China-linked Red Menshen has embedded stealthy BPFDoor implants in telecom networks to spy on government networks, a long-term campaign that has targeted internet-facing infrastructure and exposed edge services such as VPN appliances and firewalls. The group, also tracked as Earth Bluecrow, DecisiveArchitect and Red Dev 18, has used kernel-level implants, passive backdoors, credential-harvesting utilities and cross-platform command frameworks to persist within networks of interest.
A Linux backdoor called BPFDoor is a central tool in its arsenal, with a controller component that can masquerade as legitimate system processes and trigger implants across internal hosts. According to Rapid7, these implants are among the stealthiest digital sleeper cells encountered in telecommunications networks. BPFDoor gets its name from the way it works: the implant attaches a Berkeley Packet Filter to a raw socket, so the kernel itself screens incoming packets for a crafted trigger packet. The backdoor opens no listening port and sends no beacon, so nothing is visible on the wire until an operator sends the trigger.
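The socket pattern just described is also what a defender can hunt for. The following Python script is an added example, not Rapid7's tooling or anything from the original report: it reads the kernel's AF_PACKET socket table (/proc/net/packet), maps each socket inode back to the processes holding it via /proc/<pid>/fd, and lists raw-socket holders that are not on an allowlist. It assumes a Linux host with /proc mounted and root privileges for a full view; the sample table and PID mapping embedded below are constructed for the demonstration.

```python
"""Hunt for passive raw-socket implants of the BPFDoor kind.

Added example (not the article's or Rapid7's code). Assumes Linux with /proc
mounted; the SAMPLE_* data below is constructed, not captured from a real host.
"""
import os
import re
from dataclasses import dataclass

SOCK_RAW = 3          # 'Type' column value for SOCK_RAW in /proc/net/packet
ETH_P_ALL = 0x0003    # 'Proto' column: every ethertype
ETH_P_IP = 0x0800     # 'Proto' column: IPv4 only


@dataclass
class PacketSocket:
    inode: int
    sock_type: int
    proto: int
    ifindex: int
    uid: int


def parse_proc_net_packet(text: str) -> list[PacketSocket]:
    """Parse the /proc/net/packet table: a header line, then one row per AF_PACKET socket.

    Columns: sk RefCnt Type Proto Iface R Rmem User Inode (Proto is hexadecimal).
    """
    socks = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 9:
            continue
        socks.append(PacketSocket(
            inode=int(cols[8]), sock_type=int(cols[2]), proto=int(cols[3], 16),
            ifindex=int(cols[4]), uid=int(cols[7])))
    return socks


def socket_owners(proc_root: str = "/proc") -> dict[int, list[int]]:
    """Map socket inode -> PIDs whose fd table links to 'socket:[inode]'."""
    owners: dict[int, list[int]] = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not ours to read without root
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), []).append(int(pid))
    return owners


def suspicious_raw_sockets(socks, owners, allowlist=()):
    """Return (socket, pids) for raw AF_PACKET sockets held by non-allowlisted PIDs.

    Legitimate holders (tcpdump, dhclient, lldpd, ...) belong on the allowlist;
    everything left over is a triage list, not a verdict.
    """
    hits = []
    for s in socks:
        if s.sock_type != SOCK_RAW or s.proto not in (ETH_P_ALL, ETH_P_IP):
            continue
        pids = [p for p in owners.get(s.inode, []) if p not in allowlist]
        if pids:
            hits.append((s, pids))
    return hits


# Constructed sample: three AF_PACKET sockets, the third a raw IPv4 socket
# held by an unexpected PID, which is the shape a passive implant presents.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9b4c1e2a0000 3      3    0003   2     1 0      0      30417
ffff9b4c1e2a0800 3      2    0800   0     1 0      0      30522
ffff9b4c1e2a1000 3      3    0800   0     1 0      0      31008
"""
SAMPLE_OWNERS = {30417: [812], 30522: [912], 31008: [4531]}


def hunt_live(allowlist=()):
    """Run the same check against the real /proc of this host."""
    with open("/proc/net/packet") as fh:
        socks = parse_proc_net_packet(fh.read())
    return suspicious_raw_sockets(socks, socket_owners(), allowlist)


if __name__ == "__main__":
    for sock, pids in suspicious_raw_sockets(
            parse_proc_net_packet(SAMPLE_PROC_NET_PACKET), SAMPLE_OWNERS, allowlist=(812,)):
        print(f"raw AF_PACKET socket inode={sock.inode} proto=0x{sock.proto:04x} pids={pids}")
```

Each hit is a starting point for triage, not a finding in itself: compare /proc/<pid>/comm with /proc/<pid>/cmdline and /proc/<pid>/exe for a process whose name looks like a system daemon but whose binary lives somewhere unusual or has been deleted from disk. On a host where `ss` is available, `ss -0pb` shows the same sockets together with the attached BPF filter program, which is the second half of the picture.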
The campaign began by compromising internet-facing infrastructure and continues to broaden its reach, with newer variants concealing triggers within HTTPS traffic and even using ICMP for inter-host communication, enabling long-term, low-noise persistence.

26 March 2026