Back

Red Menshen APT Uses BPFdoor for Long-Term Espionage in Telecom Networks

Severity: High (Score: 77.9)

Sources: Cybersecuritynews, Cybersecuritydive, Scworld, Gbhackers, Securityaffairs.Co

Summary

A China-linked threat actor known as Red Menshen has been conducting a long-term espionage campaign targeting global telecommunications networks using a stealthy Linux kernel backdoor called BPFdoor. This malware operates at the kernel level, allowing it to passively inspect network traffic and activate only upon receiving specially crafted packets, thus avoiding detection by traditional security measures. Rapid7 Labs uncovered this campaign, which has been ongoing since at least 2021, indicating a shift from opportunistic attacks to pre-positioning within critical infrastructure. The group has successfully infiltrated telecom systems across multiple regions, including Europe and Asia, raising significant concerns about national security. The stealthy nature of BPFdoor complicates detection efforts, as it blends in with normal network operations and does not expose typical command-and-control indicators. Current efforts are underway to develop detection tools to identify these implants in affected systems. Key Points: • Red Menshen uses BPFdoor backdoor for covert access in telecom networks. • The malware operates at the kernel level, complicating detection and response. • The espionage campaign has been active since at least 2021, targeting global infrastructure.

Key Entities

  • Red Menshen (apt_group)
  • Salt Typhoon (apt_group)
  • Flax Typhoon (apt_group)
  • Volt Typhoon (apt_group)
  • Data Breach (attack_type)
  • Malware (attack_type)
  • Ajax Amsterdam (company)
  • Cisco (company)
  • Fortinet (company)
  • Ivanti (company)
  • Palo Alto Networks (company)
  • VMware (tool)
  • Armenia (country)
  • China (country)
  • Government (industry)
  • Telecommunications (industry)
  • BPFDoor (malware)
  • RedLine (malware)
  • Tinyshell (malware)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1021 - Remote Services (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1056.001 - Keylogging (mitre_attack)
  • T1056 - Input Capture (mitre_attack)
  • Apache Struts (platform)
  • Kubernetes (platform)
  • Linux (platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed