Commissioned, Curated and Published by Russ. Researched and written with AI.


What’s New

Date         Update
26 Mar 2026  Rapid7 published its full threat research report on Red Menshen and BPFDoor alongside an open-source scanning script; The Hacker News, SecurityAffairs, Help Net Security, and Cybersecurity Dive all confirmed within 24 hours.

Changelog

Date         Summary
27 Mar 2026  Initial publication based on Rapid7 Labs threat research report.

BPFDoor Sleeper Cells: How Red Menshen Buried Itself in the Telecom Backbone

Rapid7 Labs spent months working through an intrusion that most detection tools would never see. The result is a detailed picture of how a China-nexus threat actor called Red Menshen has been embedding near-invisible backdoors inside telecommunications infrastructure across the Middle East and Asia – and holding them dormant until they are needed.

The mechanism at the center of it is BPFDoor: a Linux backdoor that operates inside the kernel itself, exposes no open ports, generates no visible command-and-control traffic, and activates only when an attacker sends a specific byte sequence – a “magic packet” – to a target port. To a defender reviewing the system surface, nothing looks wrong. The system appears clean.

What BPFDoor Is and Why Standard Detection Misses It

Normal malware leaves traces: an open port, a listening process, outbound connections to unusual IPs. BPFDoor deliberately avoids all of these.

The backdoor abuses Berkeley Packet Filter (BPF) functionality – the same underlying mechanism that tools like tcpdump and libpcap use to inspect network traffic. BPF operates partly in kernel space, intercepting packets before they ever reach user-space applications. BPFDoor installs a custom BPF filter at this layer. The filter does one thing: it watches incoming traffic for a predefined sequence of bytes.

When the correct magic packet arrives at the correct destination port, the filter recognizes it and activates the implant. Until that moment, nothing happens. No open port appears in netstat. No process is visibly listening. When activation occurs, BPFDoor spawns either a bind shell or a reverse shell, giving the attacker remote command execution on the compromised host. The shell disappears once the session ends. The filter stays, dormant again, waiting for the next activation.

Rapid7 describes this as “a shift in stealth tradecraft” – positioning the implant below many traditional visibility layers, significantly complicating detection even when defenders know what they are looking for.

Two Components, One Invisible System

BPFDoor operations consist of two distinct components.

The implant is the passive backdoor deployed on the compromised Linux system. It installs the malicious BPF filter, remains dormant, and silently watches traffic. It does not beacon. It does not maintain persistent connections. It generates no network activity at all unless explicitly triggered.

The controller is operated by the attacker to craft and send the activation packets. Critically, according to Rapid7’s analysis, the controller is designed to operate from within the victim’s environment itself – masquerading as legitimate system processes. This means an attacker already inside the network can activate additional implants across the infrastructure without exposing external C2 channels. The “command and control” traffic looks like internal system communication.

Why Telecommunications Infrastructure

Telecom networks are not just communications companies. They are the substrate carrying government communications, authenticating subscriber identity, routing sensitive signaling, and underpinning the digital infrastructure of entire populations.

The internal architecture of a modern carrier goes deep. Beyond customer-facing services sit subscriber management platforms (HLR/HSS/UDM), authentication platforms (AuC), billing systems, lawful intercept capabilities, and roaming databases. These systems communicate using specialized signaling protocols – SS7, Diameter, SCTP – that handle identity verification, mobility tracking, and cross-border interconnection between operators.

An adversary with persistent kernel-level access inside this environment is not just inside one company. They have a vantage point adjacent to subscriber identifiers, call detail records, authentication exchanges, mobility data, and potentially the lawful intercept mechanisms that governments rely on for legally sanctioned surveillance.

Red Menshen’s positioning here is not a smash-and-grab operation. It is persistent intelligence infrastructure, quietly embedded in systems that governments depend on. Rapid7 describes the goal as “high-level espionage, including against government networks” – reached not by attacking governments directly, but by compromising the backbone those governments route traffic through.

The Campaign: Countries, Tools, and Progression

Rapid7’s investigation found Red Menshen targeting telecom providers across South Korea, Hong Kong, Myanmar, Malaysia, Egypt, and the broader Middle East region. The group has been active in telecom targeting since at least 2021. The BPFDoor source code leaked online in 2022, widening access to the implant, but Red Menshen’s use appears operationally disciplined and sustained.

Initial access does not begin deep inside carrier cores. It begins at the perimeter. Rapid7 observed exploitation of internet-facing infrastructure: Ivanti Connect Secure VPN appliances, Cisco IOS and Juniper JunOS network devices, Fortinet firewalls, VMware ESXi hosts, Palo Alto appliances, and web-facing platforms like Apache Struts. These are not zero-days in exotic telecom-specific systems. They are the same exposed edge devices that every large organization runs – and frequently leaves unpatched.

Once inside, the operators deploy additional tooling. CrossC2 – a Cobalt Strike-derived loader adapted for Linux – provides initial post-exploitation capabilities on a platform where traditional Windows-focused security tooling often has limited coverage. TinyShell, an open-source passive backdoor customized by multiple APT groups, provides longer-term persistence with minimal network footprint. SSH brute force utilities and custom ELF-based keyloggers round out the toolkit for credential harvesting and lateral movement.

The credential lists used in brute force tooling are notably specific. They include usernames like “imsi” – referencing International Mobile Subscriber Identity systems. That level of target awareness indicates operational knowledge of what is being attacked. These are not generic credential spray tools. They are targeting telecom-specific authentication systems with deliberate precision.

Why This Kind of Implant Stays Hidden

Traditional endpoint detection relies on visibility into running processes, open network connections, and file system changes. BPFDoor sidesteps each of these.

The implant operates in kernel space. Most endpoint detection tools operate in user space with limited visibility into raw BPF filter installation and behavior. The implant does not expose a listening process – the activation occurs within the kernel filter itself. The result is that netstat, ss, and similar tools report nothing anomalous.

The dormancy factor compounds this. An implant that never activates generates no behavioral telemetry. Threat hunting tools that look for anomalous outbound connections, unusual process behavior, or lateral movement activity find nothing from an implant sitting silently inside the kernel, generating nothing.
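Both the mechanism section above and the point about netstat and ss reporting nothing rest on the same fact: the implant's only user-space footprint is a raw AF_PACKET socket with a BPF filter attached, which is not a TCP/UDP listener and so is absent from the default netstat/ss views. The following Python script is an added example written for this page, not Rapid7's scanner or any code from the report. It hunts for such sockets the way a responder would on a Linux host: parse /proc/net/packet, map each socket inode back to its owning process through the /proc/<pid>/fd symlinks, and flag raw-socket holders that are not on an allowlist, whose binary has been unlinked, or whose argv[0] does not match the executable (the "disguised as a legitimate system process" pattern). All process names, paths and inode numbers in the sample data are constructed for the example.

```python
"""Hunt for processes holding raw AF_PACKET sockets on a Linux host.

A BPFDoor-style implant needs a packet socket with a BPF filter attached. That
socket is not a TCP/UDP listener, so it never appears in the default output of
netstat or ss, but it is listed in /proc/net/packet, and its owner can be found
by matching the socket inode against the /proc/<pid>/fd symlinks.
The sample /proc data below is constructed; hunt() takes its inputs as
arguments so the same logic runs unchanged on live data from read_live_inputs().
"""
import os
import re
from dataclasses import dataclass, field

SOCK_RAW = 3  # "Type" column of /proc/net/packet: 3 = SOCK_RAW, 2 = SOCK_DGRAM


@dataclass
class PacketSocket:
    inode: int
    sock_type: int
    proto: int  # ethertype the socket asked for; 0x0003 = ETH_P_ALL
    iface: int  # ifindex the socket is bound to; 0 = any interface


@dataclass
class Finding:
    pid: int
    inode: int
    reasons: list = field(default_factory=list)


def parse_proc_net_packet(text: str) -> list:
    """Parse /proc/net/packet: a header line, then one row per packet socket."""
    sockets = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 9:
            continue
        sockets.append(PacketSocket(inode=int(cols[8]), sock_type=int(cols[2]),
                                    proto=int(cols[3], 16), iface=int(cols[4])))
    return sockets


def map_socket_inodes_to_pids(fd_links: dict) -> dict:
    """Invert {pid: [readlink targets of /proc/<pid>/fd/*]} into {inode: pid}."""
    inode_to_pid = {}
    for pid, targets in fd_links.items():
        for target in targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                inode_to_pid[int(m.group(1))] = pid
    return inode_to_pid


def hunt(packet_text: str, fd_links: dict, proc_info: dict, allowlist: set) -> list:
    """Flag raw packet sockets owned by processes outside the allowlist.

    proc_info is {pid: {"exe": readlink of /proc/<pid>/exe,
                        "cmdline": NUL-separated /proc/<pid>/cmdline}}.
    Legitimate capture tools (tcpdump, an IDS sensor) go in the allowlist by basename.
    """
    inode_to_pid = map_socket_inodes_to_pids(fd_links)
    findings = []
    for sock in parse_proc_net_packet(packet_text):
        if sock.sock_type != SOCK_RAW:
            continue
        pid = inode_to_pid.get(sock.inode)
        if pid is None:
            continue  # owner not visible: reading every fd table needs root
        info = proc_info.get(pid, {})
        exe = info.get("exe", "")
        exe_on_disk = exe.replace(" (deleted)", "")
        argv0 = (info.get("cmdline") or "").split("\0")[0]
        if os.path.basename(exe_on_disk) in allowlist:
            continue
        reasons = ["raw packet socket held by a process outside the allowlist"]
        if exe.endswith(" (deleted)"):
            reasons.append("executable was unlinked after the process started")
        if argv0 and os.path.basename(argv0) != os.path.basename(exe_on_disk):
            reasons.append(f"argv[0] {argv0!r} does not match exe {exe!r}")
        findings.append(Finding(pid=pid, inode=sock.inode, reasons=reasons))
    return findings


def read_live_inputs():
    """Collect the three inputs from a real /proc (run as root for full coverage)."""
    with open("/proc/net/packet") as fh:
        packet_text = fh.read()
    fd_links, proc_info = {}, {}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            fd_dir = f"/proc/{pid}/fd"
            fd_links[int(pid)] = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().decode(errors="replace")
            proc_info[int(pid)] = {"exe": os.readlink(f"/proc/{pid}/exe"), "cmdline": cmdline}
        except OSError:
            continue  # process exited or permission denied
    return packet_text, fd_links, proc_info


# Constructed sample data standing in for a live host (not real IoCs).
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   0     1 0      0      40111
0000000000000000 3      2    0800   2     1 0      0      40222
0000000000000000 3      3    0003   0     1 0      0      40333
"""
SAMPLE_FD_LINKS = {
    701: ["/dev/null", "socket:[40111]"],                # packet capture tool
    702: ["/dev/null", "socket:[40222]"],                # DGRAM packet socket, not raw
    909: ["/dev/null", "pipe:[555]", "socket:[40333]"],  # renamed process, deleted binary
}
SAMPLE_PROC_INFO = {
    701: {"exe": "/usr/bin/tcpdump", "cmdline": "tcpdump\0-i\0eth0\0"},
    702: {"exe": "/usr/sbin/dhclient", "cmdline": "dhclient\0eth0\0"},
    909: {"exe": "/tmp/.x (deleted)", "cmdline": "/usr/sbin/cron\0"},
}
ALLOWLIST = {"tcpdump"}

if __name__ == "__main__":
    for f in hunt(SAMPLE_PROC_NET_PACKET, SAMPLE_FD_LINKS, SAMPLE_PROC_INFO, ALLOWLIST):
        print(f"pid {f.pid} socket inode {f.inode}: " + "; ".join(f.reasons))
```

On a live host, replace the sample arguments with `hunt(*read_live_inputs(), ALLOWLIST)` and run as root, since other users' fd tables are not readable otherwise. The same packet sockets are also visible with `ss -0` (`--packet`), and as root `ss -0b` (`--bpf`) prints the classic BPF filter attached to each one, which is the quickest manual way to see what a suspicious socket is matching on.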

The internal controller model removes the last obvious indicator. External C2 infrastructure shows up in network traffic analysis. A controller running on a compromised internal host, disguised as a legitimate system process, does not.

This is what makes BPFDoor architecturally different from most malware – it was designed with the assumption that defenders are watching the surface. It operates where they typically are not.

What Defenders Can Actually Do

Rapid7 has released an open-source scanning script designed to detect BPFDoor variants, covering both previously known samples and newer ones identified during this investigation. Suricata detection rules are available to Rapid7 Intelligence Hub customers and via AWS Marketplace. For any organization running Linux infrastructure in high-value environments, running that scan is the immediate starting point.

Beyond the scan, the defensive posture this threat requires is different from what most organizations have built.

Kernel-level visibility is not optional here. Detection tooling needs to monitor BPF filter installation directly, not just user-space process behavior. Linux Security Module hooks, eBPF-based monitoring of kernel operations, and tools in the observability category that instrument BPF filter creation – Cilium Tetragon, Falco with kernel drivers, and similar approaches – provide coverage that user-space agents cannot.

Anomalous traffic toward high-numbered ports on Linux systems deserves active monitoring. BPFDoor activation can occur without a traditional listener. Traffic patterns toward ports that no legitimate service should be using are worth flagging.
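The monitoring recommendation above can be turned into a concrete network-side check. The Python below is an added example written for this page, not Rapid7's rule set: it joins simplified flow records against a per-host inventory of legitimate listening ports and flags flows toward ports where nothing should be listening. A tiny unsolicited flow (one or two packets, so no completed handshake) to such a port from an internal source gets the highest severity, because that is exactly what an activation packet sent by an in-environment controller would look like; the same pattern from outside is down-weighted to ordinary scan noise, and hosts with no inventory entry are skipped rather than guessed at. The flow lines, addresses and inventory are constructed for the example.

```python
"""Flag inbound traffic toward ports on which the destination host has no listener.

A passive implant is woken by a packet sent to a port where nothing is listening,
so the trigger shows up in flow records as an unsolicited one- or two-packet flow
to a port absent from the host's service inventory. Flow lines and the listener
inventory below are constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    packets: int


def parse_flows(lines):
    """Parse 'ts,src,dst,dport,proto,packets' records (a simplified flow export)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, packets = line.split(",")
        flows.append(Flow(ts, src, dst, int(dport), proto, int(packets)))
    return flows


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def flag_non_listener_traffic(flows, listeners):
    """listeners is {host_ip: set(ports with a legitimate service)}.

    Hosts without an inventory entry are skipped rather than guessed at.
    Returns (flow, severity) pairs in input order.
    """
    findings = []
    for f in flows:
        if f.dst not in listeners or f.dport in listeners[f.dst]:
            continue
        if f.packets <= 2 and is_internal(f.src):
            severity = "high"    # unsolicited, tiny, from inside: no handshake, nothing listening
        elif f.packets <= 2:
            severity = "medium"  # same shape from outside; usually scanning noise
        else:
            severity = "low"     # longer flow to a closed port, e.g. a misconfigured client
        findings.append((f, severity))
    return findings


def summarize(findings):
    """Count flagged flows per (source, destination) pair to spot repeated triggers."""
    return dict(Counter((f.src, f.dst) for f, _ in findings))


SAMPLE_FLOW_LINES = """\
# ts,src,dst,dport,proto,packets  (constructed sample)
2026-03-26T10:00:01Z,203.0.113.7,10.0.5.20,443,tcp,38
2026-03-26T10:00:05Z,10.0.7.14,10.0.5.20,22,tcp,120
2026-03-26T10:02:11Z,10.0.7.14,10.0.5.20,57312,udp,1
2026-03-26T10:02:12Z,10.0.7.14,10.0.5.20,57312,tcp,1
2026-03-26T10:05:00Z,198.51.100.9,10.0.5.20,8443,tcp,1
2026-03-26T10:06:00Z,10.0.7.14,10.0.9.31,57312,udp,1
2026-03-26T10:07:30Z,203.0.113.7,10.0.5.20,8080,tcp,12
""".splitlines()
SAMPLE_LISTENERS = {"10.0.5.20": {22, 443}}  # 10.0.9.31 has no inventory entry yet

if __name__ == "__main__":
    results = flag_non_listener_traffic(parse_flows(SAMPLE_FLOW_LINES), SAMPLE_LISTENERS)
    for flow, sev in results:
        print(f"[{sev}] {flow.ts} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} pkts={flow.packets}")
    print(summarize(results))
```

The listener inventory is the part that needs care: it should come from an authoritative source such as periodic `ss -ltnu` collection or the CMDB, and a host that is missing from it should be treated as a gap to close, not as clean. A single flagged packet is weak evidence on its own; the same internal source touching the same closed port on several hosts, as summarize() surfaces, is the pattern worth escalating and pairing with a host-side check for raw packet sockets.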

Perimeter hardening remains the highest-leverage control. Red Menshen’s initial access is not sophisticated at the entry point – it is opportunistic exploitation of known vulnerabilities in internet-facing appliances. Ivanti, Fortinet, Cisco, VMware: these are patch management failures that organizations have been warned about repeatedly. The stealth comes later, after a straightforward initial foothold.

Privileged access on control-plane systems warrants a separate review. If attacker toolkits include credential lists targeting IMSI and subscriber management systems by name, then authentication on those systems is specifically being targeted. Multi-factor authentication, privileged access management, and audit logging on anything touching subscriber data or signaling are baseline expectations at this point, not enhancements.

The Broader Pattern

What Rapid7 is describing is not a single intrusion. It is a campaign model – a repeatable approach for establishing persistent access inside telecommunications infrastructure and maintaining it until needed.

The choice of telcos makes strategic sense from an intelligence perspective. Compromise a single large carrier and the potential visibility extends to subscriber movement data, communications metadata, authentication flows for high-value individuals, and interconnection relationships with other operators. That is not a data breach. That is intelligence infrastructure – the kind that persists, that scales, and that can be activated on demand.

BPFDoor first surfaced publicly around 2021. The source code leaked in 2022. This campaign has been running and evolving for years. The Rapid7 disclosure and the release of detection tooling put defenders in a better position than they were a week ago.

The question is whether the implants are already present. The time to find out is now.