A months-long investigation by Rapid7 has found the advanced China-linked threat actor Red Menshen installing some of the stealthiest digital sleeper cells into telecom networks worldwide.

According to the researchers, at the center of these activities is BPFdoor, a stealth Linux backdoor whose packet filter runs inside the operating system kernel on core telecom infrastructure. In a March 26 blog post, the Rapid7 team said the campaigns aim to carry out high-level espionage against government networks.

Unlike most other malware, BPFdoor does not expose listening ports or maintain visible command-and-control (C2) channels. The researchers said it abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the kernel, and it activates only when it receives a specifically crafted trigger packet. There is no persistent listener and no obvious beaconing; the result is a hidden trapdoor embedded within the OS itself.

Rapid7 said this approach represents a shift in stealth tradecraft. By positioning itself below many traditional visibility layers, the implant significantly complicates detection, even when defenders know what to look for.

Christiaan Beek, vice president of cyber intelligence at Rapid7, said we are looking at malware that runs deep inside the operating system and quietly monitors network traffic instead of opening a visible connection. By activating only when it receives a specific trigger, Beek said, it becomes very hard to detect with traditional tools.
The main difference from anything that has been observed in the past is the combination of stealth and adaptability, said Beek. It avoids visibility at the kernel level, doesn’t rely on constant communication, and can hide inside normal encrypted traffic, making it much harder to detect in modern environments.
“The approach is consistent with long-term, stealthy access, but it’s now happening deeper in critical infrastructure,” Beek said. “Teams should focus on improving visibility beyond the network perimeter, especially on Linux systems, and look for unusual behavior rather than relying only on known indicators.”

Michael Bell, founder and CEO at Suzu Labs, said BPFdoor has been around since 2021 and its source code leaked in 2022, but the tradecraft has evolved significantly. Bell said previous variants used simple magic packet triggers, but the new ones hide their activation inside legitimate HTTPS traffic that passes cleanly through TLS termination and reverse proxies, and they have added SCTP filtering that was not in earlier versions.

Bell said teams should compare it to Salt Typhoon, a campaign that compromised nine U.S. telecoms by targeting call records and lawful intercept systems from the IT layer.

“Red Menshen is operating below that, on the signaling plane itself, filtering traffic at the kernel level without touching the applications or databases that defenders typically watch,” said Bell. “The difference is depth. They're not compromising edge devices and moving laterally. They're embedded in the kernel of systems that are the telecom infrastructure, mimicking hardware daemons on ProLiant servers and container processes in Kubernetes pods running 5G network functions.”

Bell said teams need to get visibility below the application layer: monitor for anomalous BPF filters on sockets, unexpected raw socket usage, and processes masquerading as legitimate hardware services. For example, Snap Attack published a detection scanner on GitHub that any team running Linux in a telecom environment should run right now.

“The FCC banned imports of new foreign-made routers three days ago, citing Volt Typhoon, Flax Typhoon, and Salt Typhoon specifically,” said Bell.
“That's a necessary move on the supply chain side, but Rapid7's findings show the adversary is already past the supply chain and sitting inside the signaling core.”
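As an added illustration of the hunt Bell describes (raw socket usage, BPF filters on sockets, processes masquerading as hardware daemons), the Python script below is example code written for this page; it is not Rapid7's tooling and not the SnapAttack scanner mentioned above. It cross-references /proc/net/packet with every process's open file descriptors, which is how a packet socket carrying a BPF filter can be found even though nothing appears as a listening TCP or UDP port. The allowlist, the scratch-directory list and the sample /proc rows are assumptions constructed for the demo, not observed indicators.

```python
"""Triage raw packet sockets on a Linux host for BPFdoor-style implants.

Added example written for this article; it is not Rapid7's tooling or the
SnapAttack scanner mentioned in the text. The allowlist, the scratch-directory
list and the sample /proc data below are constructed for illustration.
"""
import os
import re
from dataclasses import dataclass

SOCK_RAW = 3          # Type column of /proc/net/packet for SOCK_RAW
ETH_P_ALL = 0x0003    # Proto column value meaning "every protocol"

# Hypothetical allowlist of daemons that legitimately hold raw packet sockets;
# build the real one from a known-good baseline of each host class.
RAW_SOCKET_ALLOWLIST = {"dhclient", "lldpd", "tcpdump", "NetworkManager"}
# Locations a long-running daemon should never be executing from (assumption).
SCRATCH_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")


@dataclass(frozen=True)
class PacketSocket:
    inode: int
    sock_type: int
    proto: int
    ifindex: int
    uid: int


def parse_proc_net_packet(text: str) -> dict[int, PacketSocket]:
    """Parse /proc/net/packet (columns: sk RefCnt Type Proto Iface R Rmem User Inode)."""
    sockets = {}
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 9:
            continue
        s = PacketSocket(inode=int(cols[8]), sock_type=int(cols[2]),
                         proto=int(cols[3], 16), ifindex=int(cols[4]), uid=int(cols[7]))
        sockets[s.inode] = s
    return sockets


def socket_owners(fd_links) -> dict[int, set[int]]:
    """Map socket inode -> pids, from (pid, link_target) pairs read off /proc/<pid>/fd/*."""
    owners: dict[int, set[int]] = {}
    for pid, target in fd_links:
        m = re.fullmatch(r"socket:\[(\d+)\]", target)   # socket fds link to socket:[inode]
        if m:
            owners.setdefault(int(m.group(1)), set()).add(pid)
    return owners


def assess(sock: PacketSocket, comm: str, exe: str) -> list[str]:
    """Reasons a packet socket holder looks like an implant (empty list = nothing odd)."""
    reasons = []
    if sock.sock_type == SOCK_RAW and comm not in RAW_SOCKET_ALLOWLIST:
        reasons.append("raw packet socket held by a non-allowlisted process")
    if sock.proto == ETH_P_ALL and sock.ifindex == 0:
        reasons.append("socket sees every protocol on every interface")
    if exe.endswith(" (deleted)"):
        reasons.append("running binary has been deleted from disk")
    if exe.startswith(SCRATCH_DIRS):
        reasons.append("executable lives in a scratch directory")
    return reasons


def hunt(packet_text: str, fd_links, procs: dict[int, tuple[str, str]]) -> dict[int, list[str]]:
    """Cross-reference packet sockets with their owning processes; return pid -> reasons."""
    sockets = parse_proc_net_packet(packet_text)
    findings: dict[int, list[str]] = {}
    for inode, pids in socket_owners(fd_links).items():
        if inode not in sockets:
            continue                           # ordinary TCP/UDP/unix socket, not AF_PACKET
        for pid in pids:
            comm, exe = procs.get(pid, ("?", "?"))
            reasons = assess(sockets[inode], comm, exe)
            if reasons:
                findings.setdefault(pid, []).extend(reasons)
    return findings


def hunt_live() -> dict[int, list[str]]:
    """Run the hunt against the real /proc of this host (root needed to read every fd)."""
    fd_links, procs = [], {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                procs[int(pid)] = (f.read().strip(), os.readlink(f"/proc/{pid}/exe"))
            for fd in os.listdir(f"/proc/{pid}/fd"):
                fd_links.append((int(pid), os.readlink(f"/proc/{pid}/fd/{fd}")))
        except OSError:
            continue                           # process exited or permission denied
    with open("/proc/net/packet") as f:
        return hunt(f.read(), fd_links, procs)


# Constructed sample: a benign dhclient packet socket bound to ifindex 2, and an
# ETH_P_ALL socket on all interfaces held by a process that names itself after a
# hardware daemon but runs a deleted binary out of /dev/shm.
SAMPLE_PACKET = (
    "sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
    "ffff9a1c2b3d4e50 3      3    0800   2     1 0      0      23456\n"
    "ffff9a1c2b3d4e60 3      3    0003   0     1 0      0      34567\n"
)
SAMPLE_FDS = [(811, "socket:[23456]"), (4172, "socket:[34567]"), (4172, "/dev/null")]
SAMPLE_PROCS = {811: ("dhclient", "/usr/sbin/dhclient"),
                4172: ("hald-addon-acpi", "/dev/shm/.x (deleted)")}

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_PACKET, SAMPLE_FDS, SAMPLE_PROCS).items():
        print(pid, *reasons, sep="\n  ")
```

Run it as root so every process's fd table is readable, and call hunt_live() on a real host. The attached filter program itself is not visible in /proc, but `ss -0 -b` (packet sockets with their BPF filters, root only) dumps the classic BPF instructions per socket, so a responder can compare a flagged socket's filter against the trigger logic Rapid7 describes rather than relying on a known hash.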