APT Profile – Red Menshen

Red Menshen is a China-linked APT that uses BPFDoor, a passive Linux backdoor that attaches a Berkeley Packet Filter (BPF) program to a raw socket so that the implant stays idle until a specially crafted "magic" packet arrives. The filter itself runs in the kernel's packet path, but the implant is an ordinary userspace process; it opens no listening port, so it never appears in a listening-socket inventory. The group relies on it for highly stealthy persistence and packet-triggered command activation inside telecommunications networks and network edge devices, and focuses on long-term infrastructure-level espionage: exploiting internet-facing devices, then using multi-stage post-exploitation toolchains and covert activation mechanisms to collect communications and metadata at scale. #RedMenshen #BPFDoor

Keypoints

  • Red Menshen is a China-linked APT active since at least 2021 that prioritizes long-term espionage over rapid disruption.
  • The group deploys BPFDoor, a Linux backdoor that uses Berkeley Packet Filter (BPF) functionality to watch traffic from a raw socket and activates only on specially crafted packets, giving it covert persistence without any listening port.
  • Primary targets are telecommunications providers and internet-facing network devices (VPN appliances, firewalls, enterprise network equipment) to access large volumes of communications and metadata.
  • Initial access is frequently achieved by exploiting public-facing network devices, enabling footholds without heavy phishing reliance.
  • Post-compromise activity uses multi-stage toolchains—custom and public tools such as reverse shells and credential harvesting utilities—to move laterally and maintain control across Linux and Windows systems.
  • Command-and-control is covert: BPFDoor avoids continuous beaconing, using packet-triggered activation to minimize detectable network traffic.
  • The actor emphasizes stealth, passive operations, and pre-positioning inside critical infrastructure to enable continuous intelligence collection over extended dwell times.
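The trigger mechanism described above, as an added example that is not code from the CYFIRMA profile or from BPFDoor itself: a classic BPF program that accepts only unfragmented IPv4/UDP packets whose first two payload bytes equal a magic value, a small pure-Python interpreter for the opcode subset it uses so the matching can be checked offline, and the `SO_ATTACH_FILTER` call that hands such a program to the kernel. The magic value `0x7a5c`, the UDP-only trigger and the packet layout (raw IPv4 without an Ethernet header, as an `AF_PACKET`/`SOCK_DGRAM` socket delivers it) are assumptions chosen for this example, not values recovered from any sample.

```python
"""Classic BPF 'magic packet' trigger, illustrating the mechanism described
above (added example; not code from the CYFIRMA profile or from BPFDoor).
Assumed for the example: raw IPv4 packets without an Ethernet header, a
UDP-only trigger, and an arbitrary MAGIC value."""
import ctypes
import socket
import struct

MAGIC = 0x7a5c           # illustrative trigger value chosen for this example
SO_ATTACH_FILTER = 26    # asm-generic/socket.h value (x86_64, arm64); not in Python's socket module
ETH_P_IP = 0x0800

# Classic BPF opcodes (linux/filter.h), the same values `tcpdump -dd` prints.
LDB_ABS = 0x30   # A = pkt[k]
LDH_ABS = 0x28   # A = be16(pkt[k:k+2])
LDX_MSH = 0xb1   # X = 4 * (pkt[k] & 0x0f)   -> IPv4 header length
LDH_IND = 0x48   # A = be16(pkt[X+k:X+k+2])
JEQ_K   = 0x15   # pc += jt if A == k else jf
JSET_K  = 0x45   # pc += jt if A & k  else jf
RET_K   = 0x06   # return k: 0 drops the packet, >0 delivers it

def magic_udp_filter(magic=MAGIC):
    """Accept only unfragmented IPv4/UDP whose first two payload bytes == magic."""
    return [
        (LDB_ABS, 0, 0, 9),        # 0: A = ip.protocol
        (JEQ_K,   0, 6, 17),       # 1: not UDP -> 8 (drop)
        (LDH_ABS, 0, 0, 6),        # 2: A = flags + fragment offset
        (JSET_K,  4, 0, 0x1fff),   # 3: fragment -> 8 (drop)
        (LDX_MSH, 0, 0, 0),        # 4: X = IHL * 4
        (LDH_IND, 0, 0, 8),        # 5: A = payload[0:2], past the 8-byte UDP header
        (JEQ_K,   0, 1, magic),    # 6: mismatch -> 8 (drop)
        (RET_K,   0, 0, 0xffff),   # 7: accept, deliver up to 0xffff bytes
        (RET_K,   0, 0, 0),        # 8: drop
    ]

def run_filter(prog, pkt):
    """Interpret the opcode subset above with kernel semantics: any load past
    the end of the packet makes the program return 0 (drop)."""
    A = X = pc = 0
    while True:
        code, jt, jf, k = prog[pc]
        pc += 1
        if code in (LDB_ABS, LDX_MSH):
            if k >= len(pkt):
                return 0
            if code == LDB_ABS:
                A = pkt[k]
            else:
                X = 4 * (pkt[k] & 0x0f)
        elif code in (LDH_ABS, LDH_IND):
            off = k if code == LDH_ABS else X + k
            if off + 2 > len(pkt):
                return 0
            A = struct.unpack_from("!H", pkt, off)[0]
        elif code == JEQ_K:
            pc += jt if A == k else jf
        elif code == JSET_K:
            pc += jt if A & k else jf
        elif code == RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")

def ipv4_packet(payload, proto=17, frag=0):
    """Constructed raw IPv4 packet with a UDP header in front of `payload`.
    Checksums stay zero because the filter never looks at them."""
    l4 = struct.pack("!HHHH", 40000, 4444, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, frag, 64, proto,
                     0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + l4

def attach(sock, prog):
    """setsockopt(SO_ATTACH_FILTER): from here on the kernel wakes the process
    only for packets `prog` accepts. Needs CAP_NET_RAW, so the offline checks
    use run_filter() instead."""
    code = b"".join(struct.pack("HBBI", *insn) for insn in prog)   # struct sock_filter[]
    buf = ctypes.create_string_buffer(code, len(code))
    fprog = struct.pack("HP", len(prog), ctypes.addressof(buf))    # struct sock_fprog
    sock.setsockopt(socket.SOL_SOCKET, SO_ATTACH_FILTER, fprog)
    return buf   # caller keeps it alive while the filter is attached

if __name__ == "__main__":
    prog = magic_udp_filter()
    s = socket.socket(socket.AF_PACKET, socket.SOCK_DGRAM, socket.htons(ETH_P_IP))
    keep = attach(s, prog)          # raises PermissionError without CAP_NET_RAW
    pkt = s.recv(65535)             # returns only once a magic datagram arrives
    print(f"trigger from {socket.inet_ntoa(pkt[12:16])}, "
          f"filter verdict {run_filter(prog, pkt):#x}")
```

Once attached, the kernel evaluates the program for every frame on the interface and wakes the process only for accepted ones, which is why such an implant needs no `listen()`: the trigger can be aimed at any destination port, including one a firewall already permits, and the host's listening-socket inventory never changes. The interpreter models the kernel rule that an out-of-bounds load returns 0, so truncated or fragmented packets are dropped rather than faulting.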

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Initial access by exploiting vulnerabilities in internet-facing devices (‘exploits vulnerabilities in internet-facing network devices, including VPN appliances, firewalls, and enterprise network equipment.’)
  • [T1078] Valid Accounts – Harvested credentials reused for persistence and lateral movement (‘deploys a combination of custom and publicly available tools… credential harvesting utilities’)
  • [T1059] Command and Scripting Interpreter – Remote command execution through shells after compromise (‘reverse shells’ and cross-platform frameworks facilitate remote command execution)
  • [T1547] Boot or Logon Autostart Execution – Inferred persistence mechanism; the profile documents long dwell times but does not name the autostart method (‘maintains extended dwell times within compromised environments’)
  • [T1543.003] Create or Modify System Process: Windows Service – Inferred for the Windows side of the cross-platform toolchain (‘cross-platform frameworks that facilitate lateral movement and remote command execution’)
  • [T1068] Exploitation for Privilege Escalation – Inferred; the profile describes exploitation of edge devices for access and names no separate privilege-escalation exploit (‘frequently exploits vulnerabilities in internet-facing network devices’)
  • [T1480] Execution Guardrails – BPFDoor executes only when its trigger condition is met, limiting observable activity (‘passively monitors network traffic and activates only upon receiving specially crafted packets.’)
  • [T1564] Hide Artifacts – Artifact hiding to reduce detectability; the NTFS File Attributes sub-technique (T1564.004) does not apply to a Linux implant, so the parent technique is listed (‘prioritizes low-noise operations, avoiding techniques that generate detectable traffic’)
  • [T1036] Masquerading – Malicious components blended with legitimate artifacts to evade detection (‘covert command-and-control mechanisms’ used to mask activity)
  • [T1027] Obfuscated Files or Information – Obfuscation of malicious code and communications (‘This approach enables highly covert persistence within compromised environments’)
  • [T1070] Indicator Removal – Minimizing forensic traces and detection likelihood (‘significantly reduces the likelihood of detection’)
  • [T1056] Input Capture – Credential-capture tooling used to obtain account credentials (‘credential harvesting utilities’)
  • [T1110] Brute Force – Inferred alongside credential harvesting and valid-account use; no brute-force activity is described directly (‘credential harvesting utilities’ and use of valid accounts for access)
  • [T1082] System Information Discovery – Host reconnaissance supporting lateral movement and collection (‘Following initial compromise, Red Menshen deploys… tools to expand access and maintain control’)
  • [T1018] Remote System Discovery – Identifying targets for lateral movement (‘cross-platform frameworks that facilitate lateral movement and remote command execution’)
  • [T1021.004] Remote Services: SSH – Inferred for lateral movement between Linux hosts (‘facilitate lateral movement and remote command execution’)
  • [T1570] Lateral Tool Transfer – Tools moved between compromised systems to expand access (‘deploys a combination of custom and publicly available tools to expand access’)
  • [T1005] Data from Local System – Collection of files and data from compromised hosts and network elements (‘gains access to large volumes of data traversing these systems, including communications and metadata’)
  • [T1119] Automated Collection – Automated harvesting supporting continuous intelligence collection (‘continuous intelligence collection’)
  • [T1071.001] Application Layer Protocol: Web Protocols – Applies, if at all, to the post-exploitation tooling; BPFDoor itself uses no application-layer C2 channel (‘does not rely on open ports or standard command-and-control communication’)
  • [T1095] Non-Application Layer Protocol – Commands received through a BPF filter applied to raw traffic rather than an application protocol, so no listening port is required (‘operates at the kernel level using Berkeley Packet Filter (BPF) functionality’)
  • [T1572] Protocol Tunneling – Inferred from the packet-triggered control mechanism; no specific tunneling protocol is described (‘packet-triggered activation mechanisms within BPFDoor to control infected systems’)
  • [T1001] Data Obfuscation – Inferred; the cited behaviour is the absence of beaconing rather than a documented encoding of traffic (‘eliminates the need for continuous beaconing and allows command execution only when required’)
  • [T1105] Ingress Tool Transfer – Tools brought into the environment as part of the post-exploitation toolchain (‘deploys a combination of custom and publicly available tools to expand access’)
  • [T1041] Exfiltration Over C2 Channel – Collected data moved out over the covert channel the triggered backdoor provides (‘enables continuous intelligence collection’ and uses covert activation to transfer data)

Indicators of Compromise

  • [Malware/File name] BPFDoor, passive BPF-filter backdoor used for stealth persistence – BPFDoor
  • [Tool types] Post-exploitation tools observed in campaigns – reverse shells, credential harvesting utilities
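The indicator list above is thin by design, so a hunt for the precondition of the technique is more useful than a file name. Added here, and not part of the CYFIRMA profile: every BPF-filter backdoor of this kind must hold an `AF_PACKET` socket, those sockets are enumerated in `/proc/net/packet`, and the owning process is reachable through `/proc/<pid>/fd`. The sample `/proc/net/packet` contents and the fd tables below are constructed for the example; the column layout and the `SOCK_RAW`/`SOCK_DGRAM` type codes are Linux's own.

```python
"""Find processes holding AF_PACKET sockets via /proc (added example, not
from the CYFIRMA profile). A passive BPF-triggered backdoor needs such a
socket, so its owners are a short, reviewable list on most servers."""
import os
from collections import namedtuple

PacketSocket = namedtuple(
    "PacketSocket", "sk refcnt sock_type proto iface running rmem user inode")

SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}   # Linux socket type codes
ETH_P_IP, ETH_P_ALL = 0x0800, 0x0003             # ethertypes a sniffer binds

# Constructed sample of /proc/net/packet for the offline demonstration.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1b4c3d2000 3      3    0800   0     1 0      0      31337
ffff9a1b4c3d2800 3      2    0003   2     1 0      0      24601
ffff9a1b4c3d3000 2      3    88cc   2     1 0      0      24700
"""

# Constructed fd tables {pid: [readlink targets]} standing in for /proc/<pid>/fd.
SAMPLE_FD_LINKS = {
    1:    ["/dev/null", "socket:[999]"],
    4242: ["/dev/null", "pipe:[123]", "socket:[31337]"],
    777:  ["socket:[24601]"],
}

def parse_proc_net_packet(text):
    """Parse /proc/net/packet: a header line, then one row per packet socket."""
    rows = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 9:
            continue
        rows.append(PacketSocket(
            sk=cols[0], refcnt=int(cols[1]), sock_type=int(cols[2]),
            proto=int(cols[3], 16), iface=int(cols[4]), running=int(cols[5]),
            rmem=int(cols[6]), user=int(cols[7]), inode=int(cols[8])))
    return rows

def is_sniffer(sock):
    """True for sockets that see all IPv4 or all traffic on an interface,
    which is what a packet-triggered implant needs; single-protocol
    sockets such as LLDP (0x88cc) are left out."""
    return sock.proto in (ETH_P_IP, ETH_P_ALL)

def read_fd_links(proc="/proc"):
    """Build {pid: [link targets]} from a live /proc tree (root needed to
    read other users' fd tables)."""
    links = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links[int(pid)] = [os.readlink(os.path.join(fd_dir, fd))
                               for fd in os.listdir(fd_dir)]
        except OSError:
            continue   # process exited, or not readable by this user
    return links

def owners_of(inode, fd_links):
    """PIDs whose fd table references socket:[inode]."""
    target = f"socket:[{inode}]"
    return sorted(pid for pid, targets in fd_links.items() if target in targets)

def hunt(proc_net_packet_text, fd_links):
    """(owning pids, socket) for every packet socket that sniffs broadly."""
    return [(owners_of(s.inode, fd_links), s)
            for s in parse_proc_net_packet(proc_net_packet_text) if is_sniffer(s)]

if __name__ == "__main__":
    with open("/proc/net/packet") as f:
        for pids, s in hunt(f.read(), read_fd_links()):
            print(f"inode {s.inode} {SOCK_TYPES.get(s.sock_type, s.sock_type)} "
                  f"proto {s.proto:#06x} owned by {pids or 'unknown (run as root)'}")
```

Run it as root and review every owner that is not a known sniffer, DHCP client or link-layer agent. `ss -0bp` from iproute2 additionally dumps the attached classic BPF bytecode per packet socket, so the filter program itself can be diffed against a known-good baseline; a process whose name resembles a system daemon but whose binary is not owned by any installed package, holding a broad packet socket, is the combination to escalate.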


Read more: https://www.cyfirma.com/research/apt-profile-red-menshen/