Red Menshen APT Uses BPFdoor for Long-Term Espionage in Telecom Networks

Red Menshen APT Uses BPFdoor for Long-Term Espionage in Telecom Networks

First seen 26 Mar 2026, 16:47 UTC Feeds2.FeedburnerCybersecuritynewsScworldSecuritybrief.AuReddit+10 82% similarity 77.9

Article Content

Browse articles
ThreatCluster

A China-linked threat actor known as Red Menshen has been conducting a long-term espionage campaign targeting global telecommunications networks using a stealthy Linux kernel backdoor called BPFdoor. This malware operates at the kernel level, allowing it to passively inspect network traffic and activate only upon receiving specially crafted packets, thus avoiding detection by traditional security measures. Rapid7 Labs uncovered this campaign, which has been ongoing since at least 2021, indicating a shift from opportunistic attacks to pre-positioning within critical infrastructure. The group has successfully infiltrated telecom systems across multiple regions, including Europe and Asia, raising significant concerns about national security. The stealthy nature of BPFdoor complicates detection efforts, as it blends in with normal network operations and does not expose typical command-and-control indicators. Current efforts are underway to develop detection tools to identify these implants in affected systems.

Key Points: • Red Menshen uses BPFdoor backdoor for covert access in telecom networks. • The malware operates at the kernel level, complicating detection and response. • The espionage campaign has been active since at least 2021, targeting global infrastructure.

ThreatCluster AI

Timeline

2021-01-01
Red Menshen begins using BPFdoor for espionage.
2022-01-01
BPFdoor source code leaked.
2026-03-26
Rapid7 publishes findings on Red Menshen's activities.
2026-03-27
Alleged RedLine dev extradited to the U.S.

Community

Browse all →