A highly sophisticated cyber espionage campaign linked to a China-associated threat group has been uncovered, targeting telecommunications infrastructure to infiltrate sensitive government networks. The operation reflects a long-term strategy focused on stealth, persistence, and deep network access, raising serious concerns for global cybersecurity.
Silent Infiltration of Telecom Networks
The threat group known as Red Menshen, also identified under aliases such as Earth Bluecrow, DecisiveArchitect, and Red Dev 18, has been actively compromising telecom providers across Asia and the Middle East since at least 2021. Their primary objective is to establish hidden access within critical infrastructure and maintain long-term surveillance capabilities.
Cybersecurity researchers have described their methods as exceptionally stealthy, comparing them to dormant digital sleeper cells embedded deep inside telecom environments.

Advanced Malware Arsenal and Attack Strategy
The campaign relies on a combination of advanced tools and techniques designed to maintain persistent access. These include kernel-level implants, passive backdoors, credential harvesting tools, and cross-platform command systems.
At the center of these operations is BPFDoor, a highly evasive Linux-based backdoor. Unlike traditional malware, it does not open visible network ports or communicate through standard command-and-control channels. Instead, it leverages Berkeley Packet Filter functionality within the operating system kernel to monitor network traffic silently.
BPFDoor activates only when it detects a specially crafted data packet, effectively acting as a hidden trigger mechanism. This design allows it to remain invisible during routine security scans, making detection extremely difficult.
Initial Access and Lateral Movement
Attackers typically begin by targeting exposed internet-facing systems such as VPN gateways, firewalls, and web services. Platforms from major technology providers are often exploited if misconfigured or unpatched.
Once inside, the attackers deploy additional tools such as CrossC2 frameworks, Sliver implants, Unix-based backdoors, keyloggers, and password brute-force utilities. These tools help them expand access, steal credentials, and move laterally across compromised networks.
How BPFDoor Maintains Control
BPFDoor operates through two main components. The first is a passive implant installed on compromised Linux systems. It continuously scans incoming traffic for a specific “magic packet” using a BPF filter. When detected, it silently opens a remote shell for the attacker.
The second component is a controller used by the attacker to send these trigger packets. In some cases, this controller can operate from within the victim’s own network, disguising itself as a legitimate system process. This enables attackers to control multiple infected systems and move between them without raising suspicion.
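One defender-side check that follows from the description above, written as an added example (not code from the article or from any vendor): a user-space process that filters all incoming traffic with a BPF program on Linux must hold an AF_PACKET socket, and the kernel lists those sockets in /proc/net/packet. The script joins that table with /proc/<pid>/fd to name the owning process; the allowlist and the sample rows are constructed assumptions, as is the process name "example-daemon".

```python
"""Flag processes holding an AF_PACKET socket, the socket a user-space process
needs to run a BPF filter over all traffic the way a passive implant does."""
import os
import re
from pathlib import Path
SOCK_RAW = 3        # 'Type' column of /proc/net/packet: 3 = SOCK_RAW, 2 = SOCK_DGRAM
ETH_P_ALL = 0x0003  # 'Proto' column: 0003 = socket receives every Ethernet protocol
EXPECTED = {"tcpdump", "dhclient", "dhcpcd", "systemd-networkd", "NetworkManager"}  # assumption

def parse_proc_net_packet(text):
    """Return {inode: (sock_type, proto)} from the text of /proc/net/packet."""
    sockets = {}
    for line in text.splitlines()[1:]:  # first row is the column header
        fields = line.split()
        if len(fields) >= 9:
            sockets[int(fields[8])] = (int(fields[2]), int(fields[3], 16))
    return sockets

def socket_owners(proc_root="/proc"):
    """Map socket inode -> (pid, comm) from every readable /proc/<pid>/fd link."""
    owners = {}
    for pid_dir in filter(lambda p: p.name.isdigit(), Path(proc_root).iterdir()):
        try:
            comm = (pid_dir / "comm").read_text().strip()
            for fd in (pid_dir / "fd").iterdir():
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(fd))
                if m:
                    owners[int(m.group(1))] = (int(pid_dir.name), comm)
        except OSError:  # process exited, or its fd table is not readable by us
            continue
    return owners

def find_unexpected_packet_sockets(packet_text, owners, expected=EXPECTED):
    """Report ETH_P_ALL packet sockets whose owner is not on the allowlist.
    comm is chosen by the process itself, so confirm hits via /proc/<pid>/exe."""
    findings = []
    for inode, (sock_type, proto) in parse_proc_net_packet(packet_text).items():
        pid, comm = owners.get(inode, (None, "<no owner found>"))
        if proto == ETH_P_ALL and comm not in expected:
            findings.append({"pid": pid, "comm": comm, "inode": inode,
                             "raw": sock_type == SOCK_RAW})
    return findings

# Constructed sample standing in for a live /proc; only the second row should hit.
SAMPLE_PACKET_TABLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      30011
0000000000000000 3      3    0003   0     1 0      0      30033
"""
SAMPLE_OWNERS = {30011: (811, "tcpdump"), 30033: (4242, "example-daemon")}
```

On a live host, pass `Path("/proc/net/packet").read_text()` and `socket_owners()` to `find_unexpected_packet_sockets`; a hit with `"raw": True` and an unfamiliar owner is worth an `exe` and command-line check.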
Telecom Surveillance Capabilities
Some variants of BPFDoor support advanced telecom protocols such as SCTP, allowing attackers to monitor telecom-specific data. This capability can potentially expose subscriber activity, location data, and communication patterns, making it possible to track individuals of interest.
This highlights that BPFDoor is not just a backdoor, but a strategic surveillance tool embedded within telecom infrastructure.
New Evasion Techniques
Researchers have also identified a newer version of BPFDoor with enhanced stealth capabilities. This variant hides its activation signals inside normal HTTPS traffic, making malicious communication appear legitimate.
In this variant the activation signal is a marker, such as “9999”, placed at a fixed position within the data packet. The implant only has to check that position, so it can recognize an activation command without altering the structure of the network request, further reducing detection risk.
Additionally, a lightweight communication method using ICMP enables compromised systems to communicate with each other discreetly.
Evolving Cyber Threat Landscape
This campaign demonstrates a growing trend in cyberattacks, where threat actors are targeting deeper layers of computing systems, including operating system kernels and infrastructure platforms.
Telecom environments, with their mix of physical hardware, virtualization, and modern 4G and 5G systems, provide an ideal environment for such attacks. By blending into legitimate processes and services, attackers can remain hidden for extended periods while continuously collecting intelligence.