Rapid7 Labs has exposed a China-linked threat group known as Red Menshen that has been running a long-running espionage campaign, active since at least 2021, by infiltrating telecom networks, primarily in the Middle East and Asia. The operation relies on stealthy BPFDoor implants that sit deep in telecom environments and are described as extremely hard to detect and capable of covert, long-term surveillance.
The attackers deploy a kernel-level backdoor that activates only when it receives specially crafted packets, enabling persistence without visible C2 channels and helping them monitor government communications and subscriber data. According to Rapid7, recent BPFDoor variants show evolution in stealth and control: activation triggers have moved from simple magic packets to triggers embedded in legitimate HTTPS traffic and other traffic flows.
The group uses a layered intrusion model, including tools such as CrossC2, TinyShell, and credential harvesting utilities, to move laterally and remain under the radar. BPFDoor is framed as part of a broader shift toward deep visibility and covert access within telecom and critical infrastructure.