intrusion from a corporate data breach to a severe, population-level intelligence collection operation.

The “New” BPFDoor Variants

Adversaries do not remain stagnant. As the cybersecurity community slowly gained awareness of early BPFDoor variants, Red Menshen iterated, deploying a previously undocumented variant that introduces profound architectural upgrades aimed at surviving in highly scrutinized enterprise environments.

1. Layer 7 Camouflage and the “Magic Ruler”

Early BPFDoor triggers relied on simple packet signatures that could theoretically be caught by advanced Intrusion Detection Systems (IDS). The new variant conceals the trigger packet deep within seemingly legitimate, encrypted HTTPS traffic.

Because modern networks use reverse proxies, load balancers, and Web Application Firewalls (WAFs) that rewrite HTTP headers, simple signatures often break. To counter this, Red Menshen engineered a mathematical padding scheme, the “Magic Ruler.” The attackers pad the HTTP request body with filler bytes so that their marker string (e.g., "9999") always lands at an exact, fixed byte offset (either 26 bytes or 40 bytes, depending on socket flags). The malware’s BPF filter no longer parses the complex HTTP header; it simply uses the 26-byte mark as a ruler. If the marker is present at those exact coordinates, the encrypted payload is accepted as a command. This dynamic Layer 7 camouflage allows commands to pass cleanly through enterprise TLS termination and proxy layers.
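To make the body-relative trigger concrete, here is an added example (not from the original post or from Rapid7) of the check an IDS would perform: it locates the HTTP body and tests whether the "9999" marker sits at one of the fixed ruler offsets. The marker and the offsets 26 and 40 are the ones named above; every sample request is constructed for the demo.

```python
# Added example, not from the original post: the body-relative check a detector for the
# "Magic Ruler" trigger performs. Marker "9999" and offsets 26/40 are from the article;
# every sample request below is constructed for the demo.
from typing import Optional

MARKER = b"9999"
RULER_OFFSETS = (26, 40)   # fixed body offsets the article names

def http_body(raw: bytes) -> Optional[bytes]:
    """Return the body of a raw HTTP/1.x request, or None if there is no header/body split."""
    sep = raw.find(b"\r\n\r\n")
    return None if sep == -1 else raw[sep + 4:]

def magic_ruler_offset(raw: bytes) -> Optional[int]:
    """Return the ruler offset at which MARKER sits in the body, or None.

    Measuring from the start of the body (not the packet) is the point: proxies, load
    balancers and WAFs rewrite headers, but the body offset survives untouched.
    """
    body = http_body(raw)
    if body is None:
        return None
    for off in RULER_OFFSETS:
        if body[off:off + len(MARKER)] == MARKER:
            return off
    return None

def sample_request(headers: bytes, body: bytes) -> bytes:
    return headers + b"\r\n\r\n" + body

# Constructed samples: a body padded so the marker lands exactly at byte 26, the same
# body after a reverse proxy added headers, and a benign body that contains "9999"
# at some other position.
PADDED_BODY = b"A" * 26 + MARKER + b"<ciphertext>"
ORIGINAL_HEADERS = (b"POST /api HTTP/1.1\r\nHost: example.invalid\r\n"
                    b"Content-Type: application/octet-stream")
PROXIED_HEADERS = ORIGINAL_HEADERS + b"\r\nX-Forwarded-For: 203.0.113.7\r\nVia: 1.1 edge-lb"
BENIGN_BODY = b"order_id=9999&qty=1"

def demo() -> dict:
    """Run the check over the three constructed requests."""
    return {
        "direct": magic_ruler_offset(sample_request(ORIGINAL_HEADERS, PADDED_BODY)),
        "via_proxy": magic_ruler_offset(sample_request(PROXIED_HEADERS, PADDED_BODY)),
        "benign": magic_ruler_offset(sample_request(ORIGINAL_HEADERS, BENIGN_BODY)),
    }

if __name__ == "__main__":
    print(demo())   # {'direct': 26, 'via_proxy': 26, 'benign': None}
```

The "via_proxy" case is the one that matters: the added headers change nothing because the implant, and therefore the detector, measures from the body, not from the packet start.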

2. The RC4-MD5 Paradox

Despite its modern network evasion, the new controller utilizes a legacy cryptographic combination: RC4-MD5. While deprecated by modern standards, it serves a distinct purpose here. RC4 provides extremely fast, low-latency stream encryption ideal for interactive shells. Furthermore, utilizing legacy, non-standard cryptography can occasionally bypass deep packet inspection engines expecting modern TLS handshakes. Rapid7 notes that this specific cryptographic lineage has been observed in other historic Chinese-nexus malware families, such as RedXOR and PWNIX.

3. ICMP Tunneling for Internal C2 (“Phone Home”)

The new variants introduce a lightweight command-and-control channel utilizing the Internet Control Message Protocol (ICMP), i.e. the “ping” protocol.

This isn’t just an external beacon; it is used for host-to-host control. By inserting a specific hexadecimal value (0xFFFFFFFF, which is -1 when read as a signed 32-bit integer) into an ICMP packet, one infected internal server can pass execution instructions to another. The -1 value acts as a “do not forward” terminal signal, instructing the receiving host to execute the embedded command payload. This allows attackers to manage complex lateral movement across compromised nodes using an incredibly compact, natively trusted network protocol.

Deep Infrastructure Spoofing

Red Menshen’s methods exhibit an intimate understanding of the physical and virtual environments powering 4G and 5G networks. To evade endpoint monitoring, the malware actively mimics the environment it infects.

Mimicking Bare-Metal Hardware (HPE ProLiant): Many telecom core networks run on high-performance bare-metal systems, such as HPE ProLiant servers. BPFDoor has been observed adopting the process name hpasmlited. The real hpasmlited process is HPE’s Agentless Management Service, a legitimate hardware telemetry daemon. By adopting this exact name and spawning expected PID files, the malware becomes virtually indistinguishable from routine hardware operational noise to a system administrator checking task lists.

Spoofing Cloud-Native Containers (Docker/Kubernetes): Modern 5G core elements (like the AMF, SMF, and UDM) operate as Containerized Network Functions inside Kubernetes pods. BPFDoor adapts to this by executing with root privileges and adopting the exact, complex command-line arguments of a legitimate Docker daemon (e.g., /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock). It hides in plain sight within the dense, complex orchestration layers of modern telecom clouds.

The Future of Telecom Defense

The Rapid7 discoveries regarding Red Menshen and BPFDoor represent a watershed moment in threat intelligence. We are witnessing a fundamental paradigm shift in adversary methodology.

State-sponsored attackers are abandoning user-space malware that triggers EDR alarms. Instead, they are pushing their implants deeper down the computing stack, directly into the operating system kernel and the bare-metal infrastructure platforms.

Telecommunications environments, with their blend of raw hardware, complex virtualization, and containerized architectures, provide the ultimate terrain for this low-noise, persistent warfare.

How Defenders Can Detect BPFDoor

Combating kernel-level sleeper cells requires organizations to expand their defensive visibility well beyond the traditional network perimeter.

  1. Hunt for Anomalous Socket Usage: Defenders must monitor Linux systems for unusual raw socket creations (SOCK_RAW) and unexpected PACKET_RX_RING memory allocations, which indicate raw packet filtering behavior.
  2. Scrutinize High-Port Network Activity: While BPFDoor doesn’t maintain listening ports, its activation often spawns bind shells on high, non-standard ports.
  3. Process Baseline Deviation: Strict process baselining is required. Alerting should be configured if known hardware daemon names (like hpasmlited) or container services launch from abnormal binary paths or exhibit unexpected network behavior.
  4. Leverage Advanced Scripting: Threat hunting teams should utilize specialized scanning scripts (like those released by Rapid7) that actively query the kernel for anomalous BPF filter bytecodes and known malicious magic sequences.
  5. Suricata Rules: Deploy highly tuned Suricata network IDS rules that look for the specific ICMP 0xFFFFFFFF padding or the 26-byte “Magic Ruler” offsets within decrypted traffic streams.
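A starting point for items 1, 3 and 4 above, and for the passive-installation mechanism described in the “Trapdoor” section, as an added example that is not the original post’s code or Rapid7’s script: it parses /proc/net/packet, which lists every AF_PACKET socket on a Linux host (the SOCK_RAW ones are where a kernel packet filter of the kind BPFDoor uses is attached), maps socket inodes to their owning processes through /proc/<pid>/fd, and reports raw-socket owners that are not expected capture tools. The allowlist and the sample table are constructed assumptions.

```python
# Added example, not the original post's or Rapid7's code: hunt for raw AF_PACKET sockets
# (where a BPFDoor-style implant attaches its kernel filter) whose owning process is not an
# expected capture tool. The allowlist and the sample data below are constructed.
import os
import re
from dataclasses import dataclass
from typing import Dict, List
SOCK_RAW = 3
EXPECTED_CAPTURE_TOOLS = {"tcpdump", "dhclient", "lldpd"}   # constructed allowlist

@dataclass
class PacketSocket:
    sock_type: int   # 3 = SOCK_RAW, 2 = SOCK_DGRAM
    proto: int       # bound ethertype: 0x0003 = ETH_P_ALL, 0x0800 = IPv4
    inode: int

def parse_proc_net_packet(text: str) -> List[PacketSocket]:
    """Parse /proc/net/packet (columns: sk RefCnt Type Proto Iface R Rmem User Inode)."""
    sockets = []
    for line in text.splitlines()[1:]:               # first line is the column header
        f = line.split()
        if len(f) >= 9:
            sockets.append(PacketSocket(int(f[2]), int(f[3], 16), int(f[8])))
    return sockets

def socket_owners(proc_root: str = "/proc") -> Dict[int, str]:
    """Map socket inode -> process name via /proc/<pid>/fd symlinks (root sees all pids)."""
    owners: Dict[int, str] = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "comm")) as fh:
                comm = fh.read().strip()
            fd_dir = os.path.join(proc_root, pid, "fd")
            for fd in os.listdir(fd_dir):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(os.path.join(fd_dir, fd)))
                if m:
                    owners[int(m.group(1))] = comm
        except OSError:
            continue                                 # process exited or not readable
    return owners

def suspicious_raw_sockets(sockets: List[PacketSocket], owners: Dict[int, str]) -> List[str]:
    """Describe each SOCK_RAW packet socket held by a process outside the allowlist."""
    hits = []
    for s in sockets:
        owner = owners.get(s.inode, "<unknown>")
        if s.sock_type == SOCK_RAW and owner not in EXPECTED_CAPTURE_TOOLS:
            hits.append(f"{owner}(inode {s.inode}, proto 0x{s.proto:04x})")
    return hits

# Constructed sample: tcpdump's capture socket, a raw IPv4 socket owned by a process calling
# itself "hpasmlited" (a hardware daemon has no reason to sniff packets), and a SOCK_DGRAM one.
SAMPLE_TABLE = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c1e00000000 3      3    0003   2     1 0      0      40211
ffff9c1e00000001 3      3    0800   0     1 0      0      40987
ffff9c1e00000002 2      2    0806   2     1 0      0      41002
"""
SAMPLE_OWNERS = {40211: "tcpdump", 40987: "hpasmlited", 41002: "dhclient"}

if __name__ == "__main__":                           # live run on the current host
    with open("/proc/net/packet") as fh:
        print(suspicious_raw_sockets(parse_proc_net_packet(fh.read()), socket_owners()))
```

For each hit, `ss -0pb` prints the classic BPF program attached to that packet socket, which is where the magic-sequence check from item 4 looks.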

Conclusion

The infiltration of the telecom backbone by Red Menshen using BPFDoor is not merely a technical curiosity; it is a masterclass in covert digital espionage. By weaponizing the very fabric of network routing (Berkeley Packet Filters, SCTP signaling, and ICMP messaging), this China-linked group has achieved a terrifying level of persistence.

For the telecommunications sector, the message is clear: the perimeter is an illusion. The adversaries are already inside the core, hiding within the kernel, waiting for the magic packet to arrive. Defeating them will require an unprecedented level of internal visibility, rigorous zero-trust architecture, and cross-border threat intelligence sharing.

Frequently Asked Questions (FAQs)

Q: What is BPFDoor? A: BPFDoor is a highly stealthy, custom Linux backdoor malware. Unlike traditional malware, it does not open listening ports. Instead, it uses Berkeley Packet Filters (BPF) to passively inspect network traffic at the kernel level, activating only when it receives a specific “magic packet.”

Q: Who is Red Menshen? A: Red Menshen is a sophisticated cyber espionage group linked to China. They are also tracked by cybersecurity researchers under aliases such as Earth Bluecrow, DecisiveArchitect, and Red Dev 18. They have actively targeted telecommunications providers in Asia and the Middle East since at least 2021.

Q: Why do hackers target telecommunications networks? A: Telecom networks contain massive amounts of strategic intelligence. Compromising the telecom “control plane” allows state-sponsored actors to track the physical location of subscribers, intercept sensitive government communications, monitor SMS and call metadata, and map out the digital identities of millions of users.

Q: How does BPFDoor evade detection? A: BPFDoor evades detection by operating below user space, where antivirus tools typically look. It avoids showing up on network scans by not maintaining open ports. Newer variants hide their activation commands inside encrypted HTTPS traffic, use ICMP (ping) for internal communications, and rename their processes to look like legitimate hardware or container services (like Docker or HPE telemetry).

Q: What is SCTP and why does it matter in this attack? A: Stream Control Transmission Protocol (SCTP) is a networking protocol crucial for 4G and 5G telecom signaling. By modifying BPFDoor to intercept SCTP traffic, attackers can directly monitor telecom-native communications, allowing them to steal subscriber identities (IMSI) and track mobile device locations in real time.

Q: How can organizations detect BPFDoor? A: Detection requires deep infrastructure visibility. Defenders must look for anomalous raw socket creations on Linux servers, unusual packet filtering rules in the kernel, and processes that spoof legitimate hardware or Docker services. Organizations should also apply advanced Suricata IDS rules and utilize specialized BPF hunting scripts provided by security firms like Rapid7.
