Cybersecurity researchers have uncovered a sophisticated espionage campaign linked to the China-associated threat group Red Menshen, targeting global telecommunications networks with a highly stealthy backdoor known as BPFdoor. The activity, detailed in new findings from Rapid7 Labs, highlights a strategic shift toward long-term, covert surveillance inside critical infrastructure. Unlike disruptive cyberattacks, this campaign focuses on persistence and stealth. Researchers describe the compromised systems as “sleeper cells,” enabling attackers to maintain silent access within telecom environments for extended periods.
Telecommunications networks are a high-value target due to their role in handling mobile identities, call routing, and data transmission. A breach at this level can provide attackers with the ability to monitor communications, track individuals, and collect intelligence at scale. The attackers initially gain access by exploiting vulnerabilities in internet-facing infrastructure, including VPN appliances, firewalls, and virtualized systems. Once inside, they deploy a range of Linux-based post-exploitation tools to move laterally across the network.
Among the tools observed are CrossC2 for command execution and lateral movement, TinyShell for persistent remote access, and custom utilities for SSH brute-force attacks and keystroke logging. These tools are tailored to telecom environments, even incorporating industry-specific identifiers such as “imsi,” reflecting deep operational knowledge. At the core of the campaign is BPFdoor, a kernel-level backdoor that leverages the Berkeley Packet Filter (BPF), a legitimate Linux feature used for packet inspection. Instead of opening network ports or maintaining visible command-and-control connections, BPFdoor embeds itself within the kernel and passively monitors network traffic.
The malware activates only when it detects a specially crafted “magic packet,” which triggers a hidden remote shell. This design allows it to remain undetected by traditional security tools, as it generates minimal observable activity. Recent variants of BPFdoor have introduced capabilities to monitor Stream Control Transmission Protocol (SCTP) traffic, a key protocol used in 4G and 5G signaling systems. By targeting SCTP, attackers can bypass standard IT defenses and gain direct access to telecom core functions.
This level of access enables a range of surveillance activities, including intercepting SMS messages, tracking subscriber identities, and monitoring user locations. In advanced scenarios, attackers can observe signaling data to follow individuals’ movements in near real time.
To maintain long-term access, BPFdoor employs sophisticated evasion strategies. It disguises itself as legitimate system processes, including those associated with enterprise hardware and cloud-native environments. Researchers identified samples mimicking HPE server services and even Kubernetes components used in modern 5G deployments. By blending into expected system activity, the malware avoids detection and complicates incident response efforts.
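The two traits described above, a passive listener that attaches a BPF filter to a packet socket rather than opening a port, and a process that renames itself after a legitimate service, are both visible from the host if you know where to look. The script below is an added example written for this article, not Rapid7's tooling or code from the campaign: it parses the output of `ss -0pb` (iproute2's packet-socket listing; the sample text is constructed and its layout is an assumption about the tool's format) to list processes holding packet sockets with an attached classic-BPF program, and it applies a masquerade heuristic that compares a process's `comm` name and `argv[0]` against the binary it was actually executed from, including the "(deleted)" marker the kernel appends when that binary has been removed from disk. The process records, the allowlist of expected sniffers and the `kube-proxy` lookalike are all constructed for illustration.

```python
"""Host-side triage for BPFdoor-style listeners (added example, not Rapid7's code).

Two checks:
  1. packet sockets that carry a BPF filter, taken from `ss -0pb` output;
  2. processes whose comm / argv[0] does not match the executable they run from.
"""
import os
import re

# Constructed sample of `ss -0pb` output. The layout approximates iproute2's
# packet-socket listing (an assumption, not captured from a real host): one line
# per socket, followed by an indented "bpf filter" line when a program is attached.
SAMPLE_SS_OUTPUT = """\
Netid Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
p_raw 0      0      *:eth0              *                  users:(("tcpdump",pid=1201,fd=3))
\tbpf filter (12): 0x28 0 0 12, 0x15 0 9 2048, 0x30 0 0 23
p_dgr 0      0      *:eth0              *                  users:(("dhclient",pid=812,fd=5))
p_raw 0      0      *:eth0              *                  users:(("kube-proxy",pid=4412,fd=4))
\tbpf filter (30): 0x28 0 0 12, 0x15 0 27 2048, 0x30 0 0 23
"""

# Extracts the owning process from the `users:(("name",pid=N,fd=M))` column.
PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=(?P<fd>\d+)\)')

# Processes that legitimately attach packet filters on this (hypothetical) host.
EXPECTED_SNIFFERS = {"tcpdump", "dhclient", "dhcpcd", "NetworkManager"}


def parse_packet_sockets(ss_output):
    """Return one dict per packet socket: name, pid, fd, has_bpf_filter."""
    sockets = []
    for line in ss_output.splitlines():
        if line.startswith(("p_raw", "p_dgr")):  # raw / datagram packet sockets
            m = PROC_RE.search(line)
            if m:
                sockets.append({"name": m["name"], "pid": int(m["pid"]),
                                "fd": int(m["fd"]), "has_bpf_filter": False})
        elif line.lstrip().startswith("bpf filter") and sockets:
            sockets[-1]["has_bpf_filter"] = True  # belongs to the preceding socket
    return sockets


def flag_bpf_listeners(sockets, expected=EXPECTED_SNIFFERS):
    """Packet sockets with a filter attached whose owner is not an expected sniffer."""
    return [s for s in sockets if s["has_bpf_filter"] and s["name"] not in expected]


def masquerade_findings(proc):
    """Heuristic name-vs-binary check for one process record.

    proc: {"pid": int, "comm": str, "exe": str (readlink of /proc/PID/exe),
           "cmdline": [argv0, ...]}. Returns a list of human-readable reasons.
    """
    reasons = []
    deleted = proc["exe"].endswith(" (deleted)")
    exe_base = os.path.basename(proc["exe"].replace(" (deleted)", ""))
    if deleted:
        reasons.append("binary deleted from disk while still running")
    # comm is capped at 15 characters by the kernel, so compare the truncated name.
    if proc["comm"] and proc["comm"] != exe_base[:15]:
        reasons.append(f"comm {proc['comm']!r} != exe {exe_base!r}")
    argv0 = os.path.basename(proc["cmdline"][0]) if proc["cmdline"] else ""
    if argv0 and argv0 != exe_base:
        reasons.append(f"argv[0] {argv0!r} != exe {exe_base!r}")
    return reasons


# Constructed process records: a genuine tcpdump and a lookalike that renamed
# itself after a Kubernetes component and unlinked its dropper (placeholder path).
SAMPLE_PROCS = [
    {"pid": 1201, "comm": "tcpdump", "exe": "/usr/bin/tcpdump",
     "cmdline": ["tcpdump", "-i", "eth0"]},
    {"pid": 4412, "comm": "kube-proxy", "exe": "/tmp/example-dropper (deleted)",
     "cmdline": ["/usr/local/bin/kube-proxy"]},
]


def scan_live_proc():
    """Run the masquerade check over /proc on this host; returns {pid: reasons}.

    Reading /proc/PID/exe of another user's process needs privilege; entries
    that cannot be read (and kernel threads, which have no exe) are skipped.
    """
    findings = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        base = f"/proc/{entry}"
        try:
            with open(f"{base}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"{base}/exe")
            with open(f"{base}/cmdline", "rb") as fh:
                cmdline = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
        except OSError:
            continue
        reasons = masquerade_findings({"pid": int(entry), "comm": comm,
                                       "exe": exe, "cmdline": cmdline})
        if reasons:
            findings[int(entry)] = reasons
    return findings


if __name__ == "__main__":
    for s in flag_bpf_listeners(parse_packet_sockets(SAMPLE_SS_OUTPUT)):
        print(f"[packet socket + BPF filter] pid={s['pid']} name={s['name']}")
    for p in SAMPLE_PROCS:
        for r in masquerade_findings(p):
            print(f"[masquerade] pid={p['pid']}: {r}")
    # To inspect the local host instead of the constructed samples: print(scan_live_proc())
```

Both checks are triage heuristics rather than signatures: interpreters, symlinked binaries and containers produce benign mismatches, and a legitimate capture tool will show a filter. The value is in the intersection, a filtered packet socket owned by a process whose name does not match its binary on a host that should not be sniffing at all, which is exactly the profile the article describes.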
The campaign underscores a broader trend among state-aligned threat actors prioritizing stealth, persistence, and intelligence gathering over immediate disruption. Detecting threats like BPFdoor requires deep visibility into kernel-level operations and telecom signaling layers, capabilities that many organizations do not yet possess. As telecom networks continue to underpin global connectivity, this campaign serves as a stark reminder of the evolving risks facing critical infrastructure and the increasing sophistication of advanced persistent threats.