www.darkreading.com, 3/27/2026, 5:12:17 PM

China Upgrades the Backdoor It Uses to Spy on Telcos Globally

Threat actor: Red Menshen (China)

China is said to have upgraded the backdoor it uses to spy on telcos worldwide, with the Chinese APT Red Menshen refining BPFdoor so that it persists longer in the heart of telecommunications systems and other critical networks. According to Rapid7, the attackers have moved from a passive listening setup to watching for trigger phrases in HTTPS requests, which makes the malware harder to detect because its activation rides on legitimate TLS traffic.

The group can direct commands to specific implant instances within a network over a covert ICMP control channel, embedding data in the activation packets, and it uses a 0xFFFFFFFF value in ICMP pings to indicate which implant should execute an action. Beek notes that Red Menshen has victims across Asia-Pacific, Europe and other regions, confirming a global footprint beyond its telco focus.
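As an added illustration of how a defender might hunt for the ICMP addressing behaviour described above (example code, not from the Dark Reading article or Rapid7's report): the scanner below parses captured IPv4 ICMP echo requests and flags any whose data carries the 0xFFFFFFFF value. The report does not say where in the packet the value sits, so the example assumes it lies somewhere in the ICMP data field; the packet builder and sample packets are constructed for the example.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# The report says a 0xFFFFFFFF value in ICMP pings selects which implant acts. Its
# position is not stated, so this example ASSUMES it lies anywhere in the echo data.
MARKER = (0xFFFFFFFF).to_bytes(4, "big")

@dataclass
class Finding:
    src: str
    dst: str
    icmp_id: int
    marker_offset: int  # byte offset of the marker inside the ICMP data field

def parse_ipv4_icmp_echo(pkt: bytes):
    """Return (src, dst, icmp_id, data) for an IPv4 ICMP echo request, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8:  # protocol 1 = ICMP
        return None
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    icmp_type, _code, _csum, icmp_id, _seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    if icmp_type != 8:  # only echo requests (pings) are of interest here
        return None
    return src, dst, icmp_id, pkt[ihl + 8:]

def scan_icmp_for_marker(packets):
    """Flag echo requests whose data carries the marker; returns a list of Finding."""
    findings = []
    for pkt in packets:
        parsed = parse_ipv4_icmp_echo(pkt)
        if parsed is None:
            continue
        src, dst, icmp_id, data = parsed
        off = data.find(MARKER)
        if off != -1:
            findings.append(Finding(src, dst, icmp_id, off))
    return findings

def build_echo(src, dst, icmp_id, data):
    """Constructed IPv4+ICMP echo request for testing (checksums left at zero)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, icmp_id, 1) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + icmp

# Constructed samples: a normal Linux-style ping payload and one carrying the marker.
NORMAL_PING = build_echo("10.0.0.5", "10.0.0.9", 0x1234, bytes(range(0x08, 0x38)))
SUSPECT_PING = build_echo("198.51.100.7", "10.0.0.9", 1, b"\x00" * 8 + MARKER + b"\x00" * 8)
```

A run of four 0xFF bytes can occur in benign ping payloads, so treat a hit as a lead for host-level triage of the destination rather than as proof of an implant.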

The report highlights that the campaign signals an advanced level of reconnaissance and tool reuse, with BPFdoor disguising itself using legitimate service names and processes associated with HPE ProLiant servers or Kubernetes.

March 27, 2026


Article by CyberSIXT