A months‑long investigation by Rapid7 Labs has uncovered a sustained cyber‑espionage campaign attributed to a China‑nexus threat actor, dubbed Red Menshen, that has embedded some of the stealthiest digital “sleeper cells” the team has seen in global telecommunications networks.
The operation targets telecom core infrastructure with the goal of long‑term reconnaissance, including against government‑related networks and critical‑infrastructure operators.
Telecommunications networks form the backbone of global digital life, carrying government communications, powering critical industries, and underpinning the digital identities of billions of users.
When such infrastructure is compromised, the impact extends far beyond one provider or region, giving an adversary unique visibility into subscriber data, signaling flows, and national‑level communications.
Over the past decade, multiple states have reported breaches of telecom environments, often linked to state‑backed actors who harvested call‑detail records, monitored sensitive conversations, and exploited trusted interconnections between operators.
Rapid7’s research shows that Red Menshen’s activity is not a series of isolated breaches but a repeatable campaign model aimed at establishing persistent, low‑noise access inside telecom and broader critical‑infrastructure environments.
The actors deploy kernel‑level implants, passive backdoors, credential‑harvesting tools, and cross‑platform command & control frameworks that together form a “persistence layer” designed to inhabit networks rather than breach them.
Rapid7 characterizes these footholds as “sleeper cells”: dormant implants placed deep inside the telecom backbone long before they are activated for operational use.
At the technical core of this campaign is BPFdoor, a stealth Linux backdoor that operates within the Linux kernel and abuses the Berkeley Packet Filter (BPF) to inspect network traffic.
Unlike conventional malware, BPFdoor does not bind to listening ports or generate obvious beaconing traffic; instead, it wakes up only when a specially crafted “magic packet” with a predefined byte sequence arrives at a specific port.
This design allows the backdoor to remain invisible to standard network‑monitoring tools such as netstat or ss, complicating detection even when defenders know the implant exists.
Initial access typically occurs through internet‑facing edge devices, including VPN appliances (e.g., Ivanti Connect Secure), Cisco network gear, Fortinet firewalls, VMware ESXi hosts, Palo Alto appliances, and vulnerable web platforms such as Apache Struts.
Once inside, the attackers use tools like CrossC2, a Linux‑compatible, Cobalt‑Strike–derived beacon framework, to execute commands, pivot, and stage further payloads in server‑heavy telecom environments.
They also deploy TinyShell, an open‑source passive backdoor customized by multiple APT groups, to maintain long‑term persistence on edge devices, VPN appliances, and virtualization hosts. Credential‑theft utilities, SSH brute‑forcers with telecom‑specific username lists (e.g., “imsi”), and ELF‑based keyloggers help the attackers move laterally toward control‑plane systems that store subscriber data and signaling information.
Rapid7’s latest analysis highlights newer BPFdoor variants that evolve beyond simple “magic packet” activation. In some cases, the trigger is embedded in HTTPS traffic, allowing the malicious payload to bypass TLS termination, reverse proxies, and web‑application firewalls before being decrypted on the target host.
Attackers use a “magic ruler” technique to pad HTTP requests, ensuring a marker (e.g., “9999”) lands at a fixed byte offset, allowing the implant to reliably detect the trigger without parsing the full HTTP header.
Some variants also incorporate ICMP‑based signaling, where special ICMP packets are used to relay commands between compromised hosts, with a value such as 0xFFFFFFFF acting as a “final destination” flag to stop further forwarding.
The combination of kernel‑level BPF‑based implants, HTTPS‑camouflaged triggers, and ICMP command channels demonstrates how Red Menshen operates across multiple layers of the defensive stack, from TLS inspection at the edge to endpoint monitoring on the host.
Rapid7 warns that this type of activity reflects a broader trend: attackers are shifting deeper into the operating system and infrastructure layer, using tools such as BPFdoor and newer eBPF‑based malware families to hide in plain sight.
To help defenders, Rapid7 has shared Indicators of Compromise, detection guidance, and a community‑available scanning script that hunts for BPFdoor‑related artifacts such as unusual raw socket usage, anomalous packet‑filtering behavior, and masquerading services on Linux systems.
Security teams protecting telecom and government‑adjacent environments are advised to extend visibility into kernel‑level operations, scrutinize BPF and eBPF usage, and continuously monitor edge devices and inter‑network interconnects for signs of these stealthy sleeper‑cell implants.
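As an added defender‑side illustration (not Rapid7's scanning script and not code from this article), the following Python hunts for two of the artifacts named above on a Linux host: processes that hold raw packet sockets (where a BPF filter would be attached) and whose binary runs from a scratch directory or has been unlinked from disk, a masquerading pattern. The /proc samples, pids and paths are constructed for the demonstration.

```python
import os
import re

# Constructed /proc/net/packet sample (not from a real host); columns are
# sk RefCnt Type Proto Iface R Rmem User Inode, and Type 3 means SOCK_RAW.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c 3      3    0003   2     1 0      0      31337
ffff9a2d 3      3    0003   0     1 0      0      40001
"""
# Constructed stand-in for /proc/<pid>/{fd,comm,exe} of two processes.
SAMPLE_PROCS = {
    812: {"inodes": {40001}, "comm": "dhclient", "exe": "/usr/sbin/dhclient"},
    4711: {"inodes": {31337}, "comm": "udevd", "exe": "/dev/shm/x (deleted)"},
}
SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")

def parse_packet_sockets(text):
    """Map socket inode -> socket type for every row of /proc/net/packet."""
    rows = (line.split() for line in text.splitlines()[1:])
    return {int(c[8]): int(c[2]) for c in rows if len(c) >= 9}

def find_suspects(packet_text, procs):
    """(pid, comm, reasons) for raw-packet-socket holders that look masqueraded."""
    raw = {ino for ino, typ in parse_packet_sockets(packet_text).items() if typ == 3}
    findings = []
    for pid, info in procs.items():
        if not info["inodes"] & raw:
            continue  # no raw packet socket: legitimate daemons stay unflagged
        reasons = []
        if info["exe"].startswith(("/dev/shm/", "/tmp/", "/var/tmp/")):
            reasons.append("exe in scratch dir")
        if info["exe"].endswith("(deleted)"):
            reasons.append("exe unlinked from disk")
        if reasons:
            findings.append((pid, info["comm"], reasons))
    return findings

def read_live_procs(proc="/proc"):
    """Build the same structure from a real /proc (Linux; run as root)."""
    procs = {}
    for pid in (p for p in os.listdir(proc) if p.isdigit()):
        base = f"{proc}/{pid}"
        try:
            links = [os.readlink(f"{base}/fd/{fd}") for fd in os.listdir(f"{base}/fd")]
            inodes = {int(m.group(1)) for m in map(SOCKET_LINK.fullmatch, links) if m}
            comm = open(f"{base}/comm").read().strip()
            procs[int(pid)] = {"inodes": inodes, "comm": comm, "exe": os.readlink(f"{base}/exe")}
        except OSError:
            continue  # process exited or is not readable; skip it
    return procs
```

On a live host, feed `open("/proc/net/packet").read()` and `read_live_procs()` to `find_suspects`; a raw socket held by a renamed binary in /dev/shm is a strong lead, while dhclient-style holders with an on-disk exe are filtered out.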