Overview
- Rapid7 Labs detailed a months-long espionage campaign by a China‑nexus group called Red Menshen that planted persistent implants inside telecommunications backbones worldwide.
- The core tool is BPFdoor, a Linux backdoor that installs a kernel packet filter (BPF) to inspect inbound traffic from inside the operating system and activates only on crafted triggers, including markers tucked inside encrypted HTTPS traffic.
- Researchers also observed covert command-and-control over ICMP messages and support for SCTP, a telecom signaling protocol, which could expose subscriber movement and identity data across 4G and 5G cores.
- Initial access often came through exploited edge devices and stolen accounts on platforms from Ivanti, Cisco, Fortinet, VMware, Palo Alto Networks, Juniper Networks, and Apache Struts.
- Rapid7 released a free scanner to find known and newer BPFdoor samples, reports activity across Europe and APAC, and says national-level attribution remains unsettled due to the implants’ stealth, echoing prior warnings about Chinese pre‑positioning in critical networks.
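A passive implant of the kind the second and third bullets describe has to hold a sniffing socket (an AF_PACKET socket, or a raw IP socket for an ICMP channel) so that its filter sees traffic before any listening service does. The triage script below is an added example, not Rapid7's scanner or any code from the report: it parses the two kernel tables that list such sockets, `/proc/net/packet` and `/proc/net/raw`, and maps each socket inode back to the owning process. The sample table contents, inode numbers and process names are constructed for illustration, and the heuristic is an assumption (legitimate tools such as packet capture utilities or DHCP clients also open these sockets, so every hit is a lead to verify, not a verdict).

```python
"""Triage raw/packet sockets on a Linux host (added example, heuristic only)."""
import os
from dataclasses import dataclass

ETH_P_ALL = 0x0003   # AF_PACKET protocol value that receives every frame
SOCK_RAW = 3         # socket type 3 = SOCK_RAW
IPPROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 132: "sctp"}


@dataclass
class Finding:
    source: str   # which /proc table the socket came from
    detail: str   # what the socket listens for
    inode: int    # socket inode, used to find the owning process
    reason: str   # why a defender should look at it


def parse_proc_net_packet(text: str) -> list[Finding]:
    """Parse /proc/net/packet (columns: sk RefCnt Type Proto Iface R Rmem User Inode)."""
    findings = []
    for line in text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) < 9:
            continue
        sock_type, proto, inode = int(f[2]), int(f[3], 16), int(f[8])
        if sock_type == SOCK_RAW and proto == ETH_P_ALL:
            reason = "raw AF_PACKET socket on ETH_P_ALL: sees every frame, as a filter-triggered implant would need"
        else:
            reason = f"AF_PACKET socket (type {sock_type}, proto 0x{proto:04x}); verify the owner"
        findings.append(Finding("/proc/net/packet", f"ethertype 0x{proto:04x}", inode, reason))
    return findings


def parse_proc_net_raw(text: str) -> list[Finding]:
    """Parse /proc/net/raw; the port part of local_address is the IP protocol number."""
    findings = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        proto = int(f[1].split(":")[1], 16)
        inode = int(f[9])
        name = IPPROTO_NAMES.get(proto, str(proto))
        findings.append(Finding("/proc/net/raw", f"ipproto {name}", inode,
                                f"raw IP socket receiving all {name} packets; a covert {name} channel needs one"))
    return findings


def socket_owners(proc_root: str = "/proc") -> dict[int, list[tuple[int, str]]]:
    """Map socket inode -> [(pid, comm)] by reading /proc/<pid>/fd links (root sees all processes)."""
    owners: dict[int, list[tuple[int, str]]] = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                inode = int(target[8:-1])
                try:
                    with open(os.path.join(proc_root, pid, "comm")) as fh:
                        comm = fh.read().strip()
                except OSError:
                    comm = "?"
                owners.setdefault(inode, []).append((int(pid), comm))
    return owners


def triage(packet_text: str, raw_text: str, owners: dict) -> list[tuple[Finding, list]]:
    """Pair every sniffing socket with the processes holding it (empty list = owner not visible)."""
    return [(fnd, owners.get(fnd.inode, []))
            for fnd in parse_proc_net_packet(packet_text) + parse_proc_net_raw(raw_text)]


# Constructed sample tables (not captured from a real host).
SAMPLE_PACKET = """sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9d2c3a1b0000 3      3    0003   2     1 0      0      41237
ffff9d2c3a1b0800 3      2    0800   2     1 0      0      41902
"""
SAMPLE_RAW = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 41455 2 ffff9d2c3b000000 0
"""

if __name__ == "__main__":
    # On a live host read the real tables and owners instead of the constructed samples:
    # triage(open("/proc/net/packet").read(), open("/proc/net/raw").read(), socket_owners())
    for fnd, who in triage(SAMPLE_PACKET, SAMPLE_RAW, {41237: [(4242, "example-sniffer")]}):
        print(f"{fnd.source:<16} {fnd.detail:<16} inode={fnd.inode} owners={who}\n    {fnd.reason}")
```

Run it as root so `/proc/<pid>/fd` of every process is readable; a socket with no visible owner is itself worth a second look. Compare each owning process against its binary on disk and its command line before deciding anything, since a process name alone proves little.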