Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

CyberSecurity News

BPFDoor Backdoor Targets Telecom Networks for Covert Long-Term Access

David kimber
March 26, 2026 4 Min Read

Key Takeaways

  • A China-linked threat actor, Red Menshen, has deployed a highly sophisticated Linux backdoor named BPFdoor within global telecommunications networks.
  • The campaign, uncovered by Rapid7 Labs, focuses on long-term, covert access to critical telecom infrastructure for espionage purposes.
  • BPFdoor binds no listening port. It hides behind a BPF packet filter that the kernel evaluates on every incoming packet and wakes only on a trigger; the newly documented variant adds command triggers hidden inside legitimate HTTPS traffic and an ICMP-based control channel between compromised hosts to evade detection.
  • Targeted regions include South Korea, Hong Kong, Myanmar, Malaysia, Egypt, and the Middle East, with implications for government networks.
  • Rapid7 has released a detection script and advises enhanced kernel-level monitoring for Linux systems.

A comprehensive, months-long investigation by Rapid7 Labs has unveiled a highly sophisticated espionage campaign orchestrated by Red Menshen, a state-sponsored threat actor with ties to China. The group has strategically embedded advanced digital “sleeper cells” deep within critical global telecommunications infrastructure.

Table Of Content

  • Key Takeaways
  • BPFdoor: A Kernel-Level Stealth Backdoor
  • Infrastructure-Level Masquerading
  • What You Should Do

The findings, published on March 26, 2026, highlight a significant strategic pivot by the threat actor. Instead of opportunistic attacks, Red Menshen is now focused on long-term pre-positioning within the core networks that form the backbone of national and international communications.

Telecommunications networks are vital conduits, carrying sensitive government communications, authenticating subscriber identities, coordinating essential industries, and managing signaling flows across international borders. Their unique architecture, relying on specialized protocols such as SS7, Diameter, and SCTP, makes them an invaluable target for intelligence gathering, far exceeding the scope of typical data breaches.

Sustained access within a telecom core can expose a wealth of sensitive information, including subscriber identifiers, mobility events, authentication exchanges, and communication metadata. This level of access enables large-scale tracking and surveillance of high-value geopolitical targets.

Red Menshen has specifically targeted telecom providers in key regions, including South Korea, Hong Kong, Myanmar, Malaysia, Egypt, and the Middle East. Government networks relying on these carriers face significant collateral risk due to the compromise of their underlying infrastructure.

BPFdoor: A Kernel-Level Stealth Backdoor

Central to this espionage campaign is BPFdoor, a stealthy Linux backdoor that hides behind the kernel's Berkeley Packet Filter (BPF) facility. The implant itself is an ordinary user-space process, but it attaches a BPF program to a raw packet socket, so the matching of incoming traffic happens inside the kernel and the process does nothing observable until a packet matches.

Unlike conventional malware, BPFdoor does not bind a listening TCP or UDP port or generate recognizable command-and-control beaconing. Its BPF filter silently inspects incoming traffic and activates only on receipt of a specially crafted "magic packet" carrying a predefined byte sequence. Port-centric tools such as netstat, ss -ltn or an external nmap scan therefore show nothing unusual, and the compromised system appears clean. The raw socket is not invisible, however: it is listed in /proc/net/packet (ss -0, also spelled ss --packet) and can be attributed to its owning process through the socket inodes in /proc/<pid>/fd, which is where host-based hunting should start.
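The hunt just described, written out as an added example: this is not Rapid7's detection script and not code from the report. It parses text in the layout of /proc/net/packet, ties each packet-socket inode to the process that holds it, and flags owners that are not on an assumed allowlist of legitimate packet-socket users or that run from a scratch directory. The /proc snapshot, the process table (including the hpasmlited entry that mirrors the masquerade described later on this page) and the allowlist are all constructed for the example; scan_live() reads the real tables on a Linux host.

```python
"""Hunt for processes holding AF_PACKET (raw) sockets on a Linux host.

A BPFdoor-style implant binds no TCP/UDP port, so `ss -ltn` shows nothing,
but the raw socket it attaches its BPF filter to is listed in /proc/net/packet
and can be tied to a process by matching the socket inode in /proc/<pid>/fd.
Sample data below is constructed; scan_live() reads the real /proc tables.
"""
import os
import re
from dataclasses import dataclass, field

# Constructed snapshot in /proc/net/packet layout (9 columns).
# Type 3 = SOCK_RAW; Proto is the ethertype in hex (0003 = ETH_P_ALL, 0800 = IPv4).
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c1e  3      3    0003   2     1 0      0      21345
ffff9c2f  3      3    0800   0     1 0      0      31337
"""
# Constructed process table: pid -> (comm, exe path, socket inodes it holds).
# The hpasmlited entry mimics the HPE daemon masquerade described on this page.
SAMPLE_PROCS = {
    1201: ("tcpdump", "/usr/bin/tcpdump", {21345}),
    2048: ("hpasmlited", "/dev/shm/hpasmlited", {31337}),
    2300: ("sshd", "/usr/sbin/sshd", {40001}),
}
# Assumed allowlist of daemons that legitimately use packet sockets; baseline
# it against the fleet before relying on it.
KNOWN_RAW_SOCKET_USERS = {"tcpdump", "dhclient", "dhcpcd", "NetworkManager",
                          "wpa_supplicant", "lldpd", "systemd-network"}
SUSPICIOUS_EXE_PREFIXES = ("/dev/shm/", "/tmp/", "/var/tmp/")
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


@dataclass
class Finding:
    pid: int
    comm: str
    exe: str
    inode: int
    proto: int
    reasons: list = field(default_factory=list)


def parse_proc_net_packet(text):
    """Return [(inode, sock_type, proto)] for each packet socket listed."""
    sockets = []
    for line in text.splitlines()[1:]:            # skip the header row
        fields = line.split()
        if len(fields) >= 9:
            sockets.append((int(fields[8]), int(fields[2]), int(fields[3], 16)))
    return sockets


def attribute(sockets, procs):
    """Tie each packet socket to its owning process and list why it looks odd."""
    findings = []
    for inode, _sock_type, proto in sockets:
        owner = next(((pid, info) for pid, info in procs.items()
                      if inode in info[2]), None)
        if owner is None:                          # hidden or exited owner
            findings.append(Finding(-1, "?", "?", inode, proto,
                                    ["packet socket with no visible owner"]))
            continue
        pid, (comm, exe, _) = owner
        f = Finding(pid, comm, exe, inode, proto)
        if comm not in KNOWN_RAW_SOCKET_USERS:
            f.reasons.append(f"'{comm}' is not an expected packet-socket user")
        if exe.startswith(SUSPICIOUS_EXE_PREFIXES) or "(deleted)" in exe:
            f.reasons.append(f"executable runs from {exe}")
        findings.append(f)
    return findings


def scan_live():
    """Collect the real tables (Linux; root needed to read other users' fds)."""
    procs = {}
    for entry in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{entry}"
        try:
            with open(f"{base}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"{base}/exe") if os.path.exists(f"{base}/exe") else "?"
            inodes = set()
            for fd in os.listdir(f"{base}/fd"):
                m = SOCKET_LINK.match(os.readlink(f"{base}/fd/{fd}"))
                if m:
                    inodes.add(int(m.group(1)))
        except OSError:
            continue                               # process exited or no access
        procs[int(entry)] = (comm, exe, inodes)
    with open("/proc/net/packet") as fh:
        return attribute(parse_proc_net_packet(fh.read()), procs)


if __name__ == "__main__":
    for f in attribute(parse_proc_net_packet(SAMPLE_PROC_NET_PACKET), SAMPLE_PROCS):
        print("SUSPICIOUS" if f.reasons else "ok", f.pid, f.comm, f.exe,
              f"inode={f.inode} proto=0x{f.proto:04x}", "; ".join(f.reasons))
```

On the sample data the tcpdump socket is reported as expected and the hpasmlited process is flagged twice, once for not being a known packet-socket user and once for running from /dev/shm. A packet socket whose inode matches no visible process is reported on its own, since an owner that cannot be seen from /proc is itself worth a look.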

Rapid7 Labs identified a previously undocumented BPFdoor variant that significantly enhances its stealth. This version no longer relies on a bare magic packet. Instead, it hides its command triggers inside otherwise legitimate HTTPS requests and relies on TLS termination points such as load balancers and reverse proxies: the trigger crosses the perimeter encrypted, where inspection cannot see it, and reaches the implant's host in plaintext only after the proxy has decrypted it inside the internal network zone.

A "magic ruler" padding mechanism ensures that the marker string "9999" consistently lands at a fixed 26-byte or 40-byte offset within the inspected request data, so the trigger survives header rewriting by intermediate proxies; the effect is dynamic Layer-7 camouflage. The variant also carries an ICMP-based control channel: compromised servers relay commands to one another in crafted ICMP packets, with the value 0xFFFFFFFF marking a "do not forward" terminal signal. This allows lateral propagation without standard C2 traffic, which makes internal movement even harder to detect.
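As an added example (not Rapid7's detection script and not code from the report), the following Python applies that fixed-offset check to decrypted requests as a backend host, or a tap placed after TLS termination, would see them. The article does not say what the 26-byte and 40-byte offsets are measured from; the example assumes the first byte of the plaintext HTTP request and treats the offsets, the marker and the inspection window as parameters. The sample requests, the choice of padding the request path to position the marker, and the repeated-byte heuristic for spotting padding are constructed illustrations, not observed samples.

```python
"""Check decrypted HTTP requests for a fixed-offset trigger marker.

Assumption (the article does not specify it): offsets are counted from the
first byte of the plaintext request as the backend receives it.  All sample
requests below are constructed for this example.
"""
import re

MARKER = b"9999"
RULER_OFFSETS = (26, 40)               # offsets reported for the variant
INSPECT_WINDOW = 512                   # loose check: marker anywhere this early
PAD_RUN = re.compile(rb"(.)\1{15,}")   # 16+ repeats of one byte in the path


def build_request(path, extra_headers=()):
    """Constructed plaintext HTTP/1.1 request (post-TLS-termination view)."""
    lines = [b"GET " + path + b" HTTP/1.1", b"Host: core.example"]
    lines += list(extra_headers)
    return b"\r\n".join(lines) + b"\r\n\r\n"


def marker_offsets(data, marker=MARKER, offsets=RULER_OFFSETS):
    """Strict check: the marker sits exactly at one of the ruler offsets."""
    return [o for o in offsets if data[o:o + len(marker)] == marker]


def inspect_request(raw):
    """Score one decrypted request; returns the indicators found."""
    request_line = raw.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    path = parts[1] if len(parts) >= 2 else b""
    strict = marker_offsets(raw)
    loose = raw[:INSPECT_WINDOW].find(MARKER)      # variants may move the ruler
    padded = PAD_RUN.search(path) is not None      # long filler run in the path
    return {
        "ruler_hits": strict,
        "marker_seen_at": loose if loose >= 0 else None,
        "padded_path": padded,
        # strict hit alone is enough; a marker elsewhere needs padding as well
        "suspicious": bool(strict) or (loose >= 0 and padded),
    }


BENIGN = build_request(b"/api/v1/subscribers?id=42")
# "GET /" is 5 bytes, so 21 filler bytes put the marker at byte 26.
TRIGGER = build_request(b"/" + b"x" * 21 + MARKER)
# The same request after a reverse proxy inserted a header; with the marker in
# the request line, ahead of the rewritable headers, its offset is unchanged.
PROXIED = build_request(b"/" + b"x" * 21 + MARKER, [b"X-Forwarded-For: 10.0.0.5"])

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("trigger", TRIGGER), ("proxied", PROXIED)):
        print(name, inspect_request(req))
```

The strict check is the one to deploy; the loose check and the padding heuristic exist so that a variant using different ruler offsets still produces a signal for an analyst to review. Because the marker only becomes visible after decryption, the check must run on the backend host or on a tap behind the load balancer, not at the perimeter. If a proxy rewrites the request path rather than only the headers, the offsets it sees will differ from those the implant sees, so measure at the same point in the path as the implant.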

Infrastructure-Level Masquerading

To further blend into compromised environments, some BPFdoor samples are designed to mimic legitimate processes on HPE ProLiant bare-metal servers. They specifically impersonate “hpasmlited,” a daemon belonging to HPE’s Agentless Management Service, allowing them to seamlessly integrate into telecom hardware environments running 4G/5G core workloads.

Other BPFdoor samples spoof Docker and containerd components, explicitly targeting Kubernetes-hosted 5G core functions such as AMF (Access and Mobility Management Function), SMF (Session Management Function), and UDM (Unified Data Management).

Initial access for these attacks consistently targets edge infrastructure, including Ivanti Connect Secure VPNs, Cisco and Juniper network devices, Fortinet firewalls, and VMware ESXi hosts. Post-exploitation tooling observed includes CrossC2, TinyShell, SSH brute-forcers, and custom ELF keyloggers. These keyloggers are notable for containing telecom-aware credential lists that reference terms like “imsi” (International Mobile Subscriber Identity), indicating a deep understanding of the targeted environments.

Rapid7 has collaborated with national CERTs and government partners to ensure affected organizations are notified. The firm has also released a free, open-source scanning script designed to detect both legacy and new BPFdoor variants, providing organizations with a vital tool for rapid exposure validation. More details can be found in the Rapid7 Labs threat research report.

What You Should Do

  • Enhance Kernel-Level Visibility: Expand monitoring to cover raw-socket creation and BPF filter attachment on all Linux systems, in particular the socket(AF_PACKET, ...) and setsockopt(SO_ATTACH_FILTER) calls that a BPFdoor-style implant needs, plus bpf() syscall activity, using auditd rules or eBPF-based telemetry. Most organizations lack adequate depth in these areas.
  • Monitor for Anomalous High-Port Behavior: Implement robust monitoring for unusual activity on high ports. An activated BPFdoor session has historically opened a bind shell on a high, short-lived TCP port, and earlier variants also insert temporary iptables redirect rules, so alert on unexpected high-port listeners and on firewall-rule changes that are not part of a sanctioned deployment.
  • Scan for BPFdoor: Utilize Rapid7’s free, open-source detection script to scan your Linux infrastructure for both known and new BPFdoor variants.
  • Review Edge Infrastructure Logs: Scrutinize logs from Ivanti Connect Secure VPNs, Cisco and Juniper network devices, Fortinet firewalls, and VMware ESXi hosts for signs of initial compromise.
  • Implement Network Segmentation: Strengthen network segmentation to limit lateral movement potential, even for highly stealthy malware like BPFdoor.
  • Regularly Patch and Update: Ensure all network devices, VPNs, hypervisors, and Linux systems are kept up-to-date with the latest security patches to mitigate known vulnerabilities exploited for initial access.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags: Breach, Exploit, Hacker, Malware, Threat

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

All Rights Reserved by HackersRadar ©2026