BPFDoor Backdoor Targets Telecom Networks for Covert Long-Term Access
Key Takeaways
- A China-linked threat actor, Red Menshen, has deployed a highly sophisticated Linux backdoor named BPFdoor within global telecommunications networks.
- The campaign, uncovered by Rapid7 Labs, focuses on long-term, covert access to critical telecom infrastructure for espionage purposes.
- BPFdoor is not a kernel module: it is a user-space implant that attaches a Berkeley Packet Filter (BPF) program which the kernel evaluates on every incoming packet, so the implant never has to listen on a port. Newer variants hide their command triggers inside legitimate HTTPS traffic and relay commands over an ICMP-based control channel to evade detection.
- Targeted regions include South Korea, Hong Kong, Myanmar, Malaysia, Egypt, and the Middle East, with implications for government networks.
- Rapid7 has released a detection script and advises enhanced kernel-level monitoring for Linux systems.
A comprehensive, months-long investigation by Rapid7 Labs has unveiled a highly sophisticated espionage campaign orchestrated by Red Menshen, a state-sponsored threat actor with ties to China. The group has strategically embedded advanced digital “sleeper cells” deep within critical global telecommunications infrastructure.
The findings, published on March 26, 2026, highlight a significant strategic pivot by the threat actor. Instead of opportunistic attacks, Red Menshen is now focused on long-term pre-positioning within the core networks that form the backbone of national and international communications.
Telecommunications networks are vital conduits, carrying sensitive government communications, authenticating subscriber identities, coordinating essential industries, and managing signaling flows across international borders. Their unique architecture, relying on specialized protocols such as SS7, Diameter, and SCTP, makes them an invaluable target for intelligence gathering, far exceeding the scope of typical data breaches.
Sustained access within a telecom core can expose a wealth of sensitive information, including subscriber identifiers, mobility events, authentication exchanges, and communication metadata. This level of access enables large-scale tracking and surveillance of high-value geopolitical targets.
Red Menshen has specifically targeted telecom providers in key regions, including South Korea, Hong Kong, Myanmar, Malaysia, Egypt, and the Middle East. Government networks relying on these carriers face significant collateral risk due to the compromise of their underlying infrastructure.
BPFdoor: A BPF-Based Stealth Backdoor
Central to this espionage campaign is BPFdoor, a stealthy Linux backdoor built around the Berkeley Packet Filter (BPF). The implant itself is an ordinary user-space process; what makes it hard to see is that it hands the kernel a BPF filter and lets the kernel do the watching on its behalf.
Unlike conventional malware, BPFdoor does not bind a listening port or beacon out to a command-and-control server. Instead, it opens a raw packet socket and attaches a BPF filter to it, so the kernel evaluates every incoming packet and passes only the ones that match, namely a "magic packet" carrying a predefined byte sequence, to the implant; everything else, including port scans, is handled by the host as usual. Because no port is bound until a trigger arrives, netstat and ss list no unexpected listener and an external nmap scan sees a clean host. The raw socket itself is not invisible, however: it appears in /proc/net/packet and in the output of `ss -0 -p`, which is where host-based hunting should start.

Rapid7 Labs identified a previously undocumented BPFdoor variant that raises the bar further. It no longer depends on a distinctive magic packet that a network sensor could signature. Instead, the trigger is carried inside otherwise legitimate HTTPS requests and is delivered through the environment's TLS termination points, such as load balancers and reverse proxies. A perimeter IDS sees only ciphertext; the trigger becomes visible only after decryption, on the internal segment between the proxy and the backend, where few organizations inspect traffic.
A "magic ruler" padding scheme ensures that a marker string ("9999") lands at a fixed offset of 26 or 40 bytes in the request data the implant inspects, regardless of the headers a proxy adds, removes or reorders on the way in; the padding absorbs the rewriting, which amounts to Layer-7 camouflage. The variant also has an ICMP-based control channel: compromised servers relay commands to one another in crafted ICMP packets, with the value 0xFFFFFFFF marking a terminal hop that must not forward further. Commands therefore move laterally between implants without any of them producing conventional C2 traffic, which makes the activity hard to pick out of normal ICMP noise.
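The two network-side indicators above can be checked mechanically on traffic captured behind the TLS terminator and on ICMP between internal hosts. The script below is an added example written for this article, not code from Rapid7's report or from the implant; it assumes the marker is "9999" at offset 26 or 40 (as the report states) but, because the report does not say where the implant starts counting, it checks both the raw request and the body (an assumption). The packets and requests it inspects are constructed inline, not captured.

```python
#!/usr/bin/env python3
"""Hunt for the two triggers attributed to the new BPFdoor variant.

Added example (not from the report or the implant): (1) "9999" at a fixed
26- or 40-byte offset in decrypted request data, (2) ICMP packets carrying
0xFFFFFFFF as the relay's terminal marker.  All samples are constructed here.
"""
import socket
import struct

MARKER = b"9999"
MARKER_OFFSETS = (26, 40)            # fixed offsets cited in the report
ICMP_TERMINAL = b"\xff\xff\xff\xff"  # 0xFFFFFFFF, identical in either byte order
IPPROTO_ICMP = 1


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def marker_offsets(data):
    """Those of MARKER_OFFSETS at which MARKER actually appears in data."""
    return [o for o in MARKER_OFFSETS if data[o:o + len(MARKER)] == MARKER]


def scan_http_request(raw):
    """Check a decrypted HTTP request both from byte 0 and from the body
    (assumption: we do not know which view the implant pads against)."""
    _head, sep, body = raw.partition(b"\r\n\r\n")
    return {"request": marker_offsets(raw), "body": marker_offsets(body) if sep else []}


def parse_ipv4_icmp(pkt):
    """(type, code, payload) for a well-formed IPv4/ICMP packet, else None.
    Both checksums are verified so truncated or corrupt frames never match."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len > len(pkt) or pkt[9] != IPPROTO_ICMP:
        return None
    if inet_checksum(pkt[:ihl]) != 0:
        return None
    icmp = pkt[ihl:total_len]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return None
    return icmp[0], icmp[1], icmp[8:]


def icmp_carries_terminal(pkt):
    """True if a valid ICMP packet carries the 0xFFFFFFFF terminal marker."""
    parsed = parse_ipv4_icmp(pkt)
    return parsed is not None and ICMP_TERMINAL in parsed[2]


def build_icmp_echo(src, dst, payload, ident=0x1234, seq=1):
    """Build an IPv4 echo request with correct checksums (demo input only)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0xBEEF, 0x4000,
                     64, IPPROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


# Constructed samples (not captured traffic).
BENIGN_PING = build_icmp_echo("10.0.0.5", "10.0.0.9", bytes(range(0x10, 0x38)))
RELAY_PING = build_icmp_echo("10.0.0.5", "10.0.0.9", b"\x00" * 8 + ICMP_TERMINAL)
BENIGN_REQ = b"POST /api/v1 HTTP/1.1\r\nHost: core.internal\r\n\r\n{\"id\": 1}"
TRIGGER_REQ = (b"GET /health HTTP/1.1\r\nHost: core.internal\r\n\r\n"
               + b"x" * 26 + MARKER + b"x" * 10 + MARKER)

if __name__ == "__main__":
    for name, pkt in (("benign ping", BENIGN_PING), ("relay ping", RELAY_PING)):
        print(f"{name}: terminal marker = {icmp_carries_terminal(pkt)}")
    for name, req in (("benign request", BENIGN_REQ), ("trigger request", TRIGGER_REQ)):
        print(f"{name}: {scan_http_request(req)}")
```

Treat both checks as hunting leads, not signatures: four consecutive 0xFF bytes do occur in legitimate ICMP payloads, and a four-character marker at a fixed offset will produce occasional false positives on busy APIs, so corroborate hits with the host-side checks below before escalating.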
Infrastructure-Level Masquerading
To blend into compromised environments, some BPFdoor samples masquerade as legitimate daemons on HPE ProLiant bare-metal servers. Specifically, they impersonate "hpasmlited", a daemon belonging to HPE's Agentless Management Service, so that they look like expected vendor processes on telecom hardware running 4G/5G core workloads.
Other BPFdoor samples spoof Docker and containerd components, targeting Kubernetes-hosted 5G core network functions such as the AMF (Access and Mobility Management Function), SMF (Session Management Function) and UDM (Unified Data Management). A process name is cheap to fake; the binary behind /proc/<pid>/exe and the package that owns it are not, and that is the comparison defenders should make.
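The raw-socket footprint described earlier and the process masquerading described here can be checked together from /proc. The script below is an added example written for this article, not Rapid7's detection script: it lists every AF_PACKET socket from /proc/net/packet, maps each back to the owning PID through /proc/<pid>/fd, and flags processes whose claimed name (argv[0]) disagrees with the binary at /proc/<pid>/exe, whose binary has been unlinked, or which run from a scratch directory. The column layout follows the kernel's af_packet.c; SAMPLE_PROC_NET_PACKET and the names in the demo are constructed, not taken from a real host.

```python
#!/usr/bin/env python3
"""Enumerate AF_PACKET (raw) sockets and check who owns them.

Added example, not Rapid7's scanner.  A BPFdoor-style implant binds no TCP/UDP
port, but it must open a packet socket to feed its BPF filter, and every such
socket is listed in /proc/net/packet.  SAMPLE_PROC_NET_PACKET is constructed.
"""
import os
import re
from dataclasses import dataclass

SOCK_RAW = 3                 # Type column: 3 = SOCK_RAW, 2 = SOCK_DGRAM
ETH_P_ALL = 0x0003           # Proto column: receive every frame
ETH_P_IP = 0x0800            # Proto column: IPv4 frames only
SCRATCH_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")

SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   0     1 0      0      48211
0000000000000000 2      2    0800   2     1 0      0      48300
"""


@dataclass
class PacketSocket:
    inode: int
    sock_type: int
    proto: int
    ifindex: int             # 0 = not bound to a single interface
    uid: int


@dataclass
class Finding:
    pid: int
    comm: str                # /proc/<pid>/comm, what ps shows
    argv0: str               # argv[0], which the process can overwrite
    exe: str                 # readlink(/proc/<pid>/exe)
    sock: PacketSocket
    reasons: list


def parse_proc_net_packet(text):
    """Parse /proc/net/packet text into PacketSocket records."""
    socks = []
    for line in text.splitlines()[1:]:            # line 0 is the header
        f = line.split()
        if len(f) >= 9:
            socks.append(PacketSocket(int(f[8]), int(f[2]), int(f[3], 16),
                                      int(f[4]), int(f[7])))
    return socks


def masquerade_reasons(argv0, exe):
    """Ways in which the claimed identity (argv[0]) and the real binary disagree."""
    reasons = []
    claimed = os.path.basename(argv0.split()[0]) if argv0.strip() else ""
    deleted = exe.endswith(" (deleted)")
    real_path = exe[:-len(" (deleted)")] if deleted else exe
    real = os.path.basename(real_path)
    if claimed and real and claimed != real:
        reasons.append(f"argv[0] claims {claimed!r} but exe is {exe!r}")
    if deleted:
        reasons.append("binary was unlinked after exec")
    if real_path.startswith(SCRATCH_DIRS):
        reasons.append(f"binary runs from scratch directory {real_path!r}")
    return reasons


def socket_owners(proc="/proc"):
    """Map socket inode -> PIDs holding it (reading other users' fds needs root)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue
            if m:
                owners.setdefault(int(m.group(1)), []).append(int(pid))
    return owners


def process_identity(pid, proc="/proc"):
    """(comm, argv0, exe) for a PID; empty strings where /proc is unreadable."""
    base = os.path.join(proc, str(pid))

    def read(name):
        try:
            with open(os.path.join(base, name), "rb") as fh:
                return fh.read()
        except OSError:
            return b""

    comm = read("comm").decode(errors="replace").strip()
    argv0 = read("cmdline").split(b"\0")[0].decode(errors="replace")
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = ""
    return comm, argv0, exe


def scan(proc="/proc"):
    """Every packet socket on the host, joined to its owner and identity checks."""
    with open(os.path.join(proc, "net", "packet")) as fh:
        socks = parse_proc_net_packet(fh.read())
    owners = socket_owners(proc)
    findings = []
    for sock in socks:
        for pid in owners.get(sock.inode, [-1]):   # -1: owner not visible to us
            comm, argv0, exe = process_identity(pid, proc) if pid > 0 else ("?", "", "")
            findings.append(Finding(pid, comm, argv0, exe, sock, masquerade_reasons(argv0, exe)))
    return findings


if __name__ == "__main__":
    for f in scan():
        tag = "SUSPICIOUS" if f.reasons else "review"
        print(f"[{tag}] pid={f.pid} comm={f.comm!r} argv0={f.argv0!r} exe={f.exe!r} "
              f"type={f.sock.sock_type} proto=0x{f.sock.proto:04x} uid={f.sock.uid}")
        for r in f.reasons:
            print("   -", r)
```

Run it as root so every process's fd table is readable; a packet socket whose owner cannot be resolved is itself worth a second look. Every raw socket it lists deserves review, not just the flagged ones: tcpdump, DHCP clients and LLDP agents are legitimate holders, so the useful question is whether the owner is a packaged binary you expected to be capturing. For a quick manual equivalent, `ss -0 -p -b` lists packet sockets with their owning process and, as root, the classic BPF filter attached to each.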
Initial access for these attacks consistently targets edge infrastructure, including Ivanti Connect Secure VPNs, Cisco and Juniper network devices, Fortinet firewalls, and VMware ESXi hosts. Post-exploitation tooling observed includes CrossC2, TinyShell, SSH brute-forcers, and custom ELF keyloggers. These keyloggers are notable for containing telecom-aware credential lists that reference terms like “imsi” (International Mobile Subscriber Identity), indicating a deep understanding of the targeted environments.
Rapid7 has collaborated with national CERTs and government partners to ensure affected organizations are notified. The firm has also released a free, open-source scanning script designed to detect both legacy and new BPFdoor variants, providing organizations with a vital tool for rapid exposure validation. More details can be found in the Rapid7 Labs threat research report.
What You Should Do
- Enhance Kernel-Level Visibility: Extend monitoring on all Linux systems to packet sockets and the BPF filters attached to them. Concretely, inventory AF_PACKET sockets (/proc/net/packet, `ss -0 -p -b`) and alert when a process that is not a known capture tool calls socket(AF_PACKET, ...) or setsockopt(SO_ATTACH_FILTER). Most organizations have no telemetry at this depth.
- Monitor for Anomalous High-Port Behavior: BPFdoor's stealth ends once a trigger arrives. Earlier variants have been documented binding a short-lived shell on a high port and steering traffic to it with a firewall redirect rule, so alert on new listeners outside the expected set and on unexpected iptables/nftables rule changes; the traces are brief but real.
- Scan for BPFdoor: Utilize Rapid7’s free, open-source detection script to scan your Linux infrastructure for both known and new BPFdoor variants.
- Review Edge Infrastructure Logs: Scrutinize logs from Ivanti Connect Secure VPNs, Cisco and Juniper network devices, Fortinet firewalls, and VMware ESXi hosts for signs of initial compromise.
- Implement Network Segmentation: Strengthen network segmentation to limit lateral movement potential, even for highly stealthy malware like BPFdoor.
- Regularly Patch and Update: Ensure all network devices, VPNs, hypervisors, and Linux systems are kept up-to-date with the latest security patches to mitigate known vulnerabilities exploited for initial access.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.