China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks

A long-running China-nexus campaign attributed to Red Menshen has implanted kernel-level sleeper cells inside telecom networks to conduct espionage against government and subscriber systems. The actor leverages stealthy tools, most notably the Linux backdoor BPFDoor, which abuses Berkeley Packet Filter (BPF) functionality, hides its trigger packets inside HTTPS traffic, and supports SCTP so that it can monitor telecom signalling protocols while keeping persistent, low-noise access.

Key points

  • Red Menshen has maintained long-term, stealthy access within telecom infrastructures for espionage.
  • BPFDoor installs a BPF filter in the Linux kernel to trigger remote shells only on specially crafted packets.
  • New variants conceal activation markers inside HTTPS and use ICMP and SCTP for covert inter-host communications.
  • Initial access is achieved by exploiting exposed edge services and appliances from vendors like Ivanti, Cisco, Juniper, Fortinet, VMware, and Palo Alto Networks.
  • Post-exploitation tools include CrossC2, Sliver, TinyShell, keyloggers, and brute-force utilities for credential harvesting and lateral movement.
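Because a BPFDoor-style implant has to hold a packet socket with a BPF filter attached in order to see its trigger packets, one practical host-side hunt is to enumerate AF_PACKET sockets and map them back to their owning processes. The script below is an added defender-side example, not code from the article or from any vendor tooling; it assumes the /proc/net/packet column layout printed by the Linux kernel's af_packet.c, and the sample text embedded in it is constructed for illustration.

```python
import os
import re

# Constructed sample in the /proc/net/packet layout:
# sk, RefCnt, Type (3=SOCK_RAW, 2=SOCK_DGRAM), Proto (hex, 0003=ETH_P_ALL,
# 0800=ETH_P_IP), Iface (0 = all interfaces), R, Rmem, User (uid), Inode.
SAMPLE = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a2c1c3d8000 3      3    0800   0     1 0      0      40211
ffff9a2c1c3d9000 3      2    0003   2     1 0      0      40212
"""

def parse_packet_sockets(text):
    """Parse /proc/net/packet content into a list of socket dicts."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) < 9:
            continue
        rows.append({
            "type": int(parts[2]),
            "proto": int(parts[3], 16),
            "iface": int(parts[4]),
            "uid": int(parts[7]),
            "inode": int(parts[8]),
        })
    return rows

def inode_owners(inodes, proc="/proc"):
    """Map socket inode numbers to (pid, comm) by scanning /proc/<pid>/fd."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            targets = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:                          # not our process, or it exited
            continue
        for target in targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m and int(m.group(1)) in inodes:
                try:
                    comm = open(os.path.join(proc, pid, "comm")).read().strip()
                except OSError:
                    comm = "?"
                owners.setdefault(int(m.group(1)), []).append((int(pid), comm))
    return owners

if __name__ == "__main__":
    # Live run (needs root to resolve other users' fds); every packet socket is
    # worth triaging: expected owners are things like dhclient/dhcpcd or tcpdump.
    with open("/proc/net/packet") as f:
        socks = parse_packet_sockets(f.read())
    owners = inode_owners({s["inode"] for s in socks})
    for s in socks:
        print(f"type={s['type']} proto=0x{s['proto']:04x} iface={s['iface']} "
              f"uid={s['uid']} inode={s['inode']} owners={owners.get(s['inode'], [])}")
```

A packet socket whose owner is an unexpected binary, runs from /dev/shm or /tmp, or has a process name imitating a system daemon is the signal to pivot to memory and file analysis of that process.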

Read More: https://thehackernews.com/2026/03/china-linked-red-menshen-uses-stealthy.html