China-linked group embeds stealthy kernel backdoors in telecom networks, Rapid7 says

A long-running campaign attributed to a China-nexus threat actor known as Red Menshen has implanted stealthy access mechanisms in telecommunications networks to conduct espionage against government networks. The cluster – also tracked as Earth Bluecrow, DecisiveArchitect and Red Dev 18 – has struck telecom providers across the Middle East and Asia since at least 2021.

Security firm Rapid7 said the implants represent some of the stealthiest digital sleeper cells encountered in telecom environments and combine kernel-level implants, passive backdoors, credential-harvesting utilities and cross-platform command frameworks to maintain long-term persistence.

One widely used tool is a Linux backdoor called BPFDoor, which abuses the Berkeley Packet Filter inside the kernel to inspect network traffic and activate only when a specifically crafted ‘magic’ packet is received. The actor also deploys beacon frameworks and post-exploitation tools including CrossC2, Sliver and TinyShell, together with keyloggers and brute-force utilities to harvest credentials and move laterally.

BPFDoor comprises a passive kernel-resident component that installs a BPF filter to watch for an activation packet and spawn a shell, and a controller component used by operators to send specially formatted packets. The controller can run inside victim environments, masquerade as legitimate system processes and trigger additional implants or open local listeners to enable controlled lateral movement between compromised hosts.
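A passive component of this kind installs its filter on a raw packet socket so the kernel hands it only the frames that match; the socket itself is therefore a host-side artefact worth hunting for. The script below is an added illustration, not Rapid7's tooling or any BPFDoor code: it parses the Linux `/proc/net/packet` table, flags raw AF_PACKET sockets capturing every protocol (the shape a filter-triggered listener leaves behind), and maps a socket inode back to its owning process. The sample table embedded in the script is constructed; the inode, address and uid values in it are made up.

```python
"""Triage raw packet sockets on a Linux host by reading /proc/net/packet.

Added example, not code from the article or from Rapid7. A user-space process
that attaches a BPF filter to an AF_PACKET raw socket shows up here even when
it has no listening TCP/UDP port, which is exactly why passive implants evade
port-based inventories. Legitimate sniffers (tcpdump, some DHCP clients) look
the same, so the output is a lead for an analyst, not a verdict.
"""
import os
from dataclasses import dataclass
from typing import Iterable, List

SOCK_DGRAM = 2
SOCK_RAW = 3
ETH_P_ALL = 0x0003  # protocol value that means "deliver every frame"

# Constructed sample in the real /proc/net/packet column layout:
# sk RefCnt Type Proto Iface R Rmem User Inode  (Type decimal, Proto hex).
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c3e0f2000 3      3    0003   2     1 0      0      21007
ffff9a1c3e0f2800 3      2    0800   2     1 0      0      21350
"""


@dataclass
class PacketSocket:
    type_: int      # SOCK_RAW or SOCK_DGRAM
    proto: int      # Ethernet protocol the socket is bound to
    ifindex: int    # 0 means "all interfaces"
    running: bool
    uid: int
    inode: int

    @property
    def sniffs_all_protocols(self) -> bool:
        return self.proto == ETH_P_ALL


def parse_proc_net_packet(text: str) -> List[PacketSocket]:
    """Parse the /proc/net/packet table (header line skipped)."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9:
            continue  # tolerate a truncated or malformed row
        sockets.append(PacketSocket(
            type_=int(fields[2]),
            proto=int(fields[3], 16),
            ifindex=int(fields[4]),
            running=fields[5] == "1",
            uid=int(fields[7]),
            inode=int(fields[8]),
        ))
    return sockets


def suspicious_sockets(sockets: Iterable[PacketSocket],
                       allowlist_uids: Iterable[int] = ()) -> List[PacketSocket]:
    """Raw sockets that capture every protocol, minus allow-listed owners."""
    allow = set(allowlist_uids)
    return [s for s in sockets
            if s.type_ == SOCK_RAW and s.sniffs_all_protocols and s.uid not in allow]


def pids_for_inode(inode: int, proc_root: str = "/proc") -> List[int]:
    """Map a socket inode to owning PIDs via /proc/<pid>/fd symlinks.

    Reading other users' fd tables needs root; unreadable entries are skipped.
    """
    target = f"socket:[{inode}]"
    pids: List[int] = []
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return pids
    for entry in entries:
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    pids.append(int(entry))
                    break
        except OSError:
            continue
    return pids


def main() -> None:
    try:
        with open("/proc/net/packet") as f:
            text = f.read()
    except OSError:          # not on Linux: fall back to the constructed sample
        text = SAMPLE_PROC_NET_PACKET
    for s in suspicious_sockets(parse_proc_net_packet(text)):
        print(f"raw AF_PACKET socket inode={s.inode} uid={s.uid} "
              f"ifindex={s.ifindex} pids={pids_for_inode(s.inode)}")


if __name__ == "__main__":
    main()
```

Run it as root on a host under review and compare the reported PIDs against the process list; a packet socket owned by a process whose name imitates a system daemon, or one that also holds no expected capture role, is the kind of finding that warrants pulling the binary and its BPF filter for analysis.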

Certain BPFDoor samples include support for the Stream Control Transmission Protocol (SCTP), which could allow monitoring of telecom-native protocols and visibility into subscriber behaviour and location. A previously undocumented variant conceals the trigger inside apparently legitimate HTTPS requests by checking for the string ‘9999’ at a fixed byte offset and introduces an ICMP-based lightweight communication mechanism between infected hosts.

The attackers obtain initial access by targeting internet-facing infrastructure and exposed edge services such as VPN appliances, firewalls and web-facing platforms associated with Ivanti, Cisco, Juniper Networks, Fortinet, VMware, Palo Alto Networks and Apache Struts. After gaining footholds the campaign deploys backdoors and beaconing frameworks to preserve stealthy, long-term access.

Rapid7 characterised the activity as part of a broader shift toward embedding implants deeper in the computing stack to evade traditional monitoring and warned that telecom environments with bare-metal systems, virtualisation layers and containerised 4G/5G components provide attractive terrain for low-noise persistence.