Major telecommunications providers around the world are facing a long-running and highly covert cyber‑espionage campaign attributed to the China‑linked threat cluster Red Menshen (also tracked as Earth Bluecrow, DecisiveArchitect, Red Dev 18). According to a recent Rapid7 investigation, the attackers quietly embed themselves for years in telecom network infrastructure to gain persistent access to government and other high‑sensitivity traffic that transits carrier networks.
Long-term cyber espionage targeting telecom operators
Red Menshen has systematically targeted telecom operators in the Middle East and Asia since at least 2021, with indicators suggesting activity may predate public reporting. The objective is not disruptive sabotage, but strategic, long‑term positioning inside critical systems: planting and maintaining hidden remote‑access mechanisms that can remain dormant yet available on demand. Rapid7 researchers describe these mechanisms as some of the most covert “digital sleeper cells” ever observed in carrier environments.
This focus on telecommunications is consistent with broader industry reporting. Earlier campaigns such as LightBasin (CrowdStrike's name for the cluster Mandiant tracks as UNC1945) and NSA/CISA advisories on state‑sponsored activity single out telecoms as priority espionage targets because they provide visibility into diplomatic, military, and commercial communications across borders.
Attack chain: from exposed perimeter to core carrier networks
Initial access via edge infrastructure and VPN gateways
The Red Menshen campaign typically begins by compromising internet‑exposed infrastructure and edge services. Devices at particular risk include VPN gateways, firewalls, and web platforms built on products widely deployed by carriers, such as Ivanti, Cisco, Juniper Networks, Fortinet, VMware, Palo Alto Networks, and Apache Struts‑based solutions. This mirrors a global trend in which advanced threat actors increasingly exploit vulnerabilities in perimeter appliances that are often under‑monitored and slow to be patched.
Post-exploitation, credential theft, and lateral movement
Once initial access is achieved, the attackers deploy Linux‑compatible post‑exploitation tooling: CrossC2 (a Cobalt Strike Beacon implementation for Linux and macOS), the Sliver C2 framework, the Unix backdoor TinyShell, keyloggers, and brute‑force utilities. These components enable credential harvesting, persistence, and lateral movement across hosts, gradually extending the intrusion from edge systems into core IT and telecom infrastructure. By chaining stolen credentials with misconfigurations and weak segmentation, the group can reach signaling, billing, and lawful interception platforms that carry particularly sensitive data.
BPFdoor: a stealth Linux backdoor hiding behind a kernel packet filter
At the heart of the campaign is the Linux backdoor BPFdoor. Unlike conventional malware, BPFdoor does not open listening ports or maintain an obvious command‑and‑control (C2) channel. Instead, it abuses the Berkeley Packet Filter (BPF) mechanism: the implant attaches a filter to a raw packet socket, the kernel evaluates every incoming packet against that filter, and the implant stays completely passive until a specially crafted “trigger packet” matches. Because packet sockets see traffic before the host firewall's netfilter rules are applied, the trigger can reach the implant even on a port that iptables drops, and nothing appears in the listening‑port inventory that a port scan would reveal.
BPFdoor’s architecture has two main components. The first is a passive backdoor implant deployed on a compromised host. It installs a BPF filter and silently monitors traffic flowing through the system, looking for a pre‑defined magic pattern. Upon detecting this trigger, the implant spawns a remote shell session for the operator. The second component is a controller operated by Red Menshen, which generates and sends the trigger packets. This controller can run from external infrastructure or from within the victim’s own network, masquerading as a legitimate system process to blend with normal activity.
Abusing SCTP and telecom traffic for subscriber surveillance
Certain BPFdoor artifacts support the Stream Control Transmission Protocol (SCTP), a protocol heavily used in carrier networks and 4G/5G cores for signaling. By operating at this level, attackers can gain insight into native telecom control traffic, including subscriber behavior, approximate geolocation, and session metadata. As seen in previous telecom‑focused operations, access to signaling data can enable tracking of specific individuals and targeted interception of their communications.
Evolving BPFdoor variants and low-level attack tactics
Rapid7 has identified a new, previously undocumented BPFdoor variant designed to increase stealth in modern enterprise and telecom environments. One key change is that the trigger is hidden in traffic that looks like HTTPS: the request carries a deliberate marker, the string “9999”, at a fixed offset from the beginning of the request. The filter compares only the bytes at that position; if they match, the implant treats the packet as an activation command and leaves the rest of the HTTPS session structure untouched. The comparison is a raw byte match at a fixed offset, so the implant never has to parse TLS, while security tools usually cannot inspect encrypted payloads deeply without terminating TLS. That asymmetry significantly complicates detection.
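To make the passive trigger concrete, here is an added example (not code from Rapid7 or from any BPFdoor sample) that emulates the kernel side of the mechanism described above and the fixed‑offset variant: a classic BPF program of the kind a process attaches with setsockopt(SO_ATTACH_FILTER), plus a small interpreter that runs it over constructed IPv4 packets. The program accepts a packet only when a two‑byte magic value starts a UDP or ICMP payload, or when the bytes at a fixed offset into a TCP payload equal "9999". The magic value, the marker offset, and the assumption that the filter sees the packet starting at the IPv4 header are illustrative choices, not values from any sample.

```python
"""Emulation of a BPFdoor-style passive trigger filter (added example; not
code from Rapid7 or from any BPFdoor sample).  The magic value, the marker
offset and the packet layout are assumptions chosen for illustration."""
import struct

# Classic BPF opcodes as defined in <linux/filter.h>.
LD_B_ABS = 0x30   # A = pkt[k]
LD_H_IND = 0x48   # A = ntohs(pkt[X+k : X+k+2])
LD_W_IND = 0x40   # A = ntohl(pkt[X+k : X+k+4])
LDX_MSH = 0xB1    # X = (pkt[k] & 0x0F) * 4  -> IPv4 header length
JEQ_K = 0x15      # if A == k: pc += jt  else: pc += jf
RET_K = 0x06      # return k: 0 drops the packet, >0 delivers it

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17

MAGIC = 0x7255          # assumption: 2-byte trigger magic for UDP and ICMP
MARKER = 0x39393939     # ASCII "9999", the marker described for the newer variant
MARKER_OFF = 16         # assumption: fixed offset of "9999" into the TCP payload
TCP_HDR = 20            # the trigger sender uses a TCP header without options

# Assumption: the packet socket hands the filter the packet starting at the
# IPv4 header (no link-layer header in front of it).
TRIGGER_FILTER = [
    (LD_B_ABS, 0, 0, 9),                     # 0: A = ip.proto
    (LDX_MSH, 0, 0, 0),                      # 1: X = ip header length
    (JEQ_K, 0, 2, IPPROTO_UDP),              # 2: UDP? -> 3, else -> 5
    (LD_H_IND, 0, 0, 8),                     # 3: A = first 2 UDP payload bytes
    (JEQ_K, 6, 7, MAGIC),                    # 4: magic? -> 11, else -> 12
    (JEQ_K, 0, 2, IPPROTO_ICMP),             # 5: ICMP? -> 6, else -> 8
    (LD_H_IND, 0, 0, 8),                     # 6: A = 2 bytes after ICMP header
    (JEQ_K, 3, 4, MAGIC),                    # 7: magic? -> 11, else -> 12
    (JEQ_K, 0, 3, IPPROTO_TCP),              # 8: TCP? -> 9, else -> 12
    (LD_W_IND, 0, 0, TCP_HDR + MARKER_OFF),  # 9: A = 4 bytes at the fixed offset
    (JEQ_K, 0, 1, MARKER),                   # 10: "9999"? -> 11, else -> 12
    (RET_K, 0, 0, 0xFFFF),                   # 11: accept: wake the implant
    (RET_K, 0, 0, 0),                        # 12: drop: the implant never sees it
]


def run_bpf(prog, pkt):
    """Run a classic BPF program over one packet and return its RET value.
    A load past the end of the packet aborts with 0 (drop), as in the kernel."""
    acc = idx = pc = 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        try:
            if code == LD_B_ABS:
                acc = pkt[k]
            elif code == LD_H_IND:
                acc = struct.unpack_from("!H", pkt, idx + k)[0]
            elif code == LD_W_IND:
                acc = struct.unpack_from("!I", pkt, idx + k)[0]
            elif code == LDX_MSH:
                idx = (pkt[k] & 0x0F) * 4
            elif code == JEQ_K:
                pc += jt if acc == k else jf
            elif code == RET_K:
                return k
            else:
                raise ValueError(f"unsupported opcode {code:#x}")
        except (IndexError, struct.error):
            return 0
    raise ValueError("program ran off the end without RET")


def pack_program(prog):
    """Serialise as the struct sock_filter array setsockopt(SO_ATTACH_FILTER)
    takes: native byte order, 8 bytes per instruction."""
    return b"".join(struct.pack("HBBI", *insn) for insn in prog)


def ipv4(proto, payload, src="10.0.0.2", dst="10.0.0.1"):
    """Constructed IPv4 header, IHL=5; checksum left 0 (the filter ignores it)."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, addr(src), addr(dst))
    return hdr + payload


def udp(payload, sport=40000, dport=53):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def icmp_echo(payload, ident=1, seq=1):
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload


def tcp(payload, sport=40000, dport=443):
    """20-byte TCP header, data offset 5, flags PSH|ACK, checksum left 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18,
                       65535, 0, 0) + payload


def is_trigger(pkt):
    return run_bpf(TRIGGER_FILTER, pkt) != 0


if __name__ == "__main__":
    magic = MAGIC.to_bytes(2, "big")
    samples = {
        "udp magic": ipv4(IPPROTO_UDP, udp(magic + b"cmd")),
        "udp ordinary dns": ipv4(IPPROTO_UDP, udp(b"\x12\x34\x01\x00")),
        "icmp magic": ipv4(IPPROTO_ICMP, icmp_echo(magic)),
        "tcp 9999 at offset": ipv4(IPPROTO_TCP, tcp(b"GET /index.html 9999")),
        "tcp 9999 off by one": ipv4(IPPROTO_TCP, tcp(b"GET /index.htm1 x9999")),
        "truncated udp": ipv4(IPPROTO_UDP, b""),
    }
    print(f"filter is {len(pack_program(TRIGGER_FILTER))} bytes of sock_filter")
    for name, pkt in samples.items():
        print(f"{name:20s} -> {'TRIGGER' if is_trigger(pkt) else 'ignored'}")
```

On a real host everything before the RET instructions executes in the kernel, so the implant process is never woken for non‑matching traffic and produces no socket state or syscall activity to observe; the fixed‑offset word compare in instruction 9 is all the "HTTPS" awareness the filter needs. The 8‑byte records from `pack_program` are the same shape a hunter sees when `ss -0pb` prints the filter attached to a packet socket.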
The new variant also introduces a lightweight ICMP‑based communication channel that allows already compromised hosts to exchange data via seemingly innocuous network diagnostic packets. Combined, these enhancements reflect a broader shift in advanced threat tactics: moving “down the stack” into the operating system kernel, hypervisors, and specialized network and telecom platforms where traditional endpoint and SIEM controls have less visibility.
Defensive priorities for telecom operators and large enterprises
In this context, telecom operators and other large organizations should prioritize rapid patching and hardening of perimeter devices, including VPN gateways, firewalls, and web application platforms. Aligning remediation with high‑risk vulnerabilities listed in sources such as CISA’s Known Exploited Vulnerabilities catalog, enforcing strong authentication, and minimizing direct internet exposure of management interfaces are critical first steps.
Equally important is extending visibility to kernel and network levels. On Linux hosts this means inventorying processes that hold raw or packet sockets with BPF filters attached (`ss -0pb` lists packet sockets together with their owning process and filter bytecode), checking for unauthorized kernel modules, and watching for unusual SCTP use and atypical ICMP patterns on the wire. Host‑based intrusion detection, eBPF‑based telemetry, network detection and response (NDR) that understands carrier protocols, and integrity checking on critical appliances can help uncover stealth implants like BPFdoor.
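A starting point for the host‑side part of that hunt, as an added example rather than Rapid7's tooling: the script below lists every AF_PACKET socket from /proc/net/packet, finds the processes holding it through their /proc/&lt;pid&gt;/fd links, and flags owners whose argv[0] does not match their executable, whose binary has been deleted or lives under /dev/shm or /tmp, or whose name is not on an allowlist of expected capturers. The allowlist, the heuristics, and the constructed /proc/net/packet sample are assumptions to adapt per fleet; the script needs root to read other users' fd tables, and it does not show whether a filter is attached, so pair it with `ss -0pb`.

```python
"""Hunt for processes holding AF_PACKET sockets that look like a masquerading
implant (added example, not Rapid7's tooling).  The allowlist, the
heuristics and the sample /proc/net/packet text are assumptions."""
import os
import re

SOCK_DGRAM, SOCK_RAW = 2, 3
# Assumption: daemons expected to own packet sockets on a typical Linux server.
EXPECTED_CAPTURERS = {"dhclient", "dhcpcd", "NetworkManager", "systemd-network",
                      "wpa_supplicant", "lldpd", "tcpdump"}
# Constructed sample in the layout of /proc/net/packet (two sockets).
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a3c1e0d2800 3      3    0800   2     1 0        0      32771
ffff9a3c1e0d1c00 3      2    0003   0     1 0        0      18211
"""


def parse_packet_sockets(text):
    """Columns: sk RefCnt Type Proto Iface R Rmem User Inode (Type 3 = SOCK_RAW)."""
    socks = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 9:
            socks.append({"type": int(f[2]), "proto": int(f[3], 16),
                          "iface": int(f[4]), "inode": int(f[8])})
    return socks


def socket_owners(inodes, proc_root="/proc"):
    """Map each socket inode to the pids whose fd table references it."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners = {i: set() for i in inodes}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:          # not root, or the process has exited
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target in wanted:
                owners[wanted[target]].add(int(pid))
    return owners


def process_facts(pid, proc_root="/proc"):
    """comm, argv and exe link for one pid; unreadable files read as empty."""
    base = os.path.join(proc_root, str(pid))

    def read(name):
        try:
            with open(os.path.join(base, name), "rb") as fh:
                return fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            return ""
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = ""             # kernel thread, or no permission
    return {"pid": pid, "comm": read("comm"), "cmdline": read("cmdline"), "exe": exe}


def suspicious_reasons(facts):
    """Masquerading heuristics; each hit is one human-readable reason."""
    reasons = []
    exe = facts["exe"]
    exe_name = os.path.basename(exe.replace(" (deleted)", ""))
    argv0 = os.path.basename(facts["cmdline"].split(" ", 1)[0]) if facts["cmdline"] else ""
    if exe.endswith(" (deleted)"):
        reasons.append("executable was deleted while the process runs")
    if re.match(r"/(dev/shm|tmp|var/tmp|run)/", exe):
        reasons.append(f"executable lives in a scratch directory: {exe}")
    if argv0 and argv0 != exe_name:
        reasons.append(f"argv[0] {argv0!r} does not match exe {exe_name!r}")
    if facts["comm"] not in EXPECTED_CAPTURERS:
        reasons.append(f"unexpected packet-socket owner comm={facts['comm']!r}")
    return reasons


def hunt(proc_root="/proc"):
    """Return [(pid_or_None, [reasons])] for every packet socket worth a look."""
    with open(os.path.join(proc_root, "net", "packet")) as fh:
        socks = parse_packet_sockets(fh.read())
    owners = socket_owners([s["inode"] for s in socks], proc_root)
    findings = []
    for s in socks:
        kind = "raw" if s["type"] == SOCK_RAW else "dgram"
        if not owners[s["inode"]]:
            findings.append((None, [f"{kind} packet socket inode {s['inode']} "
                                    "has no visible owner (run as root?)"]))
        for pid in sorted(owners[s["inode"]]):
            reasons = suspicious_reasons(process_facts(pid, proc_root))
            if reasons:
                findings.append((pid, [f"{kind} socket, proto {s['proto']:#06x}"] + reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in hunt():
        print(f"pid={pid}: " + "; ".join(reasons))
```

Expect tuning: interpreters (argv[0] `python3`, exe `python3.11`) and container runtimes trip the argv[0] check, so the allowlist and the scratch‑directory pattern should reflect what actually runs on the fleet. A socket with no visible owner when run as root is itself worth a look, since it means the owning process is hidden from /proc enumeration.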
Proactive threat hunting and behavioral analytics are essential complements to signature‑based detection. Regular configuration audits, rigorous network segmentation between IT and telecom domains, and tight access controls for signaling and lawful interception systems reduce the attacker’s ability to move laterally. Participation in sector‑specific information‑sharing communities and telecom‑focused ISACs further improves the odds of detecting such “digital sleeper cells” before they are leveraged for large‑scale espionage.
As cyber‑espionage groups increasingly embed themselves deep inside carrier infrastructure, telecom security can no longer rely solely on perimeter firewalls and traditional endpoint tools. A layered strategy that combines timely patching, kernel‑aware monitoring, protocol‑level visibility, and collaborative intelligence sharing offers the best chance of disrupting campaigns like Red Menshen’s BPFdoor and protecting the communications on which governments, businesses, and citizens depend.