China Upgrades the Backdoor It Uses to Spy on Telcos Globally - Dark Reading
Chinese APT Red Menshen's super-advanced BPFdoor malware defeats traditional cybersecurity protections. All telcos can do, really, is try hunting it down.

Nate Nelson, Contributing Writer
March 27, 2026
5 Min Read

Chinese threat actors have been tinkering with a state-of-the-art backdoor called "BPFdoor," modifying it to more stealthily maintain persistence inside the most sensitive parts of global telecommunications systems, plus other high-level government and critical infrastructure networks.

BPFdoor was already one of the world's most sophisticated malware implants before it was upgraded. Its signature trick was to lie dormant inside a Linux kernel, doing nothing interesting or even observable, while passively using the Berkeley Packet Filter (BPF) to inspect incoming network traffic for a specially crafted activation message.

Researchers at Rapid7 now report that the Chinese advanced persistent threat (APT) behind BPFdoor, Red Menshen, has modified that listening system. Since around last November, it has also tacked on a few more stealthy tricks to help BPFdoor stay even quieter and get closer to the heart of telecommunications subscriber traffic worldwide.

In addition to known targets in the Middle East and Africa, "We have confirmed victims in the Asia-Pacific (APAC) and in Europe — I dare say this is definitely global," Christiaan Beek, vice president of cyber intelligence at Rapid7, tells Dark Reading. He adds that, perhaps due to the malware's runaway success, "where we thought initially it was mostly focused on telcos, we also now have confirmation from [victimized] government networks, critical infrastructure networks, and defense networks."

An Ultra-Advanced Telecom Backdoor

Even BPFdoor's remarkably subtle and efficient BPF listening technique isn't good enough for Red Menshen anymore. Now, instead of looking for a magic packet in any sort of network packet, the malware only looks for its trigger phrase in innocuous Hypertext Transfer Protocol Secure (HTTPS) requests.

"They are actually weaponizing our firewalls against us, and we're letting the traffic through," Beek concedes. Firewalls and traffic inspection tools can't reasonably block HTTPS, and even when the request is decrypted, it will look normal to a human observer or security tool. "So that was a really smart move on [their part] — hiding themselves in that kind of Transport Layer Security (TLS) traffic, so the moment you unpack it, it will actually pass through easily," he says.

BPFdoor is also specially tuned to know when malicious messages are coming through. It looks specifically at the 26th byte offset in the incoming request, and if its trigger appears at that specific location, it knows it's being summoned.

The trigger phrase is arguably not even BPFdoor's most subtle, highly controlled trick. At an even more granular level, Red Menshen can direct orders to specific instances of its malware within a network, using a lightweight Internet Control Message Protocol (ICMP) control channel. It works like this: Let's say that Red Menshen has compromised more than one server in a target network. It could connect and forward instructions to each individual server using a command-and-control (C2) setup, but that would be loud. Theoretically, it could also include data in the activation packet that routes instructions to the desired instance, but that would make the packet more bloated and potentially detectable. So, instead, the malware uses innocuous ICMP pings to transmit instructions between infected machines, using a specific value — 0xFFFFFFFF — to indicate which machine should terminate the propagation and actually execute an action.

"No matter how many hops there are in a network, they know exactly where their next implant in the network is, and they could actually send a command specifically [to any implant] in the traffic," Beek explains. By way of analogy, he says, "Let's say you have BPFdoor in your living room, and you have BPFdoor in your kitchen. The actor could actually instruct the BPFdoor in the living room that a command is actually intended for BPFdoor in the kitchen."

He adds, "That's unbelievable. It's fascinating — how to hide yourself in ping traffic. They knew exactly where there is some space in the network traffic, where you can put in your [malicious] packets. With all due respect, nobody's tracing how much ping traffic goes beyond the host, or outside of the network."

China vs. Telcos: An Unfair Cyber Fight

Red Menshen attacks are characterized by an unusual diligence and knowledge of their targets' infrastructure.

Beek thinks that "they do an extremely good job at reconnaissance in their victims' networks. And they know so much about the inner workings of telco infrastructure. So the moment they are inside, and they find certain equipment, they know exactly how it works. And that it's interconnected, and then they can move really fast [to other parts of the network]. We found custom sniffers, custom tooling to intercept usernames and passwords — very highly sophisticated operations."

The detail with which the attackers understand and adapt to their targets' systems is exceptional. For instance, cyber researchers call it "advanced" when malware mimics ordinary system processes to try to evade detection. Red Menshen goes a step further. It knows that telcos, particularly in Europe and Asia, are known to use HPE ProLiant servers, and that telcos worldwide are increasingly using Kubernetes to serve 5G. So nowadays BPFdoor disguises itself using legitimate service names and process behaviors associated with HPE ProLiant servers or Kubernetes, as applicable.

Between the passive listening, the covert messaging, the process mimicking, and more, BPFdoor is a league beyond what most cybersecurity solutions can hope to detect and stop. Beek's suggestion, instead, is that operators need to go out and hunt this thing down.

The first step in that process, of course, is actually knowing about its existence. Surprisingly, even though the malware is some years old now, it isn't as famous as it deserves to be.

"Honestly, when I spoke to different telcos, they were quite unaware of this threat, and also the implications of it," Beek says. "I think that the bigger picture here is: Are you really anticipating these threats?"

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a journalist and award-winning scriptwriter. In addition to Dark Reading he writes for Darknet Diaries, the most popular show in cybersecurity across all media. He began his career as a freelancer, ghostwriting Forbes and CNBC op-eds for executives in tech and finance. Then he transitioned to journalism at Threatpost, where he covered cybersecurity news and trends. Throughout those years he co-created a cybersecurity podcast, Malicious Life, which in its day climbed into the Top 20 technology podcast charts on Apple Podcasts and Spotify. He holds degrees from New York University and Bard College. As a born and bred New Yorker, he enjoys a superiority complex, but is polite enough to keep it to himself.
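As an added illustration of the hunt Beek recommends (this is not code from the article or from Rapid7): the script below parses `ss -0pb` output, which lists Linux packet sockets together with the classic BPF program attached to each, and reports a process that holds such a socket while not being on an assumed allowlist of legitimate sniffers, or whose filter compares a constant against bytes loaded from a fixed offset past the Ethernet, IP and TCP headers, the kind of passive magic-value check described above. The sample output, the allowlist, the 54-byte header boundary and the process name "placeholder-svc" are constructed assumptions, not indicators from the article.

```python
import re

# Classic BPF opcodes from linux/filter.h (class | size | mode); other opcodes are passed through.
LD_W_ABS, LD_H_ABS, LD_B_ABS, JEQ_K = 0x20, 0x28, 0x30, 0x15
HEADER_END = 14 + 20 + 20  # Ethernet + minimal IPv4 + minimal TCP; anything deeper is payload
EXPECTED_SNIFFERS = {"dhclient", "dhcpcd", "NetworkManager", "systemd-networkd", "tcpdump"}  # assumed

def parse_ss_0pb(text):
    """Return [(process, pid, [(code, jt, jf, k), ...])] from `ss -0pb` output."""
    sockets = []
    for line in text.splitlines():
        owner = re.search(r'users:\(\("([^"]+)",pid=(\d+)', line)
        if owner:
            sockets.append((owner.group(1), int(owner.group(2)), []))
            continue
        prog = re.search(r'bpf filter \(\d+\):(.*)', line)
        if prog and sockets:  # ss prints the filter on the line after its socket
            for code, jt, jf, k in re.findall(r'(0x[0-9a-fA-F]+) (\d+) (\d+) (\d+)', prog.group(1)):
                sockets[-1][2].append((int(code, 16), int(jt), int(jf), int(k)))
    return sockets

def constant_checks_past_headers(insns):
    """Return [(offset, constant)] where a fixed-offset load beyond the headers feeds a jeq."""
    return [(k, insns[i + 1][3]) for i, (code, _, _, k) in enumerate(insns[:-1])
            if code in (LD_W_ABS, LD_H_ABS, LD_B_ABS) and k >= HEADER_END and insns[i + 1][0] == JEQ_K]

def hunt(ss_output):
    """Return [(process, pid, [reasons])] for packet sockets that deserve a closer look."""
    findings = []
    for proc, pid, insns in parse_ss_0pb(ss_output):
        reasons = []
        if proc not in EXPECTED_SNIFFERS:
            reasons.append("process outside the packet-socket allowlist")
        deep = constant_checks_past_headers(insns)
        if deep:
            reasons.append("filter compares a constant at payload offset(s) %s" % sorted(o for o, _ in deep))
        if reasons:
            findings.append((proc, pid, reasons))
    return findings

# Constructed sample in the layout ss prints (" 0x%02x jt jf k," per instruction); not a real capture.
SAMPLE = """\
Netid Recv-Q Send-Q Local Address:Port Peer Address:Port Process
p_dgr 0      0      *:eth0             *                 users:(("dhclient",pid=812,fd=6))
\tbpf filter (4):  0x28 0 0 12, 0x15 0 1 2048, 0x06 0 0 262144, 0x06 0 0 0,
p_raw 0      0      *:eth0             *                 users:(("placeholder-svc",pid=4471,fd=3))
\tbpf filter (6):  0x28 0 0 12, 0x15 0 3 2048, 0x20 0 0 60, 0x15 0 1 3405691582, 0x06 0 0 262144, 0x06 0 0 0,
"""
```

Run `hunt(open(path).read())` on a saved `ss -0pb` capture from a host; the dhclient entry in the sample is passed over, while the second socket is reported for both its owner and its deep constant comparison.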