Security News China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks

Victor M

Oct 3, 2022
A long-term and ongoing campaign attributed to a China-nexus threat actor has embedded itself in telecom networks to conduct espionage against government networks.

The strategic positioning activity, which involves implanting and maintaining stealthy access mechanisms within critical environments, has been attributed to Red Menshen, a threat cluster that's also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18. The group has a track record of striking telecom providers across the Middle East and Asia since at least 2021.

Rapid7 described the covert access mechanisms as "some of the stealthiest digital sleeper cells" ever encountered in telecommunications networks.

"Unlike conventional malware, BPFdoor does not expose listening ports or maintain visible command-and-control channels," Rapid7 Labs said in a report shared with The Hacker News. "Instead, it abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the kernel, activating only when it receives a specifically crafted trigger packet."
This is a serious example of long-term persistence inside high-value networks.

What stands out here is not just the espionage angle, but the stealth model. If the reporting is accurate, BPFdoor is dangerous because it can remain dormant for long periods and avoid many of the usual indicators defenders look for.

Why this matters

  • It targets telecom environments, which are strategically important because they can provide visibility into large volumes of communications and network traffic.
  • A backdoor that does not rely on obvious listening ports or regular command-and-control traffic can be much harder to detect with standard monitoring.
  • Using BPF-related functionality at the kernel level gives the attacker a way to watch for a special trigger packet without behaving like a typical remote access trojan.

Why BPFdoor is notable

In general, defenders often look for:
  • Unexpected listening services
  • Suspicious outbound beaconing
  • Known malware processes
  • Persistence entries in common startup locations

A tool like this can reduce those visible signs. That does not make it invisible, but it does mean detection may require deeper host telemetry, memory analysis, kernel-level inspection, and careful network forensics.

Practical defensive takeaway

For organizations that operate critical infrastructure or telecom-adjacent networks, the safer response is to assume that traditional IOC-based hunting may not be enough.

More effective steps usually include:
  • Baseline normal kernel/module behavior on exposed Linux systems
  • Monitor for unusual packet filtering behavior and unexpected raw socket activity
  • Audit privileged access and lateral movement paths
  • Perform threat hunting focused on persistence and dormant access, not only active malware
  • Segment sensitive network zones and reduce unnecessary administrative pathways

One important caution

Attribution and campaign details should still be treated carefully unless backed by multiple trusted sources, incident data, or vendor reporting. The overall tradecraft described here is plausible and consistent with advanced espionage operations, but specific conclusions are best validated through the full Rapid7 report and any additional independent analysis.

Bottom line

If this reporting holds, the main lesson is that stealthy kernel-aware backdoors in telecom networks are not just a malware problem, but a long-term visibility and trust problem. Defenders need deeper telemetry and proactive hunting, not only signature-based detection.

Sources
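The reply's step "monitor for unusual packet filtering behavior and unexpected raw socket activity" and the article's description of an implant that watches traffic through an in-kernel packet filter come down to the same host question: which processes currently hold AF_PACKET sockets, and are they ones you expect? The Python script below is an added example, not code from the article, from Rapid7 or from any poster in this thread. It parses /proc/net/packet (the kernel's table of packet sockets) and maps each socket inode back to the owning PIDs through /proc/<pid>/fd. The KNOWN_GOOD allow-list and the SAMPLE_* records are constructed for illustration and need tuning for a real fleet.

```python
"""Enumerate AF_PACKET sockets and the processes that own them (Linux, /proc).

Added example. Parses /proc/net/packet and joins it with /proc/<pid>/fd so
that every packet socket is attributed to a process name. KNOWN_GOOD and the
SAMPLE_* data are constructed assumptions, not values from the report.
"""
import os
import re
from dataclasses import dataclass

# /proc/net/packet "Type" column: socket type of the AF_PACKET socket.
SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}
# "Proto" column (hex): the ethertype the socket subscribed to.
ETH_PROTOS = {0x0003: "ETH_P_ALL", 0x0800: "ETH_P_IP", 0x86DD: "ETH_P_IPV6"}
# Programs that legitimately hold packet sockets on many hosts (assumption; tune it).
KNOWN_GOOD = {"dhclient", "dhcpcd", "tcpdump", "NetworkManager", "systemd-networkd"}
SOCKET_INODE = re.compile(r"socket:\[(\d+)\]")


@dataclass
class PacketSocket:
    inode: int
    sock_type: str
    proto: str
    uid: int


def parse_proc_net_packet(text):
    """Parse /proc/net/packet text: a header line, then one row per socket."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append(PacketSocket(
            inode=int(fields[8]),
            sock_type=SOCK_TYPES.get(int(fields[2]), "type=" + fields[2]),
            proto=ETH_PROTOS.get(int(fields[3], 16), "0x" + fields[3]),
            uid=int(fields[7]),
        ))
    return sockets


def find_socket_owners(inodes, fd_links):
    """fd_links maps pid -> readlink() targets of /proc/<pid>/fd/*.
    Returns {socket inode: [pid, ...]} restricted to the inodes of interest."""
    owners = {}
    for pid, targets in fd_links.items():
        for target in targets:
            m = SOCKET_INODE.match(target)
            if m and int(m.group(1)) in inodes:
                owners.setdefault(int(m.group(1)), []).append(pid)
    return owners


def report(sockets, owners, comm_of):
    """Join sockets with owning processes; flag owners outside KNOWN_GOOD."""
    findings = []
    for s in sockets:
        for pid in owners.get(s.inode, []):
            comm = comm_of(pid)
            findings.append({"pid": pid, "comm": comm, "type": s.sock_type,
                             "proto": s.proto, "uid": s.uid,
                             "suspicious": comm not in KNOWN_GOOD})
    return findings


def collect_fd_links():
    """Live walk of /proc/<pid>/fd; run as root to see every process."""
    links = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        fd_dir = "/proc/%s/fd" % entry
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited or not ours to read
            continue
        targets = []
        for fd in fds:
            try:
                targets.append(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:  # fd closed between listdir and readlink
                pass
        links[int(entry)] = targets
    return links


def live_comm(pid):
    try:
        with open("/proc/%d/comm" % pid) as f:
            return f.read().strip()
    except OSError:
        return "?"


# Constructed sample: a DHCP client with a SOCK_DGRAM/ETH_P_IP socket, and an
# unknown process calling itself "hpasmlited" that holds a SOCK_RAW/ETH_P_ALL socket.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c4e0d8000 3      2    0800   2     1 0      0      27015
ffff9a1c4e0d9800 3      3    0003   0     1 0      0      27102
"""
SAMPLE_FD_LINKS = {1042: ["/dev/null", "socket:[27015]", "anon_inode:[eventpoll]"],
                   2231: ["/dev/null", "socket:[27102]"]}
SAMPLE_COMM = {1042: "dhclient", 2231: "hpasmlited"}


def scan_sample():
    sockets = parse_proc_net_packet(SAMPLE_PROC_NET_PACKET)
    owners = find_socket_owners({s.inode for s in sockets}, SAMPLE_FD_LINKS)
    return report(sockets, owners, lambda pid: SAMPLE_COMM.get(pid, "?"))


if __name__ == "__main__":
    with open("/proc/net/packet") as f:
        live = parse_proc_net_packet(f.read())
    for finding in report(live, find_socket_owners({s.inode for s in live},
                                                   collect_fd_links()), live_comm):
        print(finding)
```

Run it as root, otherwise /proc/<pid>/fd of other users' processes is unreadable and sockets stay unattributed. /proc/net/packet does not expose the filter program itself; once an owner is flagged, `ss -0bp` (packet sockets, with their BPF filter and owning process) dumps the attached classic BPF bytecode, which is the starting point for the memory and kernel forensics the reply calls for. An ETH_P_ALL raw socket held by something that is not a capture or DHCP tool is exactly the "unexpected raw socket activity" the bullet list describes.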
 
Executive Summary

Confirmed Facts

BPFdoor is a highly evasive Linux kernel backdoor deployed by the China-nexus threat actor Red Menshen to establish "sleeper cells" within telecommunications networks. The malware operates without exposing listening ports by installing custom Berkeley Packet Filters (BPF) to passively intercept network traffic (specifically SCTP), and utilizes a hardcoded array of external Command and Control (C2) nodes alongside advanced process masquerading to maintain covert, persistent espionage capabilities.

Technical Analysis & Remediations

MITRE ATT&CK Mapping

  • T1205.002 (Traffic Signaling: Socket Filters)
  • T1036.009 (Masquerading: Break Process Trees)
  • T1008 (Fallback Channels)
  • T1562.004 (Impair Defenses: Disable or Modify System Firewall)

CVE Profile
Varies by Initial Access (commonly exploiting edge appliance vulnerabilities on VPNs/Firewalls)
[NVD Score: 9.0+]
[CISA KEV Status: Active]

Telemetry & Execution Flow

Network Indicators (Deterministic)

The payload utilizes a fallback array of explicit IPv4 infrastructure:
  • 95[.]214[.]24[.]45
  • 158[.]220[.]106[.]155
  • 185[.]185[.]50[.]222
  • 143[.]198[.]81[.]161
  • 89[.]208[.]106[.]31
  • 43[.]155[.]138[.]35
  • 134[.]122[.]133[.]24
  • 47[.]100[.]176[.]4
  • 101[.]43[.]204[.]28
  • 47[.]111[.]139[.]110
  • 124[.]223[.]101[.]216
and the domains alioop[.]com / www[.]alioop[.]com.

Process Masquerading (Deterministic)
The binary actively spoofs legitimate hardware daemon services. It locks execution and maintains persistence by writing process ID (PID) files to "/var/run/hpasmlited.pid", "/dev/shm/hpasmlited", and "/var/lock/subsys/hpasmlited".

Traffic Signaling (Behavioral)
The implant utilizes a mathematical padding scheme ("magic ruler") to locate a specific marker (e.g., "9999") at fixed byte offsets within decrypted HTTPS traffic (such as the 26-byte mark for "SOCK_DGRAM" sockets). Upon receiving the trigger, the malware spawns a reverse shell or establishes a C2 connection.

Lateral Tunneling (Behavioral)
Compromised nodes can forward ICMP packets to adjacent internal servers, terminating the chain and executing a payload when the specific destination value "0xFFFFFFFF" is detected.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Authorize immediate global blocklists for the extracted IPv4 addresses and domains; notify executive leadership of a potential signaling-plane (SCTP) compromise requiring deep kernel forensics.

DETECT (DE) – Monitoring & Analysis

Command
Query endpoint detection systems (EDR) for file creation events at "/var/run/hpasmlited.pid" and "/dev/shm/hpasmlited" on systems that are NOT physically running HPE ProLiant hardware.

Command
Deploy Suricata signatures to hunt for anomalous kernel-level passive BPF attachment and rogue ICMP payloads containing 0xFFFFFFFF.

RESPOND (RS) – Mitigation & Containment

Command
Null-route the identified C2 IPs at the edge firewall and isolate any Linux node running the hpasmlited process if the binary hash does not map to a known-good vendor baseline.

RECOVER (RC) – Restoration & Trust

Command
Conduct memory forensics to extract the active BPF filter from the kernel before rebooting, then rebuild compromised bare-metal routing infrastructure from known-good cryptographic baselines.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Implement strict file integrity monitoring (FIM) on /var/run/ and /dev/shm/ directories; restrict raw socket creation permissions (CAP_NET_RAW) for unprivileged processes across telecom core workloads.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Constraint Check
Because the threat exclusively targets enterprise Linux kernels and telecom signaling infrastructure, consumer devices are inherently immune to this specific architecture.

Command
No emergency system actions required on local personal devices.

Priority 2: Identity

Command
Reset passwords/MFA using a known clean device (e.g., a phone on 5G) if you suspect your telecommunications provider's SMS routing infrastructure has been compromised by state-sponsored actors.

Priority 3: Persistence

Command
Ensure traditional antivirus/EDR software is updated, as threat actors may pivot from backbone networks to traditional phishing once signaling access is severed.

Hardening & References

Baseline

CIS Benchmarks for Linux (Kernel Hardening / BPF Restrictions, specifically restricting unprivileged bpf() system calls).

Framework
NIST CSF 2.0 / SP 800-61r3.

Source

Rapid7 Threat Research Report

The Hacker News Article
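The post above gives two host indicators that can be checked directly: the three hpasmlited PID/lock paths, and a process posing as a hardware daemon on a machine that is not HPE hardware. The Python script below is an added example, not code from Rapid7, from the thread, or from any vendor. It checks the quoted paths, reads the DMI system vendor from sysfs so that hits on non-HPE hardware can be weighted higher, and applies a generic masquerading heuristic: argv[0] or the kernel's comm disagreeing with the real executable, an executable that has been deleted while still running, or one running from tmpfs. The vendor strings, the tmpfs directory list and the SAMPLE_PROCESSES records are constructed assumptions, not values from the report.

```python
"""Host checks for the PID-file and process-masquerading indicators quoted above.

Added example (Linux, /proc and /sys). The indicator paths are the ones the post
lists; HPE_VENDOR_HINTS, UNTRUSTED_EXE_DIRS and SAMPLE_PROCESSES are assumptions.
"""
import os

# PID/lock paths the post attributes to the hpasmlited impersonation.
PID_FILE_INDICATORS = ("/var/run/hpasmlited.pid",
                       "/dev/shm/hpasmlited",
                       "/var/lock/subsys/hpasmlited")
# Directories a vendor daemon should never execute from (assumption; tune per host).
UNTRUSTED_EXE_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")
# Prefixes of /sys/class/dmi/id/sys_vendor on HP/HPE hardware (assumption).
HPE_VENDOR_HINTS = ("HP", "Hewlett")


def check_pid_files(exists=os.path.exists):
    """Return the indicator paths present on this host (`exists` is injectable)."""
    return [p for p in PID_FILE_INDICATORS if exists(p)]


def hardware_is_hpe(read_vendor=None):
    """True when the DMI system vendor names HP/HPE; an hpasmlited PID file on
    any other vendor's hardware (or in a VM/container without DMI) is a stronger hit."""
    if read_vendor is None:
        def read_vendor():
            with open("/sys/class/dmi/id/sys_vendor") as f:
                return f.read().strip()
    try:
        vendor = read_vendor()
    except OSError:  # no DMI exposed: cannot confirm vendor
        return False
    return vendor.startswith(HPE_VENDOR_HINTS)


def classify_process(comm, exe, cmdline):
    """Return the reasons a process looks masqueraded; an empty list means consistent.

    comm:    contents of /proc/<pid>/comm (kernel task name, at most 15 bytes)
    exe:     readlink(/proc/<pid>/exe), which ends in " (deleted)" if unlinked
    cmdline: raw /proc/<pid>/cmdline, NUL-separated (argv[0] is spoofable)
    """
    reasons = []
    deleted = exe.endswith(" (deleted)")
    exe_path = exe[:-len(" (deleted)")] if deleted else exe
    exe_name = os.path.basename(exe_path)
    if deleted:
        reasons.append("executable deleted from disk while still running")
    if exe_path.startswith(UNTRUSTED_EXE_DIRS):
        reasons.append("executable runs from %s" % os.path.dirname(exe_path))
    argv0 = os.path.basename(cmdline.split("\0", 1)[0]) if cmdline else ""
    if argv0 and argv0 != exe_name:
        reasons.append("argv[0] %r does not match exe %r" % (argv0, exe_name))
    if comm and comm != exe_name[:15]:  # comm is the exe name truncated to 15 bytes
        reasons.append("comm %r does not match exe %r" % (comm, exe_name))
    return reasons


def scan_proc():
    """Live scan of every readable /proc/<pid>; kernel threads (no exe) are skipped."""
    findings = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        base = "/proc/" + entry
        try:
            exe = os.readlink(base + "/exe")
            with open(base + "/comm") as f:
                comm = f.read().strip()
            with open(base + "/cmdline", "rb") as f:
                cmdline = f.read().decode("utf-8", "replace")
        except OSError:  # exited, kernel thread, or not ours to read
            continue
        reasons = classify_process(comm, exe, cmdline)
        if reasons:
            findings[int(entry)] = reasons
    return findings


# Constructed sample records: a normal sshd, and a process that presents itself as
# hpasmlited while its real binary (a stand-in name) lived in /tmp and is now deleted.
SAMPLE_PROCESSES = {
    713: ("sshd", "/usr/sbin/sshd", "/usr/sbin/sshd\0-D\0"),
    2231: ("hpasmlited", "/tmp/sample-bin (deleted)", "/usr/sbin/hpasmlited\0"),
}


def scan_sample():
    """Apply classify_process to the constructed records; only flagged PIDs are returned."""
    return {pid: reasons for pid, rec in SAMPLE_PROCESSES.items()
            if (reasons := classify_process(*rec))}


if __name__ == "__main__":
    print("indicator files present:", check_pid_files())
    print("HP/HPE hardware:", hardware_is_hpe())
    for pid, reasons in sorted(scan_proc().items()):
        print(pid, reasons)
```

The heuristic is deliberately broad, so expect benign hits that need an allow-list: daemons that rewrite their own argv[0] (sshd's "sshd: ..." titles, postgres workers), multi-call binaries such as busybox, and any service whose package was upgraded underneath a still-running process will show argv or "(deleted)" mismatches. What makes the hpasmlited case stand out is the combination: a hardware-management name, no HPE vendor string in DMI, and an executable path outside the vendor's install tree.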