A sophisticated cyber espionage campaign attributed to Red Menshen has infiltrated telecom networks across the Middle East and Asia using highly stealthy, kernel-level implants such as BPFDoor. Unlike conventional malware that relies on visible command-and-control communication, these implants operate silently by leveraging technologies such as Berkeley Packet Filter to monitor network traffic passively and activate only upon receiving specially crafted trigger packets.
This persistent and covert access enables credential harvesting, lateral movement, and potential surveillance of sensitive communications, including subscriber data. The campaign highlights a significant shift in threat actor capabilities, emphasizing deep infrastructure compromise, advanced evasion techniques, and the growing strategic risk posed to telecom operators and government networks.
The campaign attributed to Red Menshen begins with the exploitation of internet-facing edge devices such as VPN gateways, firewalls, and web services to gain initial access. Following compromise, attackers deploy post-exploitation frameworks including CrossC2, credential harvesting tools, and lateral movement utilities to establish control within the environment.
The core capability of the campaign is BPFDoor, a kernel-level implant that leverages Berkeley Packet Filter to inspect live network traffic in real time. The implant remains dormant and undetectable until it identifies a specially crafted “magic packet,” at which point it activates and spawns a remote shell without opening network ports or generating observable beaconing activity.
Advanced variants further enhance stealth by embedding trigger signals at specific byte offsets within HTTPS traffic and enabling covert communication through ICMP. Controller components can operate within compromised environments to propagate activation across infected systems. In telecom environments, support for protocols such as Stream Control Transmission Protocol enables deeper visibility into signaling traffic, facilitating continuous low-noise monitoring and control of critical infrastructure. The details and technical aspects of the attack campaign are discussed below.
Red Menshen primarily gains initial access by exploiting vulnerabilities in internet-facing infrastructure, including VPN gateways, firewalls, and web applications. Common targets include exposed services such as Apache Struts and enterprise technologies from vendors like Cisco, Fortinet, and VMware. These entry points provide access to high-value network traffic within telecom environments.
The infection chain was identified as follows:
The campaign demonstrates advanced technical capabilities focused on deep system integration, persistence, and stealth. BPFDoor operates within the kernel, leveraging Berkeley Packet Filter to passively monitor network traffic without generating visible command-and-control activity or opening listening ports. Activation occurs only when a specifically crafted trigger packet is detected, allowing attackers to execute commands through a hidden remote shell while remaining undetected by conventional monitoring tools.
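Because a passive implant of this kind sniffs traffic through a packet socket with a BPF filter attached rather than opening a listening port, one cheap host-level hunt is to enumerate AF_PACKET sockets and map each back to its owning process. The script below is an added example written for this article, not code from the Rapid7 report or from the malware; it reads /proc/net/packet (parsing the column layout used by current Linux kernels), resolves socket inodes to processes through /proc/<pid>/fd, and flags raw ETH_P_ALL sockets held by processes outside an assumed allow-list. The sample /proc/net/packet text, the owner map and the allow-list are constructed for illustration.

```python
"""Hunt for processes holding AF_PACKET sniffing sockets on a Linux host.

Added example for this article (not the report's or the implant's code).
The allow-list of expected sniffers and the sample data are assumptions.
"""
from __future__ import annotations
import os
import re
from dataclasses import dataclass

# Socket types as they appear in the Type column of /proc/net/packet
SOCK_DGRAM = 2
SOCK_RAW = 3
ETH_P_ALL = 0x0003  # capture every protocol: typical for a sniffer

# Processes that commonly hold packet sockets for legitimate reasons (assumed allow-list)
EXPECTED_SNIFFERS = {"tcpdump", "dhclient", "dhcpcd", "NetworkManager", "lldpd"}


@dataclass(frozen=True)
class PacketSocket:
    sock_type: int
    proto: int
    ifindex: int
    uid: int
    inode: int


def parse_proc_net_packet(text: str) -> list[PacketSocket]:
    """Parse /proc/net/packet: a header line, then one socket per line.

    Columns: sk RefCnt Type Proto Iface R Rmem User Inode (Proto is hex).
    """
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append(PacketSocket(
            sock_type=int(fields[2]),
            proto=int(fields[3], 16),
            ifindex=int(fields[4]),
            uid=int(fields[7]),
            inode=int(fields[8]),
        ))
    return sockets


def socket_owners(proc_root: str = "/proc") -> dict[int, tuple[int, str]]:
    """Map socket inode -> (pid, comm) by walking /proc/<pid>/fd symlinks (needs root for other users' processes)."""
    owners: dict[int, tuple[int, str]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                comm = fh.read().strip()
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited, or we lack permission
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners[int(m.group(1))] = (pid, comm)
    return owners


def suspicious_sniffers(sockets, owners):
    """Return (pid, comm, socket) for raw ETH_P_ALL sockets not held by an expected sniffer.

    A socket whose inode resolves to no visible process is reported as well:
    the owner may have exited, be hidden, or be unreadable to us.
    """
    findings = []
    for s in sockets:
        if s.sock_type != SOCK_RAW or s.proto != ETH_P_ALL:
            continue
        pid, comm = owners.get(s.inode, (None, "<unresolved>"))
        if comm in EXPECTED_SNIFFERS:
            continue
        findings.append((pid, comm, s))
    return findings


# Constructed sample data: one legitimate tcpdump, one process masquerading as a
# kernel thread, one unresolvable raw socket, and one DGRAM/IPv4 socket (ignored).
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a0c1e2b3c00 3      3    0003   2     1 0      0      41211
ffff9a0c1e2b3d80 3      3    0003   2     1 0      0      52377
ffff9a0c1e2b3e40 3      3    0003   2     1 0      0      70042
ffff9a0c1e2b3f00 3      2    0800   2     1 0      0      60001
"""
SAMPLE_OWNERS = {41211: (1203, "tcpdump"), 52377: (2871, "[kworker/u:0]")}

if __name__ == "__main__":
    # On a live host replace SAMPLE_* with open("/proc/net/packet").read() and socket_owners().
    for pid, comm, s in suspicious_sniffers(parse_proc_net_packet(SAMPLE_PROC_NET_PACKET), SAMPLE_OWNERS):
        print(f"pid={pid} comm={comm!r} raw ETH_P_ALL socket on ifindex {s.ifindex}, inode {s.inode}")
```

On a live host, `ss -0pb` gives a similar view (packet sockets with their attached BPF programs), but reading /proc directly is easier to schedule from an EDR or cron job and to diff against a baseline. A hit is only a lead: confirm by inspecting the process binary, its parent, and the filter bytecode shown by `ss -0pb`.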
Enhanced variants incorporate additional evasion and communication techniques, including embedding trigger signals within HTTPS traffic and using ICMP as a covert communication channel. These mechanisms allow attackers to maintain command-and-control without raising suspicion in standard network monitoring systems.
The malware also supports telecom-specific protocols such as Stream Control Transmission Protocol, enabling attackers to inspect signaling traffic and potentially monitor subscriber activity. Combined with internal propagation mechanisms, these capabilities allow for sustained, low-noise lateral movement, long-term persistence, and extensive surveillance within complex telecom environments.
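Since the implant never listens, its trigger necessarily arrives as an unsolicited packet to a port with no service behind it (or, for the ICMP variant, as an ICMP message), and the remote shell the article describes shows up afterwards as a fresh session between the victim and the sender. That sequence is something a flow collector or NetFlow/IPFIX feed can correlate without knowing the trigger bytes. The detector below is an added example written for this article, not detection logic from the Rapid7 report; the record format, the listener inventory, the correlation window and the flow lines are all constructed assumptions.

```python
"""Correlate 'unsolicited inbound packet -> new session back to the sender' in flow records.

Added example for this article, not the report's detection logic. Record
layout, listener inventory, window and sample flows are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "tcp", "udp" or "icmp"
    payload: int    # payload bytes carried by the flow


# Ports known to have a listener on each monitored host (assumed asset-inventory feed)
LISTENERS = {"10.20.0.5": {22, 443}}
# How soon after the trigger the callback must appear to be correlated (assumed)
WINDOW = timedelta(seconds=30)


def parse_flows(lines):
    """Parse constructed CSV lines: ts,src,sport,dst,dport,proto,payload_bytes."""
    flows = []
    for line in lines:
        ts, src, sport, dst, dport, proto, nbytes = line.strip().split(",")
        flows.append(Flow(datetime.fromisoformat(ts), src, int(sport), dst, int(dport), proto, int(nbytes)))
    return sorted(flows, key=lambda f: f.ts)


def unsolicited_trigger(flow: Flow) -> bool:
    """True for a payload-bearing packet to a monitored host that no service should have accepted.

    ICMP with payload is a candidate too; on its own that is noisy (ordinary pings
    carry payload), so only the correlation below raises an alert.
    """
    if flow.dst not in LISTENERS or flow.payload == 0:
        return False
    if flow.proto == "icmp":
        return True
    return flow.dport not in LISTENERS[flow.dst]


def find_trigger_callbacks(flows):
    """Return (trigger, callback) pairs: the host opened a TCP session back to the sender within WINDOW."""
    hits = []
    for i, f in enumerate(flows):
        if not unsolicited_trigger(f):
            continue
        for g in flows[i + 1:]:
            if g.ts - f.ts > WINDOW:
                break  # flows are time-sorted, nothing later can match
            if g.src == f.dst and g.dst == f.src and g.proto == "tcp":
                hits.append((f, g))
                break
    return hits


# Constructed flow log (RFC 5737 documentation addresses). Only the 10:00:05 packet
# to the closed port 8081 followed by the 10:00:09 session back to the sender should alert.
SAMPLE_FLOW_LOG = [
    "2024-05-01T10:00:00,198.51.100.7,51515,10.20.0.5,443,tcp,1200",   # normal HTTPS
    "2024-05-01T10:00:05,198.51.100.7,40001,10.20.0.5,8081,tcp,60",    # payload to a port with no listener
    "2024-05-01T10:00:06,192.0.2.44,0,10.20.0.5,0,icmp,0",             # ICMP without payload, ignored
    "2024-05-01T10:00:09,10.20.0.5,43210,198.51.100.7,8000,tcp,3400",  # host connects back to the sender
    "2024-05-01T10:05:00,203.0.113.9,0,10.20.0.5,0,icmp,64",           # ordinary ping, no callback in window
    "2024-05-01T10:06:00,10.20.0.5,51000,203.0.113.9,443,tcp,500",     # 60 s later: outside WINDOW
]

if __name__ == "__main__":
    for trig, cb in find_trigger_callbacks(parse_flows(SAMPLE_FLOW_LOG)):
        print(f"ALERT {trig.ts.isoformat()} {trig.src} -> {trig.dst}:{trig.dport}/{trig.proto} "
              f"then {cb.src} -> {cb.dst}:{cb.dport} at {cb.ts.isoformat()}")
```

The listener inventory is what makes the first half of the rule precise: without it, every scan hit looks like a trigger. Feeding it from the hosts' own socket tables (or from the packet-socket hunt above) keeps false positives down, and the correlation step can be widened to UDP or to a bind-shell pattern (a new inbound session to a previously closed port) where the environment calls for it.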
The activity has been consistently attributed to Red Menshen, also known as Earth Bluecrow and Red Dev 18, a threat group known for long-term cyber espionage campaigns. Since at least 2021, the group has evolved from deploying conventional malware to implementing highly stealthy, infrastructure-level persistence techniques.
Recent developments indicate increased sophistication, including encrypted trigger mechanisms, deeper kernel integration, and advanced evasion techniques tailored for modern enterprise and telecom environments. This evolution reflects a strategic focus on maintaining long-term, covert access within high-value networks.
The campaign has been observed targeting telecommunications providers across the Middle East and Asia, particularly in regions of geopolitical significance. By compromising telecom infrastructure, attackers gain indirect access to government communications, enterprise data flows, and potentially large volumes of subscriber information.
The geographic targeting suggests that the campaign is aligned with intelligence collection objectives, enabling surveillance and strategic monitoring across critical regions and sectors.
This campaign reflects a broader shift in cyber espionage toward deep infrastructure compromise and persistent, covert access. By deploying implants at the kernel level and leveraging legitimate technologies such as Berkeley Packet Filter, attackers can bypass traditional security controls and maintain long-term access without detection.
Organizations, particularly telecom operators, must enhance detection strategies by focusing on kernel integrity monitoring, network-level anomaly detection, and proactive threat hunting to address this evolving threat landscape.
The impact of this campaign is significant due to its ability to provide sustained, low-noise access to critical infrastructure. Compromise of telecom networks enables surveillance of communications, potential tracking of individuals, and access to sensitive metadata across large populations.
The stealthy nature of BPFDoor makes detection extremely challenging, increasing the likelihood of prolonged, undetected intrusions and large-scale intelligence collection activities.
https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report/