Threat actors operating under the Red Menshen designation (also tracked as Earth Bluecrow) have modified the BPFdoor malware to maintain highly stealthy persistence within global telecommunications systems, government networks, and critical infrastructure.
BPFdoor operates within the Linux kernel. It passively uses the Berkeley Packet Filter (BPF) to inspect incoming network traffic for a specific activation message, remaining dormant and difficult to observe until triggered. Researchers at Rapid7 report that Red Menshen has recently refined this listening mechanism. Since late last year, the group has implemented additional evasion techniques to remain undetected while operating near the core of global telecommunications subscriber traffic.
While earlier telemetry identified affected organizations in the Middle East and Africa, Rapid7's Christiaan Beek confirms that the campaign is global, with established persistence in the Asia-Pacific (APAC) region and Europe. Originally focused on telecommunications, the threat actor has also expanded its targeting to include government, critical infrastructure, and defense networks.
Evolution of a sophisticated telecommunications backdoor
Previously, BPFdoor monitored a wide range of network packets for its activation sequence. The updated implant now strictly looks for its trigger within standard Hypertext Transfer Protocol Secure (HTTPS) requests. By hiding the activation sequence within Transport Layer Security (TLS) traffic, the malware easily passes through standard firewalls and traffic inspection tools. Once decrypted, the request appears benign to human analysts and automated security solutions.
BPFdoor specifically monitors the 26th byte offset in the incoming request; if the trigger value appears at this exact location, the implant activates. Trend Micro's analysis of a recent BPFdoor controller reveals that the threat actor also uses a hard-coded password and salt, verifying the MD5 hash before allowing the reverse shell to open. The controller supports TCP and ICMP protocols, allowing the operators to adapt their connection methods based on the specific network restrictions of the affected organization.
Red Menshen also exercises precise control over multiple compromised servers within a single environment using a lightweight Internet Control Message Protocol (ICMP) channel. Rather than relying on traditional, easily detectable command-and-control (C2) servers for internal lateral movement, the malware transmits instructions between infected machines using ICMP pings. A specific value, 0xFFFFFFFF, instructs the receiving machine to execute the enclosed command and stop forwarding it further. Beek notes that this allows the threat actor to route commands through multiple network hops to a specific target machine, blending seamlessly into routine network diagnostic traffic.
Deep reconnaissance and process masquerading
Red Menshen demonstrates an exceptional understanding of telecommunications infrastructure. Rapid7 observed the group performing extensive reconnaissance to understand the interconnections of specific equipment inside target networks. This deep operational knowledge allows them to move swiftly and deploy custom tooling, such as localized credential sniffers, once they establish a foothold.
The threat actor adapts its implants to mimic the specific environments of its targets. Knowing that many European and Asian telecommunications providers rely on HPE ProLiant servers and increasingly use Kubernetes to manage 5G core networks, BPFdoor actively disguises itself using legitimate service names and process behaviors associated with these specific technologies.
Proactive hunting and defense strategies
BPFdoor’s combination of passive kernel-level listening, covert ICMP messaging, and highly tailored process masquerading makes it difficult for standard endpoint security solutions to detect. Protecting these environments requires security teams to actively hunt for anomalous internal traffic patterns.
To safeguard critical infrastructure, organizations should expand defensive visibility beyond the traditional perimeter. This includes monitoring high-port network activity on Linux systems, restricting unnecessary ICMP communication between internal servers, and hunting for unauthorized BPF filters attached to network interfaces. Triage recommends working closely with infrastructure teams to ensure that logging captures the specific kernel-level telemetry needed to identify this class of persistent threat. Telecommunications providers and critical infrastructure operators must anticipate these sophisticated techniques and validate their defensive posture continuously to maintain trust and operational resilience.
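One way to act on the last of those recommendations, hunting for BPF filters on network interfaces, as an added example that is not code from Rapid7, Trend Micro or the report: it assumes (as is typical for classic BPF sniffers) that the filter is attached to an AF_PACKET socket, enumerates those sockets from /proc/net/packet, and maps each socket inode back to the process holding it. The EXPECTED_COMM allowlist and the SAMPLE rows are constructed assumptions for illustration.

```python
"""Hunt for processes holding AF_PACKET sockets, the socket type a classic BPF filter
such as BPFdoor's is attached to: parse /proc/net/packet, then map each socket inode
to its owner via /proc/<pid>/fd.  EXPECTED_COMM and SAMPLE are constructed assumptions."""
import os
from collections import namedtuple

EXPECTED_COMM = {"dhclient", "dhcpcd", "tcpdump", "lldpd", "NetworkManager"}
# sock_type 3 = SOCK_RAW; proto 0x0003 = ETH_P_ALL (every frame); ifindex 0 = all interfaces
PacketSocket = namedtuple("PacketSocket", "sock_type proto ifindex uid inode")

def parse_proc_net_packet(text: str) -> list:
    """Parse /proc/net/packet: one header line, then one row per open packet socket."""
    rows = [line.split() for line in text.splitlines()[1:]]
    return [PacketSocket(int(f[2]), int(f[3], 16), int(f[4]), int(f[7]), int(f[8]))
            for f in rows if len(f) >= 9]

def socket_owners(proc_root: str = "/proc") -> dict:
    """Map socket inode -> [(pid, comm)] holding it, via /proc/<pid>/fd symlinks (run as root)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            comm = open(f"{base}/comm").read().strip()
            links = [os.readlink(f"{base}/fd/{fd}") for fd in os.listdir(f"{base}/fd")]
        except OSError:          # process exited mid-scan, or permission denied
            continue
        for target in links:
            if target.startswith("socket:["):
                owners.setdefault(int(target[8:-1]), []).append((int(pid), comm))
    return owners

def suspicious(sockets, owners):
    """(socket, pid, comm) for each packet socket not held by an expected daemon; a
    socket with no visible owner is reported too, since a hidden holder is the point."""
    hits = []
    for s in sockets:
        for pid, comm in owners.get(s.inode, [(-1, "<no owner found>")]):
            if comm not in EXPECTED_COMM:
                hits.append((s, pid, comm))
    return hits

# Constructed sample in the kernel's /proc/net/packet layout, not from a real host.
SAMPLE = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a4c5d3e8000 3      3    0003   2     1 0      0      23456
ffff9a4c5d3e9000 3      3    0003   0     1 0      0      34567
"""
if __name__ == "__main__":   # live scan of this host
    live = parse_proc_net_packet(open("/proc/net/packet").read())
    for s, pid, comm in suspicious(live, socket_owners()):
        print(f"pid={pid} comm={comm} proto=0x{s.proto:04x} ifindex={s.ifindex} inode={s.inode}")
```

Run it as root so every process's fd links are readable; `ss -0pb` lists the same sockets together with the attached filter bytecode, which is the next thing to inspect for any hit.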